* [PATCH 6.1 000/482] 6.1.149-rc1 review
@ 2025-08-26 11:04 Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 001/482] io_uring: dont use int for ABI Greg Kroah-Hartman
` (490 more replies)
0 siblings, 491 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill
This is the start of the stable review cycle for the 6.1.149 release.
There are 482 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.149-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.149-rc1
Florian Westphal <fw@strlen.de>
netfilter: nf_reject: don't leak dst refcount for loopback packets
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/hypfs: Enable limited access during lockdown
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/hypfs: Avoid unnecessary ioctl registration in debugfs
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation
Hangbin Liu <liuhangbin@gmail.com>
bonding: send LACPDUs periodically in passive mode after receiving partner's LACPDU
Aahil Awatramani <aahila@google.com>
bonding: Add independent control state machine
Hangbin Liu <liuhangbin@gmail.com>
bonding: update LACP activity flag after setting lacp_active
William Liu <will@willsroot.io>
net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate
William Liu <will@willsroot.io>
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
ValdikSS <iam@valdikss.org.ru>
igc: fix disabling L1.2 PCI-E link substate on I226 on init
Jason Xing <kernelxing@tencent.com>
ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc
Jordan Rhee <jordanrhee@google.com>
gve: prevent ethtool ops after shutdown
Yuichiro Tsuji <yuichtsu@amazon.com>
net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
Horatiu Vultur <horatiu.vultur@microchip.com>
phy: mscc: Fix timestamping for vsc8584
Qingfang Deng <dqfext@gmail.com>
ppp: fix race conditions in ppp_fill_forward_path
Qingfang Deng <dqfext@gmail.com>
net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path
Minhong He <heminhong@kylinos.cn>
ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add
Jakub Ramaseuski <jramaseu@redhat.com>
net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
Chenyuan Yang <chenyuan0y@gmail.com>
drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
Dan Carpenter <dan.carpenter@linaro.org>
ALSA: usb-audio: Fix size validation in convert_chmap_v3()
Baihan Li <libaihan@huawei.com>
drm/hisilicon/hibmc: fix the hibmc loaded failed bug
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum: Forward packets with an IPv4 link-local source IP
Sergey Shtylyov <s.shtylyov@omp.ru>
Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync()
Kees Cook <kees@kernel.org>
iommu/amd: Avoid stack buffer overflow from kernel cmdline
Dan Carpenter <dan.carpenter@linaro.org>
scsi: qla4xxx: Prevent a potential error pointer dereference
Wang Liang <wangliang74@huawei.com>
net: bridge: fix soft lockup in br_multicast_query_expired()
Anantha Prabhu <anantha.prabhu@broadcom.com>
RDMA/bnxt_re: Fix to initialize the PBL array
Boshi Yu <boshiyu@linux.alibaba.com>
RDMA/erdma: Fix ignored return value of init_kernel_qp
Nitin Gote <nitin.r.gote@intel.com>
iosys-map: Fix undefined behavior in iosys_map_clear()
Waiman Long <longman@redhat.com>
cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key
Tianxiang Peng <txpeng@tencent.com>
x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
Jan Beulich <jbeulich@suse.com>
compiler: remove __ADDRESSABLE_ASM{_STR,}() again
David Lechner <dlechner@baylibre.com>
iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read()
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio: light: as73211: Ensure buffer holes are zeroed
Pu Lehui <pulehui@huawei.com>
tracing: Limit access to parser->buffer when trace_get_user failed
Steven Rostedt <rostedt@goodmis.org>
tracing: Remove unneeded goto out logic
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: change invalid data error to -EBUSY
Jakub Kicinski <kuba@kernel.org>
tls: fix handling of zero-length records on the rx_list
Mikhail Lobanov <m.lobanov@rosa.ru>
wifi: mac80211: check basic rates validity in sta_link_apply_parameters
Benjamin Berg <benjamin.berg@intel.com>
wifi: mac80211: avoid lockdep checking when removing deflink
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: pm: check flush doesn't reset limits
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Don't overclock DCE 6 by 15%
Jinjiang Tu <tujinjiang@huawei.com>
mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
Victor Shih <victor.shih@genesyslogic.com.tw>
mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER
Victor Shih <victor.shih@genesyslogic.com.tw>
mmc: sdhci-pci-gli: Add a new function to simplify the code
Bjorn Helgaas <bhelgaas@google.com>
mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values
Imre Deak <imre.deak@intel.com>
drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
Geliang Tang <tanggeliang@kylinos.cn>
mptcp: disable add_addr retransmission when timeout is 0
Chao Yu <chao@kernel.org>
f2fs: fix to avoid out-of-boundary access in dnode page
Chao Yu <chao@kernel.org>
f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
soc: qcom: mdt_loader: Ensure we don't read past the ELF header
Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
soc: qcom: mdt_loader: Enhance split binary detection
Geraldo Nascimento <geraldogabriel@gmail.com>
PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining
Geraldo Nascimento <geraldogabriel@gmail.com>
PCI: rockchip: Use standard PCIe definitions
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
Baokun Li <libaokun1@huawei.com>
ext4: preserve SB_I_VERSION on remount
André Draszik <andre.draszik@linaro.org>
scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support
Selvarasu Ganesan <selvarasu.g@samsung.com>
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
Kuen-Han Tsai <khtsai@google.com>
usb: dwc3: Ignore late xferNotReady event to prevent halt timeout
Zenm Chen <zenmchen@gmail.com>
USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles
Thorsten Blum <thorsten.blum@linux.dev>
usb: storage: realtek_cr: Use correct byte order for bcs->Residue
Mael GUERIN <mael.guerin@murena.io>
USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera
Marek Vasut <marek.vasut+renesas@mailbox.org>
usb: renesas-xhci: Fix External ROM access timeouts
Xu Yang <xu.yang_2@nxp.com>
usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test
Ian Abbott <abbotti@mev.co.uk>
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
Edward Adam Davis <eadavis@qq.com>
comedi: pcl726: Prevent invalid irq number
Ian Abbott <abbotti@mev.co.uk>
comedi: Make insn_rw_emulate_bits() do insn->n samples
Miao Li <limiao@kylinos.cn>
usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive
Miaoqian Lin <linmq006@gmail.com>
most: core: Drop device reference after usage in get_channel()
David Lechner <dlechner@baylibre.com>
iio: proximity: isl29501: fix buffered read on big-endian systems
Salah Triki <salah.triki@gmail.com>
iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()
Steven Rostedt <rostedt@goodmis.org>
ftrace: Also allocate and copy hash for reading of filter files
Xu Yilun <yilun.xu@linux.intel.com>
fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()
Al Viro <viro@zeniv.linux.org.uk>
use uniform permission checks for all mount propagation changes
Ye Bin <yebin10@huawei.com>
fs/buffer: fix use-after-free when call bh_read() helper
Stefan Metzmacher <metze@samba.org>
smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Avoid a NULL pointer dereference
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/sclp: Fix SCCB present check
Evgeniy Harchenko <evgeniyharchenko.dev@gmail.com>
ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6
Herton R. Krzesinski <herton@redhat.com>
mm/debug_vm_pgtable: clear page table entries at destroy_args()
Phillip Lougher <phillip@squashfs.org.uk>
squashfs: fix memory leak in squashfs_fill_super
Victor Shih <victor.shih@genesyslogic.com.tw>
mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
Jiayi Li <lijiayi@kylinos.cn>
memstick: Fix deadlock by moving removing flag earlier
Will Deacon <will@kernel.org>
KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix
Chao Gao <chao.gao@intel.com>
KVM: VMX: Flush shadow VMCS on emergency reboot
Sean Christopherson <seanjc@google.com>
x86/reboot: KVM: Handle VMXOFF in KVM's reboot callback
Sean Christopherson <seanjc@google.com>
x86/reboot: Harden virtualization hooks for emergency reboot
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
kbuild: userprogs: use correct linker when mixing clang and GNU ld
Sumanth Gavini <sumanth.gavini@yahoo.com>
Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
selftests/memfd: add test for mapping write-sealed memfd read-only
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: reinstate ability to map write-sealed memfd mappings read-only
Lorenzo Stoakes <lstoakes@gmail.com>
mm: update memfd seal write check to include F_SEAL_WRITE
Lorenzo Stoakes <lstoakes@gmail.com>
mm: drop the assumption that VM_SHARED always implies writable
Paolo Abeni <pabeni@redhat.com>
mptcp: reset fallback status gracefully at disconnect() time
Paolo Abeni <pabeni@redhat.com>
mptcp: plug races between subflow fail and subflow creation
Paolo Abeni <pabeni@redhat.com>
mptcp: make fallback action and fallback decision atomic
Sean Christopherson <seanjc@google.com>
KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
Nianyao Tang <tangnianyao@huawei.com>
arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - fix ring to service map for QAT GEN4
Sabrina Dubroca <sd@queasysnail.net>
tls: separate no-async decryption request handling from async
Qu Wenruo <wqu@suse.com>
btrfs: populate otime when logging an inode item
Damien Le Moal <dlemoal@kernel.org>
ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
Johan Hovold <johan@kernel.org>
usb: dwc3: imx8mp: fix device leak at unbind
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec: remove unneeded label and if-condition
Chen-Yu Tsai <wenst@chromium.org>
platform/chrome: cros_ec: Use per-device lockdep key
Johan Hovold <johan@kernel.org>
usb: musb: omap2430: fix device leak at unbind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
usb: musb: omap2430: Convert to platform remove callback returning void
Vedang Nagar <quic_vnagar@quicinc.com>
media: venus: Fix OOB read due to missing payload bound check
Konrad Dybcio <konrad.dybcio@linaro.org>
media: venus: Introduce accessors for remapped hfi_buffer_reqs members
Anshuman Khandual <anshuman.khandual@arm.com>
mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
Davide Caratti <dcaratti@redhat.com>
net/sched: ets: use old 'nbands' while purging unused classes
Eric Dumazet <edumazet@google.com>
net_sched: sch_ets: implement lockless ets_dump()
Filipe Manana <fdmanana@suse.com>
btrfs: send: use fallocate for hole punching with send stream v2
Christoph Hellwig <hch@lst.de>
xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags
Filipe Manana <fdmanana@suse.com>
btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
Filipe Manana <fdmanana@suse.com>
btrfs: qgroup: fix race between quota disable and quota rescan ioctl
Sebastian Reichel <sebastian.reichel@collabora.com>
usb: typec: fusb302: cache PD RX state
Shyam Prasad N <sprasad@microsoft.com>
cifs: reset iface weights when we cannot find a candidate
Lukas Wunner <lukas@wunner.de>
PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
Damien Le Moal <dlemoal@kernel.org>
block: Make REQ_OP_ZONE_FINISH a write operation
Christoph Hellwig <hch@lst.de>
block: reject invalid operation in submit_bio_noacct
Eric Biggers <ebiggers@kernel.org>
fscrypt: Don't use problematic non-inline crypto engines
Johan Hovold <johan@kernel.org>
net: enetc: fix device and OF node leak at probe
Lin.Cao <lincao12@amd.com>
drm/sched: Remove optimization that causes hang when killing dependent jobs
Ada Couprie Diaz <ada.coupriediaz@arm.com>
arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
Nathan Chancellor <nathan@kernel.org>
ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
Filipe Manana <fdmanana@suse.com>
btrfs: fix qgroup reservation leak on failure to allocate ordered extent
Eric Dumazet <edumazet@google.com>
net: add netdev_lockdep_set_classes() to virtual drivers
Yazen Ghannam <yazen.ghannam@amd.com>
x86/mce/amd: Add default names for MCA banks and blocks
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel: Fix crash in icl_update_topdown_event()
Zhang Lixu <lixu.zhang@intel.com>
iio: hid-sensor-prox: Fix incorrect OFFSET calculation
Zhang Lixu <lixu.zhang@intel.com>
iio: hid-sensor-prox: Restore lost scale assignments
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on ino and xnid
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: kernel: flush: do not reset ADD_ADDR limit
Christoph Paasch <cpaasch@openai.com>
mptcp: drop skb if MPTCP skb extension allocation fails
Chen Yu <yu.c.chen@intel.com>
ACPI: pfr_update: Fix the driver update version check
Eric Biggers <ebiggers@kernel.org>
ipv6: sr: Fix MAC comparison to be constant-time
Jakub Acs <acsjakub@amazon.de>
net, hsr: reject HSR frame if skb can't hold tag
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Don't overwrite dce60_clk_mgr
Amber Lin <Amber.Lin@amd.com>
drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: update mmhub 3.0.1 client id mappings
Gang Ba <Gang.Ba@amd.com>
drm/amdgpu: Avoid extra evict-restore process.
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Restore cached power limit during resume
Ricardo Ribalda <ribalda@chromium.org>
media: venus: venc: Clamp param smaller than 1fps and bigger than 240
Ricardo Ribalda <ribalda@chromium.org>
media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
media: venus: protect against spurious interrupts during probe
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
media: venus: hfi: explicitly release IRQ during teardown
Vedang Nagar <quic_vnagar@quicinc.com>
media: venus: Add a check for packet size after reading from shared memory
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
media: qcom: camss: cleanup media device allocated resource on error path
Zhang Shurong <zhang_shurong@foxmail.com>
media: ov2659: Fix memory leaks in ov2659_probe()
Gui-Dong Han <hanguidong02@gmail.com>
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
Ludwig Disterhof <ludwig@disterhof.eu>
media: usbtv: Lock resolution while streaming
Sakari Ailus <sakari.ailus@linux.intel.com>
media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
Hans Verkuil <hverkuil@xs4all.nl>
media: vivid: fix wrong pixel_array control size
Haoxiang Li <haoxiang_li2024@163.com>
media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
Bingbu Cao <bingbu.cao@intel.com>
media: hi556: correct the test pattern configuration
Dan Carpenter <dan.carpenter@linaro.org>
media: gspca: Add bounds checking to firmware parser
John David Anglin <dave.anglin@bell.net>
parisc: Update comments in make_insert_tlb
John David Anglin <dave.anglin@bell.net>
parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault()
John David Anglin <dave.anglin@bell.net>
parisc: Revise gateway LWS calls to probe user read access
John David Anglin <dave.anglin@bell.net>
parisc: Revise __get_user() to probe user read access
Randy Dunlap <rdunlap@infradead.org>
parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers
John David Anglin <dave.anglin@bell.net>
parisc: Check region is readable by user in raw_copy_from_user()
Jon Hunter <jonathanh@nvidia.com>
soc/tegra: pmc: Ensure power-domains are in a known state
Baokun Li <libaokun1@huawei.com>
jbd2: prevent softlockup in jbd2_log_do_checkpoint()
Will Deacon <will@kernel.org>
vhost/vsock: Avoid allocating arbitrarily-sized SKBs
Will Deacon <will@kernel.org>
vsock/virtio: Validate length in packet header before skb_put()
Damien Le Moal <dlemoal@kernel.org>
PCI: endpoint: Fix configfs group removal on driver teardown
Damien Le Moal <dlemoal@kernel.org>
PCI: endpoint: Fix configfs group list head handling
Thomas Fourier <fourier.thomas@gmail.com>
mtd: rawnand: renesas: Add missing check after DMA map
Thomas Fourier <fourier.thomas@gmail.com>
mtd: rawnand: fsmc: Add missing check after DMA map
Gabor Juhos <j4g8y7@gmail.com>
mtd: spinand: propagate spinand_wait() errors from spinand_write_page()
Michael Walle <mwalle@kernel.org>
mtd: spi-nor: Fix spi_nor_try_unlock_all()
Tim Harvey <tharvey@gateworks.com>
hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: mediatek: Fix duty and period setting
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: mediatek: Handle hardware enable and clock enable separately
Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
pwm: imx-tpm: Reset counter if CMOD is 0
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix dest ring-buffer corruption when ring is full
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix source ring-buffer corruption
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix dest ring-buffer corruption
Nathan Chancellor <nathan@kernel.org>
wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()
David Lechner <dlechner@baylibre.com>
iio: adc: ad_sigma_delta: change to buffer predisable
David Lechner <dlechner@baylibre.com>
iio: imu: bno055: fix OOB access of hw_xlate array
Marek Szyprowski <m.szyprowski@samsung.com>
zynq_fpga: use sgtable-based scatterlist wrappers
Adrian Hunter <adrian.hunter@intel.com>
scsi: ufs: ufs-pci: Fix default runtime and system PM levels
Archana Patni <archana.patni@intel.com>
scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers
Damien Le Moal <dlemoal@kernel.org>
ata: libata-scsi: Fix ata_to_sense_error() status handling
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Fix race between config read submit and interrupt completion
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: display: sprd,sharkl3-dsi-host: Fix missing clocks constraints
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints
Zhang Yi <yi.zhang@huawei.com>
ext4: fix hole length calculation overflow in non-extent inodes
Liao Yuanhong <liaoyuanhong@vivo.com>
ext4: use kmalloc_array() for array space allocation
Theodore Ts'o <tytso@mit.edu>
ext4: don't try to clear the orphan_present feature block device is r/o
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: fix reserved gdt blocks handling in fsmap
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: fix fsmap end of range reporting with bigalloc
Andreas Dilger <adilger@dilger.ca>
ext4: check fast symlink for ea_inode correctly
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: extend the connection limiting mechanism to support IPv6
Helge Deller <deller@gmx.de>
Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
Eric Biggers <ebiggers@kernel.org>
lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
vt: defkeymap: Map keycodes above 127 to K_HOLE
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
vt: keyboard: Don't process Unicode characters in K_OFF mode
Youssef Samir <quic_yabdulra@quicinc.com>
bus: mhi: host: Detect events pointing to unexpected TREs
Alexander Wilhelm <alexander.wilhelm@westermo.com>
bus: mhi: host: Fix endianness of BHI vector table
Johan Hovold <johan@kernel.org>
usb: dwc3: meson-g12a: fix device leaks at unbind
Johan Hovold <johan@kernel.org>
usb: gadget: udc: renesas_usb3: fix device leak at unbind
Nathan Chancellor <nathan@kernel.org>
usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
Finn Thain <fthain@linux-m68k.org>
m68k: Fix lost column on framebuffer debug console
Dan Carpenter <dan.carpenter@linaro.org>
cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()
Yunhui Cui <cuiyunhui@bytedance.com>
serial: 8250: fix panic due to PSLVERR
Aditya Garg <gargaditya08@live.com>
HID: apple: avoid setting up battery timer for devices without battery
Aditya Garg <gargaditya08@live.com>
HID: magicmouse: avoid setting up battery timer when not needed
Willy Tarreau <w@1wt.eu>
tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Do not mark valid metadata as invalid
Youngjun Lee <yjjuny.lee@samsung.com>
media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
Breno Leitao <leitao@debian.org>
mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
Waiman Long <longman@redhat.com>
mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
Randy Dunlap <rdunlap@infradead.org>
parisc: Makefile: fix a typo in palo.conf
Haiyang Zhang <haiyangz@microsoft.com>
hv_netvsc: Fix panic during namespace deletion with VF
Sravan Kumar Gundu <sravankumarlpu@gmail.com>
fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
Qu Wenruo <wqu@suse.com>
btrfs: do not allow relocation of partially dropped subvolumes
Filipe Manana <fdmanana@suse.com>
btrfs: fix log tree replay failure due to file with 0 links and extents
Naohiro Aota <naohiro.aota@wdc.com>
btrfs: zoned: do not remove unwritten non-data block group
Filipe Manana <fdmanana@suse.com>
btrfs: abort transaction during log replay if walk_log_tree() failed
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: zoned: use filesystem size not disk size for reclaim decision
Oliver Neukum <oneukum@suse.com>
cdc-acm: fix race between initial clearing halt and open
Eric Biggers <ebiggers@kernel.org>
thunderbolt: Fix copy+paste error in match_service_id()
Ian Abbott <abbotti@mev.co.uk>
comedi: fix race between polling and detaching
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
usb: typec: ucsi: Update power_supply on power role change
Ricky Wu <ricky_wu@realtek.com>
misc: rtsx: usb: Ensure mmc child device is active when card is present
Xinyu Liu <katieeliu@tencent.com>
usb: core: config: Prevent OOB read in SS endpoint companion parsing
Baokun Li <libaokun1@huawei.com>
ext4: fix largest free orders lists corruption on mb_optimize_scan switch
Baokun Li <libaokun1@huawei.com>
ext4: fix zombie groups in average fragment size lists
Jack Xiao <Jack.Xiao@amd.com>
drm/amdgpu: fix incorrect vm flags to map bo
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_sai: replace regmap_write with regmap_update_bits
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: fsl: merge DAI call back functions into ops
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dai.h: merge DAI call back functions into ops
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
scsi: lpfc: Remove redundant assignment to avoid memory leak
Meagan Lloyd <meaganlloyd@linux.microsoft.com>
rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Fix uninited ptr deref in block/scsi layout
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Handle RPC size limit for layoutcommits
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Fix disk addr range check in block/scsi layout
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Fix stripe mapping in block/scsi layout
John Garry <john.g.garry@oracle.com>
block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: avs: Fix uninitialized pointer error in probe()
Buday Csaba <buday.csaba@prolan.hu>
net: phy: smsc: add proper reset flags for LAN8710A
Corey Minyard <corey@minyard.net>
ipmi: Fix strcpy source and destination the same
Yann E. MORIN <yann.morin.1998@free.fr>
kconfig: lxdialog: fix 'space' to (de)select options
Masahiro Yamada <masahiroy@kernel.org>
kconfig: gconf: fix potential memory leak in renderer_edited()
Masahiro Yamada <masahiroy@kernel.org>
kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()
Breno Leitao <leitao@debian.org>
ipmi: Use dev_warn_ratelimited() for incorrect message warnings
Artem Sadovnikov <a.sadovnikov@ispras.ru>
vfio/mlx5: fix possible overflow in tracking max message size
John Garry <john.g.garry@oracle.com>
scsi: aacraid: Stop using PCI_IRQ_AFFINITY
Maurizio Lombardi <mlombard@redhat.com>
scsi: target: core: Generate correct identifiers for PR OUT transport IDs
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
Shankari Anand <shankari.ak0208@gmail.com>
kconfig: nconf: Ensure null termination where strncpy is used
Keith Busch <kbusch@kernel.org>
vfio/type1: conditional rescheduling while pinning
Suchit Karunakaran <suchitkarunakaran@gmail.com>
kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
fangzhong.zhou <myth5@myth5.com>
i2c: Force DLL0945 touchpad i2c freq to 100khz
Mateusz Guzik <mjguzik@gmail.com>
apparmor: use the condition in AA_BUG_FMT even with debug disabled
Benjamin Marzinski <bmarzins@redhat.com>
dm-table: fix checking for rq stackable devices
Mikulas Patocka <mpatocka@redhat.com>
dm-mpath: don't print the "loaded" message if registering fails
Jorge Marques <jorge.marques@analog.com>
i3c: master: Initialize ret in i3c_i2c_notifier_call()
Wolfram Sang <wsa+renesas@sang-engineering.com>
i3c: don't fail if GETHDRCAP is unsupported
Meagan Lloyd <meaganlloyd@linux.microsoft.com>
rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
Wolfram Sang <wsa+renesas@sang-engineering.com>
i3c: add missing include to internal header
Petr Pavlu <petr.pavlu@suse.com>
module: Prevent silent truncation of module name in delete_module(2)
Purva Yeshi <purvayeshi550@gmail.com>
md: dm-zoned-target: Initialize return variable r to avoid uninitialized use
Bharat Bhushan <bbhushan2@marvell.com>
crypto: octeontx2 - add timeout for load_fvc completion poll
chenchangcheng <chenchangcheng@kylinos.cn>
media: uvcvideo: Fix bandwidth issue for Alcor camera
Alex Guo <alexguo1023@gmail.com>
media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
Alex Guo <alexguo1023@gmail.com>
media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
Wolfram Sang <wsa+renesas@sang-engineering.com>
media: usb: hdpvr: disable zero-length read messages
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: tc358743: Increase FIFO trigger level to 374
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: tc358743: Return an appropriate colorspace from tc358743_set_fmt
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: tc358743: Check I2C succeeded during probe
Cheick Traore <cheick.traore@foss.st.com>
pinctrl: stm32: Manage irq affinity settings
Damien Le Moal <dlemoal@kernel.org>
scsi: mpi3mr: Correctly handle ATA device errors
Damien Le Moal <dlemoal@kernel.org>
scsi: mpt3sas: Correctly handle ATA device errors
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
Arnd Bergmann <arnd@arndb.de>
RDMA/core: reduce stack using in nldev_stat_get_doit()
Yury Norov [NVIDIA] <yury.norov@gmail.com>
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
Amelie Delaunay <amelie.delaunay@foss.st.com>
dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs
Johan Adolfsson <johan.adolfsson@axis.com>
leds: leds-lp50xx: Handle reg to get correct multi_index
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control
Shiji Yang <yangshiji66@outlook.com>
MIPS: lantiq: falcon: sysctrl: fix request memory check logic
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
MIPS: Don't crash in stack_top() for tasks without ABI or vDSO
Arnaud Lecomte <contact@arnaud-lcm.com>
jfs: upper bound check of tree index in dbAllocAG
Edward Adam Davis <eadavis@qq.com>
jfs: Regular file corruption check
Lizhi Xu <lizhi.xu@windriver.com>
jfs: truncate good inode pages when hard link is 0
jackysliu <1972843537@qq.com>
scsi: bfa: Double-free fix
Ziyan Fu <fuzy5@lenovo.com>
watchdog: iTCO_wdt: Report error if timeout configuration fails
Shiji Yang <yangshiji66@outlook.com>
MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}
Florin Leotescu <florin.leotescu@nxp.com>
hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state
Sebastian Reichel <sebastian.reichel@collabora.com>
watchdog: dw_wdt: Fix default timeout
Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
fs/orangefs: use snprintf() instead of sprintf()
Showrya M N <showrya@chelsio.com>
scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
Theodore Ts'o <tytso@mit.edu>
ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
Zhiqi Song <songzhiqi1@huawei.com>
crypto: hisilicon/hpre - fix dma unmap sequence
Yongzhen Zhang <zhangyongzhen@kylinos.cn>
fbdev: fix potential buffer overflow in do_register_framebuffer()
Pali Rohár <pali@kernel.org>
cifs: Fix calling CIFSFindFirst() for root path without msearch
Aaron Plattner <aplattner@nvidia.com>
watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Only finalize atomic_obj if it was initialized
Jason Wang <jasowang@redhat.com>
vhost: fail early when __vhost_add_used() fails
Will Deacon <will@kernel.org>
vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/ttm: Respect the shrinker core free target
Yonghong Song <yonghong.song@linux.dev>
selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size
Jakub Kicinski <kuba@kernel.org>
uapi: in6: restore visibility of most IPv6 socket options
Emily Deng <Emily.Deng@amd.com>
drm/ttm: Should to return the evict error
Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
net: ncsi: Fix buffer overflow in fetching version id
Shannon Nelson <shannon.nelson@amd.com>
ionic: clean dbpage in de-init
Thomas Fourier <fourier.thomas@gmail.com>
wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
Breno Leitao <leitao@debian.org>
ptp: Use ratelimite for freerun error message
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: prevent DIS_LEARNING access on BCM5325
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
Alok Tiwari <alok.a.tiwari@oracle.com>
gve: Return error for unknown admin queue command
Gal Pressman <gal@nvidia.com>
net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual
Heiner Kallweit <hkallweit1@gmail.com>
dpaa_eth: don't use fixed_phy_change_carrier
Nicolas Escande <nico.escande@gmail.com>
neighbour: add support for NUD_PERMANENT proxy entries
Stanislaw Gruszka <stf_xl@wp.pl>
wifi: iwlegacy: Check rate_idx range after addition
Mina Almasry <almasrymina@google.com>
netmem: fix skb_frag_address_safe with unreadable skbs
Thomas Fourier <fourier.thomas@gmail.com>
powerpc: floppy: Add missing checks after DMA map
Thomas Fourier <fourier.thomas@gmail.com>
wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.
Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
wifi: mac80211: update radar_required in channel context after channel switch
Wen Chen <Wen.Chen3@amd.com>
drm/amd/display: Fix 'failed to blank crtc!'
Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
Rand Deeb <rand.sec96@gmail.com>
wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
Ilya Bakoulin <Ilya.Bakoulin@amd.com>
drm/amd/display: Separate set_gsl from set_gsl_source_select
Jonas Rebmann <jre@pengutronix.de>
net: fec: allow disable coalescing
Eric Work <work.eric@gmail.com>
net: atlantic: add set_power to fw_ops for atl2 to fix wol
zhangjianrong <zhangjianrong5@huawei.com>
net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
zhangjianrong <zhangjianrong5@huawei.com>
net: thunderbolt: Enable end-to-end flow control also in transmit
Mark Brown <broonie@kernel.org>
kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtw89: Disable deep power saving for USB/SDIO
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtw89: Fix rtw89_mac_power_switch() for USB
Rob Clark <robdclark@chromium.org>
drm/msm: use trylock for debugfs
Kuniyuki Iwashima <kuniyu@google.com>
ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc().
Thomas Fourier <fourier.thomas@gmail.com>
(powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: don't complete management TX on SAE commit
Chris Mason <clm@fb.com>
sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails
Sven Schnelle <svens@linux.ibm.com>
s390/stp: Remove udelay from stp_sync_clock()
Avraham Stern <avraham.stern@intel.com>
wifi: iwlwifi: mvm: fix scan request validation
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
um: Re-evaluate thread flags repeatedly
Alok Tiwari <alok.a.tiwari@oracle.com>
net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
Oscar Maes <oscmaes92@gmail.com>
net: ipv4: fix incorrect MTU in broadcast routes
Ilan Peer <ilan.peer@intel.com>
wifi: cfg80211: Fix interface type validation
Matt Johnston <matt@codeconstruct.com.au>
net: mctp: Prevent duplicate binds
Paul E. McKenney <paulmck@kernel.org>
rcu: Protect ->defer_qs_iw_pending from data race
Breno Leitao <leitao@debian.org>
arm64: Mark kernel as tainted on SAE and SError panic
Leon Romanovsky <leon@kernel.org>
net/mlx5e: Properly access RCU protected qdisc_sleeping variable
Thomas Fourier <fourier.thomas@gmail.com>
net: ag71xx: Add missing check after DMA map
Thomas Fourier <fourier.thomas@gmail.com>
et131x: Add missing check after DMA map
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB
Alok Tiwari <alok.a.tiwari@oracle.com>
be2net: Use correct byte order and format string for TCP seq and ack_seq
Sven Schnelle <svens@linux.ibm.com>
s390/time: Use monotonic clock in get_cycles()
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: reject HTC bit for management frames
Steven Rostedt <rostedt@goodmis.org>
ktest.pl: Prevent recursion of default variable options
Oliver Neukum <oneukum@suse.com>
net: usb: cdc-ncm: check for filtering capability
Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
xen/netfront: Fix TX response spurious interrupts
Xinxin Wan <xinxin.wan@intel.com>
ASoC: codecs: rt5640: Retry DEVICE_ID verification
Jonathan Santos <Jonathan.Santos@analog.com>
iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
Christophe Leroy <christophe.leroy@csgroup.eu>
ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
Lucy Thrun <lucy.thrun@digital-rabbithole.de>
ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
Tomasz Michalec <tmichalec@google.com>
platform/chrome: cros_ec_typec: Defer probe on missing EC parent
Kees Cook <kees@kernel.org>
platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
Gautham R. Shenoy <gautham.shenoy@amd.com>
pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()
Oliver Neukum <oneukum@suse.com>
usb: core: usb_submit_urb: downgrade type check
Tomasz Michalec <tmichalec@google.com>
usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
Alok Tiwari <alok.a.tiwari@oracle.com>
ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
Mark Brown <broonie@kernel.org>
ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
x86/bugs: Avoid warning when overriding return thunk
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Disable jack polling at shutdown
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Handle the jack polling always via a work
Ulf Hansson <ulf.hansson@linaro.org>
mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
Hans de Goede <hansg@kernel.org>
mei: bus: Check for still connected devices in mei_cl_bus_dev_release()
Peter Robinson <pbrobinson@gmail.com>
reset: brcmstb: Enable reset drivers for ARCH_BCM2835
Eliav Farber <farbere@amazon.com>
pps: clients: gpio: fix interrupt handling order in remove path
Breno Leitao <leitao@debian.org>
ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
Sarthak Garg <quic_sartgarg@quicinc.com>
mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
Sebastian Ott <sebott@redhat.com>
ACPI: processor: fix acpi_object initialization
tuhaowen <tuhaowen@uniontech.com>
PM: sleep: console: Fix the black screen issue
Hsin-Te Yuan <yuanhsinte@chromium.org>
thermal: sysfs: Return ENODATA instead of EAGAIN for reads
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
Zhu Qiyu <qiyuzhu2@amd.com>
ACPI: PRM: Reduce unnecessary printing to avoid user confusion
Masami Hiramatsu (Google) <mhiramat@kernel.org>
selftests: tracing: Use mutex_unlock for testing glob filter
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
tools/build: Fix s390(x) cross-compilation with clang
Aaron Kling <webgeek1234@gmail.com>
ARM: tegra: Use I/O memcpy to write to IRAM
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpio: tps65912: check the return value of regmap_update_bits()
David Lechner <dlechner@baylibre.com>
iio: adc: ad_sigma_delta: don't overallocate scan buffer
Thomas Weißschuh <linux@weissschuh.net>
tools/nolibc: define time_t in terms of __kernel_old_time_t
David Collins <david.collins@oss.qualcomm.com>
thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed
Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
EDAC/synopsys: Clear the ECC counters on init
Lifeng Zheng <zhenglifeng1@huawei.com>
PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store()
Alexander Kochetkov <al.kochet@gmail.com>
ARM: rockchip: fix kernel hang during smp initialization
Lifeng Zheng <zhenglifeng1@huawei.com>
cpufreq: Exit governor when failed to start old governor
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpio: wcd934x: check the return value of regmap_update_bits()
Hiago De Franco <hiago.franco@toradex.com>
remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU
Mario Limonciello <mario.limonciello@amd.com>
usb: xhci: Avoid showing errors during surprise removal
Jay Chen <shawn2000100@gmail.com>
usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
Mario Limonciello <mario.limonciello@amd.com>
usb: xhci: Avoid showing warnings for dying controller
Benson Leung <bleung@chromium.org>
usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
Cynthia Huang <cynthia@andestech.com>
selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t
Prashant Malani <pmalani@google.com>
cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
Su Hui <suhui@nfschina.com>
usb: xhci: print xhci->xhc_state when queue_command failed
Al Viro <viro@zeniv.linux.org.uk>
securityfs: don't pin dentries twice, once is enough...
Al Viro <viro@zeniv.linux.org.uk>
fix locking in efi_secret_unlink()
Wei Gao <wegao@suse.com>
ext2: Handle fiemap on empty files to prevent EINVAL
Rong Zhang <ulin0208@gmail.com>
fs/ntfs3: correctly create symlink for relative path
Lizhi Xu <lizhi.xu@windriver.com>
fs/ntfs3: Add sanity check for file name
Damien Le Moal <dlemoal@kernel.org>
ata: libata-sata: Disallow changing LPM state if not supported
Al Viro <viro@zeniv.linux.org.uk>
better lockdep annotations for simple_recursive_removal()
Viacheslav Dubeyko <slava@dubeyko.com>
hfs: fix not erasing deleted b-tree node issue
Sarah Newman <srn@prgmr.com>
drbd: add missing kref_get in handle_write_conflicts
Jan Kara <jack@suse.cz>
udf: Verify partition map count
NeilBrown <neil@brown.name>
smb/server: avoid deadlock when linking with ReplaceIfExists
Kees Cook <kees@kernel.org>
arm64: Handle KCOV __init vs inline mismatches
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
Viacheslav Dubeyko <slava@dubeyko.com>
hfs: fix slab-out-of-bounds in hfs_bnode_read()
Florian Westphal <fw@strlen.de>
netfilter: ctnetlink: fix refcount leak on table dump
Sabrina Dubroca <sd@queasysnail.net>
udp: also consider secpath when evaluating ipsec use for checksumming
Maxim Levitsky <mlevitsk@redhat.com>
KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest
Maxim Levitsky <mlevitsk@redhat.com>
KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs
Maxim Levitsky <mlevitsk@redhat.com>
KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter
Sean Christopherson <seanjc@google.com>
KVM: VMX: Extract checking of guest's DEBUGCTL into helper
Sean Christopherson <seanjc@google.com>
KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
Sean Christopherson <seanjc@google.com>
KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag
Sean Christopherson <seanjc@google.com>
KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap
Sean Christopherson <seanjc@google.com>
KVM: x86: Fully defer to vendor code to decide how to force immediate exit
Sean Christopherson <seanjc@google.com>
KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2
Sean Christopherson <seanjc@google.com>
KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers
Sean Christopherson <seanjc@google.com>
KVM: VMX: Handle forced exit due to preemption timer in fastpath
Sean Christopherson <seanjc@google.com>
KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits
Sean Christopherson <seanjc@google.com>
KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint
Sean Christopherson <seanjc@google.com>
KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs
Sean Christopherson <seanjc@google.com>
KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs
Sean Christopherson <seanjc@google.com>
KVM: x86: Snapshot the host's DEBUGCTL in common x86
Chao Gao <chao.gao@intel.com>
KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID
Sean Christopherson <seanjc@google.com>
KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update()
Sean Christopherson <seanjc@google.com>
KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC)
Sean Christopherson <seanjc@google.com>
KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: processor: perflib: Move problematic pr->performance check
Jiayi Li <lijiayi@kylinos.cn>
ACPI: processor: perflib: Fix initial _PPC limit application
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Documentation: ACPI: Fix parent device references
Jann Horn <jannh@google.com>
eventpoll: Fix semi-unbounded recursion
Sasha Levin <sashal@kernel.org>
fs: Prevent file descriptor table allocations exceeding INT_MAX
Ma Ke <make24@iscas.ac.cn>
sunvdc: Balance device refcount in vdc_port_mpgroup_check
Haoran Jiang <jianghaoran@kylinos.cn>
LoongArch: BPF: Fix jump offset calculation in tailcall
Huacai Chen <chenhuacai@kernel.org>
PCI: Extend isolated function probing to LoongArch
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix the setting of capabilities when automounting a new filesystem
Dai Ngo <dai.ngo@oracle.com>
NFSD: detect mismatch of file handle and delegation stateid in OPEN op
Jeff Layton <jlayton@kernel.org>
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Xu Yang <xu.yang_2@nxp.com>
net: usb: asix_devices: add phy_mask for ax88772 mdio bus
Johan Hovold <johan@kernel.org>
net: dpaa: fix device leak when querying time stamp info
Johan Hovold <johan@kernel.org>
net: mtk_eth_soc: fix device leak at probe
Johan Hovold <johan@kernel.org>
net: gianfar: fix device leak when querying time stamp info
Florian Larysch <fl@n621.de>
net: phy: micrel: fix KSZ8081/KSZ8091 cable test
Fedor Pchelkin <pchelkin@ispras.ru>
netlink: avoid infinite retry looping in netlink_unicast()
David Thompson <davthompson@nvidia.com>
gpio: mlxbf2: use platform_get_irq_optional()
Harald Mommer <harald.mommer@oss.qualcomm.com>
gpio: virtio: Fix config space reading.
Wang Zhaolong <wangzhaolong@huaweicloud.com>
smb: client: remove redundant lstrp update in negotiate protocol
Steve French <stfrench@microsoft.com>
smb3: fix for slab out of bounds on mount to ksmbd
Christopher Eby <kreed@kreed.org>
ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks
Vasiliy Kovalev <kovalev@altlinux.org>
ALSA: hda/realtek: Fix headset mic on HONOR BRB-X
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Validate UAC3 power domain descriptors, too
Pavel Begunkov <asml.silence@gmail.com>
io_uring: don't use int for ABI
-------------
Diffstat:
.../bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +-
.../display/sprd/sprd,sharkl3-dsi-host.yaml | 2 +-
Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 +-
Documentation/networking/bonding.rst | 12 ++
Documentation/networking/mptcp-sysctl.rst | 2 +
Makefile | 6 +-
arch/arm/Makefile | 2 +-
arch/arm/mach-rockchip/platsmp.c | 15 +-
arch/arm/mach-tegra/reset.c | 2 +-
arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 1 -
arch/arm64/include/asm/acpi.h | 2 +-
arch/arm64/kernel/cpufeature.c | 1 +
arch/arm64/kernel/entry.S | 6 +
arch/arm64/kernel/fpsimd.c | 4 +-
arch/arm64/kernel/traps.c | 1 +
arch/arm64/mm/fault.c | 1 +
arch/arm64/mm/ptdump_debugfs.c | 3 -
arch/loongarch/net/bpf_jit.c | 21 +-
arch/m68k/kernel/head.S | 31 ++-
arch/mips/crypto/chacha-core.S | 20 +-
arch/mips/include/asm/vpe.h | 8 +
arch/mips/kernel/process.c | 16 +-
arch/mips/lantiq/falcon/sysctrl.c | 23 +--
arch/parisc/Makefile | 6 +-
arch/parisc/include/asm/special_insns.h | 28 +++
arch/parisc/include/asm/uaccess.h | 21 +-
arch/parisc/kernel/entry.S | 17 +-
arch/parisc/kernel/syscall.S | 30 ++-
arch/parisc/lib/memcpy.c | 19 +-
arch/parisc/mm/fault.c | 4 +
arch/powerpc/include/asm/floppy.h | 5 +-
arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 +-
arch/s390/hypfs/hypfs_dbfs.c | 19 +-
arch/s390/include/asm/timex.h | 13 +-
arch/s390/kernel/time.c | 2 +-
arch/s390/mm/dump_pagetables.c | 2 -
arch/um/include/asm/thread_info.h | 4 +
arch/um/kernel/process.c | 18 +-
arch/x86/events/intel/core.c | 2 +-
arch/x86/include/asm/kvm-x86-ops.h | 2 -
arch/x86/include/asm/kvm_host.h | 24 ++-
arch/x86/include/asm/msr-index.h | 1 +
arch/x86/include/asm/reboot.h | 5 +-
arch/x86/include/asm/virtext.h | 10 -
arch/x86/include/asm/xen/hypercall.h | 5 +-
arch/x86/kernel/cpu/bugs.c | 5 +-
arch/x86/kernel/cpu/hygon.c | 3 +
arch/x86/kernel/cpu/mce/amd.c | 13 +-
arch/x86/kernel/reboot.c | 43 ++--
arch/x86/kvm/hyperv.c | 10 +-
arch/x86/kvm/lapic.c | 61 ++++--
arch/x86/kvm/lapic.h | 1 +
arch/x86/kvm/svm/svm.c | 49 +++--
arch/x86/kvm/svm/vmenter.S | 9 +-
arch/x86/kvm/trace.h | 9 +-
arch/x86/kvm/vmx/nested.c | 26 ++-
arch/x86/kvm/vmx/pmu_intel.c | 8 +-
arch/x86/kvm/vmx/vmx.c | 183 +++++++++++------
arch/x86/kvm/vmx/vmx.h | 31 ++-
arch/x86/kvm/x86.c | 65 +++---
arch/x86/kvm/x86.h | 12 ++
block/blk-core.c | 26 ++-
block/blk-settings.c | 2 +-
drivers/acpi/acpi_processor.c | 2 +-
drivers/acpi/apei/ghes.c | 2 +
drivers/acpi/pfr_update.c | 2 +-
drivers/acpi/prmt.c | 26 ++-
drivers/acpi/processor_perflib.c | 11 +
drivers/ata/Kconfig | 35 +++-
drivers/ata/libata-sata.c | 5 +
drivers/ata/libata-scsi.c | 20 +-
drivers/base/power/runtime.c | 5 +
drivers/block/drbd/drbd_receiver.c | 6 +-
drivers/block/sunvdc.c | 4 +-
drivers/bus/mhi/host/boot.c | 8 +-
drivers/bus/mhi/host/internal.h | 4 +-
drivers/bus/mhi/host/main.c | 12 +-
drivers/char/ipmi/ipmi_msghandler.c | 8 +-
drivers/char/ipmi/ipmi_watchdog.c | 59 ++++--
drivers/comedi/comedi_fops.c | 38 +++-
drivers/comedi/comedi_internal.h | 1 +
drivers/comedi/drivers.c | 40 ++--
drivers/comedi/drivers/pcl726.c | 3 +-
drivers/cpufreq/armada-8k-cpufreq.c | 2 +-
drivers/cpufreq/cppc_cpufreq.c | 2 +-
drivers/cpufreq/cpufreq.c | 8 +-
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 +-
.../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 +-
drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 ++
drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 +
drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 +
drivers/crypto/qat/qat_common/adf_init.c | 3 +
drivers/devfreq/governor_userspace.c | 6 +-
drivers/dma/stm32-dma.c | 2 +-
drivers/edac/synopsys_edac.c | 93 ++++-----
drivers/fpga/zynq-fpga.c | 10 +-
drivers/gpio/gpio-mlxbf2.c | 2 +-
drivers/gpio/gpio-tps65912.c | 7 +-
drivers/gpio/gpio-virtio.c | 9 +-
drivers/gpio/gpio-wcd934x.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 57 +++---
drivers/gpu/drm/amd/amdkfd/kfd_module.c | 2 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +-
.../gpu/drm/amd/display/dc/bios/command_table.c | 2 +-
drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 1 -
.../amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 2 -
.../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 40 ++--
.../amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 31 +--
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 11 +-
.../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 +
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 +
drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++--
drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 +-
drivers/gpu/drm/msm/msm_gem.c | 3 +-
drivers/gpu/drm/msm/msm_gem.h | 6 +
drivers/gpu/drm/scheduler/sched_entity.c | 21 +-
drivers/gpu/drm/ttm/ttm_pool.c | 8 +-
drivers/gpu/drm/ttm/ttm_resource.c | 3 +
drivers/hid/hid-apple.c | 13 +-
drivers/hid/hid-magicmouse.c | 56 ++++--
drivers/hwmon/emc2305.c | 10 +-
drivers/hwmon/gsc-hwmon.c | 4 +-
drivers/i2c/i2c-core-acpi.c | 1 +
drivers/i3c/internals.h | 1 +
drivers/i3c/master.c | 4 +-
drivers/iio/adc/ad7768-1.c | 23 ++-
drivers/iio/adc/ad_sigma_delta.c | 6 +-
drivers/iio/imu/bno055/bno055.c | 11 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 6 +-
drivers/iio/light/as73211.c | 2 +-
drivers/iio/light/hid-sensor-prox.c | 8 +-
drivers/iio/pressure/bmp280-core.c | 9 +-
drivers/iio/proximity/isl29501.c | 14 +-
drivers/iio/temperature/maxim_thermocouple.c | 26 ++-
drivers/infiniband/core/nldev.c | 22 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 +
drivers/infiniband/hw/erdma/erdma_verbs.c | 4 +-
drivers/infiniband/hw/hfi1/affinity.c | 44 ++--
drivers/iommu/amd/init.c | 4 +-
drivers/leds/leds-lp50xx.c | 11 +-
drivers/md/dm-ps-historical-service-time.c | 4 +-
drivers/md/dm-ps-queue-length.c | 4 +-
drivers/md/dm-ps-round-robin.c | 4 +-
drivers/md/dm-ps-service-time.c | 4 +-
drivers/md/dm-table.c | 10 +-
drivers/md/dm-zoned-target.c | 2 +-
drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 +-
drivers/media/dvb-frontends/dib7000p.c | 8 +
drivers/media/i2c/hi556.c | 26 +--
drivers/media/i2c/ov2659.c | 3 +-
drivers/media/i2c/tc358743.c | 86 +++++---
drivers/media/platform/qcom/camss/camss.c | 4 +-
drivers/media/platform/qcom/venus/core.c | 8 +-
drivers/media/platform/qcom/venus/core.h | 2 +
drivers/media/platform/qcom/venus/helpers.c | 2 +-
drivers/media/platform/qcom/venus/hfi_helper.h | 61 +++++-
drivers/media/platform/qcom/venus/hfi_msgs.c | 85 +++++---
drivers/media/platform/qcom/venus/hfi_venus.c | 5 +
drivers/media/platform/qcom/venus/vdec.c | 13 +-
drivers/media/platform/qcom/venus/vdec_ctrls.c | 2 +-
drivers/media/platform/qcom/venus/venc.c | 9 +-
drivers/media/platform/qcom/venus/venc_ctrls.c | 2 +-
drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 +-
drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 +-
drivers/media/usb/gspca/vicam.c | 10 +-
drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 +
drivers/media/usb/usbtv/usbtv-video.c | 4 +
drivers/media/usb/uvc/uvc_driver.c | 3 +
drivers/media/usb/uvc/uvc_video.c | 21 +-
drivers/media/v4l2-core/v4l2-common.c | 8 +-
drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 -
drivers/memstick/core/memstick.c | 1 -
drivers/memstick/host/rtsx_usb_ms.c | 1 +
drivers/misc/cardreader/rtsx_usb.c | 16 +-
drivers/misc/mei/bus.c | 6 +
drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +-
drivers/mmc/host/sdhci-msm.c | 14 ++
drivers/mmc/host/sdhci-pci-gli.c | 33 +--
drivers/most/core.c | 2 +-
drivers/mtd/nand/raw/fsmc_nand.c | 2 +
drivers/mtd/nand/raw/renesas-nand-controller.c | 6 +
drivers/mtd/nand/spi/core.c | 5 +-
drivers/mtd/spi-nor/swp.c | 19 +-
drivers/net/bonding/bond_3ad.c | 224 ++++++++++++++++++---
drivers/net/bonding/bond_main.c | 1 +
drivers/net/bonding/bond_netlink.c | 16 ++
drivers/net/bonding/bond_options.c | 29 ++-
drivers/net/dsa/b53/b53_common.c | 63 ++++--
drivers/net/dsa/b53/b53_regs.h | 2 +
drivers/net/dummy.c | 1 +
drivers/net/ethernet/agere/et131x.c | 36 ++++
drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 2 +
.../aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 ++++
drivers/net/ethernet/atheros/ag71xx.c | 9 +
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +-
drivers/net/ethernet/emulex/benet/be_main.c | 8 +-
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 -
drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +-
drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 +-
drivers/net/ethernet/freescale/fec_main.c | 34 ++--
drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +-
drivers/net/ethernet/google/gve/gve_adminq.c | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 2 +
drivers/net/ethernet/intel/igc/igc_main.c | 14 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 4 +-
drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 2 +
drivers/net/ethernet/mediatek/mtk_wed.c | 1 -
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +-
drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 +
drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 +
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 +-
drivers/net/geneve.c | 1 +
drivers/net/hyperv/hyperv_net.h | 3 +
drivers/net/hyperv/netvsc_drv.c | 29 ++-
drivers/net/loopback.c | 1 +
drivers/net/phy/micrel.c | 2 +
drivers/net/phy/mscc/mscc.h | 12 ++
drivers/net/phy/mscc/mscc_main.c | 12 ++
drivers/net/phy/mscc/mscc_ptp.c | 49 +++--
drivers/net/phy/smsc.c | 1 +
drivers/net/ppp/ppp_generic.c | 17 +-
drivers/net/thunderbolt.c | 21 +-
drivers/net/usb/asix_devices.c | 1 +
drivers/net/usb/cdc_ncm.c | 20 +-
drivers/net/veth.c | 1 +
drivers/net/vxlan/vxlan_core.c | 1 +
drivers/net/wireless/ath/ath11k/ce.c | 3 -
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 -
drivers/net/wireless/ath/ath11k/hal.c | 33 ++-
.../broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +-
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 +-
drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 +-
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
drivers/net/wireless/realtek/rtlwifi/pci.c | 23 ++-
drivers/net/wireless/realtek/rtw89/core.c | 3 +
drivers/net/wireless/realtek/rtw89/fw.c | 9 +-
drivers/net/wireless/realtek/rtw89/fw.h | 2 +
drivers/net/wireless/realtek/rtw89/mac.c | 19 ++
drivers/net/wireless/realtek/rtw89/reg.h | 1 +
drivers/net/xen-netfront.c | 5 -
drivers/pci/controller/pcie-rockchip-host.c | 49 +++--
drivers/pci/controller/pcie-rockchip.h | 11 +-
drivers/pci/endpoint/pci-ep-cfs.c | 1 +
drivers/pci/endpoint/pci-epf-core.c | 2 +-
drivers/pci/pci-acpi.c | 4 +-
drivers/pci/pci.c | 8 +-
drivers/pci/probe.c | 2 +-
drivers/pinctrl/stm32/pinctrl-stm32.c | 1 +
drivers/platform/chrome/cros_ec.c | 19 +-
drivers/platform/chrome/cros_ec_typec.c | 4 +-
drivers/platform/x86/thinkpad_acpi.c | 4 +-
drivers/pps/clients/pps-gpio.c | 5 +-
drivers/ptp/ptp_clock.c | 2 +-
drivers/pwm/pwm-imx-tpm.c | 9 +
drivers/pwm/pwm-mediatek.c | 71 +++----
drivers/remoteproc/imx_rproc.c | 4 +-
drivers/reset/Kconfig | 10 +-
drivers/rtc/rtc-ds1307.c | 15 +-
drivers/s390/char/sclp.c | 11 +-
drivers/scsi/aacraid/comminit.c | 3 +-
drivers/scsi/bfa/bfad_im.c | 1 +
drivers/scsi/libiscsi.c | 3 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 1 -
drivers/scsi/lpfc/lpfc_scsi.c | 4 +
drivers/scsi/mpi3mr/mpi3mr.h | 6 +-
drivers/scsi/mpi3mr/mpi3mr_fw.c | 17 +-
drivers/scsi/mpi3mr/mpi3mr_os.c | 22 +-
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 ++
drivers/scsi/qla4xxx/ql4_os.c | 2 +
drivers/scsi/scsi_scan.c | 2 +-
drivers/scsi/scsi_transport_sas.c | 62 ++++--
drivers/soc/qcom/mdt_loader.c | 68 ++++++-
drivers/soc/tegra/pmc.c | 51 +++--
drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +-
drivers/target/target_core_fabric_lib.c | 65 ++++--
drivers/target/target_core_internal.h | 4 +-
drivers/target/target_core_pr.c | 18 +-
drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 +++-
drivers/thermal/thermal_sysfs.c | 9 +-
drivers/thunderbolt/domain.c | 2 +-
drivers/tty/serial/8250/8250_port.c | 3 +-
drivers/tty/vt/defkeymap.c_shipped | 112 +++++++++++
drivers/tty/vt/keyboard.c | 2 +-
drivers/ufs/host/ufs-exynos.c | 4 +-
drivers/ufs/host/ufshcd-pci.c | 42 +++-
drivers/usb/atm/cxacru.c | 172 ++++++++--------
drivers/usb/class/cdc-acm.c | 11 +-
drivers/usb/core/config.c | 10 +-
drivers/usb/core/hcd.c | 8 +-
drivers/usb/core/quirks.c | 1 +
drivers/usb/core/urb.c | 2 +-
drivers/usb/dwc3/dwc3-imx8mp.c | 6 +-
drivers/usb/dwc3/dwc3-meson-g12a.c | 3 +
drivers/usb/dwc3/ep0.c | 20 +-
drivers/usb/dwc3/gadget.c | 19 +-
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
drivers/usb/host/xhci-mem.c | 2 +
drivers/usb/host/xhci-pci-renesas.c | 7 +-
drivers/usb/host/xhci-ring.c | 10 +-
drivers/usb/host/xhci.c | 6 +-
drivers/usb/musb/omap2430.c | 20 +-
drivers/usb/storage/realtek_cr.c | 2 +-
drivers/usb/storage/unusual_devs.h | 29 +++
drivers/usb/typec/mux/intel_pmc_mux.c | 2 +-
drivers/usb/typec/tcpm/fusb302.c | 8 +
drivers/usb/typec/ucsi/psy.c | 2 +-
drivers/usb/typec/ucsi/ucsi.c | 1 +
drivers/usb/typec/ucsi/ucsi.h | 7 +-
drivers/vfio/pci/mlx5/cmd.c | 4 +-
drivers/vfio/vfio_iommu_type1.c | 7 +
drivers/vhost/vhost.c | 3 +
drivers/vhost/vsock.c | 6 +-
drivers/video/console/vgacon.c | 2 +-
drivers/video/fbdev/core/fbcon.c | 9 +-
drivers/video/fbdev/core/fbmem.c | 3 +
drivers/virt/coco/efi_secret/efi_secret.c | 10 +-
drivers/watchdog/dw_wdt.c | 2 +
drivers/watchdog/iTCO_wdt.c | 6 +-
drivers/watchdog/sbsa_gwdt.c | 50 ++++-
fs/btrfs/block-group.c | 27 ++-
fs/btrfs/ctree.c | 9 +-
fs/btrfs/ordered-data.c | 12 +-
fs/btrfs/qgroup.c | 31 ++-
fs/btrfs/relocation.c | 19 ++
fs/btrfs/send.c | 39 ++++
fs/btrfs/tree-log.c | 60 ++++--
fs/btrfs/zoned.c | 3 +-
fs/buffer.c | 2 +-
fs/crypto/fscrypt_private.h | 17 ++
fs/crypto/hkdf.c | 2 +-
fs/crypto/keysetup.c | 3 +-
fs/crypto/keysetup_v1.c | 3 +-
fs/eventpoll.c | 60 ++++--
fs/ext2/inode.c | 12 +-
fs/ext4/fsmap.c | 23 ++-
fs/ext4/indirect.c | 4 +-
fs/ext4/inline.c | 19 +-
fs/ext4/inode.c | 2 +-
fs/ext4/mballoc.c | 69 +++----
fs/ext4/orphan.c | 5 +-
fs/ext4/super.c | 8 +-
fs/f2fs/data.c | 2 +
fs/f2fs/f2fs.h | 1 -
fs/f2fs/inode.c | 7 +
fs/f2fs/node.c | 10 +
fs/file.c | 15 ++
fs/hfs/bnode.c | 93 +++++++++
fs/hfsplus/bnode.c | 92 +++++++++
fs/hfsplus/unicode.c | 7 +
fs/hfsplus/xattr.c | 6 +-
fs/hugetlbfs/inode.c | 2 +-
fs/jbd2/checkpoint.c | 1 +
fs/jfs/file.c | 3 +
fs/jfs/inode.c | 2 +-
fs/jfs/jfs_dmap.c | 6 +
fs/libfs.c | 4 +-
fs/namespace.c | 34 ++--
fs/nfs/blocklayout/blocklayout.c | 4 +-
fs/nfs/blocklayout/dev.c | 5 +-
fs/nfs/blocklayout/extent_tree.c | 20 +-
fs/nfs/client.c | 44 +++-
fs/nfs/internal.h | 2 +-
fs/nfs/nfs4client.c | 20 +-
fs/nfs/nfs4proc.c | 2 +-
fs/nfs/pnfs.c | 11 +-
fs/nfsd/nfs4state.c | 34 +++-
fs/ntfs3/dir.c | 3 +
fs/ntfs3/inode.c | 31 +--
fs/orangefs/orangefs-debugfs.c | 2 +-
fs/smb/client/cifssmb.c | 10 +
fs/smb/client/connect.c | 1 -
fs/smb/client/sess.c | 9 +
fs/smb/client/smb2ops.c | 11 +-
fs/smb/server/connection.c | 3 +-
fs/smb/server/connection.h | 7 +-
fs/smb/server/smb2pdu.c | 16 +-
fs/smb/server/transport_rdma.c | 5 +-
fs/smb/server/transport_rdma.h | 4 +-
fs/smb/server/transport_tcp.c | 26 ++-
fs/squashfs/super.c | 14 +-
fs/udf/super.c | 13 +-
fs/xfs/xfs_itable.c | 6 +-
include/linux/blk_types.h | 6 +-
include/linux/compiler.h | 8 -
include/linux/fs.h | 4 +-
include/linux/hypervisor.h | 3 +
include/linux/if_vlan.h | 6 +-
include/linux/iosys-map.h | 7 +-
include/linux/memfd.h | 14 ++
include/linux/mm.h | 76 +++++--
include/linux/pci.h | 10 +-
include/linux/platform_data/cros_ec_proto.h | 4 +
include/linux/skbuff.h | 8 +-
include/linux/usb/cdc_ncm.h | 1 +
include/linux/virtio_vsock.h | 7 +-
include/net/bond_3ad.h | 3 +
include/net/bond_options.h | 1 +
include/net/bonding.h | 23 +++
include/net/cfg80211.h | 2 +-
include/net/mac80211.h | 2 +
include/net/neighbour.h | 1 +
include/sound/soc-dai.h | 13 ++
include/uapi/linux/if_link.h | 1 +
include/uapi/linux/in6.h | 4 +-
include/uapi/linux/io_uring.h | 2 +-
include/uapi/linux/pfrut.h | 1 +
kernel/cgroup/cpuset.c | 2 +-
kernel/fork.c | 2 +-
kernel/module/main.c | 10 +-
kernel/power/console.c | 7 +-
kernel/rcu/tree_plugin.h | 3 +
kernel/sched/fair.c | 19 +-
kernel/trace/ftrace.c | 19 +-
kernel/trace/trace.c | 33 ++-
kernel/trace/trace.h | 8 +-
mm/debug_vm_pgtable.c | 9 +-
mm/filemap.c | 2 +-
mm/kmemleak.c | 10 +-
mm/madvise.c | 2 +-
mm/memfd.c | 2 +-
mm/memory-failure.c | 8 +
mm/mmap.c | 12 +-
mm/ptdump.c | 2 +
mm/shmem.c | 2 +-
net/bluetooth/hci_conn.c | 3 +-
net/bluetooth/hci_sync.c | 43 ++--
net/bridge/br_multicast.c | 16 ++
net/bridge/br_private.h | 2 +
net/core/dev.c | 12 ++
net/core/neighbour.c | 12 +-
net/hsr/hsr_slave.c | 8 +-
net/ipv4/ip_tunnel.c | 1 +
net/ipv4/netfilter/nf_reject_ipv4.c | 6 +-
net/ipv4/route.c | 1 -
net/ipv4/udp_offload.c | 2 +-
net/ipv6/addrconf.c | 7 +-
net/ipv6/ip6_gre.c | 2 +
net/ipv6/ip6_tunnel.c | 1 +
net/ipv6/ip6_vti.c | 1 +
net/ipv6/mcast.c | 11 +-
net/ipv6/netfilter/nf_reject_ipv6.c | 5 +-
net/ipv6/seg6_hmac.c | 6 +-
net/ipv6/sit.c | 1 +
net/mac80211/cfg.c | 12 +-
net/mac80211/chan.c | 1 +
net/mac80211/mlme.c | 9 +-
net/mac80211/sta_info.c | 5 +-
net/mctp/af_mctp.c | 28 ++-
net/mptcp/options.c | 9 +-
net/mptcp/pm.c | 8 +-
net/mptcp/pm_netlink.c | 19 +-
net/mptcp/protocol.c | 55 ++++-
net/mptcp/protocol.h | 27 ++-
net/mptcp/subflow.c | 30 ++-
net/ncsi/internal.h | 2 +-
net/ncsi/ncsi-rsp.c | 1 +
net/netfilter/nf_conntrack_netlink.c | 24 ++-
net/netlink/af_netlink.c | 2 +-
net/sched/sch_cake.c | 14 +-
net/sched/sch_ets.c | 36 ++--
net/sched/sch_htb.c | 2 +-
net/tls/tls_sw.c | 16 +-
net/vmw_vsock/virtio_transport.c | 14 +-
net/wireless/mlme.c | 3 +-
scripts/kconfig/gconf.c | 8 +-
scripts/kconfig/lxdialog/inputbox.c | 6 +-
scripts/kconfig/lxdialog/menubox.c | 2 +-
scripts/kconfig/nconf.c | 2 +
scripts/kconfig/nconf.gui.c | 1 +
security/apparmor/include/lib.h | 6 +-
security/inode.c | 2 -
sound/core/pcm_native.c | 19 +-
sound/pci/hda/hda_codec.c | 44 ++--
sound/pci/hda/patch_ca0132.c | 2 +-
sound/pci/hda/patch_realtek.c | 4 +
sound/pci/intel8x0.c | 2 +-
sound/soc/codecs/hdac_hdmi.c | 10 +-
sound/soc/codecs/rt5640.c | 5 +
sound/soc/fsl/fsl_asrc.c | 16 +-
sound/soc/fsl/fsl_aud2htx.c | 10 +-
sound/soc/fsl/fsl_easrc.c | 16 +-
sound/soc/fsl/fsl_esai.c | 20 +-
sound/soc/fsl/fsl_micfil.c | 14 +-
sound/soc/fsl/fsl_sai.c | 44 ++--
sound/soc/fsl/fsl_spdif.c | 17 +-
sound/soc/fsl/fsl_ssi.c | 3 +-
sound/soc/fsl/fsl_xcvr.c | 16 +-
sound/soc/generic/audio-graph-card.c | 2 +-
sound/soc/intel/avs/core.c | 3 +-
sound/soc/soc-core.c | 28 +++
sound/soc/soc-dai.c | 43 ++--
sound/soc/soc-dapm.c | 4 +
sound/usb/mixer_quirks.c | 14 +-
sound/usb/stream.c | 25 ++-
sound/usb/validate.c | 14 +-
tools/include/nolibc/std.h | 4 +-
tools/include/nolibc/types.h | 4 +-
tools/include/uapi/linux/if_link.h | 1 +
.../cpupower/utils/idle_monitor/mperf_monitor.c | 4 +-
tools/scripts/Makefile.include | 4 +-
tools/testing/ktest/ktest.pl | 5 +-
tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 +-
.../selftests/bpf/prog_tests/user_ringbuf.c | 10 +-
.../ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
tools/testing/selftests/futex/include/futextest.h | 11 +
tools/testing/selftests/memfd/memfd_test.c | 43 ++++
tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 +
511 files changed, 4945 insertions(+), 1976 deletions(-)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 001/482] io_uring: dont use int for ABI
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 002/482] ALSA: usb-audio: Validate UAC3 power domain descriptors, too Greg Kroah-Hartman
` (489 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream.
__kernel_rwf_t is defined as int, the actual size of which is
implementation defined. It won't go well if some compiler / archs
ever defines it as i64, so replace it with __u32, hoping that
there is no one using i16 for it.
Cc: stable@vger.kernel.org
Fixes: 2b188cc1bb857 ("Add io_uring IO interface")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/io_uring.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/uapi/linux/io_uring.h
+++ b/include/uapi/linux/io_uring.h
@@ -38,7 +38,7 @@ struct io_uring_sqe {
};
__u32 len; /* buffer size or number of iovecs */
union {
- __kernel_rwf_t rw_flags;
+ __u32 rw_flags;
__u32 fsync_flags;
__u16 poll_events; /* compatibility */
__u32 poll32_events; /* word-reversed for BE */
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 002/482] ALSA: usb-audio: Validate UAC3 power domain descriptors, too
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 001/482] io_uring: dont use int for ABI Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 003/482] ALSA: usb-audio: Validate UAC3 cluster segment descriptors Greg Kroah-Hartman
` (488 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Youngjun Lee
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.
UAC3 power domain descriptors need to be verified with its variable
bLength for avoiding the unexpected OOB accesses by malicious
firmware, too.
Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/validate.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
return d->bLength >= sizeof(*d) + 4 + 2;
}
+static bool validate_uac3_power_domain_unit(const void *p,
+ const struct usb_desc_validator *v)
+{
+ const struct uac3_power_domain_descriptor *d = p;
+
+ if (d->bLength < sizeof(*d))
+ return false;
+ /* baEntities[] + wPDomainDescrStr */
+ return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
+}
+
static bool validate_midi_out_jack(const void *p,
const struct usb_desc_validator *v)
{
@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
struct uac3_clock_multiplier_descriptor),
/* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
/* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
+ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
{ } /* terminator */
};
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 003/482] ALSA: usb-audio: Validate UAC3 cluster segment descriptors
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 001/482] io_uring: dont use int for ABI Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 002/482] ALSA: usb-audio: Validate UAC3 power domain descriptors, too Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 004/482] ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Greg Kroah-Hartman
` (487 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Youngjun Lee
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream.
UAC3 class segment descriptors need to be verified whether their sizes
match with the declared lengths and whether they fit with the
allocated buffer sizes, too. Otherwise malicious firmware may lead to
the unexpected OOB accesses.
Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/stream.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -341,20 +341,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
len = le16_to_cpu(cluster->wLength);
c = 0;
- p += sizeof(struct uac3_cluster_header_descriptor);
+ p += sizeof(*cluster);
+ len -= sizeof(*cluster);
- while (((p - (void *)cluster) < len) && (c < channels)) {
+ while (len > 0 && (c < channels)) {
struct uac3_cluster_segment_descriptor *cs_desc = p;
u16 cs_len;
u8 cs_type;
+ if (len < sizeof(*p))
+ break;
cs_len = le16_to_cpu(cs_desc->wLength);
+ if (len < cs_len)
+ break;
cs_type = cs_desc->bSegmentType;
if (cs_type == UAC3_CHANNEL_INFORMATION) {
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
@@ -456,6 +464,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
chmap->map[c++] = map;
}
p += cs_len;
+ len -= cs_len;
}
if (channels < c)
@@ -876,7 +885,7 @@ snd_usb_get_audioformat_uac3(struct snd_
u64 badd_formats = 0;
unsigned int num_channels;
struct audioformat *fp;
- u16 cluster_id, wLength;
+ u16 cluster_id, wLength, cluster_wLength;
int clock = 0;
int err;
@@ -1003,6 +1012,16 @@ snd_usb_get_audioformat_uac3(struct snd_
iface_no, altno);
kfree(cluster);
return ERR_PTR(-EIO);
+ }
+
+ cluster_wLength = le16_to_cpu(cluster->wLength);
+ if (cluster_wLength < sizeof(*cluster) ||
+ cluster_wLength > wLength) {
+ dev_err(&dev->dev,
+ "%u:%d : invalid Cluster Descriptor size\n",
+ iface_no, altno);
+ kfree(cluster);
+ return ERR_PTR(-EIO);
}
num_channels = cluster->bNrChannels;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 004/482] ALSA: hda/realtek: Fix headset mic on HONOR BRB-X
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 003/482] ALSA: usb-audio: Validate UAC3 cluster segment descriptors Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 005/482] ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Greg Kroah-Hartman
` (486 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vasiliy Kovalev, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasiliy Kovalev <kovalev@altlinux.org>
commit b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 upstream.
Add a PCI quirk to enable microphone input on the headphone jack on
the HONOR BRB-X M1010 laptop.
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250811132716.45076-1-kovalev@altlinux.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10440,6 +10440,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1ee7, 0x2078, "HONOR BRB-X M1010", ALC2XX_FIXUP_HEADSET_MIC),
SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 005/482] ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 004/482] ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 006/482] smb3: fix for slab out of bounds on mount to ksmbd Greg Kroah-Hartman
` (485 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christopher Eby, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher Eby <kreed@kreed.org>
commit 0db77eccd964b11ab2b757031d1354fcc5a025ea upstream.
Framework Laptop 13 (AMD Ryzen AI 300) requires the same quirk for
headset detection as other Framework 13 models.
Signed-off-by: Christopher Eby <kreed@kreed.org>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250810030006.9060-1-kreed@kreed.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10456,6 +10456,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
#if 0
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 006/482] smb3: fix for slab out of bounds on mount to ksmbd
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 005/482] ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 007/482] smb: client: remove redundant lstrp update in negotiate protocol Greg Kroah-Hartman
` (484 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
commit 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc upstream.
With KASAN enabled, it is possible to get a slab out of bounds
during mount to ksmbd due to missing check in parse_server_interfaces()
(see below):
BUG: KASAN: slab-out-of-bounds in
parse_server_interfaces+0x14ee/0x1880 [cifs]
Read of size 4 at addr ffff8881433dba98 by task mount/9827
CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G
OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,
BIOS 2.13.1 06/14/2019
Call Trace:
<TASK>
dump_stack_lvl+0x9f/0xf0
print_report+0xd1/0x670
__virt_addr_valid+0x22c/0x430
? parse_server_interfaces+0x14ee/0x1880 [cifs]
? kasan_complete_mode_report_info+0x2a/0x1f0
? parse_server_interfaces+0x14ee/0x1880 [cifs]
kasan_report+0xd6/0x110
parse_server_interfaces+0x14ee/0x1880 [cifs]
__asan_report_load_n_noabort+0x13/0x20
parse_server_interfaces+0x14ee/0x1880 [cifs]
? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
? trace_hardirqs_on+0x51/0x60
SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
? SMB2_tcon+0x23c/0x15d0 [cifs]
smb3_qfs_tcon+0x173/0x2b0 [cifs]
? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
? cifs_get_tcon+0x105d/0x2120 [cifs]
? do_raw_spin_unlock+0x5d/0x200
? cifs_get_tcon+0x105d/0x2120 [cifs]
? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
cifs_mount_get_tcon+0x369/0xb90 [cifs]
? dfs_cache_find+0xe7/0x150 [cifs]
dfs_mount_share+0x985/0x2970 [cifs]
? check_path.constprop.0+0x28/0x50
? save_trace+0x54/0x370
? __pfx_dfs_mount_share+0x10/0x10 [cifs]
? __lock_acquire+0xb82/0x2ba0
? __kasan_check_write+0x18/0x20
cifs_mount+0xbc/0x9e0 [cifs]
? __pfx_cifs_mount+0x10/0x10 [cifs]
? do_raw_spin_unlock+0x5d/0x200
? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
cifs_smb3_do_mount+0x263/0x1990 [cifs]
Reported-by: Namjae Jeon <linkinjeon@kernel.org>
Tested-by: Namjae Jeon <linkinjeon@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -714,6 +714,13 @@ next_iface:
bytes_left -= sizeof(*p);
break;
}
+ /* Validate that Next doesn't point beyond the buffer */
+ if (next > bytes_left) {
+ cifs_dbg(VFS, "%s: invalid Next pointer %zu > %zd\n",
+ __func__, next, bytes_left);
+ rc = -EINVAL;
+ goto out;
+ }
p = (struct network_interface_info_ioctl_rsp *)((u8 *)p+next);
bytes_left -= next;
}
@@ -725,7 +732,9 @@ next_iface:
}
/* Azure rounds the buffer size up 8, to a 16 byte boundary */
- if ((bytes_left > 8) || p->Next)
+ if ((bytes_left > 8) ||
+ (bytes_left >= offsetof(struct network_interface_info_ioctl_rsp, Next)
+ + sizeof(p->Next) && p->Next))
cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 007/482] smb: client: remove redundant lstrp update in negotiate protocol
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 006/482] smb3: fix for slab out of bounds on mount to ksmbd Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 008/482] gpio: virtio: Fix config space reading Greg Kroah-Hartman
` (483 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Wang Zhaolong, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
commit e19d8dd694d261ac26adb2a26121a37c107c81ad upstream.
Commit 34331d7beed7 ("smb: client: fix first command failure during
re-negotiation") addressed a race condition by updating lstrp before
entering negotiate state. However, this approach may have some unintended
side effects.
The lstrp field is documented as "when we got last response from this
server", and updating it before actually receiving a server response
could potentially affect other mechanisms that rely on this timestamp.
For example, the SMB echo detection logic also uses lstrp as a reference
point. In scenarios with frequent user operations during reconnect states,
the repeated calls to cifs_negotiate_protocol() might continuously
update lstrp, which could interfere with the echo detection timing.
Additionally, commit 266b5d02e14f ("smb: client: fix race condition in
negotiate timeout by using more precise timing") introduced a dedicated
neg_start field specifically for tracking negotiate start time. This
provides a more precise solution for the original race condition while
preserving the intended semantics of lstrp.
Since the race condition is now properly handled by the neg_start
mechanism, the lstrp update in cifs_negotiate_protocol() is no longer
necessary and can be safely removed.
Fixes: 266b5d02e14f ("smb: client: fix race condition in negotiate timeout by using more precise timing")
Cc: stable@vger.kernel.org
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -4217,7 +4217,6 @@ retry:
return 0;
}
- server->lstrp = jiffies;
server->tcpStatus = CifsInNegotiate;
server->neg_start = jiffies;
spin_unlock(&server->srv_lock);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 008/482] gpio: virtio: Fix config space reading.
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 007/482] smb: client: remove redundant lstrp update in negotiate protocol Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 009/482] gpio: mlxbf2: use platform_get_irq_optional() Greg Kroah-Hartman
` (482 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harald Mommer, Viresh Kumar,
Bartosz Golaszewski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harald Mommer <harald.mommer@oss.qualcomm.com>
commit 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 upstream.
Quote from the virtio specification chapter 4.2.2.2:
"For the device-specific configuration space, the driver MUST use 8 bit
wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses
for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and
64 bit wide fields."
Signed-off-by: Harald Mommer <harald.mommer@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver")
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://lore.kernel.org/r/20250724143718.5442-2-harald.mommer@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-virtio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/gpio/gpio-virtio.c
+++ b/drivers/gpio/gpio-virtio.c
@@ -539,7 +539,6 @@ static const char **virtio_gpio_get_name
static int virtio_gpio_probe(struct virtio_device *vdev)
{
- struct virtio_gpio_config config;
struct device *dev = &vdev->dev;
struct virtio_gpio *vgpio;
u32 gpio_names_size;
@@ -551,9 +550,11 @@ static int virtio_gpio_probe(struct virt
return -ENOMEM;
/* Read configuration */
- virtio_cread_bytes(vdev, 0, &config, sizeof(config));
- gpio_names_size = le32_to_cpu(config.gpio_names_size);
- ngpio = le16_to_cpu(config.ngpio);
+ gpio_names_size =
+ virtio_cread32(vdev, offsetof(struct virtio_gpio_config,
+ gpio_names_size));
+ ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config,
+ ngpio));
if (!ngpio) {
dev_err(dev, "Number of GPIOs can't be zero\n");
return -EINVAL;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 009/482] gpio: mlxbf2: use platform_get_irq_optional()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 008/482] gpio: virtio: Fix config space reading Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 010/482] netlink: avoid infinite retry looping in netlink_unicast() Greg Kroah-Hartman
` (481 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Thompson, Shravan Kumar Ramani,
Mika Westerberg, Bartosz Golaszewski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Thompson <davthompson@nvidia.com>
commit 63c7bc53a35e785accdc2ceab8f72d94501931ab upstream.
The gpio-mlxbf2 driver interfaces with four GPIO controllers,
device instances 0-3. There are two IRQ resources shared between
the four controllers, and they are found in the ACPI table for
instances 0 and 3. The driver should not use platform_get_irq(),
otherwise this error is logged when probing instances 1 and 2:
mlxbf2_gpio MLNXBF22:01: error -ENXIO: IRQ index 0 not found
Fixes: 2b725265cb08 ("gpio: mlxbf2: Introduce IRQ support")
Cc: stable@vger.kernel.org
Signed-off-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/r/20250728144619.29894-1-davthompson@nvidia.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-mlxbf2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpio-mlxbf2.c
+++ b/drivers/gpio/gpio-mlxbf2.c
@@ -374,7 +374,7 @@ mlxbf2_gpio_probe(struct platform_device
gc->ngpio = npins;
gc->owner = THIS_MODULE;
- irq = platform_get_irq(pdev, 0);
+ irq = platform_get_irq_optional(pdev, 0);
if (irq >= 0) {
gs->irq_chip.name = name;
gs->irq_chip.irq_set_type = mlxbf2_gpio_irq_set_type;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 010/482] netlink: avoid infinite retry looping in netlink_unicast()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 009/482] gpio: mlxbf2: use platform_get_irq_optional() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 011/482] net: phy: micrel: fix KSZ8081/KSZ8091 cable test Greg Kroah-Hartman
` (480 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Kuniyuki Iwashima,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream.
netlink_attachskb() checks for the socket's read memory allocation
constraints. Firstly, it has:
rmem < READ_ONCE(sk->sk_rcvbuf)
to check if the just increased rmem value fits into the socket's receive
buffer. If not, it proceeds and tries to wait for the memory under:
rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
these conditions, nor manages to reschedule the task - and is called in
retry loop for indefinite time which is caught as:
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
(t=26000 jiffies g=230833 q=259957)
NMI backtrace for cpu 0
CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
Call Trace:
<IRQ>
dump_stack lib/dump_stack.c:120
nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
update_process_times kernel/time/timer.c:1953
tick_sched_handle kernel/time/tick-sched.c:227
tick_sched_timer kernel/time/tick-sched.c:1399
__hrtimer_run_queues kernel/time/hrtimer.c:1652
hrtimer_interrupt kernel/time/hrtimer.c:1717
__sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
</IRQ>
netlink_attachskb net/netlink/af_netlink.c:1234
netlink_unicast net/netlink/af_netlink.c:1349
kauditd_send_queue kernel/audit.c:776
kauditd_thread kernel/audit.c:897
kthread kernel/kthread.c:328
ret_from_fork arch/x86/entry/entry_64.S:304
Restore the original behavior of the check which commit in Fixes
accidentally missed when restructuring the code.
Found by Linux Verification Center (linuxtesting.org).
Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netlink/af_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1217,7 +1217,7 @@ int netlink_attachskb(struct sock *sk, s
nlk = nlk_sk(sk);
rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
+ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) &&
!test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
netlink_skb_set_owner_r(skb, sk);
return 0;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 011/482] net: phy: micrel: fix KSZ8081/KSZ8091 cable test
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 010/482] netlink: avoid infinite retry looping in netlink_unicast() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 012/482] net: gianfar: fix device leak when querying time stamp info Greg Kroah-Hartman
` (479 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Larysch, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Larysch <fl@n621.de>
commit 49db61c27c4bbd24364086dc0892bd3e14c1502e upstream.
Commit 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814
phy") introduced cable_test support for the LAN8814 that reuses parts of
the KSZ886x logic and introduced the cable_diag_reg and pair_mask
parameters to account for differences between those chips.
However, it did not update the ksz8081_type struct, so those members are
now 0, causing no pairs to be tested in ksz886x_cable_test_get_status
and ksz886x_cable_test_wait_for_completion to poll the wrong register
for the affected PHYs (Basic Control/Reset, which is 0 in normal
operation) and exit immediately.
Fix this by setting both struct members accordingly.
Fixes: 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy")
Cc: stable@vger.kernel.org
Signed-off-by: Florian Larysch <fl@n621.de>
Link: https://patch.msgid.link/20250723222250.13960-1-fl@n621.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/micrel.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -356,6 +356,8 @@ static const struct kszphy_type ksz8051_
static const struct kszphy_type ksz8081_type = {
.led_mode_reg = MII_KSZPHY_CTRL_2,
+ .cable_diag_reg = KSZ8081_LMD,
+ .pair_mask = KSZPHY_WIRE_PAIR_MASK,
.has_broadcast_disable = true,
.has_nand_tree_disable = true,
.has_rmii_ref_clk_sel = true,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 012/482] net: gianfar: fix device leak when querying time stamp info
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 011/482] net: phy: micrel: fix KSZ8081/KSZ8091 cable test Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 013/482] net: mtk_eth_soc: fix device leak at probe Greg Kroah-Hartman
` (478 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yangbo Lu, Johan Hovold,
Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream.
Make sure to drop the reference to the ptp device taken by
of_find_device_by_node() when querying the time stamping capabilities.
Note that holding a reference to the ptp device does not prevent its
driver data from going away.
Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
Cc: stable@vger.kernel.org # 4.18
Cc: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c
+++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c
@@ -1466,8 +1466,10 @@ static int gfar_get_ts_info(struct net_d
if (ptp_node) {
ptp_dev = of_find_device_by_node(ptp_node);
of_node_put(ptp_node);
- if (ptp_dev)
+ if (ptp_dev) {
ptp = platform_get_drvdata(ptp_dev);
+ put_device(&ptp_dev->dev);
+ }
}
if (ptp)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 013/482] net: mtk_eth_soc: fix device leak at probe
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 012/482] net: gianfar: fix device leak when querying time stamp info Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 014/482] net: dpaa: fix device leak when querying time stamp info Greg Kroah-Hartman
` (477 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Fietkau, Johan Hovold,
Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3e13274ca8750823e8b68181bdf185d238febe0d upstream.
The reference count to the WED devices has already been incremented when
looking them up using of_find_device_by_node() so drop the bogus
additional reference taken during probe.
Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)")
Cc: stable@vger.kernel.org # 5.19
Cc: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-5-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mediatek/mtk_wed.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/ethernet/mediatek/mtk_wed.c
+++ b/drivers/net/ethernet/mediatek/mtk_wed.c
@@ -1074,7 +1074,6 @@ void mtk_wed_add_hw(struct device_node *
if (!pdev)
goto err_of_node_put;
- get_device(&pdev->dev);
irq = platform_get_irq(pdev, 0);
if (irq < 0)
goto err_put_device;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 014/482] net: dpaa: fix device leak when querying time stamp info
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 013/482] net: mtk_eth_soc: fix device leak at probe Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 015/482] net: usb: asix_devices: add phy_mask for ax88772 mdio bus Greg Kroah-Hartman
` (476 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yangbo Lu, Johan Hovold,
Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream.
Make sure to drop the reference to the ptp device taken by
of_find_device_by_node() when querying the time stamping capabilities.
Note that holding a reference to the ptp device does not prevent its
driver data from going away.
Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool")
Cc: stable@vger.kernel.org # 4.19
Cc: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
@@ -473,8 +473,10 @@ static int dpaa_get_ts_info(struct net_d
of_node_put(ptp_node);
}
- if (ptp_dev)
+ if (ptp_dev) {
ptp = platform_get_drvdata(ptp_dev);
+ put_device(&ptp_dev->dev);
+ }
if (ptp)
info->phc_index = ptp->phc_index;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 015/482] net: usb: asix_devices: add phy_mask for ax88772 mdio bus
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 014/482] net: dpaa: fix device leak when querying time stamp info Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 016/482] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Greg Kroah-Hartman
` (475 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Oleksij Rempel, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 4faff70959d51078f9ee8372f8cff0d7045e4114 upstream.
Without setting phy_mask for ax88772 mdio bus, current driver may create
at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.
DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy
device will bind to net phy driver. This is creating issue during system
suspend/resume since phy_polling_mode() in phy_state_machine() will
directly deference member of phydev->drv for non-main phy devices. Then
NULL pointer dereference issue will occur. Due to only external phy or
internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud
the issue.
Closes: https://lore.kernel.org/netdev/20250806082931.3289134-1-xu.yang_2@nxp.com
Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20250811092931.860333-1-xu.yang_2@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/asix_devices.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbn
priv->mdio->read = &asix_mdio_bus_read;
priv->mdio->write = &asix_mdio_bus_write;
priv->mdio->name = "Asix MDIO Bus";
+ priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
/* mii bus name is usb-<usb bus number>-<usb device number> */
snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
dev->udev->bus->busnum, dev->udev->devnum);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 016/482] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 015/482] net: usb: asix_devices: add phy_mask for ax88772 mdio bus Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 017/482] NFSD: detect mismatch of file handle and delegation stateid in OPEN op Greg Kroah-Hartman
` (474 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, lei lu, Jeff Layton, Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 908e4ead7f757504d8b345452730636e298cbf68 upstream.
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().
Reported-by: lei lu <llfamsec@gmail.com>
Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/
Fixes: d20c11d86d8f ("nfsd: Protect session creation and client confirm using client_lock")
Cc: stable@vger.kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -4285,10 +4285,16 @@ nfsd4_setclientid_confirm(struct svc_rqs
}
status = nfs_ok;
if (conf) {
- old = unconf;
- unhash_client_locked(old);
- nfsd4_change_callback(conf, &unconf->cl_cb_conn);
- } else {
+ if (get_client_locked(conf) == nfs_ok) {
+ old = unconf;
+ unhash_client_locked(old);
+ nfsd4_change_callback(conf, &unconf->cl_cb_conn);
+ } else {
+ conf = NULL;
+ }
+ }
+
+ if (!conf) {
old = find_confirmed_client_by_name(&unconf->cl_name, nn);
if (old) {
status = nfserr_clid_inuse;
@@ -4305,10 +4311,14 @@ nfsd4_setclientid_confirm(struct svc_rqs
}
trace_nfsd_clid_replaced(&old->cl_clientid);
}
+ status = get_client_locked(unconf);
+ if (status != nfs_ok) {
+ old = NULL;
+ goto out;
+ }
move_to_confirmed(unconf);
conf = unconf;
}
- get_client_locked(conf);
spin_unlock(&nn->client_lock);
if (conf == unconf)
fsnotify_dentry(conf->cl_nfsd_info_dentry, FS_MODIFY);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 017/482] NFSD: detect mismatch of file handle and delegation stateid in OPEN op
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 016/482] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 018/482] NFS: Fix the setting of capabilities when automounting a new filesystem Greg Kroah-Hartman
` (473 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petro Pavlov, Dai Ngo, Jeff Layton,
Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit 9c65001c57164033ad08b654c8b5ae35512ddf4a upstream.
When the client sends an OPEN with claim type CLAIM_DELEG_CUR_FH or
CLAIM_DELEGATION_CUR, the delegation stateid and the file handle
must belong to the same file, otherwise return NFS4ERR_INVAL.
Note that RFC8881, section 8.2.4, mandates the server to return
NFS4ERR_BAD_STATEID if the selected table entry does not match the
current filehandle. However returning NFS4ERR_BAD_STATEID in the
OPEN causes the client to retry the operation and therefor get the
client into a loop. To avoid this situation we return NFS4ERR_INVAL
instead.
Reported-by: Petro Pavlov <petro.pavlov@vastdata.com>
Fixes: c44c5eeb2c02 ("[PATCH] nfsd4: add open state code for CLAIM_DELEGATE_CUR")
Cc: stable@vger.kernel.org
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -5733,6 +5733,20 @@ nfsd4_process_open2(struct svc_rqst *rqs
status = nfs4_check_deleg(cl, open, &dp);
if (status)
goto out;
+ if (dp && nfsd4_is_deleg_cur(open) &&
+ (dp->dl_stid.sc_file != fp)) {
+ /*
+ * RFC8881 section 8.2.4 mandates the server to return
+ * NFS4ERR_BAD_STATEID if the selected table entry does
+ * not match the current filehandle. However returning
+ * NFS4ERR_BAD_STATEID in the OPEN can cause the client
+ * to repeatedly retry the operation with the same
+ * stateid, since the stateid itself is valid. To avoid
+ * this situation NFSD returns NFS4ERR_INVAL instead.
+ */
+ status = nfserr_inval;
+ goto out;
+ }
stp = nfsd4_find_and_lock_existing_open(fp, open);
} else {
open->op_file = NULL;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 018/482] NFS: Fix the setting of capabilities when automounting a new filesystem
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 017/482] NFSD: detect mismatch of file handle and delegation stateid in OPEN op Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 019/482] PCI: Extend isolated function probing to LoongArch Greg Kroah-Hartman
` (472 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Coddington, Trond Myklebust
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
commit b01f21cacde9f2878492cf318fee61bf4ccad323 upstream.
Capabilities cannot be inherited when we cross into a new filesystem.
They need to be reset to the minimal defaults, and then probed for
again.
Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
fs/nfs/internal.h | 2 +-
fs/nfs/nfs4client.c | 20 +-------------------
fs/nfs/nfs4proc.c | 2 +-
4 files changed, 45 insertions(+), 23 deletions(-)
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -657,6 +657,44 @@ struct nfs_client *nfs_init_client(struc
}
EXPORT_SYMBOL_GPL(nfs_init_client);
+static void nfs4_server_set_init_caps(struct nfs_server *server)
+{
+#if IS_ENABLED(CONFIG_NFS_V4)
+ /* Set the basic capabilities */
+ server->caps = server->nfs_client->cl_mvops->init_caps;
+ if (server->flags & NFS_MOUNT_NORDIRPLUS)
+ server->caps &= ~NFS_CAP_READDIRPLUS;
+ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+ server->caps &= ~NFS_CAP_READ_PLUS;
+
+ /*
+ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+ * authentication.
+ */
+ if (nfs4_disable_idmapping &&
+ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+ server->caps |= NFS_CAP_UIDGID_NOMAP;
+#endif
+}
+
+void nfs_server_set_init_caps(struct nfs_server *server)
+{
+ switch (server->nfs_client->rpc_ops->version) {
+ case 2:
+ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
+ break;
+ case 3:
+ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
+ if (!(server->flags & NFS_MOUNT_NORDIRPLUS))
+ server->caps |= NFS_CAP_READDIRPLUS;
+ break;
+ default:
+ nfs4_server_set_init_caps(server);
+ break;
+ }
+}
+EXPORT_SYMBOL_GPL(nfs_server_set_init_caps);
+
/*
* Create a version 2 or 3 client
*/
@@ -695,7 +733,6 @@ static int nfs_init_server(struct nfs_se
/* Initialise the client representation from the mount data */
server->flags = ctx->flags;
server->options = ctx->options;
- server->caps |= NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
switch (clp->rpc_ops->version) {
case 2:
@@ -731,6 +768,8 @@ static int nfs_init_server(struct nfs_se
if (error < 0)
goto error;
+ nfs_server_set_init_caps(server);
+
/* Preserve the values of mount_server-related mount options */
if (ctx->mount_server.addrlen) {
memcpy(&server->mountd_address, &ctx->mount_server.address,
@@ -905,7 +944,6 @@ void nfs_server_copy_userdata(struct nfs
target->acregmax = source->acregmax;
target->acdirmin = source->acdirmin;
target->acdirmax = source->acdirmax;
- target->caps = source->caps;
target->options = source->options;
target->auth_info = source->auth_info;
target->port = source->port;
@@ -1112,6 +1150,8 @@ struct nfs_server *nfs_clone_server(stru
if (error < 0)
goto out_free_server;
+ nfs_server_set_init_caps(server);
+
/* probe the filesystem info for this server filesystem */
error = nfs_probe_server(server, fh);
if (error < 0)
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -219,7 +219,7 @@ extern struct nfs_client *
nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
struct nfs4_sessionid *, u32);
extern struct nfs_server *nfs_create_server(struct fs_context *);
-extern void nfs4_server_set_init_caps(struct nfs_server *);
+extern void nfs_server_set_init_caps(struct nfs_server *);
extern struct nfs_server *nfs4_create_server(struct fs_context *);
extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -1065,24 +1065,6 @@ static void nfs4_session_limit_xasize(st
#endif
}
-void nfs4_server_set_init_caps(struct nfs_server *server)
-{
- /* Set the basic capabilities */
- server->caps |= server->nfs_client->cl_mvops->init_caps;
- if (server->flags & NFS_MOUNT_NORDIRPLUS)
- server->caps &= ~NFS_CAP_READDIRPLUS;
- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
- server->caps &= ~NFS_CAP_READ_PLUS;
-
- /*
- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
- * authentication.
- */
- if (nfs4_disable_idmapping &&
- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
- server->caps |= NFS_CAP_UIDGID_NOMAP;
-}
-
static int nfs4_server_common_setup(struct nfs_server *server,
struct nfs_fh *mntfh, bool auth_probe)
{
@@ -1097,7 +1079,7 @@ static int nfs4_server_common_setup(stru
if (error < 0)
goto out;
- nfs4_server_set_init_caps(server);
+ nfs_server_set_init_caps(server);
/* Probe the root fh to retrieve its FSID and filehandle */
error = nfs4_get_rootfh(server, mntfh, auth_probe);
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3957,7 +3957,7 @@ int nfs4_server_capabilities(struct nfs_
};
int err;
- nfs4_server_set_init_caps(server);
+ nfs_server_set_init_caps(server);
do {
err = nfs4_handle_exception(server,
_nfs4_server_capabilities(server, fhandle),
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 019/482] PCI: Extend isolated function probing to LoongArch
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 018/482] NFS: Fix the setting of capabilities when automounting a new filesystem Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 020/482] LoongArch: BPF: Fix jump offset calculation in tailcall Greg Kroah-Hartman
` (471 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Huacai Chen, Bjorn Helgaas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit a02fd05661d73a8507dd70dd820e9b984490c545 upstream.
Like s390 and the jailhouse hypervisor, LoongArch's PCI architecture allows
passing isolated PCI functions to a guest OS instance. So it is possible
that there is a multi-function device without function 0 for the host or
guest.
Allow probing such functions by adding a IS_ENABLED(CONFIG_LOONGARCH) case
in the hypervisor_isolated_pci_functions() helper.
This is similar to commit 189c6c33ff42 ("PCI: Extend isolated function
probing to s390").
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250624062927.4037734-1-chenhuacai@loongson.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hypervisor.h | 3 +++
1 file changed, 3 insertions(+)
--- a/include/linux/hypervisor.h
+++ b/include/linux/hypervisor.h
@@ -37,6 +37,9 @@ static inline bool hypervisor_isolated_p
if (IS_ENABLED(CONFIG_S390))
return true;
+ if (IS_ENABLED(CONFIG_LOONGARCH))
+ return true;
+
return jailhouse_paravirt();
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 020/482] LoongArch: BPF: Fix jump offset calculation in tailcall
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 019/482] PCI: Extend isolated function probing to LoongArch Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 021/482] sunvdc: Balance device refcount in vdc_port_mpgroup_check Greg Kroah-Hartman
` (470 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hengqi Chen, Haoran Jiang,
Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoran Jiang <jianghaoran@kylinos.cn>
commit cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3 upstream.
The extra pass of bpf_int_jit_compile() skips JIT context initialization
which essentially skips offset calculation leaving out_offset = -1, so
the jmp_offset in emit_bpf_tail_call is calculated by
"#define jmp_offset (out_offset - (cur_offset))"
is a negative number, which is wrong. The final generated assembly are
as follow.
54: bgeu $a2, $t1, -8 # 0x0000004c
58: addi.d $a6, $s5, -1
5c: bltz $a6, -16 # 0x0000004c
60: alsl.d $t2, $a2, $a1, 0x3
64: ld.d $t2, $t2, 264
68: beq $t2, $zero, -28 # 0x0000004c
Before apply this patch, the follow test case will reveal soft lock issues.
cd tools/testing/selftests/bpf/
./test_progs --allow=tailcalls/tailcall_bpf2bpf_1
dmesg:
watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]
Cc: stable@vger.kernel.org
Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Haoran Jiang <jianghaoran@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/net/bpf_jit.c | 21 +++++----------------
1 file changed, 5 insertions(+), 16 deletions(-)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -201,11 +201,9 @@ bool bpf_jit_supports_kfunc_call(void)
return true;
}
-/* initialized on the first pass of build_body() */
-static int out_offset = -1;
-static int emit_bpf_tail_call(struct jit_ctx *ctx)
+static int emit_bpf_tail_call(struct jit_ctx *ctx, int insn)
{
- int off;
+ int off, tc_ninsn = 0;
u8 tcc = tail_call_reg(ctx);
u8 a1 = LOONGARCH_GPR_A1;
u8 a2 = LOONGARCH_GPR_A2;
@@ -215,7 +213,7 @@ static int emit_bpf_tail_call(struct jit
const int idx0 = ctx->idx;
#define cur_offset (ctx->idx - idx0)
-#define jmp_offset (out_offset - (cur_offset))
+#define jmp_offset (tc_ninsn - (cur_offset))
/*
* a0: &ctx
@@ -225,6 +223,7 @@ static int emit_bpf_tail_call(struct jit
* if (index >= array->map.max_entries)
* goto out;
*/
+ tc_ninsn = insn ? ctx->offset[insn+1] - ctx->offset[insn] : ctx->offset[0];
off = offsetof(struct bpf_array, map.max_entries);
emit_insn(ctx, ldwu, t1, a1, off);
/* bgeu $a2, $t1, jmp_offset */
@@ -256,15 +255,6 @@ static int emit_bpf_tail_call(struct jit
emit_insn(ctx, ldd, t3, t2, off);
__build_epilogue(ctx, true);
- /* out: */
- if (out_offset == -1)
- out_offset = cur_offset;
- if (cur_offset != out_offset) {
- pr_err_once("tail_call out_offset = %d, expected %d!\n",
- cur_offset, out_offset);
- return -1;
- }
-
return 0;
toofar:
@@ -789,7 +779,7 @@ static int build_insn(const struct bpf_i
/* tail call */
case BPF_JMP | BPF_TAIL_CALL:
mark_tail_call(ctx);
- if (emit_bpf_tail_call(ctx) < 0)
+ if (emit_bpf_tail_call(ctx, i) < 0)
return -EINVAL;
break;
@@ -1170,7 +1160,6 @@ out:
if (tmp_blinded)
bpf_jit_prog_release_other(prog, prog == orig_prog ? tmp : orig_prog);
- out_offset = -1;
return prog;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 021/482] sunvdc: Balance device refcount in vdc_port_mpgroup_check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 020/482] LoongArch: BPF: Fix jump offset calculation in tailcall Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 022/482] fs: Prevent file descriptor table allocations exceeding INT_MAX Greg Kroah-Hartman
` (469 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 63ce53724637e2e7ba51fe3a4f78351715049905 upstream.
Using device_find_child() to locate a probed virtual-device-port node
causes a device refcount imbalance, as device_find_child() internally
calls get_device() to increment the device’s reference count before
returning its pointer. vdc_port_mpgroup_check() directly returns true
upon finding a matching device without releasing the reference via
put_device(). We should call put_device() to decrement refcount.
As comment of device_find_child() says, 'NOTE: you will need to drop
the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://lore.kernel.org/r/20250719075856.3447953-1-make24@iscas.ac.cn
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/sunvdc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/block/sunvdc.c
+++ b/drivers/block/sunvdc.c
@@ -956,8 +956,10 @@ static bool vdc_port_mpgroup_check(struc
dev = device_find_child(vdev->dev.parent, &port_data,
vdc_device_probed);
- if (dev)
+ if (dev) {
+ put_device(dev);
return true;
+ }
return false;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 022/482] fs: Prevent file descriptor table allocations exceeding INT_MAX
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 021/482] sunvdc: Balance device refcount in vdc_port_mpgroup_check Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 023/482] eventpoll: Fix semi-unbounded recursion Greg Kroah-Hartman
` (468 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin, Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sashal@kernel.org>
commit 04a2c4b4511d186b0fce685da21085a5d4acd370 upstream.
When sysctl_nr_open is set to a very high value (for example, 1073741816
as set by systemd), processes attempting to use file descriptors near
the limit can trigger massive memory allocation attempts that exceed
INT_MAX, resulting in a WARNING in mm/slub.c:
WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288
This happens because kvmalloc_array() and kvmalloc() check if the
requested size exceeds INT_MAX and emit a warning when the allocation is
not flagged with __GFP_NOWARN.
Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a
process calls dup2(oldfd, 1073741880), the kernel attempts to allocate:
- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes
- Multiple bitmaps: ~400MB
- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)
Reproducer:
1. Set /proc/sys/fs/nr_open to 1073741816:
# echo 1073741816 > /proc/sys/fs/nr_open
2. Run a program that uses a high file descriptor:
#include <unistd.h>
#include <sys/resource.h>
int main() {
struct rlimit rlim = {1073741824, 1073741824};
setrlimit(RLIMIT_NOFILE, &rlim);
dup2(2, 1073741880); // Triggers the warning
return 0;
}
3. Observe WARNING in dmesg at mm/slub.c:5027
systemd commit a8b627a introduced automatic bumping of fs.nr_open to the
maximum possible value. The rationale was that systems with memory
control groups (memcg) no longer need separate file descriptor limits
since memory is properly accounted. However, this change overlooked
that:
1. The kernel's allocation functions still enforce INT_MAX as a maximum
size regardless of memcg accounting
2. Programs and tests that legitimately test file descriptor limits can
inadvertently trigger massive allocations
3. The resulting allocations (>8GB) are impractical and will always fail
systemd's algorithm starts with INT_MAX and keeps halving the value
until the kernel accepts it. On most systems, this results in nr_open
being set to 1073741816 (0x3ffffff8), which is just under 1GB of file
descriptors.
While processes rarely use file descriptors near this limit in normal
operation, certain selftests (like
tools/testing/selftests/core/unshare_test.c) and programs that test file
descriptor limits can trigger this issue.
Fix this by adding a check in alloc_fdtable() to ensure the requested
allocation size does not exceed INT_MAX. This causes the operation to
fail with -EMFILE instead of triggering a kernel warning and avoids the
impractical >8GB memory allocation request.
Fixes: 9cfe015aa424 ("get rid of NR_OPEN and introduce a sysctl_nr_open")
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Link: https://lore.kernel.org/20250629074021.1038845-1-sashal@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/file.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/fs/file.c
+++ b/fs/file.c
@@ -126,6 +126,21 @@ static struct fdtable * alloc_fdtable(un
if (unlikely(nr > sysctl_nr_open))
nr = ((sysctl_nr_open - 1) | (BITS_PER_LONG - 1)) + 1;
+ /*
+ * Check if the allocation size would exceed INT_MAX. kvmalloc_array()
+ * and kvmalloc() will warn if the allocation size is greater than
+ * INT_MAX, as filp_cachep objects are not __GFP_NOWARN.
+ *
+ * This can happen when sysctl_nr_open is set to a very high value and
+ * a process tries to use a file descriptor near that limit. For example,
+ * if sysctl_nr_open is set to 1073741816 (0x3ffffff8) - which is what
+ * systemd typically sets it to - then trying to use a file descriptor
+ * close to that value will require allocating a file descriptor table
+ * that exceeds 8GB in size.
+ */
+ if (unlikely(nr > INT_MAX / sizeof(struct file *)))
+ return ERR_PTR(-EMFILE);
+
fdt = kmalloc(sizeof(struct fdtable), GFP_KERNEL_ACCOUNT);
if (!fdt)
goto out;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 023/482] eventpoll: Fix semi-unbounded recursion
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 022/482] fs: Prevent file descriptor table allocations exceeding INT_MAX Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 024/482] Documentation: ACPI: Fix parent device references Greg Kroah-Hartman
` (467 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit f2e467a48287c868818085aa35389a224d226732 upstream.
Ensure that epoll instances can never form a graph deeper than
EP_MAX_NESTS+1 links.
Currently, ep_loop_check_proc() ensures that the graph is loop-free and
does some recursion depth checks, but those recursion depth checks don't
limit the depth of the resulting tree for two reasons:
- They don't look upwards in the tree.
- If there are multiple downwards paths of different lengths, only one of
the paths is actually considered for the depth check since commit
28d82dc1c4ed ("epoll: limit paths").
Essentially, the current recursion depth check in ep_loop_check_proc() just
serves to prevent it from recursing too deeply while checking for loops.
A more thorough check is done in reverse_path_check() after the new graph
edge has already been created; this checks, among other things, that no
paths going upwards from any non-epoll file with a length of more than 5
edges exist. However, this check does not apply to non-epoll files.
As a result, it is possible to recurse to a depth of at least roughly 500,
tested on v6.15. (I am unsure if deeper recursion is possible; and this may
have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion
problem").)
To fix it:
1. In ep_loop_check_proc(), note the subtree depth of each visited node,
and use subtree depths for the total depth calculation even when a subtree
has already been visited.
2. Add ep_get_upwards_depth_proc() for similarly determining the maximum
depth of an upwards walk.
3. In ep_loop_check(), use these values to limit the total path length
between epoll nodes to EP_MAX_NESTS edges.
Fixes: 22bacca48a17 ("epoll: prevent creating circular epoll structures")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/20250711-epoll-recursion-fix-v1-1-fb2457c33292@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/eventpoll.c | 60 +++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 46 insertions(+), 14 deletions(-)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -216,6 +216,7 @@ struct eventpoll {
/* used to optimize loop detection check */
u64 gen;
struct hlist_head refs;
+ u8 loop_check_depth;
#ifdef CONFIG_NET_RX_BUSY_POLL
/* used to track busy poll napi_id */
@@ -1951,23 +1952,24 @@ static int ep_poll(struct eventpoll *ep,
}
/**
- * ep_loop_check_proc - verify that adding an epoll file inside another
- * epoll structure does not violate the constraints, in
- * terms of closed loops, or too deep chains (which can
- * result in excessive stack usage).
+ * ep_loop_check_proc - verify that adding an epoll file @ep inside another
+ * epoll file does not create closed loops, and
+ * determine the depth of the subtree starting at @ep
*
* @ep: the &struct eventpoll to be currently checked.
* @depth: Current depth of the path being checked.
*
- * Return: %zero if adding the epoll @file inside current epoll
- * structure @ep does not violate the constraints, or %-1 otherwise.
+ * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
*/
static int ep_loop_check_proc(struct eventpoll *ep, int depth)
{
- int error = 0;
+ int result = 0;
struct rb_node *rbp;
struct epitem *epi;
+ if (ep->gen == loop_check_gen)
+ return ep->loop_check_depth;
+
mutex_lock_nested(&ep->mtx, depth + 1);
ep->gen = loop_check_gen;
for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) {
@@ -1975,13 +1977,11 @@ static int ep_loop_check_proc(struct eve
if (unlikely(is_file_epoll(epi->ffd.file))) {
struct eventpoll *ep_tovisit;
ep_tovisit = epi->ffd.file->private_data;
- if (ep_tovisit->gen == loop_check_gen)
- continue;
if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
- error = -1;
+ result = INT_MAX;
else
- error = ep_loop_check_proc(ep_tovisit, depth + 1);
- if (error != 0)
+ result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
+ if (result > EP_MAX_NESTS)
break;
} else {
/*
@@ -1995,9 +1995,27 @@ static int ep_loop_check_proc(struct eve
list_file(epi->ffd.file);
}
}
+ ep->loop_check_depth = result;
mutex_unlock(&ep->mtx);
- return error;
+ return result;
+}
+
+/**
+ * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards
+ */
+static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth)
+{
+ int result = 0;
+ struct epitem *epi;
+
+ if (ep->gen == loop_check_gen)
+ return ep->loop_check_depth;
+ hlist_for_each_entry_rcu(epi, &ep->refs, fllink)
+ result = max(result, ep_get_upwards_depth_proc(epi->ep, depth + 1) + 1);
+ ep->gen = loop_check_gen;
+ ep->loop_check_depth = result;
+ return result;
}
/**
@@ -2013,8 +2031,22 @@ static int ep_loop_check_proc(struct eve
*/
static int ep_loop_check(struct eventpoll *ep, struct eventpoll *to)
{
+ int depth, upwards_depth;
+
inserting_into = ep;
- return ep_loop_check_proc(to, 0);
+ /*
+ * Check how deep down we can get from @to, and whether it is possible
+ * to loop up to @ep.
+ */
+ depth = ep_loop_check_proc(to, 0);
+ if (depth > EP_MAX_NESTS)
+ return -1;
+ /* Check how far up we can go from @ep. */
+ rcu_read_lock();
+ upwards_depth = ep_get_upwards_depth_proc(ep, 0);
+ rcu_read_unlock();
+
+ return (depth+1+upwards_depth > EP_MAX_NESTS) ? -1 : 0;
}
static void clear_tfile_check_list(void)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 024/482] Documentation: ACPI: Fix parent device references
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 023/482] eventpoll: Fix semi-unbounded recursion Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 025/482] ACPI: processor: perflib: Fix initial _PPC limit application Greg Kroah-Hartman
` (466 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yevhen Kondrashyn, Andy Shevchenko,
Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit e65cb011349e653ded541dddd6469c2ca813edcf upstream.
The _CRS resources in many cases want to have ResourceSource field
to be a type of ACPI String. This means that to compile properly
we need to enclosure the name path into double quotes. This will
in practice defer the interpretation to a run-time stage, However,
this may be interpreted differently on different OSes and ACPI
interpreter implementations. In particular ACPICA might not correctly
recognize the leading '^' (caret) character and will not resolve
the relative name path properly. On top of that, this piece may be
used in SSDTs which are loaded after the DSDT and on itself may also
not resolve relative name paths outside of their own scopes.
With this all said, fix documentation to use fully-qualified name
paths always to avoid any misinterpretations, which is proven to
work.
Fixes: 8eb5c87a92c0 ("i2c: add ACPI support for I2C mux ports")
Reported-by: Yevhen Kondrashyn <e.kondrashyn@gmail.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20250710170225.961303-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/Documentation/firmware-guide/acpi/i2c-muxes.rst
+++ b/Documentation/firmware-guide/acpi/i2c-muxes.rst
@@ -14,7 +14,7 @@ Consider this topology::
| | | 0x70 |--CH01--> i2c client B (0x50)
+------+ +------+
-which corresponds to the following ASL::
+which corresponds to the following ASL (in the scope of \_SB)::
Device (SMB1)
{
@@ -24,7 +24,7 @@ which corresponds to the following ASL::
Name (_HID, ...)
Name (_CRS, ResourceTemplate () {
I2cSerialBus (0x70, ControllerInitiated, I2C_SPEED,
- AddressingMode7Bit, "^SMB1", 0x00,
+ AddressingMode7Bit, "\\_SB.SMB1", 0x00,
ResourceConsumer,,)
}
@@ -37,7 +37,7 @@ which corresponds to the following ASL::
Name (_HID, ...)
Name (_CRS, ResourceTemplate () {
I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED,
- AddressingMode7Bit, "^CH00", 0x00,
+ AddressingMode7Bit, "\\_SB.SMB1.CH00", 0x00,
ResourceConsumer,,)
}
}
@@ -52,7 +52,7 @@ which corresponds to the following ASL::
Name (_HID, ...)
Name (_CRS, ResourceTemplate () {
I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED,
- AddressingMode7Bit, "^CH01", 0x00,
+ AddressingMode7Bit, "\\_SB.SMB1.CH01", 0x00,
ResourceConsumer,,)
}
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 025/482] ACPI: processor: perflib: Fix initial _PPC limit application
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 024/482] Documentation: ACPI: Fix parent device references Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 026/482] ACPI: processor: perflib: Move problematic pr->performance check Greg Kroah-Hartman
` (465 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiayi Li, Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayi Li <lijiayi@kylinos.cn>
commit d33bd88ac0ebb49e7f7c8f29a8c7ee9eae85d765 upstream.
If the BIOS sets a _PPC frequency limit upfront, it will fail to take
effect due to a call ordering issue. Namely, freq_qos_update_request()
is called before freq_qos_add_request() for the given request causing
the constraint update to be ignored. The call sequence in question is
as follows:
cpufreq_policy_online()
acpi_cpufreq_cpu_init()
acpi_processor_register_performance()
acpi_processor_get_performance_info()
acpi_processor_get_platform_limit()
freq_qos_update_request(&perflib_req) <- inactive QoS request
blocking_notifier_call_chain(&cpufreq_policy_notifier_list,
CPUFREQ_CREATE_POLICY)
acpi_processor_notifier()
acpi_processor_ppc_init()
freq_qos_add_request(&perflib_req) <- QoS request activation
Address this by adding an acpi_processor_get_platform_limit() call
to acpi_processor_ppc_init(), after the perflib_req activation via
freq_qos_add_request(), which causes the initial _PPC limit to be
picked up as appropriate. However, also ensure that the _PPC limit
will not be picked up in the cases when the cpufreq driver does not
call acpi_processor_register_performance() by adding a pr->performance
check to the related_cpus loop in acpi_processor_ppc_init().
Fixes: d15ce412737a ("ACPI: cpufreq: Switch to QoS requests instead of cpufreq notifier")
Signed-off-by: Jiayi Li <lijiayi@kylinos.cn>
Link: https://patch.msgid.link/20250721032606.3459369-1-lijiayi@kylinos.cn
[ rjw: Consolidate pr-related checks in acpi_processor_ppc_init() ]
[ rjw: Subject and changelog adjustments ]
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+: 2d8b39a62a5d ACPI: processor: Avoid NULL pointer dereferences at init time
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+: 3000ce3c52f8 cpufreq: Use per-policy frequency QoS
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+: a1bb46c36ce3 ACPI: processor: Add QoS requests for all CPUs
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/processor_perflib.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/acpi/processor_perflib.c
+++ b/drivers/acpi/processor_perflib.c
@@ -173,11 +173,14 @@ void acpi_processor_ppc_init(struct cpuf
{
unsigned int cpu;
+ if (ignore_ppc == 1)
+ return;
+
for_each_cpu(cpu, policy->related_cpus) {
struct acpi_processor *pr = per_cpu(processors, cpu);
int ret;
- if (!pr)
+ if (!pr || !pr->performance)
continue;
/*
@@ -193,6 +196,11 @@ void acpi_processor_ppc_init(struct cpuf
if (ret < 0)
pr_err("Failed to add freq constraint for CPU%d (%d)\n",
cpu, ret);
+
+ ret = acpi_processor_get_platform_limit(pr);
+ if (ret)
+ pr_err("Failed to update freq constraint for CPU%d (%d)\n",
+ cpu, ret);
}
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 026/482] ACPI: processor: perflib: Move problematic pr->performance check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 025/482] ACPI: processor: perflib: Fix initial _PPC limit application Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 027/482] KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow Greg Kroah-Hartman
` (464 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit d405ec23df13e6df599f5bd965a55d13420366b8 upstream.
Commit d33bd88ac0eb ("ACPI: processor: perflib: Fix initial _PPC limit
application") added a pr->performance check that prevents the frequency
QoS request from being added when the given processor has no performance
object. Unfortunately, this causes a WARN() in freq_qos_remove_request()
to trigger on an attempt to take the given CPU offline later because the
frequency QoS object has not been added for it due to the missing
performance object.
Address this by moving the pr->performance check before calling
acpi_processor_get_platform_limit() so it only prevents a limit from
being set for the CPU if the performance object is not present. This
way, the frequency QoS request is added as it was before the above
commit and it is present all the time along with the CPU's cpufreq
policy regardless of whether or not the CPU is online.
Fixes: d33bd88ac0eb ("ACPI: processor: perflib: Fix initial _PPC limit application")
Tested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2801421.mvXUDI8C0e@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/processor_perflib.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/acpi/processor_perflib.c
+++ b/drivers/acpi/processor_perflib.c
@@ -180,7 +180,7 @@ void acpi_processor_ppc_init(struct cpuf
struct acpi_processor *pr = per_cpu(processors, cpu);
int ret;
- if (!pr || !pr->performance)
+ if (!pr)
continue;
/*
@@ -197,6 +197,9 @@ void acpi_processor_ppc_init(struct cpuf
pr_err("Failed to add freq constraint for CPU%d (%d)\n",
cpu, ret);
+ if (!pr->performance)
+ continue;
+
ret = acpi_processor_get_platform_limit(pr);
if (ret)
pr_err("Failed to update freq constraint for CPU%d (%d)\n",
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 027/482] KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 026/482] ACPI: processor: perflib: Move problematic pr->performance check Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 028/482] KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC) Greg Kroah-Hartman
` (463 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Covelli, Jim Mattson,
Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit be45bc4eff33d9a7dae84a2150f242a91a617402 ]
Enable/disable local IRQs, i.e. set/clear RFLAGS.IF, in the common
svm_vcpu_enter_exit() just after/before guest_state_{enter,exit}_irqoff()
so that VMRUN is not executed in an STI shadow. AMD CPUs have a quirk
(some would say "bug"), where the STI shadow bleeds into the guest's
intr_state field if a #VMEXIT occurs during injection of an event, i.e. if
the VMRUN doesn't complete before the subsequent #VMEXIT.
The spurious "interrupts masked" state is relatively benign, as it only
occurs during event injection and is transient. Because KVM is already
injecting an event, the guest can't be in HLT, and if KVM is querying IRQ
blocking for injection, then KVM would need to force an immediate exit
anyways since injecting multiple events is impossible.
However, because KVM copies int_state verbatim from vmcb02 to vmcb12, the
spurious STI shadow is visible to L1 when running a nested VM, which can
trip sanity checks, e.g. in VMware's VMM.
Hoist the STI+CLI all the way to C code, as the aforementioned calls to
guest_state_{enter,exit}_irqoff() already inform lockdep that IRQs are
enabled/disabled, and taking a fault on VMRUN with RFLAGS.IF=1 is already
possible. I.e. if there's kernel code that is confused by running with
RFLAGS.IF=1, then it's already a problem. In practice, since GIF=0 also
blocks NMIs, the only change in exposure to non-KVM code (relative to
surrounding VMRUN with STI+CLI) is exception handling code, and except for
the kvm_rebooting=1 case, all exception in the core VM-Enter/VM-Exit path
are fatal.
Use the "raw" variants to enable/disable IRQs to avoid tracing in the
"no instrumentation" code; the guest state helpers also take care of
tracing IRQ state.
Oppurtunstically document why KVM needs to do STI in the first place.
Reported-by: Doug Covelli <doug.covelli@broadcom.com>
Closes: https://lore.kernel.org/all/CADH9ctBs1YPmE4aCfGPNBwA10cA8RuAk2gO7542DjMZgs4uzJQ@mail.gmail.com
Fixes: f14eec0a3203 ("KVM: SVM: move more vmentry code to assembly")
Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250224165442.2338294-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: resolve minor syntatic conflict in __svm_sev_es_vcpu_run()]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/svm/svm.c | 14 ++++++++++++++
arch/x86/kvm/svm/vmenter.S | 9 +--------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index b6bbd0dc4e65..c95a84afc35f 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3982,6 +3982,18 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vcpu *vcpu, bool spec_ctrl_in
guest_state_enter_irqoff();
+ /*
+ * Set RFLAGS.IF prior to VMRUN, as the host's RFLAGS.IF at the time of
+ * VMRUN controls whether or not physical IRQs are masked (KVM always
+ * runs with V_INTR_MASKING_MASK). Toggle RFLAGS.IF here to avoid the
+ * temptation to do STI+VMRUN+CLI, as AMD CPUs bleed the STI shadow
+ * into guest state if delivery of an event during VMRUN triggers a
+ * #VMEXIT, and the guest_state transitions already tell lockdep that
+ * IRQs are being enabled/disabled. Note! GIF=0 for the entirety of
+ * this path, so IRQs aren't actually unmasked while running host code.
+ */
+ raw_local_irq_enable();
+
amd_clear_divider();
if (sev_es_guest(vcpu->kvm))
@@ -3989,6 +4001,8 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vcpu *vcpu, bool spec_ctrl_in
else
__svm_vcpu_run(svm, spec_ctrl_intercepted);
+ raw_local_irq_disable();
+
guest_state_exit_irqoff();
}
diff --git a/arch/x86/kvm/svm/vmenter.S b/arch/x86/kvm/svm/vmenter.S
index 42824f9b06a2..48b72625cc45 100644
--- a/arch/x86/kvm/svm/vmenter.S
+++ b/arch/x86/kvm/svm/vmenter.S
@@ -170,12 +170,8 @@ SYM_FUNC_START(__svm_vcpu_run)
VM_CLEAR_CPU_BUFFERS
/* Enter guest mode */
- sti
-
3: vmrun %_ASM_AX
4:
- cli
-
/* Pop @svm to RAX while it's the only available register. */
pop %_ASM_AX
@@ -343,11 +339,8 @@ SYM_FUNC_START(__svm_sev_es_vcpu_run)
VM_CLEAR_CPU_BUFFERS
/* Enter guest mode */
- sti
-
1: vmrun %_ASM_AX
-
-2: cli
+2:
/* Pop @svm to RDI, guest registers have been saved already. */
pop %_ASM_DI
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 028/482] KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC)
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 027/482] KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 029/482] KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update() Greg Kroah-Hartman
` (462 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky,
Suravee Suthikulpanit, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 73b42dc69be8564d4951a14d00f827929fe5ef79 ]
Re-introduce the "split" x2APIC ICR storage that KVM used prior to Intel's
IPI virtualization support, but only for AMD. While not stated anywhere
in the APM, despite stating the ICR is a single 64-bit register, AMD CPUs
store the 64-bit ICR as two separate 32-bit values in ICR and ICR2. When
IPI virtualization (IPIv on Intel, all AVIC flavors on AMD) is enabled,
KVM needs to match CPU behavior as some ICR ICR writes will be handled by
the CPU, not by KVM.
Add a kvm_x86_ops knob to control the underlying format used by the CPU to
store the x2APIC ICR, and tune it to AMD vs. Intel regardless of whether
or not x2AVIC is enabled. If KVM is handling all ICR writes, the storage
format for x2APIC mode doesn't matter, and having the behavior follow AMD
versus Intel will provide better test coverage and ease debugging.
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Link: https://lore.kernel.org/r/20240719235107.3023592-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: resolve minor syntatic conflicts]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm_host.h | 2 ++
arch/x86/kvm/lapic.c | 42 +++++++++++++++++++++++----------
arch/x86/kvm/svm/svm.c | 2 ++
arch/x86/kvm/vmx/vmx.c | 2 ++
4 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index eb06c2f68314..17b4e61a52b9 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1547,6 +1547,8 @@ struct kvm_x86_ops {
void (*enable_nmi_window)(struct kvm_vcpu *vcpu);
void (*enable_irq_window)(struct kvm_vcpu *vcpu);
void (*update_cr8_intercept)(struct kvm_vcpu *vcpu, int tpr, int irr);
+
+ const bool x2apic_icr_is_split;
bool (*check_apicv_inhibit_reasons)(enum kvm_apicv_inhibit reason);
void (*refresh_apicv_exec_ctrl)(struct kvm_vcpu *vcpu);
void (*hwapic_irr_update)(struct kvm_vcpu *vcpu, int max_irr);
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 7f57dce5c828..42eec987ac3d 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2315,11 +2315,25 @@ int kvm_x2apic_icr_write(struct kvm_lapic *apic, u64 data)
data &= ~APIC_ICR_BUSY;
kvm_apic_send_ipi(apic, (u32)data, (u32)(data >> 32));
- kvm_lapic_set_reg64(apic, APIC_ICR, data);
+ if (kvm_x86_ops.x2apic_icr_is_split) {
+ kvm_lapic_set_reg(apic, APIC_ICR, data);
+ kvm_lapic_set_reg(apic, APIC_ICR2, data >> 32);
+ } else {
+ kvm_lapic_set_reg64(apic, APIC_ICR, data);
+ }
trace_kvm_apic_write(APIC_ICR, data);
return 0;
}
+static u64 kvm_x2apic_icr_read(struct kvm_lapic *apic)
+{
+ if (kvm_x86_ops.x2apic_icr_is_split)
+ return (u64)kvm_lapic_get_reg(apic, APIC_ICR) |
+ (u64)kvm_lapic_get_reg(apic, APIC_ICR2) << 32;
+
+ return kvm_lapic_get_reg64(apic, APIC_ICR);
+}
+
/* emulate APIC access in a trap manner */
void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset)
{
@@ -2337,7 +2351,7 @@ void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset)
* maybe-unecessary write, and both are in the noise anyways.
*/
if (apic_x2apic_mode(apic) && offset == APIC_ICR)
- WARN_ON_ONCE(kvm_x2apic_icr_write(apic, kvm_lapic_get_reg64(apic, APIC_ICR)));
+ WARN_ON_ONCE(kvm_x2apic_icr_write(apic, kvm_x2apic_icr_read(apic)));
else
kvm_lapic_reg_write(apic, offset, kvm_lapic_get_reg(apic, offset));
}
@@ -2760,18 +2774,22 @@ static int kvm_apic_state_fixup(struct kvm_vcpu *vcpu,
/*
* In x2APIC mode, the LDR is fixed and based on the id. And
- * ICR is internally a single 64-bit register, but needs to be
- * split to ICR+ICR2 in userspace for backwards compatibility.
+ * if the ICR is _not_ split, ICR is internally a single 64-bit
+ * register, but needs to be split to ICR+ICR2 in userspace for
+ * backwards compatibility.
*/
- if (set) {
+ if (set)
*ldr = kvm_apic_calc_x2apic_ldr(*id);
- icr = __kvm_lapic_get_reg(s->regs, APIC_ICR) |
- (u64)__kvm_lapic_get_reg(s->regs, APIC_ICR2) << 32;
- __kvm_lapic_set_reg64(s->regs, APIC_ICR, icr);
- } else {
- icr = __kvm_lapic_get_reg64(s->regs, APIC_ICR);
- __kvm_lapic_set_reg(s->regs, APIC_ICR2, icr >> 32);
+ if (!kvm_x86_ops.x2apic_icr_is_split) {
+ if (set) {
+ icr = __kvm_lapic_get_reg(s->regs, APIC_ICR) |
+ (u64)__kvm_lapic_get_reg(s->regs, APIC_ICR2) << 32;
+ __kvm_lapic_set_reg64(s->regs, APIC_ICR, icr);
+ } else {
+ icr = __kvm_lapic_get_reg64(s->regs, APIC_ICR);
+ __kvm_lapic_set_reg(s->regs, APIC_ICR2, icr >> 32);
+ }
}
}
@@ -2971,7 +2989,7 @@ static int kvm_lapic_msr_read(struct kvm_lapic *apic, u32 reg, u64 *data)
u32 low;
if (reg == APIC_ICR) {
- *data = kvm_lapic_get_reg64(apic, APIC_ICR);
+ *data = kvm_x2apic_icr_read(apic);
return 0;
}
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index c95a84afc35f..b922f31d1415 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4851,6 +4851,8 @@ static struct kvm_x86_ops svm_x86_ops __initdata = {
.enable_nmi_window = svm_enable_nmi_window,
.enable_irq_window = svm_enable_irq_window,
.update_cr8_intercept = svm_update_cr8_intercept,
+
+ .x2apic_icr_is_split = true,
.set_virtual_apic_mode = avic_refresh_virtual_apic_mode,
.refresh_apicv_exec_ctrl = avic_refresh_apicv_exec_ctrl,
.check_apicv_inhibit_reasons = avic_check_apicv_inhibit_reasons,
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index fbe26b88f731..9a5cb896229f 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -8202,6 +8202,8 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
.enable_nmi_window = vmx_enable_nmi_window,
.enable_irq_window = vmx_enable_irq_window,
.update_cr8_intercept = vmx_update_cr8_intercept,
+
+ .x2apic_icr_is_split = false,
.set_virtual_apic_mode = vmx_set_virtual_apic_mode,
.set_apic_access_page_addr = vmx_set_apic_access_page_addr,
.refresh_apicv_exec_ctrl = vmx_refresh_apicv_exec_ctrl,
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 029/482] KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 028/482] KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC) Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 030/482] KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID Greg Kroah-Hartman
` (461 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Gao, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 76bce9f10162cd4b36ac0b7889649b22baf70ebd ]
Pass the target vCPU to the hwapic_isr_update() vendor hook so that VMX
can defer the update until after nested VM-Exit if an EOI for L1's vAPIC
occurs while L2 is active.
Note, commit d39850f57d21 ("KVM: x86: Drop @vcpu parameter from
kvm_x86_ops.hwapic_isr_update()") removed the parameter with the
justification that doing so "allows for a decent amount of (future)
cleanup in the APIC code", but it's not at all clear what cleanup was
intended, or if it was ever realized.
No functional change intended.
Cc: stable@vger.kernel.org
Reviewed-by: Chao Gao <chao.gao@intel.com>
Tested-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20241128000010.4051275-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: account for lack of kvm_x86_call(), drop vmx/x86_ops.h change]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/lapic.c | 8 ++++----
arch/x86/kvm/vmx/vmx.c | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 17b4e61a52b9..6db42ee82032 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1552,7 +1552,7 @@ struct kvm_x86_ops {
bool (*check_apicv_inhibit_reasons)(enum kvm_apicv_inhibit reason);
void (*refresh_apicv_exec_ctrl)(struct kvm_vcpu *vcpu);
void (*hwapic_irr_update)(struct kvm_vcpu *vcpu, int max_irr);
- void (*hwapic_isr_update)(int isr);
+ void (*hwapic_isr_update)(struct kvm_vcpu *vcpu, int isr);
bool (*guest_apic_has_interrupt)(struct kvm_vcpu *vcpu);
void (*load_eoi_exitmap)(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap);
void (*set_virtual_apic_mode)(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 42eec987ac3d..3d65d6a023c9 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -587,7 +587,7 @@ static inline void apic_set_isr(int vec, struct kvm_lapic *apic)
* just set SVI.
*/
if (unlikely(apic->apicv_active))
- static_call_cond(kvm_x86_hwapic_isr_update)(vec);
+ static_call_cond(kvm_x86_hwapic_isr_update)(apic->vcpu, vec);
else {
++apic->isr_count;
BUG_ON(apic->isr_count > MAX_APIC_VECTOR);
@@ -632,7 +632,7 @@ static inline void apic_clear_isr(int vec, struct kvm_lapic *apic)
* and must be left alone.
*/
if (unlikely(apic->apicv_active))
- static_call_cond(kvm_x86_hwapic_isr_update)(apic_find_highest_isr(apic));
+ static_call_cond(kvm_x86_hwapic_isr_update)(apic->vcpu, apic_find_highest_isr(apic));
else {
--apic->isr_count;
BUG_ON(apic->isr_count < 0);
@@ -2554,7 +2554,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu, bool init_event)
if (apic->apicv_active) {
static_call_cond(kvm_x86_apicv_post_state_restore)(vcpu);
static_call_cond(kvm_x86_hwapic_irr_update)(vcpu, -1);
- static_call_cond(kvm_x86_hwapic_isr_update)(-1);
+ static_call_cond(kvm_x86_hwapic_isr_update)(vcpu, -1);
}
vcpu->arch.apic_arb_prio = 0;
@@ -2847,7 +2847,7 @@ int kvm_apic_set_state(struct kvm_vcpu *vcpu, struct kvm_lapic_state *s)
if (apic->apicv_active) {
static_call_cond(kvm_x86_apicv_post_state_restore)(vcpu);
static_call_cond(kvm_x86_hwapic_irr_update)(vcpu, apic_find_highest_irr(apic));
- static_call_cond(kvm_x86_hwapic_isr_update)(apic_find_highest_isr(apic));
+ static_call_cond(kvm_x86_hwapic_isr_update)(vcpu, apic_find_highest_isr(apic));
}
kvm_make_request(KVM_REQ_EVENT, vcpu);
if (ioapic_in_kernel(vcpu->kvm))
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 9a5cb896229f..721ba6ddb121 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6708,7 +6708,7 @@ static void vmx_set_apic_access_page_addr(struct kvm_vcpu *vcpu)
put_page(page);
}
-static void vmx_hwapic_isr_update(int max_isr)
+static void vmx_hwapic_isr_update(struct kvm_vcpu *vcpu, int max_isr)
{
u16 status;
u8 old;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 030/482] KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 029/482] KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 031/482] KVM: x86: Snapshot the hosts DEBUGCTL in common x86 Greg Kroah-Hartman
` (460 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markku Ahvenjärvi,
Janne Karhunen, Chao Gao, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Gao <chao.gao@intel.com>
[ Upstream commit 04bc93cf49d16d01753b95ddb5d4f230b809a991 ]
If KVM emulates an EOI for L1's virtual APIC while L2 is active, defer
updating GUEST_INTERUPT_STATUS.SVI, i.e. the VMCS's cache of the highest
in-service IRQ, until L1 is active, as vmcs01, not vmcs02, needs to track
vISR. The missed SVI update for vmcs01 can result in L1 interrupts being
incorrectly blocked, e.g. if there is a pending interrupt with lower
priority than the interrupt that was EOI'd.
This bug only affects use cases where L1's vAPIC is effectively passed
through to L2, e.g. in a pKVM scenario where L2 is L1's depriveleged host,
as KVM will only emulate an EOI for L1's vAPIC if Virtual Interrupt
Delivery (VID) is disabled in vmc12, and L1 isn't intercepting L2 accesses
to its (virtual) APIC page (or if x2APIC is enabled, the EOI MSR).
WARN() if KVM updates L1's ISR while L2 is active with VID enabled, as an
EOI from L2 is supposed to affect L2's vAPIC, but still defer the update,
to try to keep L1 alive. Specifically, KVM forwards all APICv-related
VM-Exits to L1 via nested_vmx_l1_wants_exit():
case EXIT_REASON_APIC_ACCESS:
case EXIT_REASON_APIC_WRITE:
case EXIT_REASON_EOI_INDUCED:
/*
* The controls for "virtualize APIC accesses," "APIC-
* register virtualization," and "virtual-interrupt
* delivery" only come from vmcs12.
*/
return true;
Fixes: c7c9c56ca26f ("x86, apicv: add virtual interrupt delivery support")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/kvm/20230312180048.1778187-1-jason.cj.chen@intel.com
Reported-by: Markku Ahvenjärvi <mankku@gmail.com>
Closes: https://lore.kernel.org/all/20240920080012.74405-1-mankku@gmail.com
Cc: Janne Karhunen <janne.karhunen@gmail.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
[sean: drop request, handle in VMX, write changelog]
Tested-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20241128000010.4051275-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: resolve minor syntactic conflict in lapic.h, account for lack of
kvm_x86_call(), drop sanity check due to lack of wants_to_run]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/lapic.c | 11 +++++++++++
arch/x86/kvm/lapic.h | 1 +
arch/x86/kvm/vmx/nested.c | 5 +++++
arch/x86/kvm/vmx/vmx.c | 16 ++++++++++++++++
arch/x86/kvm/vmx/vmx.h | 1 +
5 files changed, 34 insertions(+)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 3d65d6a023c9..9aae76b74417 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -640,6 +640,17 @@ static inline void apic_clear_isr(int vec, struct kvm_lapic *apic)
}
}
+void kvm_apic_update_hwapic_isr(struct kvm_vcpu *vcpu)
+{
+ struct kvm_lapic *apic = vcpu->arch.apic;
+
+ if (WARN_ON_ONCE(!lapic_in_kernel(vcpu)) || !apic->apicv_active)
+ return;
+
+ static_call(kvm_x86_hwapic_isr_update)(vcpu, apic_find_highest_isr(apic));
+}
+EXPORT_SYMBOL_GPL(kvm_apic_update_hwapic_isr);
+
int kvm_lapic_find_highest_irr(struct kvm_vcpu *vcpu)
{
/* This may race with setting of irr in __apic_accept_irq() and
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index a5ac4a5a5179..e5d2dc58fcf8 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -122,6 +122,7 @@ int kvm_set_apic_base(struct kvm_vcpu *vcpu, struct msr_data *msr_info);
int kvm_apic_get_state(struct kvm_vcpu *vcpu, struct kvm_lapic_state *s);
int kvm_apic_set_state(struct kvm_vcpu *vcpu, struct kvm_lapic_state *s);
enum lapic_mode kvm_get_apic_mode(struct kvm_vcpu *vcpu);
+void kvm_apic_update_hwapic_isr(struct kvm_vcpu *vcpu);
int kvm_lapic_find_highest_irr(struct kvm_vcpu *vcpu);
u64 kvm_get_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 8052f8b7d8e1..d55f7edc0860 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4839,6 +4839,11 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason,
kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
}
+ if (vmx->nested.update_vmcs01_hwapic_isr) {
+ vmx->nested.update_vmcs01_hwapic_isr = false;
+ kvm_apic_update_hwapic_isr(vcpu);
+ }
+
if ((vm_exit_reason != -1) &&
(enable_shadow_vmcs || evmptr_is_valid(vmx->nested.hv_evmcs_vmptr)))
vmx->nested.need_vmcs12_to_shadow_sync = true;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 721ba6ddb121..7b87fbc69b21 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6713,6 +6713,22 @@ static void vmx_hwapic_isr_update(struct kvm_vcpu *vcpu, int max_isr)
u16 status;
u8 old;
+ /*
+ * If L2 is active, defer the SVI update until vmcs01 is loaded, as SVI
+ * is only relevant for if and only if Virtual Interrupt Delivery is
+ * enabled in vmcs12, and if VID is enabled then L2 EOIs affect L2's
+ * vAPIC, not L1's vAPIC. KVM must update vmcs01 on the next nested
+ * VM-Exit, otherwise L1 with run with a stale SVI.
+ */
+ if (is_guest_mode(vcpu)) {
+ /*
+ * KVM is supposed to forward intercepted L2 EOIs to L1 if VID
+ * is enabled in vmcs12; as above, the EOIs affect L2's vAPIC.
+ */
+ to_vmx(vcpu)->nested.update_vmcs01_hwapic_isr = true;
+ return;
+ }
+
if (max_isr == -1)
max_isr = 0;
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 9e0bb98b116d..8b4b149bd9c1 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -189,6 +189,7 @@ struct nested_vmx {
bool reload_vmcs01_apic_access_page;
bool update_vmcs01_cpu_dirty_logging;
bool update_vmcs01_apicv_status;
+ bool update_vmcs01_hwapic_isr;
/*
* Enlightened VMCS has been enabled. It does not mean that L1 has to
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 031/482] KVM: x86: Snapshot the hosts DEBUGCTL in common x86
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 030/482] KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 032/482] KVM: x86: Snapshot the hosts DEBUGCTL after disabling IRQs Greg Kroah-Hartman
` (459 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoyao Li, Sean Christopherson,
Sasha Levin, Ravi Bangoria
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit fb71c795935652fa20eaf9517ca9547f5af99a76 ]
Move KVM's snapshot of DEBUGCTL to kvm_vcpu_arch and take the snapshot in
common x86, so that SVM can also use the snapshot.
Opportunistically change the field to a u64. While bits 63:32 are reserved
on AMD, not mentioned at all in Intel's SDM, and managed as an "unsigned
long" by the kernel, DEBUGCTL is an MSR and therefore a 64-bit value.
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: stable@vger.kernel.org
Reviewed-and-tested-by: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lore.kernel.org/r/20250227222411.3490595-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: resolve minor syntatic conflict in vmx_vcpu_load()]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kvm/vmx/vmx.c | 8 ++------
arch/x86/kvm/vmx/vmx.h | 2 --
arch/x86/kvm/x86.c | 1 +
4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 6db42ee82032..555c7bf35e28 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -677,6 +677,7 @@ struct kvm_vcpu_arch {
u32 pkru;
u32 hflags;
u64 efer;
+ u64 host_debugctl;
u64 apic_base;
struct kvm_lapic *apic; /* kernel irqchip context */
bool load_eoi_exitmap_pending;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 7b87fbc69b21..c24da2cff208 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1418,13 +1418,9 @@ void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu,
*/
static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
{
- struct vcpu_vmx *vmx = to_vmx(vcpu);
-
vmx_vcpu_load_vmcs(vcpu, cpu, NULL);
vmx_vcpu_pi_load(vcpu, cpu);
-
- vmx->host_debugctlmsr = get_debugctlmsr();
}
static void vmx_vcpu_put(struct kvm_vcpu *vcpu)
@@ -7275,8 +7271,8 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu)
}
/* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
- if (vmx->host_debugctlmsr)
- update_debugctlmsr(vmx->host_debugctlmsr);
+ if (vcpu->arch.host_debugctl)
+ update_debugctlmsr(vcpu->arch.host_debugctl);
#ifndef CONFIG_X86_64
/*
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 8b4b149bd9c1..357819872d80 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -352,8 +352,6 @@ struct vcpu_vmx {
/* apic deadline value in host tsc */
u64 hv_deadline_tsc;
- unsigned long host_debugctlmsr;
-
/*
* Only bits masked by msr_ia32_feature_control_valid_bits can be set in
* msr_ia32_feature_control. FEAT_CTL_LOCKED is always included
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a6dc8f662fa4..ba24bb50af57 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4742,6 +4742,7 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
/* Save host pkru register if supported */
vcpu->arch.host_pkru = read_pkru();
+ vcpu->arch.host_debugctl = get_debugctlmsr();
/* Apply any externally detected TSC adjustments (due to suspend) */
if (unlikely(vcpu->arch.tsc_offset_adjustment)) {
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 032/482] KVM: x86: Snapshot the hosts DEBUGCTL after disabling IRQs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 031/482] KVM: x86: Snapshot the hosts DEBUGCTL in common x86 Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 033/482] KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs Greg Kroah-Hartman
` (458 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin,
Ravi Bangoria
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 189ecdb3e112da703ac0699f4ec76aa78122f911 ]
Snapshot the host's DEBUGCTL after disabling IRQs, as perf can toggle
debugctl bits from IRQ context, e.g. when enabling/disabling events via
smp_call_function_single(). Taking the snapshot (long) before IRQs are
disabled could result in KVM effectively clobbering DEBUGCTL due to using
a stale snapshot.
Cc: stable@vger.kernel.org
Reviewed-and-tested-by: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lore.kernel.org/r/20250227222411.3490595-6-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ba24bb50af57..b0ae61ba9b99 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4742,7 +4742,6 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
/* Save host pkru register if supported */
vcpu->arch.host_pkru = read_pkru();
- vcpu->arch.host_debugctl = get_debugctlmsr();
/* Apply any externally detected TSC adjustments (due to suspend) */
if (unlikely(vcpu->arch.tsc_offset_adjustment)) {
@@ -10851,6 +10850,8 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
set_debugreg(0, 7);
}
+ vcpu->arch.host_debugctl = get_debugctlmsr();
+
guest_timing_enter_irqoff();
for (;;) {
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 033/482] KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 032/482] KVM: x86: Snapshot the hosts DEBUGCTL after disabling IRQs Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 034/482] KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint Greg Kroah-Hartman
` (457 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Lewis, Vitaly Kuznetsov,
Sasha Levin, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit e76ae52747a82a548742107b4100e90da41a624d ]
Add helpers to print unimplemented MSR accesses and condition all such
prints on report_ignored_msrs, i.e. honor userspace's request to not
print unimplemented MSRs. Even though vcpu_unimpl() is ratelimited,
printing can still be problematic, e.g. if a print gets stalled when host
userspace is writing MSRs during live migration, an effective stall can
result in very noticeable disruption in the guest.
E.g. the profile below was taken while calling KVM_SET_MSRS on the PMU
counters while the PMU was disabled in KVM.
- 99.75% 0.00% [.] __ioctl
- __ioctl
- 99.74% entry_SYSCALL_64_after_hwframe
do_syscall_64
sys_ioctl
- do_vfs_ioctl
- 92.48% kvm_vcpu_ioctl
- kvm_arch_vcpu_ioctl
- 85.12% kvm_set_msr_ignored_check
svm_set_msr
kvm_set_msr_common
printk
vprintk_func
vprintk_default
vprintk_emit
console_unlock
call_console_drivers
univ8250_console_write
serial8250_console_write
uart_console_write
Reported-by: Aaron Lewis <aaronlewis@google.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20230124234905.3774678-3-seanjc@google.com
Stable-dep-of: 7d0cce6cbe71 ("KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/hyperv.c | 10 ++++------
arch/x86/kvm/svm/svm.c | 5 ++---
arch/x86/kvm/vmx/vmx.c | 4 +---
arch/x86/kvm/x86.c | 18 +++++-------------
arch/x86/kvm/x86.h | 12 ++++++++++++
5 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index 28555bbd52e8..cb0a531e13c5 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -1406,8 +1406,7 @@ static int kvm_hv_set_msr_pw(struct kvm_vcpu *vcpu, u32 msr, u64 data,
case HV_X64_MSR_SYNDBG_CONTROL ... HV_X64_MSR_SYNDBG_PENDING_BUFFER:
return syndbg_set_msr(vcpu, msr, data, host);
default:
- vcpu_unimpl(vcpu, "Hyper-V unhandled wrmsr: 0x%x data 0x%llx\n",
- msr, data);
+ kvm_pr_unimpl_wrmsr(vcpu, msr, data);
return 1;
}
return 0;
@@ -1528,8 +1527,7 @@ static int kvm_hv_set_msr(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host)
return 1;
break;
default:
- vcpu_unimpl(vcpu, "Hyper-V unhandled wrmsr: 0x%x data 0x%llx\n",
- msr, data);
+ kvm_pr_unimpl_wrmsr(vcpu, msr, data);
return 1;
}
@@ -1581,7 +1579,7 @@ static int kvm_hv_get_msr_pw(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata,
case HV_X64_MSR_SYNDBG_CONTROL ... HV_X64_MSR_SYNDBG_PENDING_BUFFER:
return syndbg_get_msr(vcpu, msr, pdata, host);
default:
- vcpu_unimpl(vcpu, "Hyper-V unhandled rdmsr: 0x%x\n", msr);
+ kvm_pr_unimpl_rdmsr(vcpu, msr);
return 1;
}
@@ -1646,7 +1644,7 @@ static int kvm_hv_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata,
data = APIC_BUS_FREQUENCY;
break;
default:
- vcpu_unimpl(vcpu, "Hyper-V unhandled rdmsr: 0x%x\n", msr);
+ kvm_pr_unimpl_rdmsr(vcpu, msr);
return 1;
}
*pdata = data;
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index b922f31d1415..2c0f9c7d1242 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3035,8 +3035,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
break;
case MSR_IA32_DEBUGCTLMSR:
if (!lbrv) {
- vcpu_unimpl(vcpu, "%s: MSR_IA32_DEBUGCTL 0x%llx, nop\n",
- __func__, data);
+ kvm_pr_unimpl_wrmsr(vcpu, ecx, data);
break;
}
@@ -3077,7 +3076,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
case MSR_VM_CR:
return svm_set_vm_cr(vcpu, data);
case MSR_VM_IGNNE:
- vcpu_unimpl(vcpu, "unimplemented wrmsr: 0x%x data 0x%llx\n", ecx, data);
+ kvm_pr_unimpl_wrmsr(vcpu, ecx, data);
break;
case MSR_AMD64_DE_CFG: {
struct kvm_msr_entry msr_entry;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index c24da2cff208..390af16d9a67 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2140,9 +2140,7 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
invalid = data & ~vmx_get_supported_debugctl(vcpu, msr_info->host_initiated);
if (invalid & (DEBUGCTLMSR_BTF|DEBUGCTLMSR_LBR)) {
- if (report_ignored_msrs)
- vcpu_unimpl(vcpu, "%s: BTF|LBR in IA32_DEBUGCTLMSR 0x%llx, nop\n",
- __func__, data);
+ kvm_pr_unimpl_wrmsr(vcpu, msr_index, data);
data &= ~(DEBUGCTLMSR_BTF|DEBUGCTLMSR_LBR);
invalid &= ~(DEBUGCTLMSR_BTF|DEBUGCTLMSR_LBR);
}
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index b0ae61ba9b99..d224180c56f5 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3573,7 +3573,6 @@ static void record_steal_time(struct kvm_vcpu *vcpu)
int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
- bool pr = false;
u32 msr = msr_info->index;
u64 data = msr_info->data;
@@ -3625,15 +3624,13 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
if (data == BIT_ULL(18)) {
vcpu->arch.msr_hwcr = data;
} else if (data != 0) {
- vcpu_unimpl(vcpu, "unimplemented HWCR wrmsr: 0x%llx\n",
- data);
+ kvm_pr_unimpl_wrmsr(vcpu, msr, data);
return 1;
}
break;
case MSR_FAM10H_MMIO_CONF_BASE:
if (data != 0) {
- vcpu_unimpl(vcpu, "unimplemented MMIO_CONF_BASE wrmsr: "
- "0x%llx\n", data);
+ kvm_pr_unimpl_wrmsr(vcpu, msr, data);
return 1;
}
break;
@@ -3813,16 +3810,13 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
case MSR_K7_PERFCTR0 ... MSR_K7_PERFCTR3:
case MSR_P6_PERFCTR0 ... MSR_P6_PERFCTR1:
- pr = true;
- fallthrough;
case MSR_K7_EVNTSEL0 ... MSR_K7_EVNTSEL3:
case MSR_P6_EVNTSEL0 ... MSR_P6_EVNTSEL1:
if (kvm_pmu_is_valid_msr(vcpu, msr))
return kvm_pmu_set_msr(vcpu, msr_info);
- if (pr || data != 0)
- vcpu_unimpl(vcpu, "disabled perfctr wrmsr: "
- "0x%x data 0x%llx\n", msr, data);
+ if (data)
+ kvm_pr_unimpl_wrmsr(vcpu, msr, data);
break;
case MSR_K7_CLK_CTL:
/*
@@ -3849,9 +3843,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
/* Drop writes to this legacy MSR -- see rdmsr
* counterpart for further detail.
*/
- if (report_ignored_msrs)
- vcpu_unimpl(vcpu, "ignored wrmsr: 0x%x data 0x%llx\n",
- msr, data);
+ kvm_pr_unimpl_wrmsr(vcpu, msr, data);
break;
case MSR_AMD64_OSVW_ID_LENGTH:
if (!guest_cpuid_has(vcpu, X86_FEATURE_OSVW))
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index 9de72586f406..f3554bf05201 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -331,6 +331,18 @@ extern bool report_ignored_msrs;
extern bool eager_page_split;
+static inline void kvm_pr_unimpl_wrmsr(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+{
+ if (report_ignored_msrs)
+ vcpu_unimpl(vcpu, "Unhandled WRMSR(0x%x) = 0x%llx\n", msr, data);
+}
+
+static inline void kvm_pr_unimpl_rdmsr(struct kvm_vcpu *vcpu, u32 msr)
+{
+ if (report_ignored_msrs)
+ vcpu_unimpl(vcpu, "Unhandled RDMSR(0x%x)\n", msr);
+}
+
static inline u64 nsec_to_cycles(struct kvm_vcpu *vcpu, u64 nsec)
{
return pvclock_scale_delta(nsec, vcpu->arch.virtual_tsc_mult,
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 034/482] KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 033/482] KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 035/482] KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits Greg Kroah-Hartman
` (456 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 9c9025ea003a03f967affd690f39b4ef3452c0f5 ]
Annotate the kvm_entry() tracepoint with "immediate exit" when KVM is
forcing a VM-Exit immediately after VM-Enter, e.g. when KVM wants to
inject an event but needs to first complete some other operation.
Knowing that KVM is (or isn't) forcing an exit is useful information when
debugging issues related to event injection.
Suggested-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20240110012705.506918-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm_host.h | 3 ++-
arch/x86/kvm/svm/svm.c | 5 +++--
arch/x86/kvm/trace.h | 9 ++++++---
arch/x86/kvm/vmx/vmx.c | 4 ++--
arch/x86/kvm/x86.c | 2 +-
5 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 555c7bf35e28..93f523762854 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1528,7 +1528,8 @@ struct kvm_x86_ops {
void (*flush_tlb_guest)(struct kvm_vcpu *vcpu);
int (*vcpu_pre_run)(struct kvm_vcpu *vcpu);
- enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu);
+ enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu,
+ bool force_immediate_exit);
int (*handle_exit)(struct kvm_vcpu *vcpu,
enum exit_fastpath_completion exit_fastpath);
int (*skip_emulated_instruction)(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 2c0f9c7d1242..b4283c2358a6 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4005,12 +4005,13 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vcpu *vcpu, bool spec_ctrl_in
guest_state_exit_irqoff();
}
-static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu)
+static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu,
+ bool force_immediate_exit)
{
struct vcpu_svm *svm = to_svm(vcpu);
bool spec_ctrl_intercepted = msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL);
- trace_kvm_entry(vcpu);
+ trace_kvm_entry(vcpu, force_immediate_exit);
svm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];
svm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];
diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 6c1dcf44c4fa..ab407bc00d84 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -15,20 +15,23 @@
* Tracepoint for guest mode entry.
*/
TRACE_EVENT(kvm_entry,
- TP_PROTO(struct kvm_vcpu *vcpu),
- TP_ARGS(vcpu),
+ TP_PROTO(struct kvm_vcpu *vcpu, bool force_immediate_exit),
+ TP_ARGS(vcpu, force_immediate_exit),
TP_STRUCT__entry(
__field( unsigned int, vcpu_id )
__field( unsigned long, rip )
+ __field( bool, immediate_exit )
),
TP_fast_assign(
__entry->vcpu_id = vcpu->vcpu_id;
__entry->rip = kvm_rip_read(vcpu);
+ __entry->immediate_exit = force_immediate_exit;
),
- TP_printk("vcpu %u, rip 0x%lx", __entry->vcpu_id, __entry->rip)
+ TP_printk("vcpu %u, rip 0x%lx%s", __entry->vcpu_id, __entry->rip,
+ __entry->immediate_exit ? "[immediate exit]" : "")
);
/*
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 390af16d9a67..0b495979a02b 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7171,7 +7171,7 @@ static noinstr void vmx_vcpu_enter_exit(struct kvm_vcpu *vcpu,
guest_state_exit_irqoff();
}
-static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu)
+static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
unsigned long cr3, cr4;
@@ -7198,7 +7198,7 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu)
return EXIT_FASTPATH_NONE;
}
- trace_kvm_entry(vcpu);
+ trace_kvm_entry(vcpu, force_immediate_exit);
if (vmx->ple_window_dirty) {
vmx->ple_window_dirty = false;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index d224180c56f5..08c3da88f402 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -10856,7 +10856,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
WARN_ON_ONCE((kvm_vcpu_apicv_activated(vcpu) != kvm_vcpu_apicv_active(vcpu)) &&
(kvm_get_apic_mode(vcpu) != LAPIC_MODE_DISABLED));
- exit_fastpath = static_call(kvm_x86_vcpu_run)(vcpu);
+ exit_fastpath = static_call(kvm_x86_vcpu_run)(vcpu, req_immediate_exit);
if (likely(exit_fastpath != EXIT_FASTPATH_REENTER_GUEST))
break;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 035/482] KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 034/482] KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 036/482] KVM: VMX: Handle forced exit due to preemption timer in fastpath Greg Kroah-Hartman
` (455 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit e6b5d16bbd2d4c8259ad76aa33de80d561aba5f9 ]
Re-enter the guest in the fast path if VMX preeemption timer VM-Exit was
"spurious", i.e. if KVM "soft disabled" the timer by writing -1u and by
some miracle the timer expired before any other VM-Exit occurred. This is
just an intermediate step to cleaning up the preemption timer handling,
optimizing these types of spurious VM-Exits is not interesting as they are
extremely rare/infrequent.
Link: https://lore.kernel.org/r/20240110012705.506918-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/vmx.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 0b495979a02b..96bbccd9477c 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5933,8 +5933,15 @@ static fastpath_t handle_fastpath_preemption_timer(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
- if (!vmx->req_immediate_exit &&
- !unlikely(vmx->loaded_vmcs->hv_timer_soft_disabled)) {
+ /*
+ * In the *extremely* unlikely scenario that this is a spurious VM-Exit
+ * due to the timer expiring while it was "soft" disabled, just eat the
+ * exit and re-enter the guest.
+ */
+ if (unlikely(vmx->loaded_vmcs->hv_timer_soft_disabled))
+ return EXIT_FASTPATH_REENTER_GUEST;
+
+ if (!vmx->req_immediate_exit) {
kvm_lapic_expired_hv_timer(vcpu);
return EXIT_FASTPATH_REENTER_GUEST;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 036/482] KVM: VMX: Handle forced exit due to preemption timer in fastpath
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 035/482] KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 037/482] KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers Greg Kroah-Hartman
` (454 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 11776aa0cfa7d007ad1799b1553bdcbd830e5010 ]
Handle VMX preemption timer VM-Exits due to KVM forcing an exit in the
exit fastpath, i.e. avoid calling back into handle_preemption_timer() for
the same exit. There is no work to be done for forced exits, as the name
suggests the goal is purely to get control back in KVM.
In addition to shaving a few cycles, this will allow cleanly separating
handle_fastpath_preemption_timer() from handle_preemption_timer(), e.g.
it's not immediately obvious why _apparently_ calling
handle_fastpath_preemption_timer() twice on a "slow" exit is necessary:
the "slow" call is necessary to handle exits from L2, which are excluded
from the fastpath by vmx_vcpu_run().
Link: https://lore.kernel.org/r/20240110012705.506918-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/vmx.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 96bbccd9477c..c804ad001a79 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5941,12 +5941,15 @@ static fastpath_t handle_fastpath_preemption_timer(struct kvm_vcpu *vcpu)
if (unlikely(vmx->loaded_vmcs->hv_timer_soft_disabled))
return EXIT_FASTPATH_REENTER_GUEST;
- if (!vmx->req_immediate_exit) {
- kvm_lapic_expired_hv_timer(vcpu);
- return EXIT_FASTPATH_REENTER_GUEST;
- }
+ /*
+ * If the timer expired because KVM used it to force an immediate exit,
+ * then mission accomplished.
+ */
+ if (vmx->req_immediate_exit)
+ return EXIT_FASTPATH_EXIT_HANDLED;
- return EXIT_FASTPATH_NONE;
+ kvm_lapic_expired_hv_timer(vcpu);
+ return EXIT_FASTPATH_REENTER_GUEST;
}
static int handle_preemption_timer(struct kvm_vcpu *vcpu)
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 037/482] KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 036/482] KVM: VMX: Handle forced exit due to preemption timer in fastpath Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 038/482] KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2 Greg Kroah-Hartman
` (453 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit bf1a49436ea37b98dd2f37c57608951d0e28eecc ]
Let the fastpath code decide which exits can/can't be handled in the
fastpath when L2 is active, e.g. when KVM generates a VMX preemption
timer exit to forcefully regain control, there is no "work" to be done and
so such exits can be handled in the fastpath regardless of whether L1 or
L2 is active.
Moving the is_guest_mode() check into the fastpath code also makes it
easier to see that L2 isn't allowed to use the fastpath in most cases,
e.g. it's not immediately obvious why handle_fastpath_preemption_timer()
is called from the fastpath and the normal path.
Link: https://lore.kernel.org/r/20240110012705.506918-5-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: resolve syntactic conflict in svm_exit_handlers_fastpath()]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/svm/svm.c | 6 +++---
arch/x86/kvm/vmx/vmx.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index b4283c2358a6..337a304d211b 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3964,6 +3964,9 @@ static fastpath_t svm_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
{
struct vmcb_control_area *control = &to_svm(vcpu)->vmcb->control;
+ if (is_guest_mode(vcpu))
+ return EXIT_FASTPATH_NONE;
+
/*
* Note, the next RIP must be provided as SRCU isn't held, i.e. KVM
* can't read guest memory (dereference memslots) to decode the WRMSR.
@@ -4127,9 +4130,6 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu,
svm_complete_interrupts(vcpu);
- if (is_guest_mode(vcpu))
- return EXIT_FASTPATH_NONE;
-
return svm_exit_handlers_fastpath(vcpu);
}
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index c804ad001a79..18ceed9046a9 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7138,6 +7138,9 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx,
static fastpath_t vmx_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
{
+ if (is_guest_mode(vcpu))
+ return EXIT_FASTPATH_NONE;
+
switch (to_vmx(vcpu)->exit_reason.basic) {
case EXIT_REASON_MSR_WRITE:
return handle_fastpath_set_msr_irqoff(vcpu);
@@ -7337,9 +7340,6 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
vmx_recover_nmi_blocking(vmx);
vmx_complete_interrupts(vmx);
- if (is_guest_mode(vcpu))
- return EXIT_FASTPATH_NONE;
-
return vmx_exit_handlers_fastpath(vcpu);
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 038/482] KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 037/482] KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 039/482] KVM: x86: Fully defer to vendor code to decide how to force immediate exit Greg Kroah-Hartman
` (452 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 7b3d1bbf8d68d76fb21210932a5e8ed8ea80dbcc ]
Eat VMX treemption timer exits in the fastpath regardless of whether L1 or
L2 is active. The VM-Exit is 100% KVM-induced, i.e. there is nothing
directly related to the exit that KVM needs to do on behalf of the guest,
thus there is no reason to wait until the slow path to do nothing.
Opportunistically add comments explaining why preemption timer exits for
emulating the guest's APIC timer need to go down the slow path.
Link: https://lore.kernel.org/r/20240110012705.506918-6-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/vmx.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 18ceed9046a9..4db9d41d988c 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5948,13 +5948,26 @@ static fastpath_t handle_fastpath_preemption_timer(struct kvm_vcpu *vcpu)
if (vmx->req_immediate_exit)
return EXIT_FASTPATH_EXIT_HANDLED;
+ /*
+ * If L2 is active, go down the slow path as emulating the guest timer
+ * expiration likely requires synthesizing a nested VM-Exit.
+ */
+ if (is_guest_mode(vcpu))
+ return EXIT_FASTPATH_NONE;
+
kvm_lapic_expired_hv_timer(vcpu);
return EXIT_FASTPATH_REENTER_GUEST;
}
static int handle_preemption_timer(struct kvm_vcpu *vcpu)
{
- handle_fastpath_preemption_timer(vcpu);
+ /*
+ * This non-fastpath handler is reached if and only if the preemption
+ * timer was being used to emulate a guest timer while L2 is active.
+ * All other scenarios are supposed to be handled in the fastpath.
+ */
+ WARN_ON_ONCE(!is_guest_mode(vcpu));
+ kvm_lapic_expired_hv_timer(vcpu);
return 1;
}
@@ -7138,7 +7151,12 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx,
static fastpath_t vmx_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
{
- if (is_guest_mode(vcpu))
+ /*
+ * If L2 is active, some VMX preemption timer exits can be handled in
+ * the fastpath even, all other exits must use the slow path.
+ */
+ if (is_guest_mode(vcpu) &&
+ to_vmx(vcpu)->exit_reason.basic != EXIT_REASON_PREEMPTION_TIMER)
return EXIT_FASTPATH_NONE;
switch (to_vmx(vcpu)->exit_reason.basic) {
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 039/482] KVM: x86: Fully defer to vendor code to decide how to force immediate exit
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 038/482] KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2 Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 040/482] KVM: x86: Convert vcpu_run()s immediate exit param into a generic bitmap Greg Kroah-Hartman
` (451 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 0ec3d6d1f169baa7fc512ae4b78d17e7c94b7763 ]
Now that vmx->req_immediate_exit is used only in the scope of
vmx_vcpu_run(), use force_immediate_exit to detect that KVM should usurp
the VMX preemption to force a VM-Exit and let vendor code fully handle
forcing a VM-Exit.
Opportunsitically drop __kvm_request_immediate_exit() and just have
vendor code call smp_send_reschedule() directly. SVM already does this
when injecting an event while also trying to single-step an IRET, i.e.
it's not exactly secret knowledge that KVM uses a reschedule IPI to force
an exit.
Link: https://lore.kernel.org/r/20240110012705.506918-7-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: resolve absurd conflict due to funky kvm_x86_ops.sched_in prototype]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm-x86-ops.h | 1 -
arch/x86/include/asm/kvm_host.h | 3 ---
arch/x86/kvm/svm/svm.c | 7 ++++---
arch/x86/kvm/vmx/vmx.c | 32 +++++++++++++-----------------
arch/x86/kvm/vmx/vmx.h | 2 --
arch/x86/kvm/x86.c | 10 +---------
6 files changed, 19 insertions(+), 36 deletions(-)
diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h
index 29bef25ac77c..0e5ae3b0c867 100644
--- a/arch/x86/include/asm/kvm-x86-ops.h
+++ b/arch/x86/include/asm/kvm-x86-ops.h
@@ -100,7 +100,6 @@ KVM_X86_OP(write_tsc_multiplier)
KVM_X86_OP(get_exit_info)
KVM_X86_OP(check_intercept)
KVM_X86_OP(handle_exit_irqoff)
-KVM_X86_OP(request_immediate_exit)
KVM_X86_OP(sched_in)
KVM_X86_OP_OPTIONAL(update_cpu_dirty_logging)
KVM_X86_OP_OPTIONAL(vcpu_blocking)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 93f523762854..86f3bd6601e7 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1590,8 +1590,6 @@ struct kvm_x86_ops {
struct x86_exception *exception);
void (*handle_exit_irqoff)(struct kvm_vcpu *vcpu);
- void (*request_immediate_exit)(struct kvm_vcpu *vcpu);
-
void (*sched_in)(struct kvm_vcpu *kvm, int cpu);
/*
@@ -2059,7 +2057,6 @@ extern bool kvm_find_async_pf_gfn(struct kvm_vcpu *vcpu, gfn_t gfn);
int kvm_skip_emulated_instruction(struct kvm_vcpu *vcpu);
int kvm_complete_insn_gp(struct kvm_vcpu *vcpu, int err);
-void __kvm_request_immediate_exit(struct kvm_vcpu *vcpu);
void __user *__x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa,
u32 size);
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 337a304d211b..12de50db401f 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4033,9 +4033,12 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu,
* is enough to force an immediate vmexit.
*/
disable_nmi_singlestep(svm);
- smp_send_reschedule(vcpu->cpu);
+ force_immediate_exit = true;
}
+ if (force_immediate_exit)
+ smp_send_reschedule(vcpu->cpu);
+
pre_svm_run(vcpu);
sync_lapic_to_cr8(vcpu);
@@ -4874,8 +4877,6 @@ static struct kvm_x86_ops svm_x86_ops __initdata = {
.check_intercept = svm_check_intercept,
.handle_exit_irqoff = svm_handle_exit_irqoff,
- .request_immediate_exit = __kvm_request_immediate_exit,
-
.sched_in = svm_sched_in,
.nested_ops = &svm_nested_ops,
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 4db9d41d988c..179747d04edc 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -49,6 +49,8 @@
#include <asm/virtext.h>
#include <asm/vmx.h>
+#include <trace/events/ipi.h>
+
#include "capabilities.h"
#include "cpuid.h"
#include "evmcs.h"
@@ -1223,8 +1225,6 @@ void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu)
u16 fs_sel, gs_sel;
int i;
- vmx->req_immediate_exit = false;
-
/*
* Note that guest MSRs to be saved/restored can also be changed
* when guest state is loaded. This happens when guest transitions
@@ -5929,7 +5929,8 @@ static int handle_pml_full(struct kvm_vcpu *vcpu)
return 1;
}
-static fastpath_t handle_fastpath_preemption_timer(struct kvm_vcpu *vcpu)
+static fastpath_t handle_fastpath_preemption_timer(struct kvm_vcpu *vcpu,
+ bool force_immediate_exit)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -5945,7 +5946,7 @@ static fastpath_t handle_fastpath_preemption_timer(struct kvm_vcpu *vcpu)
* If the timer expired because KVM used it to force an immediate exit,
* then mission accomplished.
*/
- if (vmx->req_immediate_exit)
+ if (force_immediate_exit)
return EXIT_FASTPATH_EXIT_HANDLED;
/*
@@ -7090,13 +7091,13 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
msrs[i].host, false);
}
-static void vmx_update_hv_timer(struct kvm_vcpu *vcpu)
+static void vmx_update_hv_timer(struct kvm_vcpu *vcpu, bool force_immediate_exit)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
u64 tscl;
u32 delta_tsc;
- if (vmx->req_immediate_exit) {
+ if (force_immediate_exit) {
vmcs_write32(VMX_PREEMPTION_TIMER_VALUE, 0);
vmx->loaded_vmcs->hv_timer_soft_disabled = false;
} else if (vmx->hv_deadline_tsc != -1) {
@@ -7149,7 +7150,8 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx,
barrier_nospec();
}
-static fastpath_t vmx_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
+static fastpath_t vmx_exit_handlers_fastpath(struct kvm_vcpu *vcpu,
+ bool force_immediate_exit)
{
/*
* If L2 is active, some VMX preemption timer exits can be handled in
@@ -7163,7 +7165,7 @@ static fastpath_t vmx_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
case EXIT_REASON_MSR_WRITE:
return handle_fastpath_set_msr_irqoff(vcpu);
case EXIT_REASON_PREEMPTION_TIMER:
- return handle_fastpath_preemption_timer(vcpu);
+ return handle_fastpath_preemption_timer(vcpu, force_immediate_exit);
default:
return EXIT_FASTPATH_NONE;
}
@@ -7284,7 +7286,9 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
vmx_passthrough_lbr_msrs(vcpu);
if (enable_preemption_timer)
- vmx_update_hv_timer(vcpu);
+ vmx_update_hv_timer(vcpu, force_immediate_exit);
+ else if (force_immediate_exit)
+ smp_send_reschedule(vcpu->cpu);
kvm_wait_lapic_expire(vcpu);
@@ -7358,7 +7362,7 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
vmx_recover_nmi_blocking(vmx);
vmx_complete_interrupts(vmx);
- return vmx_exit_handlers_fastpath(vcpu);
+ return vmx_exit_handlers_fastpath(vcpu, force_immediate_exit);
}
static void vmx_vcpu_free(struct kvm_vcpu *vcpu)
@@ -7865,11 +7869,6 @@ static __init void vmx_set_cpu_caps(void)
kvm_cpu_cap_check_and_set(X86_FEATURE_WAITPKG);
}
-static void vmx_request_immediate_exit(struct kvm_vcpu *vcpu)
-{
- to_vmx(vcpu)->req_immediate_exit = true;
-}
-
static int vmx_check_intercept_io(struct kvm_vcpu *vcpu,
struct x86_instruction_info *info)
{
@@ -8275,8 +8274,6 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
.check_intercept = vmx_check_intercept,
.handle_exit_irqoff = vmx_handle_exit_irqoff,
- .request_immediate_exit = vmx_request_immediate_exit,
-
.sched_in = vmx_sched_in,
.cpu_dirty_log_size = PML_ENTITY_NUM,
@@ -8533,7 +8530,6 @@ static __init int hardware_setup(void)
if (!enable_preemption_timer) {
vmx_x86_ops.set_hv_timer = NULL;
vmx_x86_ops.cancel_hv_timer = NULL;
- vmx_x86_ops.request_immediate_exit = __kvm_request_immediate_exit;
}
kvm_caps.supported_mce_cap |= MCG_LMCE_P;
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 357819872d80..ddbe73958d7f 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -343,8 +343,6 @@ struct vcpu_vmx {
unsigned int ple_window;
bool ple_window_dirty;
- bool req_immediate_exit;
-
/* Support for PML */
#define PML_ENTITY_NUM 512
struct page *pml_pg;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 08c3da88f402..400a6e9fb0be 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -10578,12 +10578,6 @@ static void kvm_vcpu_reload_apic_access_page(struct kvm_vcpu *vcpu)
static_call_cond(kvm_x86_set_apic_access_page_addr)(vcpu);
}
-void __kvm_request_immediate_exit(struct kvm_vcpu *vcpu)
-{
- smp_send_reschedule(vcpu->cpu);
-}
-EXPORT_SYMBOL_GPL(__kvm_request_immediate_exit);
-
/*
* Called within kvm->srcu read side.
* Returns 1 to let vcpu_run() continue the guest execution loop without
@@ -10817,10 +10811,8 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
goto cancel_injection;
}
- if (req_immediate_exit) {
+ if (req_immediate_exit)
kvm_make_request(KVM_REQ_EVENT, vcpu);
- static_call(kvm_x86_request_immediate_exit)(vcpu);
- }
fpregs_assert_state_consistent();
if (test_thread_flag(TIF_NEED_FPU_LOAD))
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 040/482] KVM: x86: Convert vcpu_run()s immediate exit param into a generic bitmap
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 039/482] KVM: x86: Fully defer to vendor code to decide how to force immediate exit Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 041/482] KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag Greg Kroah-Hartman
` (450 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 ]
Convert kvm_x86_ops.vcpu_run()'s "force_immediate_exit" boolean parameter
into an a generic bitmap so that similar "take action" information can be
passed to vendor code without creating a pile of boolean parameters.
This will allow dropping kvm_x86_ops.set_dr6() in favor of a new flag, and
will also allow for adding similar functionality for re-loading debugctl
in the active VMCS.
Opportunistically massage the TDX WARN and comment to prepare for adding
more run_flags, all of which are expected to be mutually exclusive with
TDX, i.e. should be WARNed on.
No functional change intended.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250610232010.162191-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: drop TDX crud, account for lack of kvm_x86_call()]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm_host.h | 6 +++++-
arch/x86/kvm/svm/svm.c | 4 ++--
arch/x86/kvm/vmx/vmx.c | 3 ++-
arch/x86/kvm/x86.c | 10 ++++++++--
4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 86f3bd6601e7..1383f5e5238a 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1456,6 +1456,10 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_mode_logical)
return dest_mode_logical ? APIC_DEST_LOGICAL : APIC_DEST_PHYSICAL;
}
+enum kvm_x86_run_flags {
+ KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0),
+};
+
struct kvm_x86_ops {
const char *name;
@@ -1529,7 +1533,7 @@ struct kvm_x86_ops {
int (*vcpu_pre_run)(struct kvm_vcpu *vcpu);
enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu,
- bool force_immediate_exit);
+ u64 run_flags);
int (*handle_exit)(struct kvm_vcpu *vcpu,
enum exit_fastpath_completion exit_fastpath);
int (*skip_emulated_instruction)(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 12de50db401f..dc8a1b72d8ec 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4008,9 +4008,9 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vcpu *vcpu, bool spec_ctrl_in
guest_state_exit_irqoff();
}
-static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu,
- bool force_immediate_exit)
+static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
{
+ bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT;
struct vcpu_svm *svm = to_svm(vcpu);
bool spec_ctrl_intercepted = msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL);
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 179747d04edc..382f42200688 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7204,8 +7204,9 @@ static noinstr void vmx_vcpu_enter_exit(struct kvm_vcpu *vcpu,
guest_state_exit_irqoff();
}
-static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
+static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
{
+ bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT;
struct vcpu_vmx *vmx = to_vmx(vcpu);
unsigned long cr3, cr4;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 400a6e9fb0be..83e5e823cbae 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -10591,6 +10591,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
dm_request_for_irq_injection(vcpu) &&
kvm_cpu_accept_dm_intr(vcpu);
fastpath_t exit_fastpath;
+ u64 run_flags;
bool req_immediate_exit = false;
@@ -10811,8 +10812,11 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
goto cancel_injection;
}
- if (req_immediate_exit)
+ run_flags = 0;
+ if (req_immediate_exit) {
+ run_flags |= KVM_RUN_FORCE_IMMEDIATE_EXIT;
kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
fpregs_assert_state_consistent();
if (test_thread_flag(TIF_NEED_FPU_LOAD))
@@ -10848,7 +10852,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
WARN_ON_ONCE((kvm_vcpu_apicv_activated(vcpu) != kvm_vcpu_apicv_active(vcpu)) &&
(kvm_get_apic_mode(vcpu) != LAPIC_MODE_DISABLED));
- exit_fastpath = static_call(kvm_x86_vcpu_run)(vcpu, req_immediate_exit);
+ exit_fastpath = static_call(kvm_x86_vcpu_run)(vcpu, run_flags);
if (likely(exit_fastpath != EXIT_FASTPATH_REENTER_GUEST))
break;
@@ -10860,6 +10864,8 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
break;
}
+ run_flags = 0;
+
/* Note, VM-Exits that go down the "slow" path are accounted below. */
++vcpu->stat.exits;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 041/482] KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 040/482] KVM: x86: Convert vcpu_run()s immediate exit param into a generic bitmap Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 042/482] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Greg Kroah-Hartman
` (449 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 80c64c7afea1da6a93ebe88d3d29d8a60377ef80 ]
Instruct vendor code to load the guest's DR6 into hardware via a new
KVM_RUN flag, and remove kvm_x86_ops.set_dr6(), whose sole purpose was to
load vcpu->arch.dr6 into hardware when DR6 can be read/written directly
by the guest.
Note, TDX already WARNs on any run_flag being set, i.e. will yell if KVM
thinks DR6 needs to be reloaded. TDX vCPUs force KVM_DEBUGREG_AUTO_SWITCH
and never clear the flag, i.e. should never observe KVM_RUN_LOAD_GUEST_DR6.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250610232010.162191-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: account for lack of vmx/main.c]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm-x86-ops.h | 1 -
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/svm/svm.c | 10 ++++++----
arch/x86/kvm/vmx/vmx.c | 10 +++-------
arch/x86/kvm/x86.c | 2 +-
5 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h
index 0e5ae3b0c867..c068565fe954 100644
--- a/arch/x86/include/asm/kvm-x86-ops.h
+++ b/arch/x86/include/asm/kvm-x86-ops.h
@@ -47,7 +47,6 @@ KVM_X86_OP(set_idt)
KVM_X86_OP(get_gdt)
KVM_X86_OP(set_gdt)
KVM_X86_OP(sync_dirty_debug_regs)
-KVM_X86_OP(set_dr6)
KVM_X86_OP(set_dr7)
KVM_X86_OP(cache_reg)
KVM_X86_OP(get_rflags)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 1383f5e5238a..c8fc4f2acf69 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1458,6 +1458,7 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_mode_logical)
enum kvm_x86_run_flags {
KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0),
+ KVM_RUN_LOAD_GUEST_DR6 = BIT(1),
};
struct kvm_x86_ops {
@@ -1504,7 +1505,6 @@ struct kvm_x86_ops {
void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu);
- void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value);
void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value);
void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg);
unsigned long (*get_rflags)(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index dc8a1b72d8ec..5a6bd9d5cceb 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4052,10 +4052,13 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
svm_hv_update_vp_id(svm->vmcb, vcpu);
/*
- * Run with all-zero DR6 unless needed, so that we can get the exact cause
- * of a #DB.
+ * Run with all-zero DR6 unless the guest can write DR6 freely, so that
+ * KVM can get the exact cause of a #DB. Note, loading guest DR6 from
+ * KVM's snapshot is only necessary when DR accesses won't exit.
*/
- if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)))
+ if (unlikely(run_flags & KVM_RUN_LOAD_GUEST_DR6))
+ svm_set_dr6(vcpu, vcpu->arch.dr6);
+ else if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)))
svm_set_dr6(vcpu, DR6_ACTIVE_LOW);
clgi();
@@ -4822,7 +4825,6 @@ static struct kvm_x86_ops svm_x86_ops __initdata = {
.set_idt = svm_set_idt,
.get_gdt = svm_get_gdt,
.set_gdt = svm_set_gdt,
- .set_dr6 = svm_set_dr6,
.set_dr7 = svm_set_dr7,
.sync_dirty_debug_regs = svm_sync_dirty_debug_regs,
.cache_reg = svm_cache_reg,
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 382f42200688..60d1ff3fca45 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -5530,12 +5530,6 @@ static void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu)
set_debugreg(DR6_RESERVED, 6);
}
-static void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val)
-{
- lockdep_assert_irqs_disabled();
- set_debugreg(vcpu->arch.dr6, 6);
-}
-
static void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val)
{
vmcs_writel(GUEST_DR7, val);
@@ -7251,6 +7245,9 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
vcpu->arch.regs_dirty = 0;
+ if (run_flags & KVM_RUN_LOAD_GUEST_DR6)
+ set_debugreg(vcpu->arch.dr6, 6);
+
/*
* Refresh vmcs.HOST_CR3 if necessary. This must be done immediately
* prior to VM-Enter, as the kernel may load a new ASID (PCID) any time
@@ -8208,7 +8205,6 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
.set_idt = vmx_set_idt,
.get_gdt = vmx_get_gdt,
.set_gdt = vmx_set_gdt,
- .set_dr6 = vmx_set_dr6,
.set_dr7 = vmx_set_dr7,
.sync_dirty_debug_regs = vmx_sync_dirty_debug_regs,
.cache_reg = vmx_cache_reg,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 83e5e823cbae..9d66830d594c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -10833,7 +10833,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
set_debugreg(vcpu->arch.eff_db[3], 3);
/* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */
if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))
- static_call(kvm_x86_set_dr6)(vcpu, vcpu->arch.dr6);
+ run_flags |= KVM_RUN_LOAD_GUEST_DR6;
} else if (unlikely(hw_breakpoint_active())) {
set_debugreg(0, 7);
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 042/482] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 041/482] KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 043/482] KVM: VMX: Extract checking of guests DEBUGCTL into helper Greg Kroah-Hartman
` (448 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 ]
Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the
guest CPUID model, as debug support is supposed to be available if RTM is
supported, and there are no known downsides to letting the guest debug RTM
aborts.
Note, there are no known bug reports related to RTM_DEBUG, the primary
motivation is to reduce the probability of breaking existing guests when a
future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL
(KVM currently lets L2 run with whatever hardware supports; whoops).
Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to
DR7.RTM.
Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/msr-index.h | 1 +
arch/x86/kvm/vmx/vmx.c | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 727947ed5e5e..afd65c815043 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -379,6 +379,7 @@
#define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12)
#define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14
#define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT)
+#define DEBUGCTLMSR_RTM_DEBUG BIT(15)
#define MSR_PEBS_FRONTEND 0x000003f7
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 60d1ff3fca45..9445def2b3d2 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2064,6 +2064,10 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated
(host_initiated || intel_pmu_lbr_is_enabled(vcpu)))
debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI;
+ if (boot_cpu_has(X86_FEATURE_RTM) &&
+ (host_initiated || guest_cpuid_has(vcpu, X86_FEATURE_RTM)))
+ debugctl |= DEBUGCTLMSR_RTM_DEBUG;
+
return debugctl;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 043/482] KVM: VMX: Extract checking of guests DEBUGCTL into helper
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 042/482] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 044/482] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Greg Kroah-Hartman
` (447 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Sasha Levin,
Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 8a4351ac302cd8c19729ba2636acfd0467c22ae8 ]
Move VMX's logic to check DEBUGCTL values into a standalone helper so that
the code can be used by nested VM-Enter to apply the same logic to the
value being loaded from vmcs12.
KVM needs to explicitly check vmcs12->guest_ia32_debugctl on nested
VM-Enter, as hardware may support features that KVM does not, i.e. relying
on hardware to detect invalid guest state will result in false negatives.
Unfortunately, that means applying KVM's funky suppression of BTF and LBR
to vmcs12 so as not to break existing guests.
No functional change intended.
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Link: https://lore.kernel.org/r/20250610232010.162191-6-seanjc@google.com
Stable-dep-of: 7d0cce6cbe71 ("KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/vmx.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 9445def2b3d2..6517b9d929bf 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2071,6 +2071,19 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated
return debugctl;
}
+static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data,
+ bool host_initiated)
+{
+ u64 invalid;
+
+ invalid = data & ~vmx_get_supported_debugctl(vcpu, host_initiated);
+ if (invalid & (DEBUGCTLMSR_BTF | DEBUGCTLMSR_LBR)) {
+ kvm_pr_unimpl_wrmsr(vcpu, MSR_IA32_DEBUGCTLMSR, data);
+ invalid &= ~(DEBUGCTLMSR_BTF | DEBUGCTLMSR_LBR);
+ }
+ return !invalid;
+}
+
/*
* Writes msr value into the appropriate "register".
* Returns 0 on success, non-0 otherwise.
@@ -2139,19 +2152,12 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
}
vmcs_writel(GUEST_SYSENTER_ESP, data);
break;
- case MSR_IA32_DEBUGCTLMSR: {
- u64 invalid;
-
- invalid = data & ~vmx_get_supported_debugctl(vcpu, msr_info->host_initiated);
- if (invalid & (DEBUGCTLMSR_BTF|DEBUGCTLMSR_LBR)) {
- kvm_pr_unimpl_wrmsr(vcpu, msr_index, data);
- data &= ~(DEBUGCTLMSR_BTF|DEBUGCTLMSR_LBR);
- invalid &= ~(DEBUGCTLMSR_BTF|DEBUGCTLMSR_LBR);
- }
-
- if (invalid)
+ case MSR_IA32_DEBUGCTLMSR:
+ if (!vmx_is_valid_debugctl(vcpu, data, msr_info->host_initiated))
return 1;
+ data &= vmx_get_supported_debugctl(vcpu, msr_info->host_initiated);
+
if (is_guest_mode(vcpu) && get_vmcs12(vcpu)->vm_exit_controls &
VM_EXIT_SAVE_DEBUG_CONTROLS)
get_vmcs12(vcpu)->guest_ia32_debugctl = data;
@@ -2161,7 +2167,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
(data & DEBUGCTLMSR_LBR))
intel_pmu_create_guest_lbr_event(vcpu);
return 0;
- }
case MSR_IA32_BNDCFGS:
if (!kvm_mpx_supported() ||
(!msr_info->host_initiated &&
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 044/482] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 043/482] KVM: VMX: Extract checking of guests DEBUGCTL into helper Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 045/482] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Greg Kroah-Hartman
` (446 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sasha Levin,
Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
[ Upstream commit 095686e6fcb4150f0a55b1a25987fad3d8af58d6 ]
Add a consistency check for L2's guest_ia32_debugctl, as KVM only supports
a subset of hardware functionality, i.e. KVM can't rely on hardware to
detect illegal/unsupported values. Failure to check the vmcs12 value
would allow the guest to load any harware-supported value while running L2.
Take care to exempt BTF and LBR from the validity check in order to match
KVM's behavior for writes via WRMSR, but without clobbering vmcs12. Even
if VM_EXIT_SAVE_DEBUG_CONTROLS is set in vmcs12, L1 can reasonably expect
that vmcs12->guest_ia32_debugctl will not be modified if writes to the MSR
are being intercepted.
Arguably, KVM _should_ update vmcs12 if VM_EXIT_SAVE_DEBUG_CONTROLS is set
*and* writes to MSR_IA32_DEBUGCTLMSR are not being intercepted by L1, but
that would incur non-trivial complexity and wouldn't change the fact that
KVM's handling of DEBUGCTL is blatantly broken. I.e. the extra complexity
is not worth carrying.
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Co-developed-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20250610232010.162191-7-seanjc@google.com
Stable-dep-of: 7d0cce6cbe71 ("KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/nested.c | 12 ++++++++++--
arch/x86/kvm/vmx/vmx.c | 5 ++---
arch/x86/kvm/vmx/vmx.h | 3 +++
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index d55f7edc0860..da129e12cff9 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -2532,7 +2532,8 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
if (vmx->nested.nested_run_pending &&
(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) {
kvm_set_dr(vcpu, 7, vmcs12->guest_dr7);
- vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl);
+ vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl &
+ vmx_get_supported_debugctl(vcpu, false));
} else {
kvm_set_dr(vcpu, 7, vcpu->arch.dr7);
vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl);
@@ -3022,7 +3023,8 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu,
return -EINVAL;
if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
- CC(!kvm_dr7_valid(vmcs12->guest_dr7)))
+ (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
+ CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))))
return -EINVAL;
if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) &&
@@ -4374,6 +4376,12 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
(vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) |
(vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE);
+ /*
+ * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02.
+ * Writes to DEBUGCTL that aren't intercepted by L1 are immediately
+ * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into
+ * vmcs02 doesn't strictly track vmcs12.
+ */
if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS)
kvm_get_dr(vcpu, 7, (unsigned long *)&vmcs12->guest_dr7);
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 6517b9d929bf..0b37e21d55b1 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2052,7 +2052,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct kvm_vcpu *vcpu,
return (unsigned long)data;
}
-static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated)
+u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated)
{
u64 debugctl = 0;
@@ -2071,8 +2071,7 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated
return debugctl;
}
-static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data,
- bool host_initiated)
+bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated)
{
u64 invalid;
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index ddbe73958d7f..99e3f46de2ec 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -442,6 +442,9 @@ static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr,
void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu);
+u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated);
+bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated);
+
/*
* Note, early Intel manuals have the write-low and read-high bitmap offsets
* the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 045/482] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 044/482] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 046/482] KVM: VMX: Preserve hosts DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Greg Kroah-Hartman
` (445 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Dapeng Mi,
Sasha Levin, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
[ Upstream commit 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 ]
Introduce vmx_guest_debugctl_{read,write}() to handle all accesses to
vmcs.GUEST_IA32_DEBUGCTL. This will allow stuffing FREEZE_IN_SMM into
GUEST_IA32_DEBUGCTL based on the host setting without bleeding the state
into the guest, and without needing to copy+paste the FREEZE_IN_SMM
logic into every patch that accesses GUEST_IA32_DEBUGCTL.
No functional change intended.
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
[sean: massage changelog, make inline, use in all prepare_vmcs02() cases]
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Link: https://lore.kernel.org/r/20250610232010.162191-8-seanjc@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/nested.c | 10 +++++-----
arch/x86/kvm/vmx/pmu_intel.c | 8 ++++----
arch/x86/kvm/vmx/vmx.c | 8 +++++---
arch/x86/kvm/vmx/vmx.h | 10 ++++++++++
4 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index da129e12cff9..a220770644e1 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -2532,11 +2532,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
if (vmx->nested.nested_run_pending &&
(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) {
kvm_set_dr(vcpu, 7, vmcs12->guest_dr7);
- vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl &
- vmx_get_supported_debugctl(vcpu, false));
+ vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl &
+ vmx_get_supported_debugctl(vcpu, false));
} else {
kvm_set_dr(vcpu, 7, vcpu->arch.dr7);
- vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl);
+ vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl);
}
if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending ||
!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
@@ -3404,7 +3404,7 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu,
if (!vmx->nested.nested_run_pending ||
!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
- vmx->nested.pre_vmenter_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
+ vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read();
if (kvm_mpx_supported() &&
(!vmx->nested.nested_run_pending ||
!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
@@ -4572,7 +4572,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
__vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR);
kvm_set_dr(vcpu, 7, 0x400);
- vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
+ vmx_guest_debugctl_write(vcpu, 0);
if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr,
vmcs12->vm_exit_msr_load_count))
diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
index 220cdbe1e286..76d3ed8abf6a 100644
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -672,11 +672,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu)
*/
static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu)
{
- u64 data = vmcs_read64(GUEST_IA32_DEBUGCTL);
+ u64 data = vmx_guest_debugctl_read();
if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) {
data &= ~DEBUGCTLMSR_LBR;
- vmcs_write64(GUEST_IA32_DEBUGCTL, data);
+ vmx_guest_debugctl_write(vcpu, data);
}
}
@@ -746,7 +746,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu)
if (!lbr_desc->event) {
vmx_disable_lbr_msrs_passthrough(vcpu);
- if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)
+ if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)
goto warn;
if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use))
goto warn;
@@ -769,7 +769,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu)
static void intel_pmu_cleanup(struct kvm_vcpu *vcpu)
{
- if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR))
+ if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR))
intel_pmu_release_guest_lbr_event(vcpu);
}
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 0b37e21d55b1..e470a294b22d 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2027,7 +2027,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
msr_info->data = vmx->pt_desc.guest.addr_a[index / 2];
break;
case MSR_IA32_DEBUGCTLMSR:
- msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL);
+ msr_info->data = vmx_guest_debugctl_read();
break;
default:
find_uret_msr:
@@ -2161,7 +2161,8 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
VM_EXIT_SAVE_DEBUG_CONTROLS)
get_vmcs12(vcpu)->guest_ia32_debugctl = data;
- vmcs_write64(GUEST_IA32_DEBUGCTL, data);
+ vmx_guest_debugctl_write(vcpu, data);
+
if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event &&
(data & DEBUGCTLMSR_LBR))
intel_pmu_create_guest_lbr_event(vcpu);
@@ -4751,7 +4752,8 @@ static void init_vmcs(struct vcpu_vmx *vmx)
vmcs_write32(GUEST_SYSENTER_CS, 0);
vmcs_writel(GUEST_SYSENTER_ESP, 0);
vmcs_writel(GUEST_SYSENTER_EIP, 0);
- vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
+
+ vmx_guest_debugctl_write(&vmx->vcpu, 0);
if (cpu_has_vmx_tpr_shadow()) {
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0);
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 99e3f46de2ec..b7ae263cde7b 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -445,6 +445,16 @@ void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu);
u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated);
bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated);
+static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val)
+{
+ vmcs_write64(GUEST_IA32_DEBUGCTL, val);
+}
+
+static inline u64 vmx_guest_debugctl_read(void)
+{
+ return vmcs_read64(GUEST_IA32_DEBUGCTL);
+}
+
/*
* Note, early Intel manuals have the write-low and read-high bitmap offsets
* the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 046/482] KVM: VMX: Preserve hosts DEBUGCTLMSR_FREEZE_IN_SMM while running the guest
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 045/482] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 047/482] udp: also consider secpath when evaluating ipsec use for checksumming Greg Kroah-Hartman
` (444 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
[ Upstream commit 6b1dd26544d045f6a79e8c73572c0c0db3ef3c1a ]
Set/clear DEBUGCTLMSR_FREEZE_IN_SMM in GUEST_IA32_DEBUGCTL based on the
host's pre-VM-Enter value, i.e. preserve the host's FREEZE_IN_SMM setting
while running the guest. When running with the "default treatment of SMIs"
in effect (the only mode KVM supports), SMIs do not generate a VM-Exit that
is visible to host (non-SMM) software, and instead transitions directly
from VMX non-root to SMM. And critically, DEBUGCTL isn't context switched
by hardware on SMI or RSM, i.e. SMM will run with whatever value was
resident in hardware at the time of the SMI.
Failure to preserve FREEZE_IN_SMM results in the PMU unexpectedly counting
events while the CPU is executing in SMM, which can pollute profiling and
potentially leak information into the guest.
Check for changes in FREEZE_IN_SMM prior to every entry into KVM's inner
run loop, as the bit can be toggled in IRQ context via IPI callback (SMP
function call), by way of /sys/devices/cpu/freeze_on_smi.
Add a field in kvm_x86_ops to communicate which DEBUGCTL bits need to be
preserved, as FREEZE_IN_SMM is only supported and defined for Intel CPUs,
i.e. explicitly checking FREEZE_IN_SMM in common x86 is at best weird, and
at worst could lead to undesirable behavior in the future if AMD CPUs ever
happened to pick up a collision with the bit.
Exempt TDX vCPUs, i.e. protected guests, from the check, as the TDX Module
owns and controls GUEST_IA32_DEBUGCTL.
WARN in SVM if KVM_RUN_LOAD_DEBUGCTL is set, mostly to document that the
lack of handling isn't a KVM bug (TDX already WARNs on any run_flag).
Lastly, explicitly reload GUEST_IA32_DEBUGCTL on a VM-Fail that is missed
by KVM but detected by hardware, i.e. in nested_vmx_restore_host_state().
Doing so avoids the need to track host_debugctl on a per-VMCS basis, as
GUEST_IA32_DEBUGCTL is unconditionally written by prepare_vmcs02() and
load_vmcs12_host_state(). For the VM-Fail case, even though KVM won't
have actually entered the guest, vcpu_enter_guest() will have run with
vmcs02 active and thus could result in vmcs01 being run with a stale value.
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Co-developed-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20250610232010.162191-9-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[sean: move vmx/main.c change to vmx/vmx.c]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm_host.h | 7 +++++++
arch/x86/kvm/vmx/nested.c | 3 +++
arch/x86/kvm/vmx/vmx.c | 5 +++++
arch/x86/kvm/vmx/vmx.h | 15 ++++++++++++++-
arch/x86/kvm/x86.c | 14 ++++++++++++--
5 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index c8fc4f2acf69..d0229323ca63 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1459,6 +1459,7 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_mode_logical)
enum kvm_x86_run_flags {
KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0),
KVM_RUN_LOAD_GUEST_DR6 = BIT(1),
+ KVM_RUN_LOAD_DEBUGCTL = BIT(2),
};
struct kvm_x86_ops {
@@ -1484,6 +1485,12 @@ struct kvm_x86_ops {
void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu);
void (*vcpu_put)(struct kvm_vcpu *vcpu);
+ /*
+ * Mask of DEBUGCTL bits that are owned by the host, i.e. that need to
+ * match the host's value even while the guest is active.
+ */
+ const u64 HOST_OWNED_DEBUGCTL;
+
void (*update_exception_bitmap)(struct kvm_vcpu *vcpu);
int (*get_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index a220770644e1..2c3cf4351c4c 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4627,6 +4627,9 @@ static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu)
WARN_ON(kvm_set_dr(vcpu, 7, vmcs_readl(GUEST_DR7)));
}
+ /* Reload DEBUGCTL to ensure vmcs01 has a fresh FREEZE_IN_SMM value. */
+ vmx_reload_guest_debugctl(vcpu);
+
/*
* Note that calling vmx_set_{efer,cr0,cr4} is important as they
* handle a variety of side effects to KVM's software model.
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index e470a294b22d..3fef4e14abc6 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7258,6 +7258,9 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
if (run_flags & KVM_RUN_LOAD_GUEST_DR6)
set_debugreg(vcpu->arch.dr6, 6);
+ if (run_flags & KVM_RUN_LOAD_DEBUGCTL)
+ vmx_reload_guest_debugctl(vcpu);
+
/*
* Refresh vmcs.HOST_CR3 if necessary. This must be done immediately
* prior to VM-Enter, as the kernel may load a new ASID (PCID) any time
@@ -8197,6 +8200,8 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
.vcpu_load = vmx_vcpu_load,
.vcpu_put = vmx_vcpu_put,
+ .HOST_OWNED_DEBUGCTL = DEBUGCTLMSR_FREEZE_IN_SMM,
+
.update_exception_bitmap = vmx_update_exception_bitmap,
.get_msr_feature = vmx_get_msr_feature,
.get_msr = vmx_get_msr,
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index b7ae263cde7b..dc6f06326648 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -447,12 +447,25 @@ bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated)
static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val)
{
+ WARN_ON_ONCE(val & DEBUGCTLMSR_FREEZE_IN_SMM);
+
+ val |= vcpu->arch.host_debugctl & DEBUGCTLMSR_FREEZE_IN_SMM;
vmcs_write64(GUEST_IA32_DEBUGCTL, val);
}
static inline u64 vmx_guest_debugctl_read(void)
{
- return vmcs_read64(GUEST_IA32_DEBUGCTL);
+ return vmcs_read64(GUEST_IA32_DEBUGCTL) & ~DEBUGCTLMSR_FREEZE_IN_SMM;
+}
+
+static inline void vmx_reload_guest_debugctl(struct kvm_vcpu *vcpu)
+{
+ u64 val = vmcs_read64(GUEST_IA32_DEBUGCTL);
+
+ if (!((val ^ vcpu->arch.host_debugctl) & DEBUGCTLMSR_FREEZE_IN_SMM))
+ return;
+
+ vmx_guest_debugctl_write(vcpu, val & ~DEBUGCTLMSR_FREEZE_IN_SMM);
}
/*
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 9d66830d594c..dfecf5ba5aa7 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -10591,7 +10591,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
dm_request_for_irq_injection(vcpu) &&
kvm_cpu_accept_dm_intr(vcpu);
fastpath_t exit_fastpath;
- u64 run_flags;
+ u64 run_flags, debug_ctl;
bool req_immediate_exit = false;
@@ -10838,7 +10838,17 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
set_debugreg(0, 7);
}
- vcpu->arch.host_debugctl = get_debugctlmsr();
+ /*
+ * Refresh the host DEBUGCTL snapshot after disabling IRQs, as DEBUGCTL
+ * can be modified in IRQ context, e.g. via SMP function calls. Inform
+ * vendor code if any host-owned bits were changed, e.g. so that the
+ * value loaded into hardware while running the guest can be updated.
+ */
+ debug_ctl = get_debugctlmsr();
+ if ((debug_ctl ^ vcpu->arch.host_debugctl) & kvm_x86_ops.HOST_OWNED_DEBUGCTL &&
+ !vcpu->arch.guest_state_protected)
+ run_flags |= KVM_RUN_LOAD_DEBUGCTL;
+ vcpu->arch.host_debugctl = debug_ctl;
guest_timing_enter_irqoff();
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 047/482] udp: also consider secpath when evaluating ipsec use for checksumming
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 6.1 046/482] KVM: VMX: Preserve hosts DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 048/482] netfilter: ctnetlink: fix refcount leak on table dump Greg Kroah-Hartman
` (443 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 1118aaa3b35157777890fffab91d8c1da841b20b ]
Commit b40c5f4fde22 ("udp: disable inner UDP checksum offloads in
IPsec case") tried to fix checksumming in UFO when the packets are
going through IPsec, so that we can't rely on offloads because the UDP
header and payload will be encrypted.
But when doing a TCP test over VXLAN going through IPsec transport
mode with GSO enabled (esp4_offload module loaded), I'm seeing broken
UDP checksums on the encap after successful decryption.
The skbs get to udp4_ufo_fragment/__skb_udp_tunnel_segment via
__dev_queue_xmit -> validate_xmit_skb -> skb_gso_segment and at this
point we've already dropped the dst (unless the device sets
IFF_XMIT_DST_RELEASE, which is not common), so need_ipsec is false and
we proceed with checksum offload.
Make need_ipsec also check the secpath, which is not dropped on this
callpath.
Fixes: b40c5f4fde22 ("udp: disable inner UDP checksum offloads in IPsec case")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 1a51c4b44c00..593108049ab7 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -60,7 +60,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
skb->remcsum_offload = remcsum;
- need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
+ need_ipsec = (skb_dst(skb) && dst_xfrm(skb_dst(skb))) || skb_sec_path(skb);
/* Try to offload checksum if possible */
offload_csum = !!(need_csum &&
!need_ipsec &&
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 048/482] netfilter: ctnetlink: fix refcount leak on table dump
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 047/482] udp: also consider secpath when evaluating ipsec use for checksumming Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 049/482] hfs: fix slab-out-of-bounds in hfs_bnode_read() Greg Kroah-Hartman
` (442 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit de788b2e6227462b6dcd0e07474e72c089008f74 ]
There is a reference count leak in ctnetlink_dump_table():
if (res < 0) {
nf_conntrack_get(&ct->ct_general); // HERE
cb->args[1] = (unsigned long)ct;
...
While its very unlikely, its possible that ct == last.
If this happens, then the refcount of ct was already incremented.
This 2nd increment is never undone.
This prevents the conntrack object from being released, which in turn
keeps prevents cnet->count from dropping back to 0.
This will then block the netns dismantle (or conntrack rmmod) as
nf_conntrack_cleanup_net_list() will wait forever.
This can be reproduced by running conntrack_resize.sh selftest in a loop.
It takes ~20 minutes for me on a preemptible kernel on average before
I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.
One fix would to change this to:
if (res < 0) {
if (ct != last)
nf_conntrack_get(&ct->ct_general);
But this reference counting isn't needed in the first place.
We can just store a cookie value instead.
A followup patch will do the same for ctnetlink_exp_dump_table,
it looks to me as if this has the same problem and like
ctnetlink_dump_table, we only need a 'skip hint', not the actual
object so we can apply the same cookie strategy there as well.
Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_netlink.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 2cf58a8b8e4d..d3e28574ceb9 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -859,8 +859,6 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
static int ctnetlink_done(struct netlink_callback *cb)
{
- if (cb->args[1])
- nf_ct_put((struct nf_conn *)cb->args[1]);
kfree(cb->data);
return 0;
}
@@ -1175,19 +1173,26 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
return 0;
}
+static unsigned long ctnetlink_get_id(const struct nf_conn *ct)
+{
+ unsigned long id = nf_ct_get_id(ct);
+
+ return id ? id : 1;
+}
+
static int
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
struct net *net = sock_net(skb->sk);
- struct nf_conn *ct, *last;
+ unsigned long last_id = cb->args[1];
struct nf_conntrack_tuple_hash *h;
struct hlist_nulls_node *n;
struct nf_conn *nf_ct_evict[8];
+ struct nf_conn *ct;
int res, i;
spinlock_t *lockp;
- last = (struct nf_conn *)cb->args[1];
i = 0;
local_bh_disable();
@@ -1224,7 +1229,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
continue;
if (cb->args[1]) {
- if (ct != last)
+ if (ctnetlink_get_id(ct) != last_id)
continue;
cb->args[1] = 0;
}
@@ -1237,8 +1242,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
ct, true, flags);
if (res < 0) {
- nf_conntrack_get(&ct->ct_general);
- cb->args[1] = (unsigned long)ct;
+ cb->args[1] = ctnetlink_get_id(ct);
spin_unlock(lockp);
goto out;
}
@@ -1251,12 +1255,10 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
}
out:
local_bh_enable();
- if (last) {
+ if (last_id) {
/* nf ct hash resize happened, now clear the leftover. */
- if ((struct nf_conn *)cb->args[1] == last)
+ if (cb->args[1] == last_id)
cb->args[1] = 0;
-
- nf_ct_put(last);
}
while (i) {
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 049/482] hfs: fix slab-out-of-bounds in hfs_bnode_read()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 048/482] netfilter: ctnetlink: fix refcount leak on table dump Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 050/482] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Greg Kroah-Hartman
` (441 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ]
This patch introduces is_bnode_offset_valid() method that checks
the requested offset value. Also, it introduces
check_and_correct_requested_length() method that checks and
correct the requested length (if it is necessary). These methods
are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),
hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent
the access out of allocated memory and triggering the crash.
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index cb823a8a6ba9..1dac5d9c055f 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -15,6 +15,48 @@
#include "btree.h"
+static inline
+bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+{
+ bool is_valid = off < node->tree->node_size;
+
+ if (!is_valid) {
+ pr_err("requested invalid offset: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off);
+ }
+
+ return is_valid;
+}
+
+static inline
+int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+{
+ unsigned int node_size;
+
+ if (!is_bnode_offset_valid(node, off))
+ return 0;
+
+ node_size = node->tree->node_size;
+
+ if ((off + len) > node_size) {
+ int new_len = (int)node_size - off;
+
+ pr_err("requested length has been corrected: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, "
+ "requested_len %d, corrected_len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len, new_len);
+
+ return new_len;
+ }
+
+ return len;
+}
+
void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page *page;
@@ -22,6 +64,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
int bytes_read;
int bytes_to_read;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagenum = off >> PAGE_SHIFT;
off &= ~PAGE_MASK; /* compute page offset for the first page */
@@ -80,6 +136,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page *page;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
page = node->page[0];
@@ -104,6 +174,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
{
struct page *page;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
page = node->page[0];
@@ -119,6 +203,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(src_node, src, len);
+ len = check_and_correct_requested_length(dst_node, dst, len);
+
src += src_node->page_offset;
dst += dst_node->page_offset;
src_page = src_node->page[0];
@@ -136,6 +224,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(node, src, len);
+ len = check_and_correct_requested_length(node, dst, len);
+
src += node->page_offset;
dst += node->page_offset;
page = node->page[0];
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 050/482] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 049/482] hfs: fix slab-out-of-bounds in hfs_bnode_read() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 051/482] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
` (440 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kun Hu, Jiaji Qin, Shuoran Bai,
Viacheslav Dubeyko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ]
The hfsplus_bnode_read() method can trigger the issue:
[ 174.852007][ T9784] ==================================================================
[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
[ 174.854059][ T9784]
[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 174.854286][ T9784] Call Trace:
[ 174.854289][ T9784] <TASK>
[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0
[ 174.854305][ T9784] print_report+0xd0/0x660
[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610
[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180
[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854337][ T9784] kasan_report+0xc6/0x100
[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360
[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380
[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10
[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0
[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310
[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0
[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0
[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10
[ 174.854436][ T9784] ? __asan_memset+0x23/0x50
[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320
[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0
[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0
[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10
[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0
[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10
[ 174.854525][ T9784] ? down_write+0x148/0x200
[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10
[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0
[ 174.854549][ T9784] do_unlinkat+0x490/0x670
[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10
[ 174.854565][ T9784] ? __might_fault+0xbc/0x130
[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550
[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110
[ 174.854592][ T9784] do_syscall_64+0xc9/0x480
[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 174.854658][ T9784] </TASK>
[ 174.854661][ T9784]
[ 174.879281][ T9784] Allocated by task 9784:
[ 174.879664][ T9784] kasan_save_stack+0x20/0x40
[ 174.880082][ T9784] kasan_save_track+0x14/0x30
[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0
[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550
[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890
[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10
[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520
[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320
[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0
[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0
[ 174.884004][ T9784] vfs_rmdir+0x206/0x690
[ 174.884379][ T9784] do_rmdir+0x2b7/0x390
[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110
[ 174.885167][ T9784] do_syscall_64+0xc9/0x480
[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.886083][ T9784]
[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600
[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192
[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of
[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698)
[ 174.888766][ T9784]
[ 174.888976][ T9784] The buggy address belongs to the physical page:
[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc
[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
[ 174.890927][ T9784] page_type: f5(slab)
[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002
[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 174.892774][ T9784] page dumped because: kasan: bad access detected
[ 174.893327][ T9784] page_owner tracks the page as allocated
[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1
[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230
[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30
[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460
[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550
[ 174.897242][ T9784] new_slab+0x23b/0x340
[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960
[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0
[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550
[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0
[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0
[ 174.899718][ T9784] usb_get_string+0xab/0x1a0
[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0
[ 174.900549][ T9784] usb_string+0x307/0x670
[ 174.900933][ T9784] usb_cache_string+0x80/0x150
[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0
[ 174.901786][ T9784] register_root_hub+0x299/0x730
[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace:
[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250
[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0
[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0
[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80
[ 174.904519][ T9784] worker_thread+0x630/0xe60
[ 174.904927][ T9784] kthread+0x3a8/0x770
[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0
[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30
[ 174.906128][ T9784]
[ 174.906338][ T9784] Memory state around the buggy address:
[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 174.908917][ T9784] ^
[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 174.911401][ T9784] ==================================================================
The reason of the issue that code doesn't check the correctness
of the requested offset and length. As a result, incorrect value
of offset or/and length could result in access out of allocated
memory.
This patch introduces is_bnode_offset_valid() method that checks
the requested offset value. Also, it introduces
check_and_correct_requested_length() method that checks and
correct the requested length (if it is necessary). These methods
are used in hfsplus_bnode_read(), hfsplus_bnode_write(),
hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move()
with the goal to prevent the access out of allocated memory
and triggering the crash.
Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
Reported-by: Jiaji Qin <jjtan24@m.fudan.edu.cn>
Reported-by: Shuoran Bai <baishuoran@hrbeu.edu.cn>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 079ea80534f7..14f4995588ff 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -18,12 +18,68 @@
#include "hfsplus_fs.h"
#include "hfsplus_raw.h"
+static inline
+bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+{
+ bool is_valid = off < node->tree->node_size;
+
+ if (!is_valid) {
+ pr_err("requested invalid offset: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off);
+ }
+
+ return is_valid;
+}
+
+static inline
+int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+{
+ unsigned int node_size;
+
+ if (!is_bnode_offset_valid(node, off))
+ return 0;
+
+ node_size = node->tree->node_size;
+
+ if ((off + len) > node_size) {
+ int new_len = (int)node_size - off;
+
+ pr_err("requested length has been corrected: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, "
+ "requested_len %d, corrected_len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len, new_len);
+
+ return new_len;
+ }
+
+ return len;
+}
+
/* Copy a specified range of bytes from the raw data of a node */
void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page **pagep;
int l;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
off &= ~PAGE_MASK;
@@ -81,6 +137,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
struct page **pagep;
int l;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
off &= ~PAGE_MASK;
@@ -109,6 +179,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
struct page **pagep;
int l;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
off &= ~PAGE_MASK;
@@ -133,6 +217,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(src_node, src, len);
+ len = check_and_correct_requested_length(dst_node, dst, len);
+
src += src_node->page_offset;
dst += dst_node->page_offset;
src_page = src_node->page + (src >> PAGE_SHIFT);
@@ -187,6 +275,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(node, src, len);
+ len = check_and_correct_requested_length(node, dst, len);
+
src += node->page_offset;
dst += node->page_offset;
if (dst > src) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 051/482] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 050/482] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 052/482] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file() Greg Kroah-Hartman
` (439 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenzhi Wang, Liu Shixin,
Viacheslav Dubeyko, John Paul Adrian Glaubitz, Yangtao Li,
linux-fsdevel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ]
The hfsplus_readdir() method is capable to crash by calling
hfsplus_uni2asc():
[ 667.121659][ T9805] ==================================================================
[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
[ 667.124578][ T9805]
[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)
[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 667.124890][ T9805] Call Trace:
[ 667.124893][ T9805] <TASK>
[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0
[ 667.124911][ T9805] print_report+0xd0/0x660
[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610
[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180
[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10
[ 667.124942][ T9805] kasan_report+0xc6/0x100
[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10
[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10
[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360
[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0
[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10
[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0
[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20
[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0
[ 667.125022][ T9805] ? lock_acquire+0x30/0x80
[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20
[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0
[ 667.125044][ T9805] ? putname+0x154/0x1a0
[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10
[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0
[ 667.125069][ T9805] iterate_dir+0x296/0xb20
[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0
[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10
[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200
[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10
[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0
[ 667.125143][ T9805] do_syscall_64+0xc9/0x480
[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9
[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9
[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9
[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004
[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110
[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260
[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 667.125207][ T9805] </TASK>
[ 667.125210][ T9805]
[ 667.145632][ T9805] Allocated by task 9805:
[ 667.145991][ T9805] kasan_save_stack+0x20/0x40
[ 667.146352][ T9805] kasan_save_track+0x14/0x30
[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0
[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550
[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0
[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0
[ 667.148174][ T9805] iterate_dir+0x296/0xb20
[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0
[ 667.148937][ T9805] do_syscall_64+0xc9/0x480
[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.149809][ T9805]
[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000
[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048
[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of
[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)
[ 667.152580][ T9805]
[ 667.152798][ T9805] The buggy address belongs to the physical page:
[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928
[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 667.155631][ T9805] page_type: f5(slab)
[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff
[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 667.160643][ T9805] page dumped because: kasan: bad access detected
[ 667.161216][ T9805] page_owner tracks the page as allocated
[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9
[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230
[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30
[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460
[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550
[ 667.165489][ T9805] new_slab+0x23b/0x340
[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960
[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0
[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0
[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0
[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210
[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190
[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0
[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0
[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140
[ 667.169784][ T9805] do_syscall_64+0xc9/0x480
[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace:
[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250
[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0
[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0
[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80
[ 667.173067][ T9805] worker_thread+0x630/0xe60
[ 667.173486][ T9805] kthread+0x3a8/0x770
[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0
[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30
[ 667.174703][ T9805]
[ 667.174917][ T9805] Memory state around the buggy address:
[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 667.177547][ T9805] ^
[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 667.179350][ T9805] ==================================================================
The hfsplus_uni2asc() method operates by struct hfsplus_unistr:
struct hfsplus_unistr {
__be16 length;
hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN];
} __packed;
where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length
of the structure instance has value bigger than 255 (for example,
65283). In such case, pointer on unicode buffer is going beyond of
the allocated memory.
The patch fixes the issue by checking the length value of
hfsplus_unistr instance and using 255 value in the case if length
value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such
situation could be a corruption of Catalog File b-tree's node.
Reported-by: Wenzhi Wang <wenzhi.wang@uwaterloo.ca>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Yangtao Li <frank.li@vivo.com>
Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/unicode.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c
index 73342c925a4b..36b6cf2a3abb 100644
--- a/fs/hfsplus/unicode.c
+++ b/fs/hfsplus/unicode.c
@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb,
op = astr;
ip = ustr->unicode;
+
ustrlen = be16_to_cpu(ustr->length);
+ if (ustrlen > HFSPLUS_MAX_STRLEN) {
+ ustrlen = HFSPLUS_MAX_STRLEN;
+ pr_err("invalid length %u has been corrected to %d\n",
+ be16_to_cpu(ustr->length), ustrlen);
+ }
+
len = *len_p;
ce1 = NULL;
compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 052/482] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 051/482] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 053/482] arm64: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
` (438 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
Viacheslav Dubeyko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ]
When the volume header contains erroneous values that do not reflect
the actual state of the filesystem, hfsplus_fill_super() assumes that
the attributes file is not yet created, which later results in hitting
BUG_ON() when hfsplus_create_attributes_file() is called. Replace this
BUG_ON() with -EIO error with a message to suggest running fsck tool.
Reported-by: syzbot <syzbot+1107451c16b9eb9d29e6@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/xattr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 2b0e0ba58139..beedc1a2237a 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
return PTR_ERR(attr_file);
}
- BUG_ON(i_size_read(attr_file) != 0);
+ if (i_size_read(attr_file) != 0) {
+ err = -EIO;
+ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n");
+ goto end_attr_file_creation;
+ }
hip = HFSPLUS_I(attr_file);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 053/482] arm64: Handle KCOV __init vs inline mismatches
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 052/482] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 054/482] smb/server: avoid deadlock when linking with ReplaceIfExists Greg Kroah-Hartman
` (437 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ]
GCC appears to have kind of fragile inlining heuristics, in the
sense that it can change whether or not it inlines something based on
optimizations. It looks like the kcov instrumentation being added (or in
this case, removed) from a function changes the optimization results,
and some functions marked "inline" are _not_ inlined. In that case,
we end up with __init code calling a function not marked __init, and we
get the build warnings I'm trying to eliminate in the coming patch that
adds __no_sanitize_coverage to __init functions:
WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text)
This problem is somewhat fragile (though using either __always_inline
or __init will deterministically solve it), but we've tripped over
this before with GCC and the solution has usually been to just use
__always_inline and move on.
For arm64 this requires forcing one ACPI function to be inlined with
__always_inline.
Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/acpi.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h
index 702587fda70c..8cbbd08cc8c5 100644
--- a/arch/arm64/include/asm/acpi.h
+++ b/arch/arm64/include/asm/acpi.h
@@ -128,7 +128,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor)
{}
#endif
-static inline const char *acpi_get_enable_method(int cpu)
+static __always_inline const char *acpi_get_enable_method(int cpu)
{
if (acpi_psci_present())
return "psci";
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 054/482] smb/server: avoid deadlock when linking with ReplaceIfExists
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 053/482] arm64: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 055/482] udf: Verify partition map count Greg Kroah-Hartman
` (436 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, Namjae Jeon, Steve French,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
[ Upstream commit d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694 ]
If smb2_create_link() is called with ReplaceIfExists set and the name
does exist then a deadlock will happen.
ksmbd_vfs_kern_path_locked() will return with success and the parent
directory will be locked. ksmbd_vfs_remove_file() will then remove the
file. ksmbd_vfs_link() will then be called while the parent is still
locked. It will try to lock the same parent and will deadlock.
This patch moves the ksmbd_vfs_kern_path_unlock() call to *before*
ksmbd_vfs_link() and then simplifies the code, removing the file_present
flag variable.
Signed-off-by: NeilBrown <neil@brown.name>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 3e2cd22fb2bd..7943b2ee2a76 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -5648,7 +5648,6 @@ static int smb2_create_link(struct ksmbd_work *work,
{
char *link_name = NULL, *target_name = NULL, *pathname = NULL;
struct path path, parent_path;
- bool file_present = false;
int rc;
if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
@@ -5681,11 +5680,8 @@ static int smb2_create_link(struct ksmbd_work *work,
if (rc) {
if (rc != -ENOENT)
goto out;
- } else
- file_present = true;
-
- if (file_info->ReplaceIfExists) {
- if (file_present) {
+ } else {
+ if (file_info->ReplaceIfExists) {
rc = ksmbd_vfs_remove_file(work, &path);
if (rc) {
rc = -EINVAL;
@@ -5693,21 +5689,17 @@ static int smb2_create_link(struct ksmbd_work *work,
link_name);
goto out;
}
- }
- } else {
- if (file_present) {
+ } else {
rc = -EEXIST;
ksmbd_debug(SMB, "link already exists\n");
goto out;
}
+ ksmbd_vfs_kern_path_unlock(&parent_path, &path);
}
-
rc = ksmbd_vfs_link(work, target_name, link_name);
if (rc)
rc = -EINVAL;
out:
- if (file_present)
- ksmbd_vfs_kern_path_unlock(&parent_path, &path);
if (!IS_ERR(link_name))
kfree(link_name);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 055/482] udf: Verify partition map count
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 054/482] smb/server: avoid deadlock when linking with ReplaceIfExists Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 056/482] drbd: add missing kref_get in handle_write_conflicts Greg Kroah-Hartman
` (435 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+478f2c1a6f0f447a46bb,
Jan Kara, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ]
Verify that number of partition maps isn't insanely high which can lead
to large allocation in udf_sb_alloc_partition_maps(). All partition maps
have to fit in the LVD which is in a single block.
Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/super.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/fs/udf/super.c b/fs/udf/super.c
index fa790be4f19f..a186d2418b50 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1410,7 +1410,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
struct genericPartitionMap *gpm;
uint16_t ident;
struct buffer_head *bh;
- unsigned int table_len;
+ unsigned int table_len, part_map_count;
int ret;
bh = udf_read_tagged(sb, block, block, &ident);
@@ -1431,7 +1431,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
"logical volume");
if (ret)
goto out_bh;
- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+
+ part_map_count = le32_to_cpu(lvd->numPartitionMaps);
+ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) {
+ udf_err(sb, "error loading logical volume descriptor: "
+ "Too many partition maps (%u > %u)\n", part_map_count,
+ table_len / (unsigned)sizeof(struct genericPartitionMap1));
+ ret = -EIO;
+ goto out_bh;
+ }
+ ret = udf_sb_alloc_partition_maps(sb, part_map_count);
if (ret)
goto out_bh;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 056/482] drbd: add missing kref_get in handle_write_conflicts
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 055/482] udf: Verify partition map count Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 057/482] hfs: fix not erasing deleted b-tree node issue Greg Kroah-Hartman
` (434 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarah Newman, Lars Ellenberg,
Christoph Böhmwalder, Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarah Newman <srn@prgmr.com>
[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ]
With `two-primaries` enabled, DRBD tries to detect "concurrent" writes
and handle write conflicts, so that even if you write to the same sector
simultaneously on both nodes, they end up with the identical data once
the writes are completed.
In handling "superseeded" writes, we forgot a kref_get,
resulting in a premature drbd_destroy_device and use after free,
and further to kernel crashes with symptoms.
Relevance: No one should use DRBD as a random data generator, and apparently
all users of "two-primaries" handle concurrent writes correctly on layer up.
That is cluster file systems use some distributed lock manager,
and live migration in virtualization environments stops writes on one node
before starting writes on the other node.
Which means that other than for "test cases",
this code path is never taken in real life.
FYI, in DRBD 9, things are handled differently nowadays. We still detect
"write conflicts", but no longer try to be smart about them.
We decided to disconnect hard instead: upper layers must not submit concurrent
writes. If they do, that's their fault.
Signed-off-by: Sarah Newman <srn@prgmr.com>
Signed-off-by: Lars Ellenberg <lars@linbit.com>
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/drbd/drbd_receiver.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 4ba09abbcaf6..acaa84fbe7f6 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -2478,7 +2478,11 @@ static int handle_write_conflicts(struct drbd_device *device,
peer_req->w.cb = superseded ? e_send_superseded :
e_send_retry_write;
list_add_tail(&peer_req->w.list, &device->done_ee);
- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work);
+ /* put is in drbd_send_acks_wf() */
+ kref_get(&device->kref);
+ if (!queue_work(connection->ack_sender,
+ &peer_req->peer_device->send_acks_work))
+ kref_put(&device->kref, drbd_destroy_device);
err = -ENOENT;
goto out;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 057/482] hfs: fix not erasing deleted b-tree node issue
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 056/482] drbd: add missing kref_get in handle_write_conflicts Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 058/482] better lockdep annotations for simple_recursive_removal() Greg Kroah-Hartman
` (433 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
Johannes Thumshirn, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ]
The generic/001 test of xfstests suite fails and corrupts
the HFS volume:
sudo ./check generic/001
FSTYP -- hfs
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2>
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details)
Ran: generic/001
Failures: generic/001
Failed 1 of 1 tests
fsck.hfs -d -n ./test-image.bin
** ./test-image.bin (NO WRITE)
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking HFS volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
Unused node is not erased (node = 2)
Unused node is not erased (node = 4)
<skipped>
Unused node is not erased (node = 253)
Unused node is not erased (node = 254)
Unused node is not erased (node = 255)
Unused node is not erased (node = 256)
** Checking catalog hierarchy.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
CBTStat = 0x0004 CatStat = 0x00000000
** The volume untitled was found corrupt and needs to be repaired.
volume type is HFS
primary MDB is at block 2 0x02
alternate MDB is at block 20971518 0x13ffffe
primary VHB is at block 0 0x00
alternate VHB is at block 0 0x00
sector size = 512 0x200
VolumeObject flags = 0x19
total sectors for volume = 20971520 0x1400000
total sectors for embedded volume = 0 0x00
This patch adds logic of clearing the deleted b-tree node.
sudo ./check generic/001
FSTYP -- hfs
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/001 9s ... 32s
Ran: generic/001
Passed all 1 tests
fsck.hfs -d -n ./test-image.bin
** ./test-image.bin (NO WRITE)
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking HFS volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking catalog hierarchy.
** Checking volume bitmap.
** Checking volume information.
** The volume untitled appears to be OK.
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfs/bnode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 1dac5d9c055f..e8cd1a31f247 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -574,6 +574,7 @@ void hfs_bnode_put(struct hfs_bnode *node)
if (test_bit(HFS_BNODE_DELETED, &node->flags)) {
hfs_bnode_unhash(node);
spin_unlock(&tree->hash_lock);
+ hfs_bnode_clear(node, 0, tree->node_size);
hfs_bmap_free(node);
hfs_bnode_free(node);
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 058/482] better lockdep annotations for simple_recursive_removal()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 057/482] hfs: fix not erasing deleted b-tree node issue Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 059/482] ata: libata-sata: Disallow changing LPM state if not supported Greg Kroah-Hartman
` (432 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+169de184e9defe7fe709, Al Viro,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 2a8061ee5e41034eb14170ec4517b5583dbeff9f ]
We want a class that nests outside of I_MUTEX_NORMAL (for the sake of
callbacks that might want to lock the victim) and inside I_MUTEX_PARENT
(so that a variant of that could be used with parent of the victim
held locked by the caller).
In reality, simple_recursive_removal()
* never holds two locks at once
* holds the lock on parent of dentry passed to callback
* is used only on the trees with fixed topology, so the depths
are not changing.
So the locking order is actually fine.
AFAICS, the best solution is to assign I_MUTEX_CHILD to the locks
grabbed by that thing.
Reported-by: syzbot+169de184e9defe7fe709@syzkaller.appspotmail.com
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/libfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/libfs.c b/fs/libfs.c
index aada4e7c8713..cbd42d76fbd0 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -274,7 +274,7 @@ void simple_recursive_removal(struct dentry *dentry,
struct dentry *victim = NULL, *child;
struct inode *inode = this->d_inode;
- inode_lock(inode);
+ inode_lock_nested(inode, I_MUTEX_CHILD);
if (d_is_dir(this))
inode->i_flags |= S_DEAD;
while ((child = find_next_child(this, victim)) == NULL) {
@@ -286,7 +286,7 @@ void simple_recursive_removal(struct dentry *dentry,
victim = this;
this = this->d_parent;
inode = this->d_inode;
- inode_lock(inode);
+ inode_lock_nested(inode, I_MUTEX_CHILD);
if (simple_positive(victim)) {
d_invalidate(victim); // avoid lost mounts
if (d_is_dir(victim))
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 059/482] ata: libata-sata: Disallow changing LPM state if not supported
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 058/482] better lockdep annotations for simple_recursive_removal() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 060/482] fs/ntfs3: Add sanity check for file name Greg Kroah-Hartman
` (431 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Hannes Reinecke, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 413e800cadbf67550d76c77c230b2ecd96bce83a ]
Modify ata_scsi_lpm_store() to return an error if a user attempts to set
a link power management policy for a port that does not support LPM,
that is, ports flagged with ATA_FLAG_NO_LPM.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20250701125321.69496-6-dlemoal@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-sata.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
index 71a00842eb5e..b75999388bf0 100644
--- a/drivers/ata/libata-sata.c
+++ b/drivers/ata/libata-sata.c
@@ -812,6 +812,11 @@ static ssize_t ata_scsi_lpm_store(struct device *device,
spin_lock_irqsave(ap->lock, flags);
+ if (ap->flags & ATA_FLAG_NO_LPM) {
+ count = -EOPNOTSUPP;
+ goto out_unlock;
+ }
+
ata_for_each_link(link, ap, EDGE) {
ata_for_each_dev(dev, &ap->link, ENABLED) {
if (dev->horkage & ATA_HORKAGE_NOLPM) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 060/482] fs/ntfs3: Add sanity check for file name
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 059/482] ata: libata-sata: Disallow changing LPM state if not supported Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 061/482] fs/ntfs3: correctly create symlink for relative path Greg Kroah-Hartman
` (430 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+598057afa0f49e62bd23,
Lizhi Xu, Konstantin Komarov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ]
The length of the file name should be smaller than the directory entry size.
Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/dir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index a4ab0164d150..c49e64ebbd0a 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
return true;
+ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
+ return true;
+
name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
PATH_MAX);
if (name_len <= 0) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 061/482] fs/ntfs3: correctly create symlink for relative path
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 060/482] fs/ntfs3: Add sanity check for file name Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 062/482] ext2: Handle fiemap on empty files to prevent EINVAL Greg Kroah-Hartman
` (429 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rong Zhang, Konstantin Komarov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <ulin0208@gmail.com>
[ Upstream commit b1e9d89408f402858c00103f9831b25ffa0994d3 ]
After applying this patch, could correctly create symlink:
ln -s "relative/path/to/file" symlink
Signed-off-by: Rong Zhang <ulin0208@gmail.com>
[almaz.alexandrovich@paragon-software.com: added cpu_to_le32 macro to
rs->Flags assignment]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/inode.c | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 5baf6a2b3d48..844113c3175c 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1114,10 +1114,10 @@ int inode_write_data(struct inode *inode, const void *data, size_t bytes)
* Number of bytes for REPARSE_DATA_BUFFER(IO_REPARSE_TAG_SYMLINK)
* for unicode string of @uni_len length.
*/
-static inline u32 ntfs_reparse_bytes(u32 uni_len)
+static inline u32 ntfs_reparse_bytes(u32 uni_len, bool is_absolute)
{
/* Header + unicode string + decorated unicode string. */
- return sizeof(short) * (2 * uni_len + 4) +
+ return sizeof(short) * (2 * uni_len + (is_absolute ? 4 : 0)) +
offsetof(struct REPARSE_DATA_BUFFER,
SymbolicLinkReparseBuffer.PathBuffer);
}
@@ -1130,8 +1130,11 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
struct REPARSE_DATA_BUFFER *rp;
__le16 *rp_name;
typeof(rp->SymbolicLinkReparseBuffer) *rs;
+ bool is_absolute;
- rp = kzalloc(ntfs_reparse_bytes(2 * size + 2), GFP_NOFS);
+ is_absolute = (strlen(symname) > 1 && symname[1] == ':');
+
+ rp = kzalloc(ntfs_reparse_bytes(2 * size + 2, is_absolute), GFP_NOFS);
if (!rp)
return ERR_PTR(-ENOMEM);
@@ -1146,7 +1149,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
goto out;
/* err = the length of unicode name of symlink. */
- *nsize = ntfs_reparse_bytes(err);
+ *nsize = ntfs_reparse_bytes(err, is_absolute);
if (*nsize > sbi->reparse.max_size) {
err = -EFBIG;
@@ -1166,7 +1169,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
/* PrintName + SubstituteName. */
rs->SubstituteNameOffset = cpu_to_le16(sizeof(short) * err);
- rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + 8);
+ rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + (is_absolute ? 8 : 0));
rs->PrintNameLength = rs->SubstituteNameOffset;
/*
@@ -1174,16 +1177,18 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
* parse this path.
* 0-absolute path 1- relative path (SYMLINK_FLAG_RELATIVE).
*/
- rs->Flags = 0;
+ rs->Flags = cpu_to_le32(is_absolute ? 0 : SYMLINK_FLAG_RELATIVE);
- memmove(rp_name + err + 4, rp_name, sizeof(short) * err);
+ memmove(rp_name + err + (is_absolute ? 4 : 0), rp_name, sizeof(short) * err);
- /* Decorate SubstituteName. */
- rp_name += err;
- rp_name[0] = cpu_to_le16('\\');
- rp_name[1] = cpu_to_le16('?');
- rp_name[2] = cpu_to_le16('?');
- rp_name[3] = cpu_to_le16('\\');
+ if (is_absolute) {
+ /* Decorate SubstituteName. */
+ rp_name += err;
+ rp_name[0] = cpu_to_le16('\\');
+ rp_name[1] = cpu_to_le16('?');
+ rp_name[2] = cpu_to_le16('?');
+ rp_name[3] = cpu_to_le16('\\');
+ }
return rp;
out:
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 062/482] ext2: Handle fiemap on empty files to prevent EINVAL
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 061/482] fs/ntfs3: correctly create symlink for relative path Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 063/482] fix locking in efi_secret_unlink() Greg Kroah-Hartman
` (428 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Gao, Jan Kara, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Gao <wegao@suse.com>
[ Upstream commit a099b09a3342a0b28ea330e405501b5b4d0424b4 ]
Previously, ext2_fiemap would unconditionally apply "len = min_t(u64, len,
i_size_read(inode));", When inode->i_size was 0 (for an empty file), this
would reduce the requested len to 0. Passing len = 0 to iomap_fiemap could
then result in an -EINVAL error, even for valid queries on empty files.
Link: https://github.com/linux-test-project/ltp/issues/1246
Signed-off-by: Wei Gao <wegao@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250613152402.3432135-1-wegao@suse.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext2/inode.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
index 5a32fcd55183..430ccd983491 100644
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -860,9 +860,19 @@ int ext2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
u64 start, u64 len)
{
int ret;
+ loff_t i_size;
inode_lock(inode);
- len = min_t(u64, len, i_size_read(inode));
+ i_size = i_size_read(inode);
+ /*
+ * iomap_fiemap() returns EINVAL for 0 length. Make sure we don't trim
+ * length to 0 but still trim the range as much as possible since
+ * ext2_get_blocks() iterates unmapped space block by block which is
+ * slow.
+ */
+ if (i_size == 0)
+ i_size = 1;
+ len = min_t(u64, len, i_size);
ret = iomap_fiemap(inode, fieinfo, start, len, &ext2_iomap_ops);
inode_unlock(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 063/482] fix locking in efi_secret_unlink()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 062/482] ext2: Handle fiemap on empty files to prevent EINVAL Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 064/482] securityfs: dont pin dentries twice, once is enough Greg Kroah-Hartman
` (427 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 2c58d42de71f9c73e40afacc9d062892d2cc8862 ]
We used to need securityfs_remove() to undo simple_pin_fs() done when
the file had been created and to drop the second extra reference
taken at the same time. Now that neither is needed (or done by
securityfs_remove()), we can simply call simple_unlink() and be done
with that - the broken games with locking had been there only for the
sake of securityfs_remove().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/virt/coco/efi_secret/efi_secret.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/drivers/virt/coco/efi_secret/efi_secret.c b/drivers/virt/coco/efi_secret/efi_secret.c
index e700a5ef7043..d996feb0509a 100644
--- a/drivers/virt/coco/efi_secret/efi_secret.c
+++ b/drivers/virt/coco/efi_secret/efi_secret.c
@@ -136,15 +136,7 @@ static int efi_secret_unlink(struct inode *dir, struct dentry *dentry)
if (s->fs_files[i] == dentry)
s->fs_files[i] = NULL;
- /*
- * securityfs_remove tries to lock the directory's inode, but we reach
- * the unlink callback when it's already locked
- */
- inode_unlock(dir);
- securityfs_remove(dentry);
- inode_lock(dir);
-
- return 0;
+ return simple_unlink(inode, dentry);
}
static const struct inode_operations efi_secret_dir_inode_operations = {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 064/482] securityfs: dont pin dentries twice, once is enough...
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 063/482] fix locking in efi_secret_unlink() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 065/482] usb: xhci: print xhci->xhc_state when queue_command failed Greg Kroah-Hartman
` (426 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ]
incidentally, securityfs_recursive_remove() is broken without that -
it leaks dentries, since simple_recursive_removal() does not expect
anything of that sort. It could be worked around by dput() in
remove_one() callback, but it's easier to just drop that double-get
stuff.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/inode.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/inode.c b/security/inode.c
index 6c326939750d..e6e07787eec9 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode,
inode->i_fop = fops;
}
d_instantiate(dentry, inode);
- dget(dentry);
inode_unlock(dir);
return dentry;
@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry)
simple_rmdir(dir, dentry);
else
simple_unlink(dir, dentry);
- dput(dentry);
}
inode_unlock(dir);
simple_release_fs(&mount, &mount_count);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 065/482] usb: xhci: print xhci->xhc_state when queue_command failed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 064/482] securityfs: dont pin dentries twice, once is enough Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 066/482] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Greg Kroah-Hartman
` (425 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Hui, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ]
When encounters some errors like these:
xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command
xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment
usb usb5-port6: couldn't allocate usb_device
It's hard to know whether xhc_state is dying or halted. So it's better
to print xhc_state's value which can help locate the resaon of the bug.
Signed-off-by: Su Hui <suhui@nfschina.com>
Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-ring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 0862fdd3e568..c4880b22f359 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -4421,7 +4421,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd,
if ((xhci->xhc_state & XHCI_STATE_DYING) ||
(xhci->xhc_state & XHCI_STATE_HALTED)) {
- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n");
+ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n",
+ xhci->xhc_state);
return -ESHUTDOWN;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 066/482] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 065/482] usb: xhci: print xhci->xhc_state when queue_command failed Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 067/482] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Greg Kroah-Hartman
` (424 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Prashant Malani,
Viresh Kumar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prashant Malani <pmalani@google.com>
[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ]
AMU counters on certain CPPC-based platforms tend to yield inaccurate
delivered performance measurements on systems that are idle/mostly idle.
This results in an inaccurate frequency being stored by cpufreq in its
policy structure when the CPU is brought online. [1]
Consequently, if the userspace governor tries to set the frequency to a
new value, there is a possibility that it would be the erroneous value
stored earlier. In such a scenario, cpufreq would assume that the
requested frequency has already been set and return early, resulting in
the correct/new frequency request never making it to the hardware.
Since the operating frequency is liable to this sort of inconsistency,
mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always
invoked when a target frequency update is requested.
Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1]
Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Prashant Malani <pmalani@google.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cppc_cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
index cfa2e3f0e56b..d77e4aa209d9 100644
--- a/drivers/cpufreq/cppc_cpufreq.c
+++ b/drivers/cpufreq/cppc_cpufreq.c
@@ -809,7 +809,7 @@ static struct freq_attr *cppc_cpufreq_attr[] = {
};
static struct cpufreq_driver cppc_cpufreq_driver = {
- .flags = CPUFREQ_CONST_LOOPS,
+ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS,
.verify = cppc_verify_policy,
.target = cppc_cpufreq_set_target,
.get = cppc_cpufreq_get_rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 067/482] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 066/482] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 068/482] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Greg Kroah-Hartman
` (423 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cynthia Huang, Ben Zong-You Xie,
Thomas Gleixner, Muhammad Usama Anjum, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cynthia Huang <cynthia@andestech.com>
[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ]
The kernel does not provide sys_futex() on 32-bit architectures that do not
support 32-bit time representations, such as riscv32.
As a result, glibc cannot define SYS_futex, causing compilation failures in
tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in
such cases to ensure successful compilation and compatibility.
Signed-off-by: Cynthia Huang <cynthia@andestech.com>
Signed-off-by: Ben Zong-You Xie <ben717@andestech.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h
index ddbcfc9b7bac..7a5fd1d5355e 100644
--- a/tools/testing/selftests/futex/include/futextest.h
+++ b/tools/testing/selftests/futex/include/futextest.h
@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t;
FUTEX_PRIVATE_FLAG)
#endif
+/*
+ * SYS_futex is expected from system C library, in glibc some 32-bit
+ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have
+ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as
+ * SYS_futex_time64 in this situation to ensure the compilation and the
+ * compatibility.
+ */
+#if !defined(SYS_futex) && defined(SYS_futex_time64)
+#define SYS_futex SYS_futex_time64
+#endif
+
/**
* futex() - SYS_futex syscall wrapper
* @uaddr: address of first futex
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 068/482] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 067/482] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 069/482] usb: xhci: Avoid showing warnings for dying controller Greg Kroah-Hartman
` (422 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benson Leung, Jameson Thies,
Heikki Krogerus, Sebastian Reichel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benson Leung <bleung@chromium.org>
[ Upstream commit af833e7f7db3cf4c82f063668e1b52297a30ec18 ]
ucsi_psy_get_current_max would return 0mA as the maximum current if
UCSI detected a BC or a Default USB Power sporce.
The comment in this function is true that we can't tell the difference
between DCP/CDP or SDP chargers, but we can guarantee that at least 1-unit
of USB 1.1/2.0 power is available, which is 100mA, which is a better
fallback value than 0, which causes some userspaces, including the ChromeOS
power manager, to regard this as a power source that is not providing
any power.
In reality, 100mA is guaranteed from all sources in these classes.
Signed-off-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Jameson Thies <jthies@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Link: https://lore.kernel.org/r/20250717200805.3710473-1-bleung@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/ucsi/psy.c | 2 +-
drivers/usb/typec/ucsi/ucsi.h | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/typec/ucsi/psy.c b/drivers/usb/typec/ucsi/psy.c
index b35c6e07911e..9b0157063df0 100644
--- a/drivers/usb/typec/ucsi/psy.c
+++ b/drivers/usb/typec/ucsi/psy.c
@@ -163,7 +163,7 @@ static int ucsi_psy_get_current_max(struct ucsi_connector *con,
case UCSI_CONSTAT_PWR_OPMODE_DEFAULT:
/* UCSI can't tell b/w DCP/CDP or USB2/3x1/3x2 SDP chargers */
default:
- val->intval = 0;
+ val->intval = UCSI_TYPEC_DEFAULT_CURRENT * 1000;
break;
}
return 0;
diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
index 793a8307dded..0167239cdcd4 100644
--- a/drivers/usb/typec/ucsi/ucsi.h
+++ b/drivers/usb/typec/ucsi/ucsi.h
@@ -313,9 +313,10 @@ struct ucsi {
#define UCSI_MAX_SVID 5
#define UCSI_MAX_ALTMODES (UCSI_MAX_SVID * 6)
-#define UCSI_TYPEC_VSAFE5V 5000
-#define UCSI_TYPEC_1_5_CURRENT 1500
-#define UCSI_TYPEC_3_0_CURRENT 3000
+#define UCSI_TYPEC_VSAFE5V 5000
+#define UCSI_TYPEC_DEFAULT_CURRENT 100
+#define UCSI_TYPEC_1_5_CURRENT 1500
+#define UCSI_TYPEC_3_0_CURRENT 3000
struct ucsi_connector {
int num;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 069/482] usb: xhci: Avoid showing warnings for dying controller
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 068/482] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 070/482] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Greg Kroah-Hartman
` (421 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Mathias Nyman,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ]
When a USB4 dock is unplugged from a system it won't respond to ring
events. The PCI core handles the surprise removal event and notifies
all PCI drivers. The XHCI PCI driver sets a flag that the device is
being removed, and when the device stops responding a flag is also
added to indicate it's dying.
When that flag is set don't bother to show warnings about a missing
controller.
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index e726c5edee03..a5ce544860b8 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -119,7 +119,8 @@ int xhci_halt(struct xhci_hcd *xhci)
ret = xhci_handshake(&xhci->op_regs->status,
STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC);
if (ret) {
- xhci_warn(xhci, "Host halt failed, %d\n", ret);
+ if (!(xhci->xhc_state & XHCI_STATE_DYING))
+ xhci_warn(xhci, "Host halt failed, %d\n", ret);
return ret;
}
@@ -178,7 +179,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us)
state = readl(&xhci->op_regs->status);
if (state == ~(u32)0) {
- xhci_warn(xhci, "Host not accessible, reset failed.\n");
+ if (!(xhci->xhc_state & XHCI_STATE_DYING))
+ xhci_warn(xhci, "Host not accessible, reset failed.\n");
return -ENODEV;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 070/482] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 069/482] usb: xhci: Avoid showing warnings for dying controller Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 071/482] usb: xhci: Avoid showing errors during surprise removal Greg Kroah-Hartman
` (420 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jay Chen, Mathias Nyman, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jay Chen <shawn2000100@gmail.com>
[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ]
There is a subtle contradiction between sections of the xHCI 1.2 spec
regarding the initialization of Input Endpoint Context fields. Section
4.8.2 ("Endpoint Context Initialization") states that all fields should
be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453)
specifies that the Average TRB Length (avg_trb_len) field shall be
greater than 0, and explicitly notes (p.454): "Software shall set
Average TRB Length to '8' for control endpoints."
Strictly setting all fields to 0 during initialization conflicts with
the specific recommendation for control endpoints. In practice, setting
avg_trb_len = 0 is not meaningful for the hardware/firmware, as the
value is used for bandwidth calculation.
Motivation: Our company is developing a custom Virtual xHC hardware
platform that strictly follows the xHCI spec and its recommendations.
During validation, we observed that enumeration fails and a parameter
error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is
not set to 8 as recommended by Section 6.2.3. This demonstrates the
importance of assigning a meaningful, non-zero value to avg_trb_len,
even in virtualized or emulated environments.
This patch explicitly sets avg_trb_len to 8 for EP0 in
xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to
prevent potential issues with xHCI host controllers that enforce the
spec strictly.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033
Signed-off-by: Jay Chen <shawn2000100@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-mem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 537a0bc0f5e1..57f739f93321 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1200,6 +1200,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud
ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma |
dev->eps[0].ring->cycle_state);
+ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8));
+
trace_xhci_setup_addressable_virt_device(dev);
/* Steps 7 and 8 were done in xhci_alloc_virt_device() */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 071/482] usb: xhci: Avoid showing errors during surprise removal
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 070/482] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 072/482] remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Greg Kroah-Hartman
` (419 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Mathias Nyman,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ]
When a USB4 dock is unplugged from a system it won't respond to ring
events. The PCI core handles the surprise removal event and notifies
all PCI drivers. The XHCI PCI driver sets a flag that the device is
being removed as well.
When that flag is set don't show messages in the cleanup path for
marking the controller dead.
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-ring.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index c4880b22f359..c8e1ead0c09e 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1289,12 +1289,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
*/
void xhci_hc_died(struct xhci_hcd *xhci)
{
+ bool notify;
int i, j;
if (xhci->xhc_state & XHCI_STATE_DYING)
return;
- xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
+ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING);
+ if (notify)
+ xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
xhci->xhc_state |= XHCI_STATE_DYING;
xhci_cleanup_command_queue(xhci);
@@ -1308,7 +1311,7 @@ void xhci_hc_died(struct xhci_hcd *xhci)
}
/* inform usb core hc died if PCI remove isn't already handling it */
- if (!(xhci->xhc_state & XHCI_STATE_REMOVING))
+ if (notify)
usb_hc_died(xhci_to_hcd(xhci));
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 072/482] remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 071/482] usb: xhci: Avoid showing errors during surprise removal Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 073/482] gpio: wcd934x: check the return value of regmap_update_bits() Greg Kroah-Hartman
` (418 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peng Fan, Ulf Hansson,
Hiago De Franco, Mathieu Poirier, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hiago De Franco <hiago.franco@toradex.com>
[ Upstream commit 496deecb020d14ba89ba7084fbc3024f91687023 ]
For the i.MX8X and i.MX8 family SoCs, when the Cortex-M core is powered
up and started by the Cortex-A core using the bootloader (e.g., via the
U-Boot bootaux command), both M-core and Linux run within the same SCFW
(System Controller Firmware) partition. With that, Linux has permission
to control the M-core.
But once the M-core is started by the bootloader, the SCFW automatically
enables its clock and sets the clock rate. If Linux later attempts to
enable the same clock via clk_prepare_enable(), the SCFW returns a
'LOCKED' error, as the clock is already configured by the SCFW. This
causes the probe function in imx_rproc.c to fail, leading to the M-core
power domain being shut down while the core is still running. This
results in a fault from the SCU (System Controller Unit) and triggers a
system reset.
To address this issue, ignore handling the clk for i.MX8X and i.MX8
M-core, as SCFW already takes care of enabling and configuring the
clock.
Suggested-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Hiago De Franco <hiago.franco@toradex.com>
Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20250629172512.14857-3-hiagofranco@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/imx_rproc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
index bbaba453383d..ff7acc326f09 100644
--- a/drivers/remoteproc/imx_rproc.c
+++ b/drivers/remoteproc/imx_rproc.c
@@ -750,8 +750,8 @@ static int imx_rproc_clk_enable(struct imx_rproc *priv)
struct device *dev = priv->dev;
int ret;
- /* Remote core is not under control of Linux */
- if (dcfg->method == IMX_RPROC_NONE)
+ /* Remote core is not under control of Linux or it is managed by SCU API */
+ if (dcfg->method == IMX_RPROC_NONE || dcfg->method == IMX_RPROC_SCU_API)
return 0;
priv->clk = devm_clk_get(dev, NULL);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 073/482] gpio: wcd934x: check the return value of regmap_update_bits()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 072/482] remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 074/482] cpufreq: Exit governor when failed to start old governor Greg Kroah-Hartman
` (417 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit ff0f0d7c6587e38c308be9905e36f86e98fb9c1f ]
regmap_update_bits() can fail so check its return value in
wcd_gpio_direction_output() for consistency with the rest of the code
and propagate any errors.
Link: https://lore.kernel.org/r/20250709-gpiochip-set-rv-gpio-remaining-v1-2-b8950f69618d@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-wcd934x.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c
index 97e6caedf1f3..c00968ce7a56 100644
--- a/drivers/gpio/gpio-wcd934x.c
+++ b/drivers/gpio/gpio-wcd934x.c
@@ -45,9 +45,12 @@ static int wcd_gpio_direction_output(struct gpio_chip *chip, unsigned int pin,
int val)
{
struct wcd_gpio_data *data = gpiochip_get_data(chip);
+ int ret;
- regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
- WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
+ ret = regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
+ WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
+ if (ret)
+ return ret;
return regmap_update_bits(data->map, WCD_REG_VAL_CTL_OFFSET,
WCD_PIN_MASK(pin),
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 074/482] cpufreq: Exit governor when failed to start old governor
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 073/482] gpio: wcd934x: check the return value of regmap_update_bits() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 075/482] ARM: rockchip: fix kernel hang during smp initialization Greg Kroah-Hartman
` (416 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ]
Detect the result of starting old governor in cpufreq_set_policy(). If it
fails, exit the governor and clear policy->governor.
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 805b4d26e9d2..90bdccab1dff 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2649,10 +2649,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy,
pr_debug("starting governor %s failed\n", policy->governor->name);
if (old_gov) {
policy->governor = old_gov;
- if (cpufreq_init_governor(policy))
+ if (cpufreq_init_governor(policy)) {
policy->governor = NULL;
- else
- cpufreq_start_governor(policy);
+ } else if (cpufreq_start_governor(policy)) {
+ cpufreq_exit_governor(policy);
+ policy->governor = NULL;
+ }
}
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 075/482] ARM: rockchip: fix kernel hang during smp initialization
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 074/482] cpufreq: Exit governor when failed to start old governor Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 076/482] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Greg Kroah-Hartman
` (415 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Kochetkov, Heiko Stuebner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Kochetkov <al.kochet@gmail.com>
[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ]
In order to bring up secondary CPUs main CPU write trampoline
code to SRAM. The trampoline code is written while secondary
CPUs are powered on (at least that true for RK3188 CPU).
Sometimes that leads to kernel hang. Probably because secondary
CPU execute trampoline code while kernel doesn't expect.
The patch moves SRAM initialization step to the point where all
secondary CPUs are powered down.
That fixes rarely hangs on RK3188:
[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[ 0.091996] rockchip_smp_prepare_cpus: ncores 4
Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c
index 36915a073c23..f432d22bfed8 100644
--- a/arch/arm/mach-rockchip/platsmp.c
+++ b/arch/arm/mach-rockchip/platsmp.c
@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
}
if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
- if (rockchip_smp_prepare_sram(node)) {
- of_node_put(node);
- return;
- }
-
/* enable the SCU power domain */
pmu_set_power_domain(PMU_PWRDN_SCU, true);
@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr));
ncores = ((l2ctlr >> 24) & 0x3) + 1;
}
- of_node_put(node);
/* Make sure that all cores except the first are really off */
for (i = 1; i < ncores; i++)
pmu_set_power_domain(0 + i, false);
+
+ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
+ if (rockchip_smp_prepare_sram(node)) {
+ of_node_put(node);
+ return;
+ }
+ }
+
+ of_node_put(node);
}
static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 076/482] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 075/482] ARM: rockchip: fix kernel hang during smp initialization Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 077/482] EDAC/synopsys: Clear the ECC counters on init Greg Kroah-Hartman
` (414 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Chanwoo Choi,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ]
Replace sscanf() with kstrtoul() in set_freq_store() and check the result
to avoid invalid input.
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/devfreq/governor_userspace.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c
index d69672ccacc4..8d057cea09d5 100644
--- a/drivers/devfreq/governor_userspace.c
+++ b/drivers/devfreq/governor_userspace.c
@@ -9,6 +9,7 @@
#include <linux/slab.h>
#include <linux/device.h>
#include <linux/devfreq.h>
+#include <linux/kstrtox.h>
#include <linux/pm.h>
#include <linux/mutex.h>
#include <linux/module.h>
@@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr,
unsigned long wanted;
int err = 0;
+ err = kstrtoul(buf, 0, &wanted);
+ if (err)
+ return err;
+
mutex_lock(&devfreq->lock);
data = devfreq->governor_data;
- sscanf(buf, "%lu", &wanted);
data->user_frequency = wanted;
data->valid = true;
err = update_devfreq(devfreq);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 077/482] EDAC/synopsys: Clear the ECC counters on init
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 076/482] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 078/482] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Greg Kroah-Hartman
` (413 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shubhrajyoti Datta,
Borislav Petkov (AMD), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
[ Upstream commit b1dc7f097b78eb8d25b071ead2384b07a549692b ]
Clear the ECC error and counter registers during initialization/probe to avoid
reporting stale errors that may have occurred before EDAC registration.
For that, unify the Zynq and ZynqMP ECC state reading paths and simplify the
code.
[ bp: Massage commit message.
Fix an -Wsometimes-uninitialized warning as reported by
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507141048.obUv3ZUm-lkp@intel.com ]
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250713050753.7042-1-shubhrajyoti.datta@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/synopsys_edac.c | 97 +++++++++++++++++-------------------
1 file changed, 46 insertions(+), 51 deletions(-)
diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
index e7c18bb61f81..c02ad4f984ad 100644
--- a/drivers/edac/synopsys_edac.c
+++ b/drivers/edac/synopsys_edac.c
@@ -333,20 +333,26 @@ struct synps_edac_priv {
#endif
};
+enum synps_platform_type {
+ ZYNQ,
+ ZYNQMP,
+ SYNPS,
+};
+
/**
* struct synps_platform_data - synps platform data structure.
+ * @platform: Identifies the target hardware platform
* @get_error_info: Get EDAC error info.
* @get_mtype: Get mtype.
* @get_dtype: Get dtype.
- * @get_ecc_state: Get ECC state.
* @get_mem_info: Get EDAC memory info
* @quirks: To differentiate IPs.
*/
struct synps_platform_data {
+ enum synps_platform_type platform;
int (*get_error_info)(struct synps_edac_priv *priv);
enum mem_type (*get_mtype)(const void __iomem *base);
enum dev_type (*get_dtype)(const void __iomem *base);
- bool (*get_ecc_state)(void __iomem *base);
#ifdef CONFIG_EDAC_DEBUG
u64 (*get_mem_info)(struct synps_edac_priv *priv);
#endif
@@ -721,51 +727,38 @@ static enum dev_type zynqmp_get_dtype(const void __iomem *base)
return dt;
}
-/**
- * zynq_get_ecc_state - Return the controller ECC enable/disable status.
- * @base: DDR memory controller base address.
- *
- * Get the ECC enable/disable status of the controller.
- *
- * Return: true if enabled, otherwise false.
- */
-static bool zynq_get_ecc_state(void __iomem *base)
+static bool get_ecc_state(struct synps_edac_priv *priv)
{
+ u32 ecctype, clearval;
enum dev_type dt;
- u32 ecctype;
-
- dt = zynq_get_dtype(base);
- if (dt == DEV_UNKNOWN)
- return false;
- ecctype = readl(base + SCRUB_OFST) & SCRUB_MODE_MASK;
- if ((ecctype == SCRUB_MODE_SECDED) && (dt == DEV_X2))
- return true;
-
- return false;
-}
-
-/**
- * zynqmp_get_ecc_state - Return the controller ECC enable/disable status.
- * @base: DDR memory controller base address.
- *
- * Get the ECC enable/disable status for the controller.
- *
- * Return: a ECC status boolean i.e true/false - enabled/disabled.
- */
-static bool zynqmp_get_ecc_state(void __iomem *base)
-{
- enum dev_type dt;
- u32 ecctype;
-
- dt = zynqmp_get_dtype(base);
- if (dt == DEV_UNKNOWN)
- return false;
-
- ecctype = readl(base + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
- if ((ecctype == SCRUB_MODE_SECDED) &&
- ((dt == DEV_X2) || (dt == DEV_X4) || (dt == DEV_X8)))
- return true;
+ if (priv->p_data->platform == ZYNQ) {
+ dt = zynq_get_dtype(priv->baseaddr);
+ if (dt == DEV_UNKNOWN)
+ return false;
+
+ ecctype = readl(priv->baseaddr + SCRUB_OFST) & SCRUB_MODE_MASK;
+ if (ecctype == SCRUB_MODE_SECDED && dt == DEV_X2) {
+ clearval = ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_UE_ERR;
+ writel(clearval, priv->baseaddr + ECC_CTRL_OFST);
+ writel(0x0, priv->baseaddr + ECC_CTRL_OFST);
+ return true;
+ }
+ } else {
+ dt = zynqmp_get_dtype(priv->baseaddr);
+ if (dt == DEV_UNKNOWN)
+ return false;
+
+ ecctype = readl(priv->baseaddr + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
+ if (ecctype == SCRUB_MODE_SECDED &&
+ (dt == DEV_X2 || dt == DEV_X4 || dt == DEV_X8)) {
+ clearval = readl(priv->baseaddr + ECC_CLR_OFST) |
+ ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT |
+ ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT;
+ writel(clearval, priv->baseaddr + ECC_CLR_OFST);
+ return true;
+ }
+ }
return false;
}
@@ -935,18 +928,18 @@ static int setup_irq(struct mem_ctl_info *mci,
}
static const struct synps_platform_data zynq_edac_def = {
+ .platform = ZYNQ,
.get_error_info = zynq_get_error_info,
.get_mtype = zynq_get_mtype,
.get_dtype = zynq_get_dtype,
- .get_ecc_state = zynq_get_ecc_state,
.quirks = 0,
};
static const struct synps_platform_data zynqmp_edac_def = {
+ .platform = ZYNQMP,
.get_error_info = zynqmp_get_error_info,
.get_mtype = zynqmp_get_mtype,
.get_dtype = zynqmp_get_dtype,
- .get_ecc_state = zynqmp_get_ecc_state,
#ifdef CONFIG_EDAC_DEBUG
.get_mem_info = zynqmp_get_mem_info,
#endif
@@ -958,10 +951,10 @@ static const struct synps_platform_data zynqmp_edac_def = {
};
static const struct synps_platform_data synopsys_edac_def = {
+ .platform = SYNPS,
.get_error_info = zynqmp_get_error_info,
.get_mtype = zynqmp_get_mtype,
.get_dtype = zynqmp_get_dtype,
- .get_ecc_state = zynqmp_get_ecc_state,
.quirks = (DDR_ECC_INTR_SUPPORT | DDR_ECC_INTR_SELF_CLEAR
#ifdef CONFIG_EDAC_DEBUG
| DDR_ECC_DATA_POISON_SUPPORT
@@ -1393,10 +1386,6 @@ static int mc_probe(struct platform_device *pdev)
if (!p_data)
return -ENODEV;
- if (!p_data->get_ecc_state(baseaddr)) {
- edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
- return -ENXIO;
- }
layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
layers[0].size = SYNPS_EDAC_NR_CSROWS;
@@ -1416,6 +1405,12 @@ static int mc_probe(struct platform_device *pdev)
priv = mci->pvt_info;
priv->baseaddr = baseaddr;
priv->p_data = p_data;
+ if (!get_ecc_state(priv)) {
+ edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
+ rc = -ENODEV;
+ goto free_edac_mc;
+ }
+
spin_lock_init(&priv->reglock);
mc_init(mci, pdev);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 078/482] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 077/482] EDAC/synopsys: Clear the ECC counters on init Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 079/482] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Greg Kroah-Hartman
` (412 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ]
ASoC has 2 functions to set bias level.
(A) snd_soc_dapm_force_bias_level()
(B) snd_soc_dapm_set_bias_level()
snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if
successed.
(A) int snd_soc_dapm_force_bias_level(...)
{
...
if (ret == 0)
(a) dapm->bias_level = level;
...
}
snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level.
It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't
set dapm->bias_level by itself. One note is that (A) might not be called.
(B) static int snd_soc_dapm_set_bias_level(...)
{
...
ret = snd_soc_card_set_bias_level(...);
...
if (dapm != &card->dapm)
(A) ret = snd_soc_dapm_force_bias_level(...);
...
ret = snd_soc_card_set_bias_level_post(...);
...
}
dapm->bias_level will be set if (A) was called, but might not be set
if (B) was called, even though it calles set_bias_level() function.
We should set dapm->bias_level if we calls
snd_soc_dapm_set_bias_level() (B), too.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-dapm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 4103443770b0..481e5dd593b6 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -742,6 +742,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm,
out:
trace_snd_soc_bias_level_done(card, level);
+ /* success */
+ if (ret == 0)
+ snd_soc_dapm_init_bias_level(dapm, level);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 079/482] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 078/482] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 080/482] tools/nolibc: define time_t in terms of __kernel_old_time_t Greg Kroah-Hartman
` (411 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Collins, Anjelique Melendez,
Daniel Lezcano, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Collins <david.collins@oss.qualcomm.com>
[ Upstream commit f8e157ff2df46ddabd930815d196895976227831 ]
Certain TEMP_ALARM GEN2 PMIC peripherals need over-temperature stage 2
automatic PMIC partial shutdown. This will ensure that in the event of
reaching the hotter stage 3 over-temperature threshold, repeated faults
will be avoided during the automatic PMIC hardware full shutdown.
Modify the stage 2 shutdown control logic to ensure that stage 2
shutdown is enabled on all affected PMICs. Read the digital major
and minor revision registers to identify these PMICs.
Signed-off-by: David Collins <david.collins@oss.qualcomm.com>
Signed-off-by: Anjelique Melendez <anjelique.melendez@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250710224555.3047790-2-anjelique.melendez@oss.qualcomm.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 ++++++++++++++++-----
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
index ad84978109e6..ccd082bf6fdc 100644
--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
*/
#include <linux/bitops.h>
@@ -18,6 +19,7 @@
#include "../thermal_core.h"
#include "../thermal_hwmon.h"
+#define QPNP_TM_REG_DIG_MINOR 0x00
#define QPNP_TM_REG_DIG_MAJOR 0x01
#define QPNP_TM_REG_TYPE 0x04
#define QPNP_TM_REG_SUBTYPE 0x05
@@ -33,7 +35,7 @@
#define STATUS_GEN2_STATE_MASK GENMASK(6, 4)
#define STATUS_GEN2_STATE_SHIFT 4
-#define SHUTDOWN_CTRL1_OVERRIDE_S2 BIT(6)
+#define SHUTDOWN_CTRL1_OVERRIDE_STAGE2 BIT(6)
#define SHUTDOWN_CTRL1_THRESHOLD_MASK GENMASK(1, 0)
#define SHUTDOWN_CTRL1_RATE_25HZ BIT(3)
@@ -81,6 +83,7 @@ struct qpnp_tm_chip {
/* protects .thresh, .stage and chip registers */
struct mutex lock;
bool initialized;
+ bool require_stage2_shutdown;
struct iio_channel *adc;
const long (*temp_map)[THRESH_COUNT][STAGE_COUNT];
@@ -223,13 +226,13 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
{
long stage2_threshold_min = (*chip->temp_map)[THRESH_MIN][1];
long stage2_threshold_max = (*chip->temp_map)[THRESH_MAX][1];
- bool disable_s2_shutdown = false;
+ bool disable_stage2_shutdown = false;
u8 reg;
WARN_ON(!mutex_is_locked(&chip->lock));
/*
- * Default: S2 and S3 shutdown enabled, thresholds at
+ * Default: Stage 2 and Stage 3 shutdown enabled, thresholds at
* lowest threshold set, monitoring at 25Hz
*/
reg = SHUTDOWN_CTRL1_RATE_25HZ;
@@ -244,12 +247,12 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
chip->thresh = THRESH_MAX -
((stage2_threshold_max - temp) /
TEMP_THRESH_STEP);
- disable_s2_shutdown = true;
+ disable_stage2_shutdown = true;
} else {
chip->thresh = THRESH_MAX;
if (chip->adc)
- disable_s2_shutdown = true;
+ disable_stage2_shutdown = true;
else
dev_warn(chip->dev,
"No ADC is configured and critical temperature %d mC is above the maximum stage 2 threshold of %ld mC! Configuring stage 2 shutdown at %ld mC.\n",
@@ -258,8 +261,8 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
skip:
reg |= chip->thresh;
- if (disable_s2_shutdown)
- reg |= SHUTDOWN_CTRL1_OVERRIDE_S2;
+ if (disable_stage2_shutdown && !chip->require_stage2_shutdown)
+ reg |= SHUTDOWN_CTRL1_OVERRIDE_STAGE2;
return qpnp_tm_write(chip, QPNP_TM_REG_SHUTDOWN_CTRL1, reg);
}
@@ -373,8 +376,8 @@ static int qpnp_tm_probe(struct platform_device *pdev)
{
struct qpnp_tm_chip *chip;
struct device_node *node;
- u8 type, subtype, dig_major;
- u32 res;
+ u8 type, subtype, dig_major, dig_minor;
+ u32 res, dig_revision;
int ret, irq;
node = pdev->dev.of_node;
@@ -429,6 +432,11 @@ static int qpnp_tm_probe(struct platform_device *pdev)
return ret;
}
+ ret = qpnp_tm_read(chip, QPNP_TM_REG_DIG_MINOR, &dig_minor);
+ if (ret < 0)
+ return dev_err_probe(&pdev->dev, ret,
+ "could not read dig_minor\n");
+
if (type != QPNP_TM_TYPE || (subtype != QPNP_TM_SUBTYPE_GEN1
&& subtype != QPNP_TM_SUBTYPE_GEN2)) {
dev_err(&pdev->dev, "invalid type 0x%02x or subtype 0x%02x\n",
@@ -442,6 +450,23 @@ static int qpnp_tm_probe(struct platform_device *pdev)
else
chip->temp_map = &temp_map_gen1;
+ if (chip->subtype == QPNP_TM_SUBTYPE_GEN2) {
+ dig_revision = (dig_major << 8) | dig_minor;
+ /*
+ * Check if stage 2 automatic partial shutdown must remain
+ * enabled to avoid potential repeated faults upon reaching
+ * over-temperature stage 3.
+ */
+ switch (dig_revision) {
+ case 0x0001:
+ case 0x0002:
+ case 0x0100:
+ case 0x0101:
+ chip->require_stage2_shutdown = true;
+ break;
+ }
+ }
+
/*
* Register the sensor before initializing the hardware to be able to
* read the trip points. get_temp() returns the default temperature
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 080/482] tools/nolibc: define time_t in terms of __kernel_old_time_t
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 079/482] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 081/482] iio: adc: ad_sigma_delta: dont overallocate scan buffer Greg Kroah-Hartman
` (410 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Willy Tarreau,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit d5094bcb5bfdfea2cf0de8aaf77cc65db56cbdb5 ]
Nolibc assumes that the kernel ABI is using a time values that are as
large as a long integer. For most ABIs this holds true.
But for x32 this is not correct, as it uses 32bit longs but 64bit times.
Also the 'struct stat' implementation of nolibc relies on timespec::tv_sec
and time_t being the same type. While timespec::tv_sec comes from the
kernel and is of type __kernel_old_time_t, time_t is defined within nolibc.
Switch to the __kernel_old_time_t to always get the correct type.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/20250712-nolibc-x32-v1-1-6d81cb798710@weissschuh.net
Acked-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/std.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/include/nolibc/std.h b/tools/include/nolibc/std.h
index 1747ae125392..a0ea830e1ba1 100644
--- a/tools/include/nolibc/std.h
+++ b/tools/include/nolibc/std.h
@@ -33,6 +33,8 @@ typedef unsigned long uintptr_t;
typedef signed long intptr_t;
typedef signed long ptrdiff_t;
+#include <linux/types.h>
+
/* those are commonly provided by sys/types.h */
typedef unsigned int dev_t;
typedef unsigned long ino_t;
@@ -44,6 +46,6 @@ typedef unsigned long nlink_t;
typedef signed long off_t;
typedef signed long blksize_t;
typedef signed long blkcnt_t;
-typedef signed long time_t;
+typedef __kernel_old_time_t time_t;
#endif /* _NOLIBC_STD_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 081/482] iio: adc: ad_sigma_delta: dont overallocate scan buffer
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 080/482] tools/nolibc: define time_t in terms of __kernel_old_time_t Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 082/482] gpio: tps65912: check the return value of regmap_update_bits() Greg Kroah-Hartman
` (409 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Andy Shevchenko,
Nuno Sá, Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
[ Upstream commit 5a2f15c5a8e017d0951e6dc62aa7b5b634f56881 ]
Fix overallocating the size of the scan buffer by converting bits to
bytes. The size is meant to be in bytes, so scanbits needs to be
divided by 8.
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250701-iio-adc-ad7173-add-spi-offload-support-v3-1-42abb83e3dac@baylibre.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad_sigma_delta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
index 533667eefe41..71e775a10a91 100644
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -378,7 +378,7 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
return ret;
}
- samples_buf_size = ALIGN(slot * indio_dev->channels[0].scan_type.storagebits, 8);
+ samples_buf_size = ALIGN(slot * indio_dev->channels[0].scan_type.storagebits / 8, 8);
samples_buf_size += sizeof(int64_t);
samples_buf = devm_krealloc(&sigma_delta->spi->dev, sigma_delta->samples_buf,
samples_buf_size, GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 082/482] gpio: tps65912: check the return value of regmap_update_bits()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 081/482] iio: adc: ad_sigma_delta: dont overallocate scan buffer Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 083/482] ARM: tegra: Use I/O memcpy to write to IRAM Greg Kroah-Hartman
` (408 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ]
regmap_update_bits() can fail, check its return value like we do
elsewhere in the driver.
Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-tps65912.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c
index fab771cb6a87..bac757c191c2 100644
--- a/drivers/gpio/gpio-tps65912.c
+++ b/drivers/gpio/gpio-tps65912.c
@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc,
unsigned offset, int value)
{
struct tps65912_gpio *gpio = gpiochip_get_data(gc);
+ int ret;
/* Set the initial value */
- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
+ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
+ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
+ if (ret)
+ return ret;
return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
GPIO_CFG_MASK, GPIO_CFG_MASK);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 083/482] ARM: tegra: Use I/O memcpy to write to IRAM
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 082/482] gpio: tps65912: check the return value of regmap_update_bits() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 084/482] tools/build: Fix s390(x) cross-compilation with clang Greg Kroah-Hartman
` (407 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Kling, Thierry Reding,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Kling <webgeek1234@gmail.com>
[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ]
Kasan crashes the kernel trying to check boundaries when using the
normal memcpy.
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-tegra/reset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c
index d5c805adf7a8..ea706fac6358 100644
--- a/arch/arm/mach-tegra/reset.c
+++ b/arch/arm/mach-tegra/reset.c
@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void)
BUG_ON(is_enabled);
BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE);
- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start,
+ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start,
tegra_cpu_reset_handler_size);
err = call_firmware_op(set_cpu_boot_addr, 0, reset_address);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 084/482] tools/build: Fix s390(x) cross-compilation with clang
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 083/482] ARM: tegra: Use I/O memcpy to write to IRAM Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 085/482] selftests: tracing: Use mutex_unlock for testing glob filter Greg Kroah-Hartman
` (406 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Thomas Weißschuh, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit a40f0cdce78be8a559ee8a85c908049c65a410b2 ]
The heuristic to derive a clang target triple from a GCC one does not work
for s390. GCC uses "s390-linux" while clang expects "s390x-linux" or
"powerz-linux".
Add an explicit override.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Link: https://lore.kernel.org/r/20250620-tools-cross-s390-v2-1-ecda886e00e5@linutronix.de
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/scripts/Makefile.include | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include
index 0efb8f2b33ce..5607e2405a72 100644
--- a/tools/scripts/Makefile.include
+++ b/tools/scripts/Makefile.include
@@ -98,7 +98,9 @@ else ifneq ($(CROSS_COMPILE),)
# Allow userspace to override CLANG_CROSS_FLAGS to specify their own
# sysroots and flags or to avoid the GCC call in pure Clang builds.
ifeq ($(CLANG_CROSS_FLAGS),)
-CLANG_CROSS_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%))
+CLANG_TARGET := $(notdir $(CROSS_COMPILE:%-=%))
+CLANG_TARGET := $(subst s390-linux,s390x-linux,$(CLANG_TARGET))
+CLANG_CROSS_FLAGS := --target=$(CLANG_TARGET)
GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)gcc 2>/dev/null))
ifneq ($(GCC_TOOLCHAIN_DIR),)
CLANG_CROSS_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE))
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 085/482] selftests: tracing: Use mutex_unlock for testing glob filter
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 084/482] tools/build: Fix s390(x) cross-compilation with clang Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 086/482] ACPI: PRM: Reduce unnecessary printing to avoid user confusion Greg Kroah-Hartman
` (405 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Steven Rostedt (Google), Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ]
Since commit c5b6ababd21a ("locking/mutex: implement
mutex_trylock_nested") makes mutex_trylock() as an inlined
function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use
mutex_trylock() for testing the glob filter of ftrace.
Use mutex_unlock instead.
Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
index 4b994b6df5ac..ed81eaf2afd6 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
@@ -29,7 +29,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$'
ftrace_filter_check '*pin*lock' '.*pin.*lock$'
# filter by start*mid*
-ftrace_filter_check 'mutex*try*' '^mutex.*try.*'
+ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*'
# Advanced full-glob matching feature is recently supported.
# Skip the tests if we are sure the kernel does not support it.
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 086/482] ACPI: PRM: Reduce unnecessary printing to avoid user confusion
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 085/482] selftests: tracing: Use mutex_unlock for testing glob filter Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 087/482] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Greg Kroah-Hartman
` (404 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhu Qiyu, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Qiyu <qiyuzhu2@amd.com>
[ Upstream commit 3db5648c4d608b5483470efc1da9780b081242dd ]
Commit 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM
handler and context") introduced non-essential printing "Failed to find
VA for GUID: xxxx, PA: 0x0" which may confuse users to think that
something wrong is going on while it is not the case.
According to the PRM Spec Section 4.1.2 [1], both static data buffer
address and ACPI parameter buffer address may be NULL if they are not
needed, so there is no need to print out the "Failed to find VA ... "
in those cases.
Link: https://uefi.org/sites/default/files/resources/Platform%20Runtime%20Mechanism%20-%20with%20legal%20notice.pdf # [1]
Signed-off-by: Zhu Qiyu <qiyuzhu2@amd.com>
Link: https://patch.msgid.link/20250704014104.82524-1-qiyuzhu2@amd.com
[ rjw: Edits in new comments, subject and changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/prmt.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
index 7747ca4168ab..215ca8d60616 100644
--- a/drivers/acpi/prmt.c
+++ b/drivers/acpi/prmt.c
@@ -85,8 +85,6 @@ static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa)
}
}
- pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);
-
return 0;
}
@@ -154,13 +152,37 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
th->handler_addr =
(void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address);
+ /*
+ * Print a warning message if handler_addr is zero which is not expected to
+ * ever happen.
+ */
+ if (unlikely(!th->handler_addr))
+ pr_warn("Failed to find VA of handler for GUID: %pUL, PA: 0x%llx",
+ &th->guid, handler_info->handler_address);
th->static_data_buffer_addr =
efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address);
+ /*
+ * According to the PRM specification, static_data_buffer_address can be zero,
+ * so avoid printing a warning message in that case. Otherwise, if the
+ * return value of efi_pa_va_lookup() is zero, print the message.
+ */
+ if (unlikely(!th->static_data_buffer_addr && handler_info->static_data_buffer_address))
+ pr_warn("Failed to find VA of static data buffer for GUID: %pUL, PA: 0x%llx",
+ &th->guid, handler_info->static_data_buffer_address);
th->acpi_param_buffer_addr =
efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address);
+ /*
+ * According to the PRM specification, acpi_param_buffer_address can be zero,
+ * so avoid printing a warning message in that case. Otherwise, if the
+ * return value of efi_pa_va_lookup() is zero, print the message.
+ */
+ if (unlikely(!th->acpi_param_buffer_addr && handler_info->acpi_param_buffer_address))
+ pr_warn("Failed to find VA of acpi param buffer for GUID: %pUL, PA: 0x%llx",
+ &th->guid, handler_info->acpi_param_buffer_address);
+
} while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 087/482] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 086/482] ACPI: PRM: Reduce unnecessary printing to avoid user confusion Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 088/482] thermal: sysfs: Return ENODATA instead of EAGAIN for reads Greg Kroah-Hartman
` (403 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ulf Hansson, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ]
Clear power.needs_force_resume in pm_runtime_reinit() in case it has
been set by pm_runtime_force_suspend() invoked from a driver remove
callback.
Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/runtime.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 313ccb7e7764..61d8ebc2de59 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1753,6 +1753,11 @@ void pm_runtime_reinit(struct device *dev)
pm_runtime_put(dev->parent);
}
}
+ /*
+ * Clear power.needs_force_resume in case it has been set by
+ * pm_runtime_force_suspend() invoked from a driver remove callback.
+ */
+ dev->power.needs_force_resume = false;
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 088/482] thermal: sysfs: Return ENODATA instead of EAGAIN for reads
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 087/482] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 089/482] PM: sleep: console: Fix the black screen issue Greg Kroah-Hartman
` (402 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hsin-Te Yuan, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hsin-Te Yuan <yuanhsinte@chromium.org>
[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ]
According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set
means the read would block. Hence, the common implementation in
nonblocking model will poll the file when the nonblocking read returns
EAGAIN. However, when the target file is thermal zone, this mechanism
will totally malfunction because thermal zone doesn't implement sysfs
notification and thus the poll will never return.
For example, the read in Golang implemnts such method and sometimes
hangs at reading some thermal zones via sysfs.
Change to return -ENODATA instead of -EAGAIN to userspace.
Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/thermal_sysfs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
index bd7596125461..7ee89e99acbf 100644
--- a/drivers/thermal/thermal_sysfs.c
+++ b/drivers/thermal/thermal_sysfs.c
@@ -39,10 +39,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf)
ret = thermal_zone_get_temp(tz, &temperature);
- if (ret)
- return ret;
+ if (!ret)
+ return sprintf(buf, "%d\n", temperature);
- return sprintf(buf, "%d\n", temperature);
+ if (ret == -EAGAIN)
+ return -ENODATA;
+
+ return ret;
}
static ssize_t
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 089/482] PM: sleep: console: Fix the black screen issue
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 088/482] thermal: sysfs: Return ENODATA instead of EAGAIN for reads Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 090/482] ACPI: processor: fix acpi_object initialization Greg Kroah-Hartman
` (401 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, tuhaowen, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: tuhaowen <tuhaowen@uniontech.com>
[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ]
When the computer enters sleep status without a monitor
connected, the system switches the console to the virtual
terminal tty63(SUSPEND_CONSOLE).
If a monitor is subsequently connected before waking up,
the system skips the required VT restoration process
during wake-up, leaving the console on tty63 instead of
switching back to tty1.
To fix this issue, a global flag vt_switch_done is introduced
to record whether the system has successfully switched to
the suspend console via vt_move_to_console() during suspend.
If the switch was completed, vt_switch_done is set to 1.
Later during resume, this flag is checked to ensure that
the original console is restored properly by calling
vt_move_to_console(orig_fgconsole, 0).
This prevents scenarios where the resume logic skips console
restoration due to incorrect detection of the console state,
especially when a monitor is reconnected before waking up.
Signed-off-by: tuhaowen <tuhaowen@uniontech.com>
Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/console.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/power/console.c b/kernel/power/console.c
index fcdf0e14a47d..19c48aa5355d 100644
--- a/kernel/power/console.c
+++ b/kernel/power/console.c
@@ -16,6 +16,7 @@
#define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1)
static int orig_fgconsole, orig_kmsg;
+static bool vt_switch_done;
static DEFINE_MUTEX(vt_switch_mutex);
@@ -136,17 +137,21 @@ void pm_prepare_console(void)
if (orig_fgconsole < 0)
return;
+ vt_switch_done = true;
+
orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE);
return;
}
void pm_restore_console(void)
{
- if (!pm_vt_switch())
+ if (!pm_vt_switch() && !vt_switch_done)
return;
if (orig_fgconsole >= 0) {
vt_move_to_console(orig_fgconsole, 0);
vt_kmsg_redirect(orig_kmsg);
}
+
+ vt_switch_done = false;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 090/482] ACPI: processor: fix acpi_object initialization
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 089/482] PM: sleep: console: Fix the black screen issue Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 091/482] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed Greg Kroah-Hartman
` (400 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Ott, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Ott <sebott@redhat.com>
[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ]
Initialization of the local acpi_object in acpi_processor_get_info()
only sets the first 4 bytes to zero and is thus incomplete. This is
indicated by messages like:
acpi ACPI0007:be: Invalid PBLK length [166288104]
Fix this by initializing all 16 bytes of the processor member of that
union.
Signed-off-by: Sebastian Ott <sebott@redhat.com>
Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_processor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
index 8bd5c4fa91f2..cfa75b14caa2 100644
--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -216,7 +216,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr)
static int acpi_processor_get_info(struct acpi_device *device)
{
- union acpi_object object = { 0 };
+ union acpi_object object = { .processor = { 0 } };
struct acpi_buffer buffer = { sizeof(union acpi_object), &object };
struct acpi_processor *pr = acpi_driver_data(device);
int device_declaration = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 091/482] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 090/482] ACPI: processor: fix acpi_object initialization Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 092/482] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Greg Kroah-Hartman
` (399 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarthak Garg, Adrian Hunter,
Ulf Hansson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarthak Garg <quic_sartgarg@quicinc.com>
[ Upstream commit db58532188ebf51d52b1d7693d9e94c76b926e9f ]
Many mobile phones feature multi-card tray designs, where the same
tray is used for both SD and SIM cards. If the SD card is placed
at the outermost location in the tray, the SIM card may come in
contact with SD card power-supply while removing the tray, possibly
resulting in SIM damage.
To prevent that, make sure the SD card is really inserted by reading
the Card Detect pin state. If it's not, turn off the power in
sdhci_msm_check_power_status() and also set the BUS_FAIL power state
on the controller as part of pwr_irq handling for BUS_ON request.
Signed-off-by: Sarthak Garg <quic_sartgarg@quicinc.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250701100659.3310386-1-quic_sartgarg@quicinc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/sdhci-msm.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
index c8488b8e2073..f507fa491c58 100644
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -1560,6 +1560,7 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+ struct mmc_host *mmc = host->mmc;
bool done = false;
u32 val = SWITCHABLE_SIGNALING_VOLTAGE;
const struct sdhci_msm_offset *msm_offset =
@@ -1617,6 +1618,12 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
"%s: pwr_irq for req: (%d) timed out\n",
mmc_hostname(host->mmc), req_type);
}
+
+ if ((req_type & REQ_BUS_ON) && mmc->card && !mmc->ops->get_cd(mmc)) {
+ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL);
+ host->pwr = 0;
+ }
+
pr_debug("%s: %s: request %d done\n", mmc_hostname(host->mmc),
__func__, req_type);
}
@@ -1675,6 +1682,13 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq)
udelay(10);
}
+ if ((irq_status & CORE_PWRCTL_BUS_ON) && mmc->card &&
+ !mmc->ops->get_cd(mmc)) {
+ msm_host_writel(msm_host, CORE_PWRCTL_BUS_FAIL, host,
+ msm_offset->core_pwrctl_ctl);
+ return;
+ }
+
/* Handle BUS ON/OFF*/
if (irq_status & CORE_PWRCTL_BUS_ON) {
pwr_state = REQ_BUS_ON;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 092/482] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 091/482] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 093/482] pps: clients: gpio: fix interrupt handling order in remove path Greg Kroah-Hartman
` (398 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Tony Luck,
Rafael J. Wysocki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ]
When a GHES (Generic Hardware Error Source) triggers a panic, add the
TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the
kernel as tainted due to a machine check event, improving diagnostics
and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to
indicate lockdep remains valid.
At large scale deployment, this helps to quickly determine panics that
are coming due to hardware failures.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/ghes.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 1f327ec4c30b..3c862acaa28a 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -860,6 +860,8 @@ static void __ghes_panic(struct ghes *ghes,
__ghes_print_estatus(KERN_EMERG, ghes->generic, estatus);
+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
+
ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx);
if (!panic_timeout)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 093/482] pps: clients: gpio: fix interrupt handling order in remove path
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 092/482] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 094/482] reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Greg Kroah-Hartman
` (397 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eliav Farber, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eliav Farber <farbere@amazon.com>
[ Upstream commit 6bca1e955830808dc90e0506b2951b4256b81bbb ]
The interrupt handler in pps_gpio_probe() is registered after calling
pps_register_source() using devm_request_irq(). However, in the
corresponding remove function, pps_unregister_source() is called before
the IRQ is freed, since devm-managed resources are released after the
remove function completes.
This creates a potential race condition where an interrupt may occur
after the PPS source is unregistered but before the handler is removed,
possibly leading to a kernel panic.
To prevent this, switch from devm-managed IRQ registration to manual
management by using request_irq() and calling free_irq() explicitly in
the remove path before unregistering the PPS source. This ensures the
interrupt handler is safely removed before deactivating the PPS source.
Signed-off-by: Eliav Farber <farbere@amazon.com>
Link: https://lore.kernel.org/r/20250527053355.37185-1-farbere@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pps/clients/pps-gpio.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/pps/clients/pps-gpio.c b/drivers/pps/clients/pps-gpio.c
index bf3b6f1aa984..41e1fdbcda16 100644
--- a/drivers/pps/clients/pps-gpio.c
+++ b/drivers/pps/clients/pps-gpio.c
@@ -206,8 +206,8 @@ static int pps_gpio_probe(struct platform_device *pdev)
}
/* register IRQ interrupt handler */
- ret = devm_request_irq(dev, data->irq, pps_gpio_irq_handler,
- get_irqf_trigger_flags(data), data->info.name, data);
+ ret = request_irq(data->irq, pps_gpio_irq_handler,
+ get_irqf_trigger_flags(data), data->info.name, data);
if (ret) {
pps_unregister_source(data->pps);
dev_err(dev, "failed to acquire IRQ %d\n", data->irq);
@@ -224,6 +224,7 @@ static int pps_gpio_remove(struct platform_device *pdev)
{
struct pps_gpio_device_data *data = platform_get_drvdata(pdev);
+ free_irq(data->irq, data);
pps_unregister_source(data->pps);
del_timer_sync(&data->echo_timer);
/* reset echo pin in any case */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 094/482] reset: brcmstb: Enable reset drivers for ARCH_BCM2835
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 093/482] pps: clients: gpio: fix interrupt handling order in remove path Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 095/482] mei: bus: Check for still connected devices in mei_cl_bus_dev_release() Greg Kroah-Hartman
` (396 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Robinson, Florian Fainelli,
Philipp Zabel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Robinson <pbrobinson@gmail.com>
[ Upstream commit 1d99f92f71b6b4b2eee776562c991428490f71ef ]
The BRCMSTB and BRCMSTB_RESCAL reset drivers are also
used in the BCM2712, AKA the RPi5. The RPi platforms
have typically used the ARCH_BCM2835, and the PCIe
support for this SoC can use this config which depends
on these drivers so enable building them when just that
arch option is enabled to ensure the platform works as
expected.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20250630175301.846082-1-pbrobinson@gmail.com
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/reset/Kconfig | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig
index 2a52c990d4fe..c561a93af655 100644
--- a/drivers/reset/Kconfig
+++ b/drivers/reset/Kconfig
@@ -51,8 +51,8 @@ config RESET_BERLIN
config RESET_BRCMSTB
tristate "Broadcom STB reset controller"
- depends on ARCH_BRCMSTB || COMPILE_TEST
- default ARCH_BRCMSTB
+ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
+ default ARCH_BRCMSTB || ARCH_BCM2835
help
This enables the reset controller driver for Broadcom STB SoCs using
a SUN_TOP_CTRL_SW_INIT style controller.
@@ -60,11 +60,11 @@ config RESET_BRCMSTB
config RESET_BRCMSTB_RESCAL
tristate "Broadcom STB RESCAL reset controller"
depends on HAS_IOMEM
- depends on ARCH_BRCMSTB || COMPILE_TEST
- default ARCH_BRCMSTB
+ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
+ default ARCH_BRCMSTB || ARCH_BCM2835
help
This enables the RESCAL reset controller for SATA, PCIe0, or PCIe1 on
- BCM7216.
+ BCM7216 or the BCM2712.
config RESET_HSDK
bool "Synopsys HSDK Reset Driver"
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 095/482] mei: bus: Check for still connected devices in mei_cl_bus_dev_release()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 094/482] reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 096/482] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Greg Kroah-Hartman
` (395 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hansg@kernel.org>
[ Upstream commit 35e8a426b16adbecae7a4e0e3c00fc8d0273db53 ]
mei_cl_bus_dev_release() also frees the mei-client (struct mei_cl)
belonging to the device being released.
If there are bugs like the just fixed bug in the ACE/CSI2 mei drivers,
the mei-client being freed might still be part of the mei_device's
file_list and iterating over this list after the freeing will then trigger
a use-afer-free bug.
Add a check to mei_cl_bus_dev_release() to make sure that the to-be-freed
mei-client is not on the mei_device's file_list.
Signed-off-by: Hans de Goede <hansg@kernel.org>
Link: https://lore.kernel.org/r/20250623085052.12347-11-hansg@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/mei/bus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 7b7f4190cd02..19bc1e9eeb7f 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -1113,6 +1113,8 @@ static void mei_dev_bus_put(struct mei_device *bus)
static void mei_cl_bus_dev_release(struct device *dev)
{
struct mei_cl_device *cldev = to_mei_cl_device(dev);
+ struct mei_device *mdev = cldev->cl->dev;
+ struct mei_cl *cl;
if (!cldev)
return;
@@ -1120,6 +1122,10 @@ static void mei_cl_bus_dev_release(struct device *dev)
mei_cl_flush_queues(cldev->cl, NULL);
mei_me_cl_put(cldev->me_cl);
mei_dev_bus_put(cldev->bus);
+
+ list_for_each_entry(cl, &mdev->file_list, link)
+ WARN_ON(cl == cldev->cl);
+
kfree(cldev->cl);
kfree(cldev);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 096/482] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 095/482] mei: bus: Check for still connected devices in mei_cl_bus_dev_release() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 097/482] ALSA: hda: Handle the jack polling always via a work Greg Kroah-Hartman
` (394 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avri Altman, Ulf Hansson, Ricky Wu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulf Hansson <ulf.hansson@linaro.org>
[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ]
In the error path of sd_set_power_mode() we don't update host->power_mode,
which could lead to an imbalance of the runtime PM usage count. Fix this by
always updating host->power_mode.
Reviewed-by: Avri Altman <avri.altman@sandisk.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Ricky Wu <ricky_wu@realtek.com>
Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
index 2c650cd58693..c5a6bbc06953 100644
--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
+++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
@@ -1032,9 +1032,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host,
err = sd_power_on(host);
}
- if (!err)
- host->power_mode = power_mode;
-
+ host->power_mode = power_mode;
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 097/482] ALSA: hda: Handle the jack polling always via a work
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 096/482] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 098/482] ALSA: hda: Disable jack polling at shutdown Greg Kroah-Hartman
` (393 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joakim Zhang, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5f7e54b23e4d253eff3b10b12d6fa92d28d7dddc ]
We used to call directly hda_jackpoll_work() from a couple of places
for updating the jack and notify to user-space, but this makes rather
the code flow fragile. Namely, because of those direct calls,
hda_jackpoll_work() uses snd_hda_power_up_pm() and *_down_pm() calls
instead of the standard snd_hda_power_up() and *_down() calls. The
latter pair assures the runtime PM resume sync, so it can avoid the
race against the PM callbacks gracefully, while the former pair may
continue if called concurrently, hence it may race (by design).
In this patch, we change the call pattern of hda_jackpoll_work(); now
all callers are replaced with the standard snd_hda_jack_report_sync()
and the additional schedule_delayed_work().
Since hda_jackpoll_work() is called only from the associated work,
it's always outside the PM code path, and we can safely use
snd_hda_power_up() and *_down() there instead. This allows us to
remove the racy check of power-state in hda_jackpoll_work(), as well
as the tricky cancel_delayed_work() and rescheduling at
hda_codec_runtime_suspend().
Reported-by: Joakim Zhang <joakim.zhang@cixtech.com>
Closes: https://lore.kernel.org/20250619020844.2974160-1-joakim.zhang@cixtech.com
Tested-by: Joakim Zhang <joakim.zhang@cixtech.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250623131437.10670-4-tiwai@suse.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_codec.c | 41 +++++++++++++--------------------------
1 file changed, 14 insertions(+), 27 deletions(-)
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 9d7d99b584fe..94b3732e6cb2 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -641,24 +641,16 @@ static void hda_jackpoll_work(struct work_struct *work)
struct hda_codec *codec =
container_of(work, struct hda_codec, jackpoll_work.work);
- /* for non-polling trigger: we need nothing if already powered on */
- if (!codec->jackpoll_interval && snd_hdac_is_power_on(&codec->core))
+ if (!codec->jackpoll_interval)
return;
/* the power-up/down sequence triggers the runtime resume */
- snd_hda_power_up_pm(codec);
+ snd_hda_power_up(codec);
/* update jacks manually if polling is required, too */
- if (codec->jackpoll_interval) {
- snd_hda_jack_set_dirty_all(codec);
- snd_hda_jack_poll_all(codec);
- }
- snd_hda_power_down_pm(codec);
-
- if (!codec->jackpoll_interval)
- return;
-
- schedule_delayed_work(&codec->jackpoll_work,
- codec->jackpoll_interval);
+ snd_hda_jack_set_dirty_all(codec);
+ snd_hda_jack_poll_all(codec);
+ schedule_delayed_work(&codec->jackpoll_work, codec->jackpoll_interval);
+ snd_hda_power_down(codec);
}
/* release all pincfg lists */
@@ -2922,12 +2914,12 @@ static void hda_call_codec_resume(struct hda_codec *codec)
snd_hda_regmap_sync(codec);
}
- if (codec->jackpoll_interval)
- hda_jackpoll_work(&codec->jackpoll_work.work);
- else
- snd_hda_jack_report_sync(codec);
+ snd_hda_jack_report_sync(codec);
codec->core.dev.power.power_state = PMSG_ON;
snd_hdac_leave_pm(&codec->core);
+ if (codec->jackpoll_interval)
+ schedule_delayed_work(&codec->jackpoll_work,
+ codec->jackpoll_interval);
}
static int hda_codec_runtime_suspend(struct device *dev)
@@ -2939,8 +2931,6 @@ static int hda_codec_runtime_suspend(struct device *dev)
if (!codec->card)
return 0;
- cancel_delayed_work_sync(&codec->jackpoll_work);
-
state = hda_call_codec_suspend(codec);
if (codec->link_down_at_suspend ||
(codec_has_clkstop(codec) && codec_has_epss(codec) &&
@@ -2948,10 +2938,6 @@ static int hda_codec_runtime_suspend(struct device *dev)
snd_hdac_codec_link_down(&codec->core);
snd_hda_codec_display_power(codec, false);
- if (codec->bus->jackpoll_in_suspend &&
- (dev->power.power_state.event != PM_EVENT_SUSPEND))
- schedule_delayed_work(&codec->jackpoll_work,
- codec->jackpoll_interval);
return 0;
}
@@ -3120,10 +3106,11 @@ int snd_hda_codec_build_controls(struct hda_codec *codec)
if (err < 0)
return err;
+ snd_hda_jack_report_sync(codec); /* call at the last init point */
if (codec->jackpoll_interval)
- hda_jackpoll_work(&codec->jackpoll_work.work);
- else
- snd_hda_jack_report_sync(codec); /* call at the last init point */
+ schedule_delayed_work(&codec->jackpoll_work,
+ codec->jackpoll_interval);
+
sync_power_up_states(codec);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 098/482] ALSA: hda: Disable jack polling at shutdown
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 097/482] ALSA: hda: Handle the jack polling always via a work Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 099/482] x86/bugs: Avoid warning when overriding return thunk Greg Kroah-Hartman
` (392 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joakim Zhang, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 1adcbdf54f76e1004bdf71df4eb1888c26e7ad06 ]
Although the jack polling is canceled at shutdown in
snd_hda_codec_shutdown(), it might be still re-triggered when the work
is being processed at cancel_delayed_work_sync() call. This may
result in the unexpected hardware access that should have been already
disabled.
For assuring to stop the jack polling, clear codec->jackpoll_interval
at shutdown.
Reported-by: Joakim Zhang <joakim.zhang@cixtech.com>
Closes: https://lore.kernel.org/20250619020844.2974160-4-joakim.zhang@cixtech.com
Tested-by: Joakim Zhang <joakim.zhang@cixtech.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250623131437.10670-2-tiwai@suse.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_codec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 94b3732e6cb2..aef60044cb8a 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -3040,6 +3040,7 @@ void snd_hda_codec_shutdown(struct hda_codec *codec)
if (!codec->core.registered)
return;
+ codec->jackpoll_interval = 0; /* don't poll any longer */
cancel_delayed_work_sync(&codec->jackpoll_work);
list_for_each_entry(cpcm, &codec->pcm_list_head, list)
snd_pcm_suspend_all(cpcm->pcm);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 099/482] x86/bugs: Avoid warning when overriding return thunk
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 098/482] ALSA: hda: Disable jack polling at shutdown Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 100/482] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Greg Kroah-Hartman
` (391 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Pawan Gupta,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
[ Upstream commit 9f85fdb9fc5a1bd308a10a0a7d7e34f2712ba58b ]
The purpose of the warning is to prevent an unexpected change to the return
thunk mitigation. However, there are legitimate cases where the return
thunk is intentionally set more than once. For example, ITS and SRSO both
can set the return thunk after retbleed has set it. In both the cases
retbleed is still mitigated.
Replace the warning with an info about the active return thunk.
Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250611-eibrs-fix-v4-3-5ff86cac6c61@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/bugs.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index dba5262e1509..4fbb5b15ab75 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -70,10 +70,9 @@ void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk;
static void __init set_return_thunk(void *thunk)
{
- if (x86_return_thunk != __x86_return_thunk)
- pr_warn("x86/bugs: return thunk changed\n");
-
x86_return_thunk = thunk;
+
+ pr_info("active return thunk: %ps\n", thunk);
}
/* Update SPEC_CTRL MSR and its cached copy unconditionally */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 100/482] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 099/482] x86/bugs: Avoid warning when overriding return thunk Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 101/482] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Greg Kroah-Hartman
` (390 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ]
We currently log parse failures for ELD data and some disconnection events
as errors without rate limiting. These log messages can be triggered very
frequently in some situations, especially ELD parsing when there is nothing
connected to a HDMI port which will generate:
hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0
While there's doubtless work that could be done on reducing the number of
connection notification callbacks it's possible these may be legitimately
generated by poor quality physical connections so let's use rate limiting
to mitigate the log spam for the parse errors and lower the severity for
disconnect logging to debug level.
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/hdac_hdmi.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
index d8e83150ea28..90baca4c2b4d 100644
--- a/sound/soc/codecs/hdac_hdmi.c
+++ b/sound/soc/codecs/hdac_hdmi.c
@@ -1230,7 +1230,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
>> DRM_ELD_VER_SHIFT;
if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) {
- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver);
+ dev_err_ratelimited(&hdev->dev,
+ "HDMI: Unknown ELD version %d\n", ver);
return -EINVAL;
}
@@ -1238,7 +1239,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT;
if (mnl > ELD_MAX_MNL) {
- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl);
+ dev_err_ratelimited(&hdev->dev,
+ "HDMI: MNL Invalid %d\n", mnl);
return -EINVAL;
}
@@ -1297,8 +1299,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin,
if (!port->eld.monitor_present || !port->eld.eld_valid) {
- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
- __func__, pin->nid, port->id);
+ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
+ __func__, pin->nid, port->id);
/*
* PCMs are not registered during device probe, so don't
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 101/482] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 100/482] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 102/482] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Greg Kroah-Hartman
` (389 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ]
code mistakenly used a hardcoded index (codec[1]) instead of
iterating, over the codec array using the loop variable i.
Use codec[i] instead of codec[1] to match the loop iteration.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/intel8x0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c
index ae285c0a629c..f3df6fe2b7f1 100644
--- a/sound/pci/intel8x0.c
+++ b/sound/pci/intel8x0.c
@@ -2252,7 +2252,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT;
for (i = 1; i < 4; i++) {
if (pcm->r[0].codec[i]) {
- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT;
+ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT;
break;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 102/482] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 101/482] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 103/482] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present Greg Kroah-Hartman
` (388 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Liam Girdwood, Kai Vehmanen, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 2d91cb261cac6d885954b8f5da28b5c176c18131 ]
snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will
leads to null pointer dereference.
This was reproduced with topology loading and marking a link as ignore
due to missing hardware component on the system.
On module removal the soc_tplg_remove_link() would call
snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,
no runtime was created.
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://patch.msgid.link/20250619084222.559-3-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index b13370d2ec1d..1ff7a0b0a236 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -937,6 +937,9 @@ static int soc_dai_link_sanity_check(struct snd_soc_card *card,
void snd_soc_remove_pcm_runtime(struct snd_soc_card *card,
struct snd_soc_pcm_runtime *rtd)
{
+ if (!rtd)
+ return;
+
lockdep_assert_held(&client_mutex);
/* release machine specific resources */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 103/482] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 102/482] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 104/482] usb: core: usb_submit_urb: downgrade type check Greg Kroah-Hartman
` (387 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Michalec, Heikki Krogerus,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Michalec <tmichalec@google.com>
[ Upstream commit df9a825f330e76c72d1985bc9bdc4b8981e3d15f ]
If pmc_usb_probe is called before SCU IPC is registered, pmc_usb_probe
will fail.
Return -EPROBE_DEFER when pmc_usb_probe doesn't get SCU IPC device, so
the probe function can be called again after SCU IPC is initialized.
Signed-off-by: Tomasz Michalec <tmichalec@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250610154058.1859812-1-tmichalec@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/mux/intel_pmc_mux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c
index 87e2c9130607..a6936fc59d1e 100644
--- a/drivers/usb/typec/mux/intel_pmc_mux.c
+++ b/drivers/usb/typec/mux/intel_pmc_mux.c
@@ -667,7 +667,7 @@ static int pmc_usb_probe(struct platform_device *pdev)
pmc->ipc = devm_intel_scu_ipc_dev_get(&pdev->dev);
if (!pmc->ipc)
- return -ENODEV;
+ return -EPROBE_DEFER;
pmc->dev = &pdev->dev;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 104/482] usb: core: usb_submit_urb: downgrade type check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 103/482] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 105/482] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Greg Kroah-Hartman
` (386 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Alan Stern,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ]
Checking for the endpoint type is no reason for a WARN, as that can
cause a reboot. A driver not checking the endpoint type must not cause a
reboot, as there is just no point in this. We cannot prevent a device
from doing something incorrect as a reaction to a transfer. Hence
warning for a mere assumption being wrong is not sensible.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/urb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
index 9f3c54032556..64f6592b27ce 100644
--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -501,7 +501,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
/* Check that the pipe's type matches the endpoint's type */
if (usb_pipe_type_check(urb->dev, urb->pipe))
- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
+ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
usb_pipetype(urb->pipe), pipetypes[xfertype]);
/* Check against a simple/standard policy */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 105/482] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 104/482] usb: core: usb_submit_urb: downgrade type check Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 106/482] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
` (385 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gautham R. Shenoy, Shuah Khan,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ]
In the function mperf_start(), mperf_monitor snapshots the time, tsc
and finally the aperf,mperf MSRs. However, this order of snapshotting
in is reversed in mperf_stop(). As a result, the C0 residency (which
is computed as delta_mperf * 100 / delta_tsc) is under-reported on
CPUs that is 100% busy.
Fix this by snapshotting time, tsc and then aperf,mperf in
mperf_stop() in the same order as in mperf_start().
Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
index 08a399b0be28..6ab9139f16af 100644
--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
@@ -240,9 +240,9 @@ static int mperf_stop(void)
int cpu;
for (cpu = 0; cpu < cpu_count; cpu++) {
- mperf_measure_stats(cpu);
- mperf_get_tsc(&tsc_at_measure_end[cpu]);
clock_gettime(CLOCK_REALTIME, &time_end[cpu]);
+ mperf_get_tsc(&tsc_at_measure_end[cpu]);
+ mperf_measure_stats(cpu);
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 106/482] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 105/482] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 107/482] platform/chrome: cros_ec_typec: Defer probe on missing EC parent Greg Kroah-Hartman
` (384 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Ilpo Järvinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ]
When KCOV is enabled all functions get instrumented, unless the
__no_sanitize_coverage attribute is used. To prepare for
__no_sanitize_coverage being applied to __init functions[1], we have
to handle differences in how GCC's inline optimizations get resolved.
For thinkpad_acpi routines, this means forcing two functions to be
inline with __always_inline.
Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1]
Signed-off-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/thinkpad_acpi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 17d74434e604..c0977ffec96c 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -544,12 +544,12 @@ static unsigned long __init tpacpi_check_quirks(
return 0;
}
-static inline bool __pure __init tpacpi_is_lenovo(void)
+static __always_inline bool __pure __init tpacpi_is_lenovo(void)
{
return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO;
}
-static inline bool __pure __init tpacpi_is_ibm(void)
+static __always_inline bool __pure __init tpacpi_is_ibm(void)
{
return thinkpad_id.vendor == PCI_VENDOR_ID_IBM;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 107/482] platform/chrome: cros_ec_typec: Defer probe on missing EC parent
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 6.1 106/482] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 108/482] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman
` (383 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Michalec,
Abhishek Pandit-Subedi, Tzung-Bi Shih, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Michalec <tmichalec@google.com>
[ Upstream commit 8866f4e557eba43e991f99711515217a95f62d2e ]
If cros_typec_probe is called before EC device is registered,
cros_typec_probe will fail. It may happen when cros-ec-typec.ko is
loaded before EC bus layer module (e.g. cros_ec_lpcs.ko,
cros_ec_spi.ko).
Return -EPROBE_DEFER when cros_typec_probe doesn't get EC device, so
the probe function can be called again after EC device is registered.
Signed-off-by: Tomasz Michalec <tmichalec@google.com>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Link: https://lore.kernel.org/r/20250610153748.1858519-1-tmichalec@google.com
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/chrome/cros_ec_typec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
index 51b98f6c7b39..748efa73378c 100644
--- a/drivers/platform/chrome/cros_ec_typec.c
+++ b/drivers/platform/chrome/cros_ec_typec.c
@@ -1194,8 +1194,8 @@ static int cros_typec_probe(struct platform_device *pdev)
typec->ec = dev_get_drvdata(pdev->dev.parent);
if (!typec->ec) {
- dev_err(dev, "couldn't find parent EC device\n");
- return -ENODEV;
+ dev_warn(dev, "couldn't find parent EC device\n");
+ return -EPROBE_DEFER;
}
platform_set_drvdata(pdev, typec);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 108/482] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 107/482] platform/chrome: cros_ec_typec: Defer probe on missing EC parent Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 109/482] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Greg Kroah-Hartman
` (382 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Lucy Thrun,
Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ]
The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
buffer if either string argument is too long. This triggers a compiler
warning.
Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
overflow.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_ca0132.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index d825fcce05ee..45b267c02a98 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4399,7 +4399,7 @@ static int add_tuning_control(struct hda_codec *codec,
}
knew.private_value =
HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
- sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
+ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);
return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 109/482] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 108/482] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 110/482] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Greg Kroah-Hartman
` (381 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 92f59aeb13252265c20e7aef1379a8080c57e0a2 ]
At the time being recalculate_boundary() is implemented with a
loop which shows up as costly in a perf profile, as depicted by
the annotate below:
0.00 : c057e934: 3d 40 7f ff lis r10,32767
0.03 : c057e938: 61 4a ff ff ori r10,r10,65535
0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10
5.39 : c057e940: 7d 3c 4b 78 mr r28,r9
2.11 : c057e944: 55 29 08 3c slwi r9,r9,1
3.04 : c057e948: 7c 09 50 40 cmplw r9,r10
2.47 : c057e94c: 40 81 ff f4 ble c057e940 <snd_pcm_ioctl+0xee0>
Total: 13.2% on that simple loop.
But what the loop does is to multiply the boundary by 2 until it is
over the wanted border. This can be avoided by using fls() to get the
boundary value order and shift it by the appropriate number of bits at
once.
This change provides the following profile:
0.04 : c057f6e8: 3d 20 7f ff lis r9,32767
0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535
0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9
0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10
0.02 : c057f6f8: 41 81 00 20 bgt c057f718 <snd_pcm_ioctl+0xf08>
0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26
0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10
0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7
0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8
0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26
0.13 : c057f710: 40 80 05 f8 bge c057fd08 <snd_pcm_ioctl+0x14f8>
0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1
Total: 1.7% with that loopless alternative.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/pcm_native.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index bf752b188b05..900525df53f0 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -24,6 +24,7 @@
#include <sound/minors.h>
#include <linux/uio.h>
#include <linux/delay.h>
+#include <linux/bitops.h>
#include "pcm_local.h"
@@ -3123,13 +3124,23 @@ struct snd_pcm_sync_ptr32 {
static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime)
{
snd_pcm_uframes_t boundary;
+ snd_pcm_uframes_t border;
+ int order;
if (! runtime->buffer_size)
return 0;
- boundary = runtime->buffer_size;
- while (boundary * 2 <= 0x7fffffffUL - runtime->buffer_size)
- boundary *= 2;
- return boundary;
+
+ border = 0x7fffffffUL - runtime->buffer_size;
+ if (runtime->buffer_size > border)
+ return runtime->buffer_size;
+
+ order = __fls(border) - __fls(runtime->buffer_size);
+ boundary = runtime->buffer_size << order;
+
+ if (boundary <= border)
+ return boundary;
+ else
+ return boundary / 2;
}
static int snd_pcm_ioctl_sync_ptr_compat(struct snd_pcm_substream *substream,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 110/482] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 109/482] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 111/482] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Greg Kroah-Hartman
` (380 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cristian Ciocaltea, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ]
Fix all macro related issues identified by checkpatch.pl:
CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_quirks.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index be0b3c8ac705..f2cce15be4e2 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -2150,15 +2150,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
#define SND_RME_CLK_FREQMUL_SHIFT 18
#define SND_RME_CLK_FREQMUL_MASK 0x7
#define SND_RME_CLK_SYSTEM(x) \
- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
+ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
#define SND_RME_CLK_AES(x) \
- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
#define SND_RME_CLK_SPDIF(x) \
- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
#define SND_RME_CLK_SYNC(x) \
- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
+ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
#define SND_RME_CLK_FREQMUL(x) \
- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
+ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
#define SND_RME_CLK_AES_LOCK 0x1
#define SND_RME_CLK_AES_SYNC 0x4
#define SND_RME_CLK_SPDIF_LOCK 0x2
@@ -2167,9 +2167,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
#define SND_RME_SPDIF_FORMAT_SHIFT 5
#define SND_RME_BINARY_MASK 0x1
#define SND_RME_SPDIF_IF(x) \
- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
+ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
#define SND_RME_SPDIF_FORMAT(x) \
- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
+ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
static const u32 snd_rme_rate_table[] = {
32000, 44100, 48000, 50000,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 111/482] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 110/482] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 112/482] ASoC: codecs: rt5640: Retry DEVICE_ID verification Greg Kroah-Hartman
` (379 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Santos, David Lechner,
Andy Shevchenko, Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Santos <Jonathan.Santos@analog.com>
[ Upstream commit 7e54d932873d91a55d1b89b7389876d78aeeab32 ]
The SYNC_IN pulse width must be at least 1.5 x Tmclk, corresponding to
~2.5 µs at the lowest supported MCLK frequency. Add a 3 µs delay to
ensure reliable synchronization timing even for the worst-case scenario.
Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/d3ee92a533cd1207cf5c5cc4d7bdbb5c6c267f68.1749063024.git.Jonathan.Santos@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7768-1.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
index 967f06cd3f94..e147eaf1a3b1 100644
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -203,6 +203,24 @@ static int ad7768_spi_reg_write(struct ad7768_state *st,
return spi_write(st->spi, st->data.d8, 2);
}
+static int ad7768_send_sync_pulse(struct ad7768_state *st)
+{
+ /*
+ * The datasheet specifies a minimum SYNC_IN pulse width of 1.5 × Tmclk,
+ * where Tmclk is the MCLK period. The supported MCLK frequencies range
+ * from 0.6 MHz to 17 MHz, which corresponds to a minimum SYNC_IN pulse
+ * width of approximately 2.5 µs in the worst-case scenario (0.6 MHz).
+ *
+ * Add a delay to ensure the pulse width is always sufficient to
+ * trigger synchronization.
+ */
+ gpiod_set_value_cansleep(st->gpio_sync_in, 1);
+ fsleep(3);
+ gpiod_set_value_cansleep(st->gpio_sync_in, 0);
+
+ return 0;
+}
+
static int ad7768_set_mode(struct ad7768_state *st,
enum ad7768_conv_mode mode)
{
@@ -288,10 +306,7 @@ static int ad7768_set_dig_fil(struct ad7768_state *st,
return ret;
/* A sync-in pulse is required every time the filter dec rate changes */
- gpiod_set_value(st->gpio_sync_in, 1);
- gpiod_set_value(st->gpio_sync_in, 0);
-
- return 0;
+ return ad7768_send_sync_pulse(st);
}
static int ad7768_set_freq(struct ad7768_state *st,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 112/482] ASoC: codecs: rt5640: Retry DEVICE_ID verification
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 111/482] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 113/482] xen/netfront: Fix TX response spurious interrupts Greg Kroah-Hartman
` (378 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Xinxin Wan, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinxin Wan <xinxin.wan@intel.com>
[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ]
To be more resilient to codec-detection failures when the hardware
powers on slowly, add retry mechanism to the device verification check.
Similar pattern is found throughout a number of Realtek codecs. Our
tests show that 60ms delay is sufficient to address readiness issues on
rt5640 chip.
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Xinxin Wan <xinxin.wan@intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt5640.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
index 37ea4d854cb5..3185bf13dc42 100644
--- a/sound/soc/codecs/rt5640.c
+++ b/sound/soc/codecs/rt5640.c
@@ -3026,6 +3026,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c)
}
regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
+ if (val != RT5640_DEVICE_ID) {
+ usleep_range(60000, 100000);
+ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
+ }
+
if (val != RT5640_DEVICE_ID) {
dev_err(&i2c->dev,
"Device with ID register %#x is not rt5640/39\n", val);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 113/482] xen/netfront: Fix TX response spurious interrupts
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 112/482] ASoC: codecs: rt5640: Retry DEVICE_ID verification Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 114/482] net: usb: cdc-ncm: check for filtering capability Greg Kroah-Hartman
` (377 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthoine Bourgeois, Juergen Gross,
Elliott Mitchell, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
[ Upstream commit 114a2de6fa86d99ed9546cc9113a3cad58beef79 ]
We found at Vates that there are lot of spurious interrupts when
benchmarking the xen-net PV driver frontend. This issue appeared with a
patch that addresses security issue XSA-391 (b27d47950e48 "xen/netfront:
harden netfront against event channel storms"). On an iperf benchmark,
spurious interrupts can represent up to 50% of the interrupts.
Spurious interrupts are interrupts that are rised for nothing, there is
no work to do. This appends because the function that handles the
interrupts ("xennet_tx_buf_gc") is also called at the end of the request
path to garbage collect the responses received during the transmission
load.
The request path is doing the work that the interrupt handler should
have done otherwise. This is particurary true when there is more than
one vcpu and get worse linearly with the number of vcpu/queue.
Moreover, this problem is amplifyed by the penalty imposed by a spurious
interrupt. When an interrupt is found spurious the interrupt chip will
delay the EOI to slowdown the backend. This delay will allow more
responses to be handled by the request path and then there will be more
chance the next interrupt will not find any work to do, creating a new
spurious interrupt.
This causes performance issue. The solution here is to remove the calls
from the request path and let the interrupt handler do the processing of
the responses. This approch removes most of the spurious interrupts
(<0.05%) and also has the benefit of freeing up cycles in the request
path, allowing it to process more work, which improves performance
compared to masking the spurious interrupt one way or another.
This optimization changes a part of the code that is present since the
net frontend driver was upstreamed. There is no similar pattern in the
other xen PV drivers. Since the first commit of xen-netfront is a blob
that doesn't explain all the design choices I can only guess why this
specific mecanism was here. This could have been introduce to compensate
a slow backend at the time (maybe the backend was fixed or optimize
later) or a small queue. In 18 years, both frontend and backend gain lot
of features and optimizations that could have obsolete the feature of
reaping completions from the TX path.
Some vif throughput performance figures from a 8 vCPUs, 4GB of RAM HVM
guest(s):
Without this patch on the :
vm -> dom0: 4.5Gb/s
vm -> vm: 7.0Gb/s
Without XSA-391 patch (revert of b27d47950e48):
vm -> dom0: 8.3Gb/s
vm -> vm: 8.7Gb/s
With XSA-391 and this patch:
vm -> dom0: 11.5Gb/s
vm -> vm: 12.6Gb/s
v2:
- add revewed and tested by tags
- resend with the maintainers in the recipients list
v3:
- remove Fixes tag but keep the commit ref in the explanation
- add a paragraph on why this code was here
Signed-off-by: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
Reviewed-by: Juergen Gross <jgross@suse.com>
Tested-by: Elliott Mitchell <ehem+xen@m5p.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250721093316.23560-1-anthoine.bourgeois@vates.tech>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/xen-netfront.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 69ef50fb2e1b..74925e166462 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -637,8 +637,6 @@ static int xennet_xdp_xmit_one(struct net_device *dev,
tx_stats->packets++;
u64_stats_update_end(&tx_stats->syncp);
- xennet_tx_buf_gc(queue);
-
return 0;
}
@@ -848,9 +846,6 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
tx_stats->packets++;
u64_stats_update_end(&tx_stats->syncp);
- /* Note: It is not safe to access skb after xennet_tx_buf_gc()! */
- xennet_tx_buf_gc(queue);
-
if (!netfront_tx_slot_available(queue))
netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 114/482] net: usb: cdc-ncm: check for filtering capability
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 113/482] xen/netfront: Fix TX response spurious interrupts Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 115/482] ktest.pl: Prevent recursion of default variable options Greg Kroah-Hartman
` (376 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 61c3e8940f2d8b5bfeaeec4bedc2f3e7d873abb3 ]
If the decice does not support filtering, filtering
must not be used and all packets delivered for the
upper layers to sort.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20250717120649.2090929-1-oneukum@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/cdc_ncm.c | 20 ++++++++++++++++----
include/linux/usb/cdc_ncm.h | 1 +
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 789e3647f979..9eb3c6b66a38 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -892,6 +892,10 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_
}
}
+ if (ctx->func_desc)
+ ctx->filtering_supported = !!(ctx->func_desc->bmNetworkCapabilities
+ & USB_CDC_NCM_NCAP_ETH_FILTER);
+
iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber;
/* Device-specific flags */
@@ -1897,6 +1901,14 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
}
}
+static void cdc_ncm_update_filter(struct usbnet *dev)
+{
+ struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0];
+
+ if (ctx->filtering_supported)
+ usbnet_cdc_update_filter(dev);
+}
+
static const struct driver_info cdc_ncm_info = {
.description = "CDC NCM (NO ZLP)",
.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
@@ -1907,7 +1919,7 @@ static const struct driver_info cdc_ncm_info = {
.status = cdc_ncm_status,
.rx_fixup = cdc_ncm_rx_fixup,
.tx_fixup = cdc_ncm_tx_fixup,
- .set_rx_mode = usbnet_cdc_update_filter,
+ .set_rx_mode = cdc_ncm_update_filter,
};
/* Same as cdc_ncm_info, but with FLAG_SEND_ZLP */
@@ -1921,7 +1933,7 @@ static const struct driver_info cdc_ncm_zlp_info = {
.status = cdc_ncm_status,
.rx_fixup = cdc_ncm_rx_fixup,
.tx_fixup = cdc_ncm_tx_fixup,
- .set_rx_mode = usbnet_cdc_update_filter,
+ .set_rx_mode = cdc_ncm_update_filter,
};
/* Same as cdc_ncm_info, but with FLAG_WWAN */
@@ -1935,7 +1947,7 @@ static const struct driver_info wwan_info = {
.status = cdc_ncm_status,
.rx_fixup = cdc_ncm_rx_fixup,
.tx_fixup = cdc_ncm_tx_fixup,
- .set_rx_mode = usbnet_cdc_update_filter,
+ .set_rx_mode = cdc_ncm_update_filter,
};
/* Same as wwan_info, but with FLAG_NOARP */
@@ -1949,7 +1961,7 @@ static const struct driver_info wwan_noarp_info = {
.status = cdc_ncm_status,
.rx_fixup = cdc_ncm_rx_fixup,
.tx_fixup = cdc_ncm_tx_fixup,
- .set_rx_mode = usbnet_cdc_update_filter,
+ .set_rx_mode = cdc_ncm_update_filter,
};
static const struct usb_device_id cdc_devs[] = {
diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h
index 2d207cb4837d..4ac082a63173 100644
--- a/include/linux/usb/cdc_ncm.h
+++ b/include/linux/usb/cdc_ncm.h
@@ -119,6 +119,7 @@ struct cdc_ncm_ctx {
u32 timer_interval;
u32 max_ndp_size;
u8 is_ndp16;
+ u8 filtering_supported;
union {
struct usb_cdc_ncm_ndp16 *delayed_ndp16;
struct usb_cdc_ncm_ndp32 *delayed_ndp32;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 115/482] ktest.pl: Prevent recursion of default variable options
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 114/482] net: usb: cdc-ncm: check for filtering capability Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 116/482] wifi: cfg80211: reject HTC bit for management frames Greg Kroah-Hartman
` (375 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, Dhaval Giani,
Steven Rostedt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ]
If a default variable contains itself, do not recurse on it.
For example:
ADD_CONFIG := ${CONFIG_DIR}/temp_config
DEFAULTS
ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
The above works because the temp variable ADD_CONFIG (is a temp because it
is created with ":=") is already defined, it will be substituted in the
variable option. But if it gets commented out:
# ADD_CONFIG := ${CONFIG_DIR}/temp_config
DEFAULTS
ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
Then the above will go into a recursive loop where ${ADD_CONFIG} will
get replaced with the current definition of ADD_CONFIG which contains the
${ADD_CONFIG} and that will also try to get converted. ktest.pl will error
after 100 attempts of recursion and fail.
When replacing a variable with the default variable, if the default
variable contains itself, do not replace it.
Cc: "John Warthog9 Hawley" <warthog9@kernel.org>
Cc: Dhaval Giani <dhaval.giani@gmail.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/20250718202053.732189428@kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 2109bd42c144..26544bba3f8f 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -1351,7 +1351,10 @@ sub __eval_option {
# If a variable contains itself, use the default var
if (($var eq $name) && defined($opt{$var})) {
$o = $opt{$var};
- $retval = "$retval$o";
+ # Only append if the default doesn't contain itself
+ if ($o !~ m/\$\{$var\}/) {
+ $retval = "$retval$o";
+ }
} elsif (defined($opt{$o})) {
$o = $opt{$o};
$retval = "$retval$o";
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 116/482] wifi: cfg80211: reject HTC bit for management frames
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 115/482] ktest.pl: Prevent recursion of default variable options Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 117/482] s390/time: Use monotonic clock in get_cycles() Greg Kroah-Hartman
` (374 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ]
Management frames sent by userspace should never have the
order/HTC bit set, reject that. It could also cause some
confusion with the length of the buffer and the header so
the validation might end up wrong.
Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/mlme.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index e7fa0608341d..e0246ed9f66f 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -700,7 +700,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
mgmt = (const struct ieee80211_mgmt *)params->buf;
- if (!ieee80211_is_mgmt(mgmt->frame_control))
+ if (!ieee80211_is_mgmt(mgmt->frame_control) ||
+ ieee80211_has_order(mgmt->frame_control))
return -EINVAL;
stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 117/482] s390/time: Use monotonic clock in get_cycles()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 116/482] wifi: cfg80211: reject HTC bit for management frames Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 118/482] be2net: Use correct byte order and format string for TCP seq and ack_seq Greg Kroah-Hartman
` (373 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Heiko Carstens,
Alexander Gordeev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ]
Otherwise the code might not work correctly when the clock
is changed.
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/include/asm/timex.h | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h
index ce878e85b6e4..d0255aa5b36e 100644
--- a/arch/s390/include/asm/timex.h
+++ b/arch/s390/include/asm/timex.h
@@ -192,13 +192,6 @@ static inline unsigned long get_tod_clock_fast(void)
asm volatile("stckf %0" : "=Q" (clk) : : "cc");
return clk;
}
-
-static inline cycles_t get_cycles(void)
-{
- return (cycles_t) get_tod_clock() >> 2;
-}
-#define get_cycles get_cycles
-
int get_phys_clock(unsigned long *clock);
void init_cpu_timer(void);
@@ -221,6 +214,12 @@ static inline unsigned long get_tod_clock_monotonic(void)
return tod;
}
+static inline cycles_t get_cycles(void)
+{
+ return (cycles_t)get_tod_clock_monotonic() >> 2;
+}
+#define get_cycles get_cycles
+
/**
* tod_to_ns - convert a TOD format value to nanoseconds
* @todval: to be converted TOD format value
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 118/482] be2net: Use correct byte order and format string for TCP seq and ack_seq
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 117/482] s390/time: Use monotonic clock in get_cycles() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 119/482] wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB Greg Kroah-Hartman
` (372 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ]
The TCP header fields seq and ack_seq are 32-bit values in network
byte order as (__be32). these fields were earlier printed using
ntohs(), which converts only 16-bit values and produces incorrect
results for 32-bit fields. This patch is changeing the conversion
to ntohl(), ensuring correct interpretation of these sequence numbers.
Notably, the format specifier is updated from %d to %u to reflect the
unsigned nature of these fields.
improves the accuracy of debug log messages for TCP sequence and
acknowledgment numbers during TX timeouts.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index 173625a10886..7a3f7b4b859e 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -1466,10 +1466,10 @@ static void be_tx_timeout(struct net_device *netdev, unsigned int txqueue)
ntohs(tcphdr->source));
dev_info(dev, "TCP dest port %d\n",
ntohs(tcphdr->dest));
- dev_info(dev, "TCP sequence num %d\n",
- ntohs(tcphdr->seq));
- dev_info(dev, "TCP ack_seq %d\n",
- ntohs(tcphdr->ack_seq));
+ dev_info(dev, "TCP sequence num %u\n",
+ ntohl(tcphdr->seq));
+ dev_info(dev, "TCP ack_seq %u\n",
+ ntohl(tcphdr->ack_seq));
} else if (ip_hdr(skb)->protocol ==
IPPROTO_UDP) {
udphdr = udp_hdr(skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 119/482] wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 118/482] be2net: Use correct byte order and format string for TCP seq and ack_seq Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 120/482] et131x: Add missing check after DMA map Greg Kroah-Hartman
` (371 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit 671be46afd1f03de9dc6e4679c88e1a7a81cdff6 ]
This read_poll_timeout_atomic() with a delay of 1 µs and a timeout of
1000000 µs can take ~250 seconds in the worst case because sending a
USB control message takes ~250 µs.
Lower the timeout to 4000 for USB in order to reduce the maximum polling
time to ~1 second.
This problem was observed with RTL8851BU while suspending to RAM with
WOWLAN enabled. The computer sat for 4 minutes with a black screen
before suspending.
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/09313da6-c865-4e91-b758-4cb38a878796@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/fw.c | 9 +++++++--
drivers/net/wireless/realtek/rtw89/fw.h | 2 ++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
index 0f022a5192ac..977aadfdf997 100644
--- a/drivers/net/wireless/realtek/rtw89/fw.c
+++ b/drivers/net/wireless/realtek/rtw89/fw.c
@@ -2397,13 +2397,18 @@ static int rtw89_fw_read_c2h_reg(struct rtw89_dev *rtwdev,
{
const struct rtw89_chip_info *chip = rtwdev->chip;
const u32 *c2h_reg = chip->c2h_regs;
- u32 ret;
+ u32 ret, timeout;
u8 i, val;
info->id = RTW89_FWCMD_C2HREG_FUNC_NULL;
+ if (rtwdev->hci.type == RTW89_HCI_TYPE_USB)
+ timeout = RTW89_C2H_TIMEOUT_USB;
+ else
+ timeout = RTW89_C2H_TIMEOUT;
+
ret = read_poll_timeout_atomic(rtw89_read8, val, val, 1,
- RTW89_C2H_TIMEOUT, false, rtwdev,
+ timeout, false, rtwdev,
chip->c2h_ctrl_reg);
if (ret) {
rtw89_warn(rtwdev, "c2h reg timeout\n");
diff --git a/drivers/net/wireless/realtek/rtw89/fw.h b/drivers/net/wireless/realtek/rtw89/fw.h
index 0047d5d0e9b1..d0f2c5b22513 100644
--- a/drivers/net/wireless/realtek/rtw89/fw.h
+++ b/drivers/net/wireless/realtek/rtw89/fw.h
@@ -33,6 +33,8 @@ enum rtw89_fw_dl_status {
#define RTW89_C2HREG_HDR_LEN 2
#define RTW89_H2CREG_HDR_LEN 2
#define RTW89_C2H_TIMEOUT 1000000
+#define RTW89_C2H_TIMEOUT_USB 4000
+
struct rtw89_mac_c2h_info {
u8 id;
u8 content_len;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 120/482] et131x: Add missing check after DMA map
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 119/482] wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 121/482] net: ag71xx: " Greg Kroah-Hartman
` (370 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Mark Einon,
Simon Horman, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ]
The DMA map functions can fail and should be tested for errors.
If the mapping fails, unmap and return an error.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Acked-by: Mark Einon <mark.einon@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c
index 5fab589b3ddf..03e7f8084965 100644
--- a/drivers/net/ethernet/agere/et131x.c
+++ b/drivers/net/ethernet/agere/et131x.c
@@ -2459,6 +2459,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
skb->data,
skb_headlen(skb),
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
+ dma_addr))
+ return -ENOMEM;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2468,6 +2472,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
skb->data,
skb_headlen(skb) / 2,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
+ dma_addr))
+ return -ENOMEM;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2478,6 +2486,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
skb_headlen(skb) / 2,
skb_headlen(skb) / 2,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
+ dma_addr))
+ goto unmap_first_out;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2489,6 +2501,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
0,
desc[frag].len_vlan,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev, dma_addr))
+ goto unmap_out;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2578,6 +2593,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
&adapter->regs->global.watchdog_timer);
}
return 0;
+
+unmap_out:
+ // Unmap the body of the packet with map_page
+ while (--i) {
+ frag--;
+ dma_addr = desc[frag].addr_lo;
+ dma_addr |= (u64)desc[frag].addr_hi << 32;
+ dma_unmap_page(&adapter->pdev->dev, dma_addr,
+ desc[frag].len_vlan, DMA_TO_DEVICE);
+ }
+
+unmap_first_out:
+ // Unmap the header with map_single
+ while (frag--) {
+ dma_addr = desc[frag].addr_lo;
+ dma_addr |= (u64)desc[frag].addr_hi << 32;
+ dma_unmap_single(&adapter->pdev->dev, dma_addr,
+ desc[frag].len_vlan, DMA_TO_DEVICE);
+ }
+
+ return -ENOMEM;
}
static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 121/482] net: ag71xx: Add missing check after DMA map
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 120/482] et131x: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 122/482] net/mlx5e: Properly access RCU protected qdisc_sleeping variable Greg Kroah-Hartman
` (369 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ]
The DMA map functions can fail and should be tested for errors.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
index 4a1efe9b37d0..ff93b00dcd61 100644
--- a/drivers/net/ethernet/atheros/ag71xx.c
+++ b/drivers/net/ethernet/atheros/ag71xx.c
@@ -1234,6 +1234,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf,
buf->rx.rx_buf = data;
buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size,
DMA_FROM_DEVICE);
+ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) {
+ skb_free_frag(data);
+ buf->rx.rx_buf = NULL;
+ return false;
+ }
desc->data = (u32)buf->rx.dma_addr + offset;
return true;
}
@@ -1532,6 +1537,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb,
dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) {
+ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n");
+ goto err_drop;
+ }
i = ring->curr & ring_mask;
desc = ag71xx_ring_desc(ring, i);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 122/482] net/mlx5e: Properly access RCU protected qdisc_sleeping variable
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 121/482] net: ag71xx: " Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 123/482] arm64: Mark kernel as tainted on SAE and SError panic Greg Kroah-Hartman
` (368 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Tariq Toukan,
Michal Swiatkowski, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@nvidia.com>
[ Upstream commit 2a601b2d35623065d31ebaf697b07502d54878c9 ]
qdisc_sleeping variable is declared as "struct Qdisc __rcu" and
as such needs proper annotation while accessing it.
Without rtnl_dereference(), the following error is generated by sparse:
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: warning:
incorrect type in initializer (different address spaces)
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: expected
struct Qdisc *qdisc
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: got struct
Qdisc [noderef] __rcu *qdisc_sleeping
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1752675472-201445-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
index 1e887d640cff..c72ac4dbdb21 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
@@ -362,7 +362,7 @@ void mlx5e_reactivate_qos_sq(struct mlx5e_priv *priv, u16 qid, struct netdev_que
void mlx5e_reset_qdisc(struct net_device *dev, u16 qid)
{
struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, qid);
- struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
+ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
if (!qdisc)
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 123/482] arm64: Mark kernel as tainted on SAE and SError panic
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 122/482] net/mlx5e: Properly access RCU protected qdisc_sleeping variable Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 124/482] rcu: Protect ->defer_qs_iw_pending from data race Greg Kroah-Hartman
` (367 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Mark Rutland,
Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit d7ce7e3a84642aadf7c4787f7ec4f58eb163d129 ]
Set TAINT_MACHINE_CHECK when SError or Synchronous External Abort (SEA)
interrupts trigger a panic to flag potential hardware faults. This
tainting mechanism aids in debugging and enables correlation of
hardware-related crashes in large-scale deployments.
This change aligns with similar patches[1] that mark machine check
events when the system crashes due to hardware errors.
Link: https://lore.kernel.org/all/20250702-add_tain-v1-1-9187b10914b9@debian.org/ [1]
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250716-vmcore_hw_error-v2-1-f187f7d62aba@debian.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/traps.c | 1 +
arch/arm64/mm/fault.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 23d281ed7621..09489e92ff94 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -911,6 +911,7 @@ void panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigned long far)
void __noreturn arm64_serror_panic(struct pt_regs *regs, unsigned long esr)
{
+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
console_verbose();
pr_crit("SError Interrupt on CPU%d, code 0x%016lx -- %s\n",
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 6b6b8a82f294..0776c98ad27f 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -710,6 +710,7 @@ static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs)
*/
siaddr = untagged_addr(far);
}
+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 124/482] rcu: Protect ->defer_qs_iw_pending from data race
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 123/482] arm64: Mark kernel as tainted on SAE and SError panic Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 125/482] net: mctp: Prevent duplicate binds Greg Kroah-Hartman
` (366 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney,
Frederic Weisbecker, Neeraj Upadhyay (AMD), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ]
On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
invoked within an interrupts-disabled region of code [1], it will invoke
rcu_read_unlock_special(), which uses an irq-work handler to force the
system to notice when the RCU read-side critical section actually ends.
That end won't happen until interrupts are enabled at the soonest.
In some kernels, such as those booted with rcutree.use_softirq=y, the
irq-work handler is used unconditionally.
The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
updated by the irq-work handler and is both read and updated by
rcu_read_unlock_special(). This resulted in the following KCSAN splat:
------------------------------------------------------------------------
BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special
read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
rcu_read_unlock_special+0x175/0x260
__rcu_read_unlock+0x92/0xa0
rt_spin_unlock+0x9b/0xc0
__local_bh_enable+0x10d/0x170
__local_bh_enable_ip+0xfb/0x150
rcu_do_batch+0x595/0xc40
rcu_cpu_kthread+0x4e9/0x830
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30
write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
rcu_preempt_deferred_qs_handler+0x1e/0x30
irq_work_single+0xaf/0x160
run_irq_workd+0x91/0xc0
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30
no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70
softirqs last enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [<0000000000000000>] 0x0
------------------------------------------------------------------------
The problem is that irq-work handlers run with interrupts enabled, which
means that rcu_preempt_deferred_qs_handler() could be interrupted,
and that interrupt handler might contain an RCU read-side critical
section, which might invoke rcu_read_unlock_special(). In the strict
KCSAN mode of operation used by RCU, this constitutes a data race on
the ->defer_qs_iw_pending field.
This commit therefore disables interrupts across the portion of the
rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending
field. This suffices because this handler is not a fast path.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/tree_plugin.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
index 3929ef8148c1..6fc1ff14bfdf 100644
--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
@@ -612,10 +612,13 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t)
*/
static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp)
{
+ unsigned long flags;
struct rcu_data *rdp;
rdp = container_of(iwp, struct rcu_data, defer_qs_iw);
+ local_irq_save(flags);
rdp->defer_qs_iw_pending = false;
+ local_irq_restore(flags);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 125/482] net: mctp: Prevent duplicate binds
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 124/482] rcu: Protect ->defer_qs_iw_pending from data race Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 126/482] wifi: cfg80211: Fix interface type validation Greg Kroah-Hartman
` (365 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Johnston, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Johnston <matt@codeconstruct.com.au>
[ Upstream commit 3954502377ec05a1b37e2dc9bef0bacd4bbd71b2 ]
Disallow bind() calls that have the same arguments as existing bound
sockets. Previously multiple sockets could bind() to the same
type/local address, with an arbitrary socket receiving matched messages.
This is only a partial fix, a future commit will define precedence order
for MCTP_ADDR_ANY versus specific EID bind(), which are allowed to exist
together.
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Link: https://patch.msgid.link/20250710-mctp-bind-v4-2-8ec2f6460c56@codeconstruct.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/af_mctp.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
index 6a963eac1cc2..0f49b41570f5 100644
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -73,7 +73,6 @@ static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
lock_sock(sk);
- /* TODO: allow rebind */
if (sk_hashed(sk)) {
rc = -EADDRINUSE;
goto out_release;
@@ -550,15 +549,36 @@ static void mctp_sk_close(struct sock *sk, long timeout)
static int mctp_sk_hash(struct sock *sk)
{
struct net *net = sock_net(sk);
+ struct sock *existing;
+ struct mctp_sock *msk;
+ int rc;
+
+ msk = container_of(sk, struct mctp_sock, sk);
/* Bind lookup runs under RCU, remain live during that. */
sock_set_flag(sk, SOCK_RCU_FREE);
mutex_lock(&net->mctp.bind_lock);
+
+ /* Prevent duplicate binds. */
+ sk_for_each(existing, &net->mctp.binds) {
+ struct mctp_sock *mex =
+ container_of(existing, struct mctp_sock, sk);
+
+ if (mex->bind_type == msk->bind_type &&
+ mex->bind_addr == msk->bind_addr &&
+ mex->bind_net == msk->bind_net) {
+ rc = -EADDRINUSE;
+ goto out;
+ }
+ }
+
sk_add_node_rcu(sk, &net->mctp.binds);
- mutex_unlock(&net->mctp.bind_lock);
+ rc = 0;
- return 0;
+out:
+ mutex_unlock(&net->mctp.bind_lock);
+ return rc;
}
static void mctp_sk_unhash(struct sock *sk)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 126/482] wifi: cfg80211: Fix interface type validation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 125/482] net: mctp: Prevent duplicate binds Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 127/482] net: ipv4: fix incorrect MTU in broadcast routes Greg Kroah-Hartman
` (364 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilan Peer, Miri Korenblit,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilan Peer <ilan.peer@intel.com>
[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ]
Fix a condition that verified valid values of interface types.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/cfg80211.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 2a0fc4a64af1..e35bc5c35732 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -559,7 +559,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband,
{
int i;
- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
+ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES))
return NULL;
if (iftype == NL80211_IFTYPE_AP_VLAN)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 127/482] net: ipv4: fix incorrect MTU in broadcast routes
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 126/482] wifi: cfg80211: Fix interface type validation Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 128/482] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Greg Kroah-Hartman
` (363 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oscar Maes, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oscar Maes <oscmaes92@gmail.com>
[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ]
Currently, __mkroute_output overrules the MTU value configured for
broadcast routes.
This buggy behaviour can be reproduced with:
ip link set dev eth1 mtu 9000
ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2
ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500
The maximum packet size should be 1500, but it is actually 8000:
ping -b 192.168.0.255 -s 8000
Fix __mkroute_output to allow MTU values to be configured for
for broadcast routes (to support a mixed-MTU local-area-network).
Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/route.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 870108101017..c57a1cee98e2 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2562,7 +2562,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
do_cache = true;
if (type == RTN_BROADCAST) {
flags |= RTCF_BROADCAST | RTCF_LOCAL;
- fi = NULL;
} else if (type == RTN_MULTICAST) {
flags |= RTCF_MULTICAST | RTCF_LOCAL;
if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 128/482] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 127/482] net: ipv4: fix incorrect MTU in broadcast routes Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 129/482] um: Re-evaluate thread flags repeatedly Greg Kroah-Hartman
` (362 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ]
The buffer bgx_sel used in snprintf() was too small to safely hold
the formatted string "BGX%d" for all valid bgx_id values. This caused
a -Wformat-truncation warning with `Werror` enabled during build.
Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in
snprintf() to ensure safety and suppress the warning.
Build warning:
CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o
drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function
‘bgx_acpi_match_id’:
drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’
directive output may be truncated writing between 1 and 3 bytes into a
region of size 2 [-Werror=format-truncation=]
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
^~
drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note:
directive argument in the range [0, 255]
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
^~~~~~~
drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note:
‘snprintf’ output between 5 and 7 bytes into a destination of size 5
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
compiler warning due to insufficient snprintf buffer size.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
index 7eb2ddbe9bad..8c955eefc7e4 100644
--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
@@ -1428,9 +1428,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
{
struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL };
struct bgx *bgx = context;
- char bgx_sel[5];
+ char bgx_sel[7];
- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id);
if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) {
pr_warn("Invalid link device\n");
return AE_OK;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 129/482] um: Re-evaluate thread flags repeatedly
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 128/482] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 130/482] wifi: iwlwifi: mvm: fix scan request validation Greg Kroah-Hartman
` (361 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Nam Cao,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit b9e2f2246eb2b5617d53af7b5e4e1b8c916f26a8 ]
The thread flags may change during their processing.
For example a task_work can queue a new signal to be sent.
This signal should be delivered before returning to usespace again.
Evaluate the flags repeatedly similar to other architectures.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://patch.msgid.link/20250704-uml-thread_flags-v1-1-0e293fd8d627@linutronix.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/include/asm/thread_info.h | 4 ++++
arch/um/kernel/process.c | 20 ++++++++++++--------
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/arch/um/include/asm/thread_info.h b/arch/um/include/asm/thread_info.h
index c7b4b49826a2..40d823f36c09 100644
--- a/arch/um/include/asm/thread_info.h
+++ b/arch/um/include/asm/thread_info.h
@@ -68,7 +68,11 @@ static inline struct thread_info *current_thread_info(void)
#define _TIF_NOTIFY_SIGNAL (1 << TIF_NOTIFY_SIGNAL)
#define _TIF_MEMDIE (1 << TIF_MEMDIE)
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
+#define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL | \
+ _TIF_NOTIFY_RESUME)
+
#endif
diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
index c5281ce31685..d8c274d99390 100644
--- a/arch/um/kernel/process.c
+++ b/arch/um/kernel/process.c
@@ -97,14 +97,18 @@ void *__switch_to(struct task_struct *from, struct task_struct *to)
void interrupt_end(void)
{
struct pt_regs *regs = ¤t->thread.regs;
-
- if (need_resched())
- schedule();
- if (test_thread_flag(TIF_SIGPENDING) ||
- test_thread_flag(TIF_NOTIFY_SIGNAL))
- do_signal(regs);
- if (test_thread_flag(TIF_NOTIFY_RESUME))
- resume_user_mode_work(regs);
+ unsigned long thread_flags;
+
+ thread_flags = read_thread_flags();
+ while (thread_flags & _TIF_WORK_MASK) {
+ if (thread_flags & _TIF_NEED_RESCHED)
+ schedule();
+ if (thread_flags & (_TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL))
+ do_signal(regs);
+ if (thread_flags & _TIF_NOTIFY_RESUME)
+ resume_user_mode_work(regs);
+ thread_flags = read_thread_flags();
+ }
}
int get_current_pid(void)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 130/482] wifi: iwlwifi: mvm: fix scan request validation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 129/482] um: Re-evaluate thread flags repeatedly Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 131/482] s390/stp: Remove udelay from stp_sync_clock() Greg Kroah-Hartman
` (360 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avraham Stern, Ilan Peer,
Miri Korenblit, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avraham Stern <avraham.stern@intel.com>
[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ]
The scan request validation function uses bitwise and instead
of logical and. Fix it.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 2a4c59c71448..1d9798775f8a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -822,7 +822,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids,
int n_channels)
{
return ((n_ssids <= PROBE_OPTION_MAX) &&
- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &
+ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &&
(ies->common_ie_len +
ies->len[NL80211_BAND_2GHZ] + ies->len[NL80211_BAND_5GHZ] +
ies->len[NL80211_BAND_6GHZ] <=
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 131/482] s390/stp: Remove udelay from stp_sync_clock()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 130/482] wifi: iwlwifi: mvm: fix scan request validation Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 132/482] sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Greg Kroah-Hartman
` (359 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Sven Schnelle,
Alexander Gordeev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ]
When an stp sync check is handled on a system with multiple
cpus each cpu gets a machine check but only the first one
actually handles the sync operation. All other CPUs spin
waiting for the first one to finish with a short udelay().
But udelay can't be used here as the first CPU modifies tod_clock_base
before performing the sync op. During this timeframe
get_tod_clock_monotonic() might return a non-monotonic time.
The time spent waiting should be very short and udelay is a busy loop
anyways, therefore simply remove the udelay.
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c
index 6b7b6d5e3632..add2862e835b 100644
--- a/arch/s390/kernel/time.c
+++ b/arch/s390/kernel/time.c
@@ -574,7 +574,7 @@ static int stp_sync_clock(void *data)
atomic_dec(&sync->cpus);
/* Wait for in_sync to be set. */
while (READ_ONCE(sync->in_sync) == 0)
- __udelay(1);
+ ;
}
if (sync->in_sync != 1)
/* Didn't work. Clear per-cpu in sync bit again. */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 132/482] sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 131/482] s390/stp: Remove udelay from stp_sync_clock() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 133/482] wifi: mac80211: dont complete management TX on SAE commit Greg Kroah-Hartman
` (358 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Peter Zijlstra (Intel),
Vincent Guittot, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Mason <clm@fb.com>
[ Upstream commit 155213a2aed42c85361bf4f5c817f5cb68951c3b ]
schbench (https://github.com/masoncl/schbench.git) is showing a
regression from previous production kernels that bisected down to:
sched/fair: Remove sysctl_sched_migration_cost condition (c5b0a7eefc)
The schbench command line was:
schbench -L -m 4 -M auto -t 256 -n 0 -r 0 -s 0
This creates 4 message threads pinned to CPUs 0-3, and 256x4 worker
threads spread across the rest of the CPUs. Neither the worker threads
or the message threads do any work, they just wake each other up and go
back to sleep as soon as possible.
The end result is the first 4 CPUs are pegged waking up those 1024
workers, and the rest of the CPUs are constantly banging in and out of
idle. If I take a v6.9 Linus kernel and revert that one commit,
performance goes from 3.4M RPS to 5.4M RPS.
schedstat shows there are ~100x more new idle balance operations, and
profiling shows the worker threads are spending ~20% of their CPU time
on new idle balance. schedstats also shows that almost all of these new
idle balance attemps are failing to find busy groups.
The fix used here is to crank up the cost of the newidle balance whenever it
fails. Since we don't want sd->max_newidle_lb_cost to grow out of
control, this also changes update_newidle_cost() to use
sysctl_sched_migration_cost as the upper limit on max_newidle_lb_cost.
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/20250626144017.1510594-2-clm@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index d30e0936cfec..2deb896883d3 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -10941,8 +10941,14 @@ static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost)
/*
* Track max cost of a domain to make sure to not delay the
* next wakeup on the CPU.
+ *
+ * sched_balance_newidle() bumps the cost whenever newidle
+ * balance fails, and we don't want things to grow out of
+ * control. Use the sysctl_sched_migration_cost as the upper
+ * limit, plus a litle extra to avoid off by ones.
*/
- sd->max_newidle_lb_cost = cost;
+ sd->max_newidle_lb_cost =
+ min(cost, sysctl_sched_migration_cost + 200);
sd->last_decay_max_lb_cost = jiffies;
} else if (time_after(jiffies, sd->last_decay_max_lb_cost + HZ)) {
/*
@@ -11624,10 +11630,17 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
t1 = sched_clock_cpu(this_cpu);
domain_cost = t1 - t0;
- update_newidle_cost(sd, domain_cost);
-
curr_cost += domain_cost;
t0 = t1;
+
+ /*
+ * Failing newidle means it is not effective;
+ * bump the cost so we end up doing less of it.
+ */
+ if (!pulled_task)
+ domain_cost = (3 * sd->max_newidle_lb_cost) / 2;
+
+ update_newidle_cost(sd, domain_cost);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 133/482] wifi: mac80211: dont complete management TX on SAE commit
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 132/482] sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 134/482] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Greg Kroah-Hartman
` (357 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hendrik Farr, Johannes Berg,
Miri Korenblit, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 6b04716cdcac37bdbacde34def08bc6fdb5fc4e2 ]
When SAE commit is sent and received in response, there's no
ordering for the SAE confirm messages. As such, don't call
drivers to stop listening on the channel when the confirm
message is still expected.
This fixes an issue if the local confirm is transmitted later
than the AP's confirm, for iwlwifi (and possibly mt76) the
AP's confirm would then get lost since the device isn't on
the channel at the time the AP transmit the confirm.
For iwlwifi at least, this also improves the overall timing
of the authentication handshake (by about 15ms according to
the report), likely since the session protection won't be
aborted and rescheduled.
Note that even before this, mgd_complete_tx() wasn't always
called for each call to mgd_prepare_tx() (e.g. in the case
of WEP key shared authentication), and the current drivers
that have the complete callback don't seem to mind. Document
this as well though.
Reported-by: Jan Hendrik Farr <kernel@jfarr.cc>
Closes: https://lore.kernel.org/all/aB30Ea2kRG24LINR@archlinux/
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250609213232.12691580e140.I3f1d3127acabcd58348a110ab11044213cf147d3@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/mac80211.h | 2 ++
net/mac80211/mlme.c | 9 ++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 6ef8348b5e93..28a9b9c00e6b 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -4011,6 +4011,8 @@ struct ieee80211_prep_tx_info {
* @mgd_complete_tx: Notify the driver that the response frame for a previously
* transmitted frame announced with @mgd_prepare_tx was received, the data
* is filled similarly to @mgd_prepare_tx though the duration is not used.
+ * Note that this isn't always called for each mgd_prepare_tx() call, for
+ * example for SAE the 'confirm' messages can be on the air in any order.
*
* @mgd_protect_tdls_discover: Protect a TDLS discovery session. After sending
* a TDLS discovery-request, we expect a reply to arrive on the AP's
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index b300972c3150..cc47d6b88f04 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3595,6 +3595,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
struct ieee80211_prep_tx_info info = {
.subtype = IEEE80211_STYPE_AUTH,
};
+ bool sae_need_confirm = false;
sdata_assert_lock(sdata);
@@ -3638,6 +3639,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
ifmgd->auth_data->timeout_started = true;
run_again(sdata, ifmgd->auth_data->timeout);
+ if (auth_transaction == 1)
+ sae_need_confirm = true;
goto notify_driver;
}
@@ -3680,6 +3683,9 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
ifmgd->auth_data->expected_transaction == 2)) {
if (!ieee80211_mark_sta_auth(sdata))
return; /* ignore frame -- wait for timeout */
+ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
+ auth_transaction == 1) {
+ sae_need_confirm = true;
} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
auth_transaction == 2) {
sdata_info(sdata, "SAE peer confirmed\n");
@@ -3688,7 +3694,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
notify_driver:
- drv_mgd_complete_tx(sdata->local, sdata, &info);
+ if (!sae_need_confirm)
+ drv_mgd_complete_tx(sdata->local, sdata, &info);
}
#define case_WLAN(type) \
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 134/482] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 133/482] wifi: mac80211: dont complete management TX on SAE commit Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 135/482] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc() Greg Kroah-Hartman
` (356 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ]
If the device configuration fails (if `dma_dev->device_config()`),
`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep`
leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
index 04bf6ecf7d55..85e0fa7d902b 100644
--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
+++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void)
dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
/* Make DMA channel work with LPB FIFO data register */
- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) {
- ret = -EINVAL;
- goto err_dma_prep;
- }
+ if (dma_dev->device_config(lpbfifo.chan, &dma_conf))
+ return -EINVAL;
sg_init_table(&sg, 1);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 135/482] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc().
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 134/482] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 136/482] drm/msm: use trylock for debugfs Greg Kroah-Hartman
` (355 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit dbd40f318cf2f59759bd170c401adc20ba360a3e ]
Since commit 63ed8de4be81 ("mld: add mc_lock for protecting
per-interface mld data"), every multicast resource is protected
by inet6_dev->mc_lock.
RTNL is unnecessary in terms of protection but still needed for
synchronisation between addrconf_ifdown() and __ipv6_dev_mc_inc().
Once we removed RTNL, there would be a race below, where we could
add a multicast address to a dead inet6_dev.
CPU1 CPU2
==== ====
addrconf_ifdown() __ipv6_dev_mc_inc()
if (idev->dead) <-- false
dead = true return -ENODEV;
ipv6_mc_destroy_dev() / ipv6_mc_down()
mutex_lock(&idev->mc_lock)
...
mutex_unlock(&idev->mc_lock)
mutex_lock(&idev->mc_lock)
...
mutex_unlock(&idev->mc_lock)
The race window can be easily closed by checking inet6_dev->dead
under inet6_dev->mc_lock in __ipv6_dev_mc_inc() as addrconf_ifdown()
will acquire it after marking inet6_dev dead.
Let's check inet6_dev->dead under mc_lock in __ipv6_dev_mc_inc().
Note that now __ipv6_dev_mc_inc() no longer depends on RTNL and
we can remove ASSERT_RTNL() there and the RTNL comment above
addrconf_join_solict().
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250702230210.3115355-4-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf.c | 7 +++----
net/ipv6/mcast.c | 11 +++++------
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 69915bb8b96d..cbdb510b40ea 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2185,13 +2185,12 @@ void addrconf_dad_failure(struct sk_buff *skb, struct inet6_ifaddr *ifp)
in6_ifa_put(ifp);
}
-/* Join to solicited addr multicast group.
- * caller must hold RTNL */
+/* Join to solicited addr multicast group. */
void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr)
{
struct in6_addr maddr;
- if (dev->flags&(IFF_LOOPBACK|IFF_NOARP))
+ if (READ_ONCE(dev->flags) & (IFF_LOOPBACK | IFF_NOARP))
return;
addrconf_addr_solict_mult(addr, &maddr);
@@ -3807,7 +3806,7 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister)
* Do not dev_put!
*/
if (unregister) {
- idev->dead = 1;
+ WRITE_ONCE(idev->dead, 1);
/* protected by rtnl_lock */
RCU_INIT_POINTER(dev->ip6_ptr, NULL);
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index e9e59a83ba9b..e7f569875e71 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -906,23 +906,22 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev,
static int __ipv6_dev_mc_inc(struct net_device *dev,
const struct in6_addr *addr, unsigned int mode)
{
- struct ifmcaddr6 *mc;
struct inet6_dev *idev;
-
- ASSERT_RTNL();
+ struct ifmcaddr6 *mc;
/* we need to take a reference on idev */
idev = in6_dev_get(dev);
-
if (!idev)
return -EINVAL;
- if (idev->dead) {
+ mutex_lock(&idev->mc_lock);
+
+ if (READ_ONCE(idev->dead)) {
+ mutex_unlock(&idev->mc_lock);
in6_dev_put(idev);
return -ENODEV;
}
- mutex_lock(&idev->mc_lock);
for_each_mc_mclock(idev, mc) {
if (ipv6_addr_equal(&mc->mca_addr, addr)) {
mc->mca_users++;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 136/482] drm/msm: use trylock for debugfs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 135/482] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 137/482] wifi: rtw89: Fix rtw89_mac_power_switch() for USB Greg Kroah-Hartman
` (354 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Rob Clark,
Antonino Maniscalco, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robdclark@chromium.org>
[ Upstream commit 0a1ff88ec5b60b41ba830c5bf08b6cd8f45ab411 ]
This resolves a potential deadlock vs msm_gem_vm_close(). Otherwise for
_NO_SHARE buffers msm_gem_describe() could be trying to acquire the
shared vm resv, while already holding priv->obj_lock. But _vm_close()
might drop the last reference to a GEM obj while already holding the vm
resv, and msm_gem_free_object() needs to grab priv->obj_lock, a locking
inversion.
OTOH this is only for debugfs and it isn't critical if we undercount by
skipping a locked obj. So just use trylock() and move along if we can't
get the lock.
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Tested-by: Antonino Maniscalco <antomani103@gmail.com>
Reviewed-by: Antonino Maniscalco <antomani103@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/661525/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem.c | 3 ++-
drivers/gpu/drm/msm/msm_gem.h | 6 ++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 1dee0d18abbb..7116c2aac4cb 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -874,7 +874,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m,
uint64_t off = drm_vma_node_start(&obj->vma_node);
const char *madv;
- msm_gem_lock(obj);
+ if (!msm_gem_trylock(obj))
+ return;
stats->all.count++;
stats->all.size += obj->size;
diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
index c4844cf3a585..4c8e0a022c24 100644
--- a/drivers/gpu/drm/msm/msm_gem.h
+++ b/drivers/gpu/drm/msm/msm_gem.h
@@ -185,6 +185,12 @@ msm_gem_lock(struct drm_gem_object *obj)
dma_resv_lock(obj->resv, NULL);
}
+static inline bool __must_check
+msm_gem_trylock(struct drm_gem_object *obj)
+{
+ return dma_resv_trylock(obj->resv);
+}
+
static inline int
msm_gem_lock_interruptible(struct drm_gem_object *obj)
{
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 137/482] wifi: rtw89: Fix rtw89_mac_power_switch() for USB
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 136/482] drm/msm: use trylock for debugfs Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 138/482] wifi: rtw89: Disable deep power saving for USB/SDIO Greg Kroah-Hartman
` (353 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit e2b71603333a9dd73ee88347d8894fffc3456ac1 ]
Clear some bits in some registers in order to allow RTL8851BU to power
on. This is done both when powering on and when powering off because
that's what the vendor driver does.
Also tested with RTL8832BU and RTL8832CU.
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/a39da939-d640-4486-ad38-f658f220afc8@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/mac.c | 19 +++++++++++++++++++
drivers/net/wireless/realtek/rtw89/reg.h | 1 +
2 files changed, 20 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c
index 4a1c9e18c530..f15a2c6874cb 100644
--- a/drivers/net/wireless/realtek/rtw89/mac.c
+++ b/drivers/net/wireless/realtek/rtw89/mac.c
@@ -1093,6 +1093,23 @@ void rtw89_mac_notify_wake(struct rtw89_dev *rtwdev)
rtw89_mac_send_rpwm(rtwdev, state, true);
}
+static void rtw89_mac_power_switch_boot_mode(struct rtw89_dev *rtwdev)
+{
+ u32 boot_mode;
+
+ if (rtwdev->hci.type != RTW89_HCI_TYPE_USB)
+ return;
+
+ boot_mode = rtw89_read32_mask(rtwdev, R_AX_GPIO_MUXCFG, B_AX_BOOT_MODE);
+ if (!boot_mode)
+ return;
+
+ rtw89_write32_clr(rtwdev, R_AX_SYS_PW_CTRL, B_AX_APFN_ONMAC);
+ rtw89_write32_clr(rtwdev, R_AX_SYS_STATUS1, B_AX_AUTO_WLPON);
+ rtw89_write32_clr(rtwdev, R_AX_GPIO_MUXCFG, B_AX_BOOT_MODE);
+ rtw89_write32_clr(rtwdev, R_AX_RSV_CTRL, B_AX_R_DIS_PRST);
+}
+
static int rtw89_mac_power_switch(struct rtw89_dev *rtwdev, bool on)
{
#define PWR_ACT 1
@@ -1102,6 +1119,8 @@ static int rtw89_mac_power_switch(struct rtw89_dev *rtwdev, bool on)
int ret;
u8 val;
+ rtw89_mac_power_switch_boot_mode(rtwdev);
+
if (on) {
cfg_seq = chip->pwr_on_seq;
cfg_func = chip->ops->pwr_on_func;
diff --git a/drivers/net/wireless/realtek/rtw89/reg.h b/drivers/net/wireless/realtek/rtw89/reg.h
index 0291aff94016..52dd24a6216d 100644
--- a/drivers/net/wireless/realtek/rtw89/reg.h
+++ b/drivers/net/wireless/realtek/rtw89/reg.h
@@ -157,6 +157,7 @@
#define R_AX_SYS_STATUS1 0x00F4
#define B_AX_SEL_0XC0_MASK GENMASK(17, 16)
+#define B_AX_AUTO_WLPON BIT(10)
#define B_AX_PAD_HCI_SEL_V2_MASK GENMASK(5, 3)
#define MAC_AX_HCI_SEL_SDIO_UART 0
#define MAC_AX_HCI_SEL_MULTI_USB 1
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 138/482] wifi: rtw89: Disable deep power saving for USB/SDIO
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 137/482] wifi: rtw89: Fix rtw89_mac_power_switch() for USB Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 139/482] kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace Greg Kroah-Hartman
` (352 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit a3b871a0f7c083c2a632a31da8bc3de554ae8550 ]
Disable deep power saving for USB and SDIO because rtw89_mac_send_rpwm()
is called in atomic context and accessing hardware registers results in
"scheduling while atomic" errors.
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/0f49eceb-0de0-47e2-ba36-3c6a0dddd17d@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index 9e4a02a322ff..ff3a31bf3a87 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -1721,6 +1721,9 @@ static enum rtw89_ps_mode rtw89_update_ps_mode(struct rtw89_dev *rtwdev)
{
const struct rtw89_chip_info *chip = rtwdev->chip;
+ if (rtwdev->hci.type != RTW89_HCI_TYPE_PCIE)
+ return RTW89_PS_MODE_NONE;
+
if (rtw89_disable_ps_mode || !chip->ps_mode_supported ||
RTW89_CHK_FW_FEATURE(NO_DEEP_PS, &rtwdev->fw))
return RTW89_PS_MODE_NONE;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 139/482] kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 138/482] wifi: rtw89: Disable deep power saving for USB/SDIO Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 140/482] net: thunderbolt: Enable end-to-end flow control also in transmit Greg Kroah-Hartman
` (351 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit 9e8ebfe677f9101bbfe1f75d548a5aec581e8213 ]
Since f916dd32a943 ("arm64/fpsimd: ptrace: Mandate SVE payload for
streaming-mode state") we reject attempts to write to the streaming mode
regset even if there is no register data supplied, causing the tests for
setting vector lengths and setting SVE_VL_INHERIT in sve-ptrace to
spuriously fail. Set the flag to avoid the issue, we still support not
supplying register data.
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20250609-kselftest-arm64-ssve-fixups-v2-3-998fcfa6f240@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/arm64/fp/sve-ptrace.c b/tools/testing/selftests/arm64/fp/sve-ptrace.c
index 91dd31629ffe..9f5461cd5b8f 100644
--- a/tools/testing/selftests/arm64/fp/sve-ptrace.c
+++ b/tools/testing/selftests/arm64/fp/sve-ptrace.c
@@ -158,7 +158,7 @@ static void ptrace_set_get_inherit(pid_t child, const struct vec_type *type)
memset(&sve, 0, sizeof(sve));
sve.size = sizeof(sve);
sve.vl = sve_vl_from_vq(SVE_VQ_MIN);
- sve.flags = SVE_PT_VL_INHERIT;
+ sve.flags = SVE_PT_VL_INHERIT | SVE_PT_REGS_SVE;
ret = set_sve(child, type, &sve);
if (ret != 0) {
ksft_test_result_fail("Failed to set %s SVE_PT_VL_INHERIT\n",
@@ -223,6 +223,7 @@ static void ptrace_set_get_vl(pid_t child, const struct vec_type *type,
/* Set the VL by doing a set with no register payload */
memset(&sve, 0, sizeof(sve));
sve.size = sizeof(sve);
+ sve.flags = SVE_PT_REGS_SVE;
sve.vl = vl;
ret = set_sve(child, type, &sve);
if (ret != 0) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 140/482] net: thunderbolt: Enable end-to-end flow control also in transmit
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 139/482] kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 141/482] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Greg Kroah-Hartman
` (350 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mika Westerberg, zhangjianrong,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhangjianrong <zhangjianrong5@huawei.com>
[ Upstream commit a8065af3346ebd7c76ebc113451fb3ba94cf7769 ]
According to USB4 specification, if E2E flow control is disabled for
the Transmit Descriptor Ring, the Host Interface Adapter Layer shall
not require any credits to be available before transmitting a Tunneled
Packet from this Transmit Descriptor Ring, so e2e flow control should
be enabled in both directions.
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/20250624153805.GC2824380@black.fi.intel.com
Signed-off-by: zhangjianrong <zhangjianrong5@huawei.com>
Link: https://patch.msgid.link/20250628093813.647005-1-zhangjianrong5@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/thunderbolt.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
index 5966e36875de..6b184f6b7273 100644
--- a/drivers/net/thunderbolt.c
+++ b/drivers/net/thunderbolt.c
@@ -884,8 +884,12 @@ static int tbnet_open(struct net_device *dev)
netif_carrier_off(dev);
- ring = tb_ring_alloc_tx(xd->tb->nhi, -1, TBNET_RING_SIZE,
- RING_FLAG_FRAME);
+ flags = RING_FLAG_FRAME;
+ /* Only enable full E2E if the other end supports it too */
+ if (tbnet_e2e && net->svc->prtcstns & TBNET_E2E)
+ flags |= RING_FLAG_E2E;
+
+ ring = tb_ring_alloc_tx(xd->tb->nhi, -1, TBNET_RING_SIZE, flags);
if (!ring) {
netdev_err(dev, "failed to allocate Tx ring\n");
return -ENOMEM;
@@ -904,11 +908,6 @@ static int tbnet_open(struct net_device *dev)
sof_mask = BIT(TBIP_PDF_FRAME_START);
eof_mask = BIT(TBIP_PDF_FRAME_END);
- flags = RING_FLAG_FRAME;
- /* Only enable full E2E if the other end supports it too */
- if (tbnet_e2e && net->svc->prtcstns & TBNET_E2E)
- flags |= RING_FLAG_E2E;
-
ring = tb_ring_alloc_rx(xd->tb->nhi, -1, TBNET_RING_SIZE, flags,
net->tx_ring.ring->hop, sof_mask,
eof_mask, tbnet_start_poll, net);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 141/482] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 140/482] net: thunderbolt: Enable end-to-end flow control also in transmit Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 142/482] net: atlantic: add set_power to fw_ops for atl2 to fix wol Greg Kroah-Hartman
` (349 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mika Westerberg, zhangjianrong,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhangjianrong <zhangjianrong5@huawei.com>
[ Upstream commit 8ec31cb17cd355cea25cdb8496d9b3fbf1321647 ]
According to the description of tb_xdomain_enable_paths(), the third
parameter represents the transmit ring and the fifth parameter represents
the receive ring. tb_xdomain_disable_paths() is the same case.
[Jakub] Mika says: it works now because both rings ->hop is the same
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/20250625051149.GD2824380@black.fi.intel.com
Signed-off-by: zhangjianrong <zhangjianrong5@huawei.com>
Link: https://patch.msgid.link/20250628094920.656658-1-zhangjianrong5@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/thunderbolt.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
index 6b184f6b7273..ef13aa36e55e 100644
--- a/drivers/net/thunderbolt.c
+++ b/drivers/net/thunderbolt.c
@@ -386,9 +386,9 @@ static void tbnet_tear_down(struct tbnet *net, bool send_logout)
ret = tb_xdomain_disable_paths(net->xd,
net->local_transmit_path,
- net->rx_ring.ring->hop,
+ net->tx_ring.ring->hop,
net->remote_transmit_path,
- net->tx_ring.ring->hop);
+ net->rx_ring.ring->hop);
if (ret)
netdev_warn(net->dev, "failed to disable DMA paths\n");
@@ -637,9 +637,9 @@ static void tbnet_connected_work(struct work_struct *work)
goto err_free_rx_buffers;
ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path,
- net->rx_ring.ring->hop,
+ net->tx_ring.ring->hop,
net->remote_transmit_path,
- net->tx_ring.ring->hop);
+ net->rx_ring.ring->hop);
if (ret) {
netdev_err(net->dev, "failed to enable DMA paths\n");
goto err_free_tx_buffers;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 142/482] net: atlantic: add set_power to fw_ops for atl2 to fix wol
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 141/482] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 143/482] net: fec: allow disable coalescing Greg Kroah-Hartman
` (348 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Work, Igor Russkikh,
Jakub Kicinski, Sasha Levin, Mark Starovoitov, Dmitry Bogdanov,
Pavel Belous, Nikita Danilov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Work <work.eric@gmail.com>
[ Upstream commit fad9cf216597a71936ac87143d1618fbbcf97cbe ]
Aquantia AQC113(C) using ATL2FW doesn't properly prepare the NIC for
enabling wake-on-lan. The FW operation `set_power` was only implemented
for `hw_atl` and not `hw_atl2`. Implement the `set_power` functionality
for `hw_atl2`.
Tested with both AQC113 and AQC113C devices. Confirmed you can shutdown
the system and wake from S5 using magic packets. NIC was previously
powered off when entering S5. If the NIC was configured for WOL by the
Windows driver, loading the atlantic driver would disable WOL.
Partially cherry-picks changes from commit,
https://github.com/Aquantia/AQtion/commit/37bd5cc
Attributing original authors from Marvell for the referenced commit.
Closes: https://github.com/Aquantia/AQtion/issues/70
Co-developed-by: Igor Russkikh <irusskikh@marvell.com>
Co-developed-by: Mark Starovoitov <mstarovoitov@marvell.com>
Co-developed-by: Dmitry Bogdanov <dbogdanov@marvell.com>
Co-developed-by: Pavel Belous <pbelous@marvell.com>
Co-developed-by: Nikita Danilov <ndanilov@marvell.com>
Signed-off-by: Eric Work <work.eric@gmail.com>
Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
Link: https://patch.msgid.link/20250629051535.5172-1-work.eric@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/aquantia/atlantic/aq_hw.h | 2 +
.../atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
index dbd284660135..7f616abd3db2 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
@@ -113,6 +113,8 @@ struct aq_stats_s {
#define AQ_HW_POWER_STATE_D0 0U
#define AQ_HW_POWER_STATE_D3 3U
+#define AQ_FW_WAKE_ON_LINK_RTPM BIT(10)
+
#define AQ_HW_FLAG_STARTED 0x00000004U
#define AQ_HW_FLAG_STOPPING 0x00000008U
#define AQ_HW_FLAG_RESETTING 0x00000010U
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
index 58d426dda3ed..1c5c27a9f30d 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
@@ -462,6 +462,44 @@ static int aq_a2_fw_get_mac_temp(struct aq_hw_s *self, int *temp)
return aq_a2_fw_get_phy_temp(self, temp);
}
+static int aq_a2_fw_set_wol_params(struct aq_hw_s *self, const u8 *mac, u32 wol)
+{
+ struct mac_address_aligned_s mac_address;
+ struct link_control_s link_control;
+ struct wake_on_lan_s wake_on_lan;
+
+ memcpy(mac_address.aligned.mac_address, mac, ETH_ALEN);
+ hw_atl2_shared_buffer_write(self, mac_address, mac_address);
+
+ memset(&wake_on_lan, 0, sizeof(wake_on_lan));
+
+ if (wol & WAKE_MAGIC)
+ wake_on_lan.wake_on_magic_packet = 1U;
+
+ if (wol & (WAKE_PHY | AQ_FW_WAKE_ON_LINK_RTPM))
+ wake_on_lan.wake_on_link_up = 1U;
+
+ hw_atl2_shared_buffer_write(self, sleep_proxy, wake_on_lan);
+
+ hw_atl2_shared_buffer_get(self, link_control, link_control);
+ link_control.mode = AQ_HOST_MODE_SLEEP_PROXY;
+ hw_atl2_shared_buffer_write(self, link_control, link_control);
+
+ return hw_atl2_shared_buffer_finish_ack(self);
+}
+
+static int aq_a2_fw_set_power(struct aq_hw_s *self, unsigned int power_state,
+ const u8 *mac)
+{
+ u32 wol = self->aq_nic_cfg->wol;
+ int err = 0;
+
+ if (wol)
+ err = aq_a2_fw_set_wol_params(self, mac, wol);
+
+ return err;
+}
+
static int aq_a2_fw_set_eee_rate(struct aq_hw_s *self, u32 speed)
{
struct link_options_s link_options;
@@ -605,6 +643,7 @@ const struct aq_fw_ops aq_a2_fw_ops = {
.set_state = aq_a2_fw_set_state,
.update_link_status = aq_a2_fw_update_link_status,
.update_stats = aq_a2_fw_update_stats,
+ .set_power = aq_a2_fw_set_power,
.get_mac_temp = aq_a2_fw_get_mac_temp,
.get_phy_temp = aq_a2_fw_get_phy_temp,
.set_eee_rate = aq_a2_fw_set_eee_rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 143/482] net: fec: allow disable coalescing
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 142/482] net: atlantic: add set_power to fw_ops for atl2 to fix wol Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 144/482] drm/amd/display: Separate set_gsl from set_gsl_source_select Greg Kroah-Hartman
` (347 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Rebmann, Wei Fang,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Rebmann <jre@pengutronix.de>
[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ]
In the current implementation, IP coalescing is always enabled and
cannot be disabled.
As setting maximum frames to 0 or 1, or setting delay to zero implies
immediate delivery of single packets/IRQs, disable coalescing in
hardware in these cases.
This also guarantees that coalescing is never enabled with ICFT or ICTT
set to zero, a configuration that could lead to unpredictable behaviour
according to i.MX8MP reference manual.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
Reviewed-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------
1 file changed, 16 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 4a513dba8f53..d10db5d6d226 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -2831,27 +2831,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us)
static void fec_enet_itr_coal_set(struct net_device *ndev)
{
struct fec_enet_private *fep = netdev_priv(ndev);
- int rx_itr, tx_itr;
+ u32 rx_itr = 0, tx_itr = 0;
+ int rx_ictt, tx_ictt;
- /* Must be greater than zero to avoid unpredictable behavior */
- if (!fep->rx_time_itr || !fep->rx_pkts_itr ||
- !fep->tx_time_itr || !fep->tx_pkts_itr)
- return;
-
- /* Select enet system clock as Interrupt Coalescing
- * timer Clock Source
- */
- rx_itr = FEC_ITR_CLK_SEL;
- tx_itr = FEC_ITR_CLK_SEL;
+ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
+ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
- /* set ICFT and ICTT */
- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr));
- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr));
+ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) {
+ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
+ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
+ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
+ rx_itr |= FEC_ITR_ICTT(rx_ictt);
+ }
- rx_itr |= FEC_ITR_EN;
- tx_itr |= FEC_ITR_EN;
+ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) {
+ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
+ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
+ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
+ tx_itr |= FEC_ITR_ICTT(tx_ictt);
+ }
writel(tx_itr, fep->hwp + FEC_TXIC0);
writel(rx_itr, fep->hwp + FEC_RXIC0);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 144/482] drm/amd/display: Separate set_gsl from set_gsl_source_select
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 143/482] net: fec: allow disable coalescing Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 145/482] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Greg Kroah-Hartman
` (346 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nevenko Stupar, Ilya Bakoulin,
Ray Wu, Daniel Wheeler, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
[ Upstream commit 660a467a5e7366cd6642de61f1aaeaf0d253ee68 ]
[Why/How]
Separate the checks for set_gsl and set_gsl_source_select, since
source_select may not be implemented/necessary.
Reviewed-by: Nevenko Stupar <nevenko.stupar@amd.com>
Signed-off-by: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
index 81b1ab55338a..d8cf5f20ef3b 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
@@ -164,14 +164,13 @@ static void dcn20_setup_gsl_group_as_lock(
}
/* at this point we want to program whether it's to enable or disable */
- if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL &&
- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) {
+ if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL) {
pipe_ctx->stream_res.tg->funcs->set_gsl(
pipe_ctx->stream_res.tg,
&gsl);
-
- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
- pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
+ if (pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL)
+ pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
+ pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
} else
BREAK_TO_DEBUGGER();
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 145/482] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 144/482] drm/amd/display: Separate set_gsl from set_gsl_source_select Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 146/482] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Greg Kroah-Hartman
` (345 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Miri Korenblit,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ]
The 'index' variable in the rs_fill_link_cmd() function can reach
LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
variable is used as an index for the lq_cmd->rs_table array, which has a
size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.
Modify the condition of the inner loop to ensure that the 'index' variable
does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any
potential overflow issues.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
index 4b1f006c105b..2df93078cffe 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
@@ -2921,7 +2921,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv,
/* Repeat initial/next rate.
* For legacy IWL_NUMBER_TRY == 1, this loop will not execute.
* For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */
- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) {
+ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) {
if (is_legacy(tbl_type.lq_type)) {
if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE)
ant_toggle_cnt++;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 146/482] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 145/482] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 147/482] drm/amd/display: Fix failed to blank crtc! Greg Kroah-Hartman
` (344 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pagadala Yesu Anjaneyulu,
Miri Korenblit, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ]
Ensure descriptor is freed on error to avoid memory leak.
Signed-off-by: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
index 4c5dbd8248e7..20db79f34163 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
@@ -2786,6 +2786,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
struct iwl_fw_dump_desc *desc;
unsigned int delay = 0;
bool monitor_only = false;
+ int ret;
if (trigger) {
u16 occurrences = le16_to_cpu(trigger->occurrences) - 1;
@@ -2816,7 +2817,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
desc->trig_desc.type = cpu_to_le32(trig);
memcpy(desc->trig_desc.data, str, len);
- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
+ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
+ if (ret)
+ kfree(desc);
+
+ return ret;
}
IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 147/482] drm/amd/display: Fix failed to blank crtc!
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 146/482] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 148/482] wifi: mac80211: update radar_required in channel context after channel switch Greg Kroah-Hartman
` (343 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Wen Chen,
Fangzhi Zuo, Daniel Wheeler, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Chen <Wen.Chen3@amd.com>
[ Upstream commit 01f60348d8fb6b3fbcdfc7bdde5d669f95b009a4 ]
[why]
DCN35 is having “DC: failed to blank crtc!” when running HPO
test cases. It's caused by not having sufficient udelay time.
[how]
Replace the old wait_for_blank_complete function with fsleep function to
sleep just until the next frame should come up. This way it doesn't poll
in case the pixel clock or other clock was bugged or until vactive and
the vblank are hit again.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Wen Chen <Wen.Chen3@amd.com>
Signed-off-by: Fangzhi Zuo <jerry.zuo@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
index d8cf5f20ef3b..d252d10c8134 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
@@ -757,7 +757,7 @@ enum dc_status dcn20_enable_stream_timing(
return DC_ERROR_UNEXPECTED;
}
- hws->funcs.wait_for_blank_complete(pipe_ctx->stream_res.opp);
+ fsleep(stream->timing.v_total * (stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz));
params.vertical_total_min = stream->adjust.v_total_min;
params.vertical_total_max = stream->adjust.v_total_max;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 148/482] wifi: mac80211: update radar_required in channel context after channel switch
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 147/482] drm/amd/display: Fix failed to blank crtc! Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 149/482] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` Greg Kroah-Hartman
` (342 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramya Gnanasekar, Ramasamy Kaliappan,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
[ Upstream commit 140c6a61d83cbd85adba769b5ef8d61acfa5b392 ]
Currently, when a non-DFS channel is brought up and the bandwidth is
expanded from 80 MHz to 160 MHz, where the primary 80 MHz is non-DFS
and the secondary 80 MHz consists of DFS channels, radar detection
fails if radar occurs in the secondary 80 MHz.
When the channel is switched from 80 MHz to 160 MHz, with the primary
80 MHz being non-DFS and the secondary 80 MHz consisting of DFS
channels, the radar required flag in the channel switch parameters
is set to true. However, when using a reserved channel context,
it is not updated in sdata, which disables radar detection in the
secondary 80 MHz DFS channels.
Update the radar required flag in sdata to fix this issue when using
a reserved channel context.
Signed-off-by: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
Signed-off-by: Ramasamy Kaliappan <ramasamy.kaliappan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250608140324.1687117-1-ramasamy.kaliappan@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/chan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index f07e34bed8f3..648af67b8ec8 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -1308,6 +1308,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link)
goto out;
}
+ link->radar_required = link->reserved_radar_required;
list_move(&link->assigned_chanctx_list, &new_ctx->assigned_links);
rcu_assign_pointer(link_conf->chanctx_conf, &new_ctx->conf);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 149/482] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 148/482] wifi: mac80211: update radar_required in channel context after channel switch Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 150/482] powerpc: floppy: Add missing checks after DMA map Greg Kroah-Hartman
` (341 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ]
The function `_rtl_pci_init_one_rxdesc()` can fail even when the new
`skb` is passed because of a DMA mapping error. If it fails, the `skb`
is not saved in the rx ringbuffer and thus lost.
Compile tested only
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index b423caea2c58..f796b16eac53 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -803,13 +803,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
skb = new_skb;
no_new:
if (rtlpriv->use_new_trx_flow) {
- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
- rxring_idx,
- rtlpci->rx_ring[rxring_idx].idx);
+ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
+ rxring_idx,
+ rtlpci->rx_ring[rxring_idx].idx)) {
+ if (new_skb)
+ dev_kfree_skb_any(skb);
+ }
} else {
- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
- rxring_idx,
- rtlpci->rx_ring[rxring_idx].idx);
+ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
+ rxring_idx,
+ rtlpci->rx_ring[rxring_idx].idx)) {
+ if (new_skb)
+ dev_kfree_skb_any(skb);
+ }
if (rtlpci->rx_ring[rxring_idx].idx ==
rtlpci->rxringcount - 1)
rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 150/482] powerpc: floppy: Add missing checks after DMA map
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 149/482] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 151/482] netmem: fix skb_frag_address_safe with unreadable skbs Greg Kroah-Hartman
` (340 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit cf183c1730f2634245da35e9b5d53381b787d112 ]
The DMA map functions can fail and should be tested for errors.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250620075602.12575-1-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/floppy.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/include/asm/floppy.h b/arch/powerpc/include/asm/floppy.h
index f8ce178b43b7..34abf8bea2cc 100644
--- a/arch/powerpc/include/asm/floppy.h
+++ b/arch/powerpc/include/asm/floppy.h
@@ -144,9 +144,12 @@ static int hard_dma_setup(char *addr, unsigned long size, int mode, int io)
bus_addr = 0;
}
- if (!bus_addr) /* need to map it */
+ if (!bus_addr) { /* need to map it */
bus_addr = dma_map_single(&isa_bridge_pcidev->dev, addr, size,
dir);
+ if (dma_mapping_error(&isa_bridge_pcidev->dev, bus_addr))
+ return -ENOMEM;
+ }
/* remember this one as prev */
prev_addr = addr;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 151/482] netmem: fix skb_frag_address_safe with unreadable skbs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 150/482] powerpc: floppy: Add missing checks after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 152/482] wifi: iwlegacy: Check rate_idx range after addition Greg Kroah-Hartman
` (339 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ap420073, Mina Almasry,
Stanislav Fomichev, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mina Almasry <almasrymina@google.com>
[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ]
skb_frag_address_safe() needs a check that the
skb_frag_page exists check similar to skb_frag_address().
Cc: ap420073@gmail.com
Signed-off-by: Mina Almasry <almasrymina@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/skbuff.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 8014a335414e..9a04a188b9f8 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3495,7 +3495,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag)
*/
static inline void *skb_frag_address_safe(const skb_frag_t *frag)
{
- void *ptr = page_address(skb_frag_page(frag));
+ struct page *page = skb_frag_page(frag);
+ void *ptr;
+
+ if (!page)
+ return NULL;
+
+ ptr = page_address(page);
if (unlikely(!ptr))
return NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 152/482] wifi: iwlegacy: Check rate_idx range after addition
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 151/482] netmem: fix skb_frag_address_safe with unreadable skbs Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 153/482] neighbour: add support for NUD_PERMANENT proxy entries Greg Kroah-Hartman
` (338 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alexei Safin,
Stanislaw Gruszka, Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <stf_xl@wp.pl>
[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ]
Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case
the index is incorrect.
Reported-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reported-by: Alexei Safin <a.safin@rosa.ru>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Reviewed-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
index 78dee8ccfebf..1c22a29d20d6 100644
--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
@@ -1575,8 +1575,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
|| rate_idx > RATE_COUNT_LEGACY)
rate_idx = rate_lowest_index(&il->bands[info->band], sta);
/* For 5 GHZ band, remap mac80211 rate indices into driver indices */
- if (info->band == NL80211_BAND_5GHZ)
+ if (info->band == NL80211_BAND_5GHZ) {
rate_idx += IL_FIRST_OFDM_RATE;
+ if (rate_idx > IL_LAST_OFDM_RATE)
+ rate_idx = IL_LAST_OFDM_RATE;
+ }
/* Get PLCP rate for tx_cmd->rate_n_flags */
rate_plcp = il_rates[rate_idx].plcp;
/* Zero out flags for this packet */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 153/482] neighbour: add support for NUD_PERMANENT proxy entries
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 152/482] wifi: iwlegacy: Check rate_idx range after addition Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 154/482] dpaa_eth: dont use fixed_phy_change_carrier Greg Kroah-Hartman
` (337 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Escande, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Escande <nico.escande@gmail.com>
[ Upstream commit c7d78566bbd30544a0618a6ffbc97bc0ddac7035 ]
As discussesd before in [0] proxy entries (which are more configuration
than runtime data) should stay when the link (carrier) goes does down.
This is what happens for regular neighbour entries.
So lets fix this by:
- storing in proxy entries the fact that it was added as NUD_PERMANENT
- not removing NUD_PERMANENT proxy entries when the carrier goes down
(same as how it's done in neigh_flush_dev() for regular neigh entries)
[0]: https://lore.kernel.org/netdev/c584ef7e-6897-01f3-5b80-12b53f7b4bf4@kernel.org/
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250617141334.3724863-1-nico.escande@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/neighbour.h | 1 +
net/core/neighbour.c | 12 +++++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index ccc4a0f8b4ad..93aecfaa7628 100644
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -180,6 +180,7 @@ struct pneigh_entry {
netdevice_tracker dev_tracker;
u32 flags;
u8 protocol;
+ bool permanent;
u32 key[];
};
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index bcc3950638b9..92dc1f1788de 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -55,7 +55,8 @@ static void __neigh_notify(struct neighbour *n, int type, int flags,
u32 pid);
static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
- struct net_device *dev);
+ struct net_device *dev,
+ bool skip_perm);
#ifdef CONFIG_PROC_FS
static const struct seq_operations neigh_stat_seq_ops;
@@ -444,7 +445,7 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
{
write_lock_bh(&tbl->lock);
neigh_flush_dev(tbl, dev, skip_perm);
- pneigh_ifdown_and_unlock(tbl, dev);
+ pneigh_ifdown_and_unlock(tbl, dev, skip_perm);
pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL,
tbl->family);
if (skb_queue_empty_lockless(&tbl->proxy_queue))
@@ -845,7 +846,8 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
}
static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
- struct net_device *dev)
+ struct net_device *dev,
+ bool skip_perm)
{
struct pneigh_entry *n, **np, *freelist = NULL;
u32 h;
@@ -853,12 +855,15 @@ static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
for (h = 0; h <= PNEIGH_HASHMASK; h++) {
np = &tbl->phash_buckets[h];
while ((n = *np) != NULL) {
+ if (skip_perm && n->permanent)
+ goto skip;
if (!dev || n->dev == dev) {
*np = n->next;
n->next = freelist;
freelist = n;
continue;
}
+skip:
np = &n->next;
}
}
@@ -2023,6 +2028,7 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
pn = pneigh_lookup(tbl, net, dst, dev, 1);
if (pn) {
pn->flags = ndm_flags;
+ pn->permanent = !!(ndm->ndm_state & NUD_PERMANENT);
if (protocol)
pn->protocol = protocol;
err = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 154/482] dpaa_eth: dont use fixed_phy_change_carrier
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 153/482] neighbour: add support for NUD_PERMANENT proxy entries Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 155/482] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Greg Kroah-Hartman
` (336 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit d8155c1df5c8b717052567b188455d41fa7a8908 ]
This effectively reverts 6e8b0ff1ba4c ("dpaa_eth: Add change_carrier()
for Fixed PHYs"). Usage of fixed_phy_change_carrier() requires that
fixed_phy_register() has been called before, directly or indirectly.
And that's not the case in this driver.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/7eb189b3-d5fd-4be6-8517-a66671a4e4e3@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
index 6f5c22861dc9..5cf12c27553d 100644
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -27,7 +27,6 @@
#include <linux/percpu.h>
#include <linux/dma-mapping.h>
#include <linux/sort.h>
-#include <linux/phy_fixed.h>
#include <linux/bpf.h>
#include <linux/bpf_trace.h>
#include <soc/fsl/bman.h>
@@ -3179,7 +3178,6 @@ static const struct net_device_ops dpaa_ops = {
.ndo_stop = dpaa_eth_stop,
.ndo_tx_timeout = dpaa_tx_timeout,
.ndo_get_stats64 = dpaa_get_stats64,
- .ndo_change_carrier = fixed_phy_change_carrier,
.ndo_set_mac_address = dpaa_set_mac_address,
.ndo_validate_addr = eth_validate_addr,
.ndo_set_rx_mode = dpaa_set_rx_mode,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 155/482] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 154/482] dpaa_eth: dont use fixed_phy_change_carrier Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 156/482] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Greg Kroah-Hartman
` (335 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Loup A. Griffais, Vicki Pfau,
Alex Deucher, Mario Limonciello, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 2d1ec1e955414e8e8358178011c35afca1a1c0b1 ]
Several other ASICs allow printing OD SCLK levels without setting DPM
control to manual. When OD is disabled it will show the range the
hardware supports. When OD is enabled it will show what values have
been programmed. Adjust VanGogh to work the same.
Cc: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
Reported-by: Vicki Pfau <vi@endrift.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Link: https://lore.kernel.org/r/20250609031227.479079-1-superm1@kernel.org
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++++++++-----------
1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
index c9c0aa6376e3..e2fa0ee0dc92 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
@@ -681,7 +681,6 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
{
DpmClocks_t *clk_table = smu->smu_table.clocks_table;
SmuMetrics_t metrics;
- struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
int i, idx, size = 0, ret = 0;
uint32_t cur_value = 0, value = 0, count = 0;
bool cur_value_match_level = false;
@@ -697,31 +696,25 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
switch (clk_type) {
case SMU_OD_SCLK:
- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
- size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
- (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
- (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
- }
+ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
+ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+ (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
+ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+ (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
break;
case SMU_OD_CCLK:
- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
- size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
- (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
- (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
- }
+ size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
+ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+ (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
+ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+ (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
break;
case SMU_OD_RANGE:
- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
- size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
- size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
- smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
- size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
- smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
- }
+ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
+ size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
+ smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
+ size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
+ smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
break;
case SMU_SOCCLK:
/* the level 3 ~ 6 of socclk use the same frequency for vangogh */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 156/482] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 155/482] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 157/482] gve: Return error for unknown admin queue command Greg Kroah-Hartman
` (334 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Lazar, Dragos Tatulea,
Gal Pressman, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ]
When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these
helpers use BUG() unconditionally.
This code should not be reached, as callers of these functions should
always check for is_vlan_dev() first, but the usage of BUG() is not
recommended, replace it with WARN_ON() instead.
Reviewed-by: Alex Lazar <alazar@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/if_vlan.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 9f7dbbb34094..f4eb8dd7308a 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -253,19 +253,19 @@ vlan_for_each(struct net_device *dev,
static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev)
{
- BUG();
+ WARN_ON_ONCE(1);
return NULL;
}
static inline u16 vlan_dev_vlan_id(const struct net_device *dev)
{
- BUG();
+ WARN_ON_ONCE(1);
return 0;
}
static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev)
{
- BUG();
+ WARN_ON_ONCE(1);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 157/482] gve: Return error for unknown admin queue command
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 156/482] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 158/482] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Greg Kroah-Hartman
` (333 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit b11344f63fdd9e8c5121148a6965b41079071dd2 ]
In gve_adminq_issue_cmd(), return -EINVAL instead of 0 when an unknown
admin queue command opcode is encountered.
This prevents the function from silently succeeding on invalid input
and prevents undefined behavior by ensuring the function fails gracefully
when an unrecognized opcode is provided.
These changes improve error handling.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250616054504.1644770-2-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_adminq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c
index f7621ab672b9..32a9943432ac 100644
--- a/drivers/net/ethernet/google/gve/gve_adminq.c
+++ b/drivers/net/ethernet/google/gve/gve_adminq.c
@@ -409,6 +409,7 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv,
break;
default:
dev_err(&priv->pdev->dev, "unknown AQ command opcode %d\n", opcode);
+ return -EINVAL;
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 158/482] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 157/482] gve: Return error for unknown admin queue command Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 159/482] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Greg Kroah-Hartman
` (332 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ]
CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for
B53_PVLAN_PORT_MASK register.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 1a23fcc0445c..ecc887b5c8c0 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -507,6 +507,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port)
unsigned int i;
u16 pvlan;
+ /* BCM5325 CPU port is at 8 */
+ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25)
+ cpu_port = B53_CPU_PORT;
+
/* Enable the IMP port to be in the same VLAN as the other ports
* on a per-port basis such that we only have Port i and IMP in
* the same VLAN.
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 159/482] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 158/482] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 160/482] net: dsa: b53: prevent DIS_LEARNING " Greg Kroah-Hartman
` (331 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ]
BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should
avoid reading or writing it.
PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325
and we should use PORT_OVERRIDE_LP_FLOW_25 instead.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++----
drivers/net/dsa/b53/b53_regs.h | 1 +
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index ecc887b5c8c0..6bd7ed19ce28 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1167,6 +1167,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link)
if (port == dev->imp_port) {
off = B53_PORT_OVERRIDE_CTRL;
val = PORT_OVERRIDE_EN;
+ } else if (is5325(dev)) {
+ return;
} else {
off = B53_GMII_PORT_OVERRIDE_CTRL(port);
val = GMII_PO_EN;
@@ -1191,6 +1193,8 @@ static void b53_force_port_config(struct b53_device *dev, int port,
if (port == dev->imp_port) {
off = B53_PORT_OVERRIDE_CTRL;
val = PORT_OVERRIDE_EN;
+ } else if (is5325(dev)) {
+ return;
} else {
off = B53_GMII_PORT_OVERRIDE_CTRL(port);
val = GMII_PO_EN;
@@ -1221,10 +1225,19 @@ static void b53_force_port_config(struct b53_device *dev, int port,
return;
}
- if (rx_pause)
- reg |= PORT_OVERRIDE_RX_FLOW;
- if (tx_pause)
- reg |= PORT_OVERRIDE_TX_FLOW;
+ if (rx_pause) {
+ if (is5325(dev))
+ reg |= PORT_OVERRIDE_LP_FLOW_25;
+ else
+ reg |= PORT_OVERRIDE_RX_FLOW;
+ }
+
+ if (tx_pause) {
+ if (is5325(dev))
+ reg |= PORT_OVERRIDE_LP_FLOW_25;
+ else
+ reg |= PORT_OVERRIDE_TX_FLOW;
+ }
b53_write8(dev, B53_CTRL_PAGE, off, reg);
}
diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
index b2c539a42154..e5776545a8a0 100644
--- a/drivers/net/dsa/b53/b53_regs.h
+++ b/drivers/net/dsa/b53/b53_regs.h
@@ -92,6 +92,7 @@
#define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S)
#define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S)
#define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S)
+#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */
#define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */
#define PORT_OVERRIDE_RX_FLOW BIT(4)
#define PORT_OVERRIDE_TX_FLOW BIT(5)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 160/482] net: dsa: b53: prevent DIS_LEARNING access on BCM5325
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 159/482] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 161/482] net: dsa: b53: prevent SWITCH_CTRL " Greg Kroah-Hartman
` (330 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 800728abd9f83bda4de62a30ce62a8b41c242020 ]
BCM5325 doesn't implement DIS_LEARNING register so we should avoid reading
or writing it.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-10-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 6bd7ed19ce28..5bf390707505 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -561,6 +561,9 @@ static void b53_port_set_learning(struct b53_device *dev, int port,
{
u16 reg;
+ if (is5325(dev))
+ return;
+
b53_read16(dev, B53_CTRL_PAGE, B53_DIS_LEARNING, ®);
if (learning)
reg &= ~BIT(port);
@@ -2031,7 +2034,13 @@ int b53_br_flags_pre(struct dsa_switch *ds, int port,
struct switchdev_brport_flags flags,
struct netlink_ext_ack *extack)
{
- if (flags.mask & ~(BR_FLOOD | BR_MCAST_FLOOD | BR_LEARNING))
+ struct b53_device *dev = ds->priv;
+ unsigned long mask = (BR_FLOOD | BR_MCAST_FLOOD);
+
+ if (!is5325(dev))
+ mask |= BR_LEARNING;
+
+ if (flags.mask & ~mask)
return -EINVAL;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 161/482] net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 160/482] net: dsa: b53: prevent DIS_LEARNING " Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 162/482] ptp: Use ratelimite for freerun error message Greg Kroah-Hartman
` (329 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ]
BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading
or writing it.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 5bf390707505..3a1266f535e2 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -339,11 +339,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt);
- /* Include IMP port in dumb forwarding mode
- */
- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
- mgmt |= B53_MII_DUMB_FWDG_EN;
- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
+ if (!is5325(dev)) {
+ /* Include IMP port in dumb forwarding mode */
+ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
+ mgmt |= B53_MII_DUMB_FWDG_EN;
+ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
+ }
/* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
* frames should be flooded or not.
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 162/482] ptp: Use ratelimite for freerun error message
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 161/482] net: dsa: b53: prevent SWITCH_CTRL " Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 163/482] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Greg Kroah-Hartman
` (328 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit e9a7795e75b78b56997fb0070c18d6e1057b6462 ]
Replace pr_err() with pr_err_ratelimited() in ptp_clock_settime() to
prevent log flooding when the physical clock is free running, which
happens on some of my hosts. This ensures error messages are
rate-limited and improves kernel log readability.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250613-ptp-v1-1-ee44260ce9e2@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_clock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 642c939d4523..e6bcccf87cd6 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -79,7 +79,7 @@ static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp
struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
if (ptp_clock_freerun(ptp)) {
- pr_err("ptp: physical clock is free running\n");
+ pr_err_ratelimited("ptp: physical clock is free running\n");
return -EBUSY;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 163/482] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 162/482] ptp: Use ratelimite for freerun error message Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 164/482] ionic: clean dbpage in de-init Greg Kroah-Hartman
` (327 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 76b3e5078d76f0eeadb7aacf9845399f8473da0d ]
When `dma_mapping_error()` is true, if a new `skb` has been allocated,
then it must be de-allocated.
Compile tested only
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250613074014.69856-2-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index f796b16eac53..4029e4e590fa 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -573,8 +573,11 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw,
dma_map_single(&rtlpci->pdev->dev, skb_tail_pointer(skb),
rtlpci->rxbuffersize, DMA_FROM_DEVICE);
bufferaddress = *((dma_addr_t *)skb->cb);
- if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress))
+ if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) {
+ if (!new_skb)
+ kfree_skb(skb);
return 0;
+ }
rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb;
if (rtlpriv->use_new_trx_flow) {
/* skb->cb may be 64 bit address */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 164/482] ionic: clean dbpage in de-init
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 163/482] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 165/482] net: ncsi: Fix buffer overflow in fetching version id Greg Kroah-Hartman
` (326 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shannon Nelson, Simon Horman,
Joe Damato, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shannon Nelson <shannon.nelson@amd.com>
[ Upstream commit c9080abea1e69b8b1408ec7dec0acdfdc577a3e2 ]
Since the kern_dbpage gets set up in ionic_lif_init() and that
function's error path will clean it if needed, the kern_dbpage
on teardown should be cleaned in ionic_lif_deinit(), not in
ionic_lif_free(). As it is currently we get a double call
to iounmap() on kern_dbpage if the PCI ionic fails setting up
the lif. One example of this is when firmware isn't responding
to AdminQ requests and ionic's first AdminQ call fails to
setup the NotifyQ.
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Joe Damato <joe@dama.to>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index b746944bcd2a..7ed77a8304e6 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -3142,10 +3142,6 @@ void ionic_lif_free(struct ionic_lif *lif)
lif->info = NULL;
lif->info_pa = 0;
- /* unmap doorbell page */
- ionic_bus_unmap_dbpage(lif->ionic, lif->kern_dbpage);
- lif->kern_dbpage = NULL;
-
mutex_destroy(&lif->config_lock);
mutex_destroy(&lif->queue_lock);
@@ -3171,6 +3167,9 @@ void ionic_lif_deinit(struct ionic_lif *lif)
ionic_lif_qcq_deinit(lif, lif->notifyqcq);
ionic_lif_qcq_deinit(lif, lif->adminqcq);
+ ionic_bus_unmap_dbpage(lif->ionic, lif->kern_dbpage);
+ lif->kern_dbpage = NULL;
+
ionic_lif_reset(lif);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 165/482] net: ncsi: Fix buffer overflow in fetching version id
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 164/482] ionic: clean dbpage in de-init Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 166/482] drm/ttm: Should to return the evict error Greg Kroah-Hartman
` (325 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Kalavakunta, Paul Fertser,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ]
In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated while its size occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for null terminator.
Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ncsi/internal.h | 2 +-
net/ncsi/ncsi-rsp.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 2c260f33b55c..ad1f671ffc37 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
u8 update; /* NCSI version update */
char alpha1; /* NCSI version alpha1 */
char alpha2; /* NCSI version alpha2 */
- u8 fw_name[12]; /* Firmware name string */
+ u8 fw_name[12 + 1]; /* Firmware name string */
u32 fw_version; /* Firmware version */
u16 pci_ids[4]; /* PCI identification */
u32 mf_id; /* Manufacture ID */
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 8668888c5a2f..d5ed80731e89 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
ncv->alpha1 = rsp->alpha1;
ncv->alpha2 = rsp->alpha2;
memcpy(ncv->fw_name, rsp->fw_name, 12);
+ ncv->fw_name[12] = '\0';
ncv->fw_version = ntohl(rsp->fw_version);
for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 166/482] drm/ttm: Should to return the evict error
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 165/482] net: ncsi: Fix buffer overflow in fetching version id Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 167/482] uapi: in6: restore visibility of most IPv6 socket options Greg Kroah-Hartman
` (324 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emily Deng, Christian König,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emily Deng <Emily.Deng@amd.com>
[ Upstream commit 4e16a9a00239db5d819197b9a00f70665951bf50 ]
For the evict fail case, the evict error should be returned.
v2: Consider ENOENT case.
v3: Abort directly when the eviction failed for some reason (except for -ENOENT)
and not wait for the move to finish
Signed-off-by: Emily Deng <Emily.Deng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20250603091154.3472646-1-Emily.Deng@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/ttm/ttm_resource.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c
index 3287032a2f8e..ad3c398fc278 100644
--- a/drivers/gpu/drm/ttm/ttm_resource.c
+++ b/drivers/gpu/drm/ttm/ttm_resource.c
@@ -437,6 +437,9 @@ int ttm_resource_manager_evict_all(struct ttm_device *bdev,
}
spin_unlock(&bdev->lru_lock);
+ if (ret && ret != -ENOENT)
+ return ret;
+
spin_lock(&man->move_lock);
fence = dma_fence_get(man->move);
spin_unlock(&man->move_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 167/482] uapi: in6: restore visibility of most IPv6 socket options
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 6.1 166/482] drm/ttm: Should to return the evict error Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 168/482] selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Greg Kroah-Hartman
` (323 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ]
A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc")
hid the definitions of IPV6 options, because GCC was complaining
about duplicates. The commit did not list the warnings seen, but
trying to recreate them now I think they are (building iproute2):
In file included from ./include/uapi/rdma/rdma_user_cm.h:39,
from rdma.h:16,
from res.h:9,
from res-ctx.c:7:
../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined
171 | #define IPV6_ADD_MEMBERSHIP 20
| ^~~~~~~~~~~~~~~~~~~
In file included from /usr/include/netinet/in.h:37,
from rdma.h:13:
/usr/include/bits/in.h:233:10: note: this is the location of the previous definition
233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
| ^~~~~~~~~~~~~~~~~~~
../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined
172 | #define IPV6_DROP_MEMBERSHIP 21
| ^~~~~~~~~~~~~~~~~~~~
/usr/include/bits/in.h:234:10: note: this is the location of the previous definition
234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
| ^~~~~~~~~~~~~~~~~~~~
Compilers don't complain about redefinition if the defines
are identical, but here we have the kernel using the literal
value, and glibc using an indirection (defining to a name
of another define, with the same numerical value).
Problem is, the commit in question hid all the IPV6 socket
options, and glibc has a pretty sparse list. For instance
it lacks Flow Label related options. Willem called this out
in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"):
/* uapi/glibc weirdness may leave this undefined */
#ifndef IPV6_FLOWINFO
#define IPV6_FLOWINFO 11
#endif
More interestingly some applications (socat) use
a #ifdef IPV6_FLOWINFO to gate compilation of thier
rudimentary flow label support. (For added confusion
socat misspells it as IPV4_FLOWINFO in some places.)
Hide only the two defines we know glibc has a problem
with. If we discover more warnings we can hide more
but we should avoid covering the entire block of
defines for "IPV6 socket options".
Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/in6.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
index ff8d21f9e95b..5a47339ef7d7 100644
--- a/include/uapi/linux/in6.h
+++ b/include/uapi/linux/in6.h
@@ -152,7 +152,6 @@ struct in6_flowlabel_req {
/*
* IPV6 socket options
*/
-#if __UAPI_DEF_IPV6_OPTIONS
#define IPV6_ADDRFORM 1
#define IPV6_2292PKTINFO 2
#define IPV6_2292HOPOPTS 3
@@ -169,8 +168,10 @@ struct in6_flowlabel_req {
#define IPV6_MULTICAST_IF 17
#define IPV6_MULTICAST_HOPS 18
#define IPV6_MULTICAST_LOOP 19
+#if __UAPI_DEF_IPV6_OPTIONS
#define IPV6_ADD_MEMBERSHIP 20
#define IPV6_DROP_MEMBERSHIP 21
+#endif
#define IPV6_ROUTER_ALERT 22
#define IPV6_MTU_DISCOVER 23
#define IPV6_MTU 24
@@ -203,7 +204,6 @@ struct in6_flowlabel_req {
#define IPV6_IPSEC_POLICY 34
#define IPV6_XFRM_POLICY 35
#define IPV6_HDRINCL 36
-#endif
/*
* Multicast:
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 168/482] selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 167/482] uapi: in6: restore visibility of most IPv6 socket options Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 169/482] drm/ttm: Respect the shrinker core free target Greg Kroah-Hartman
` (322 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
[ Upstream commit bbc7bd658ddc662083639b9e9a280b90225ecd9a ]
The ringbuf max_entries must be PAGE_ALIGNED. See kernel function
ringbuf_map_alloc(). So for arm64 64KB page size, adjust max_entries
properly.
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20250607013626.1553001-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
index ca81d660eb96..5e88d37973c5 100644
--- a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+++ b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
@@ -23,8 +23,7 @@
static size_t log_buf_sz = 1 << 20; /* 1 MB */
static char obj_log_buf[1048576];
static const long c_sample_size = sizeof(struct sample) + BPF_RINGBUF_HDR_SZ;
-static const long c_ringbuf_size = 1 << 12; /* 1 small page */
-static const long c_max_entries = c_ringbuf_size / c_sample_size;
+static long c_ringbuf_size, c_max_entries;
static void drain_current_samples(void)
{
@@ -426,7 +425,9 @@ static void test_user_ringbuf_loop(void)
uint32_t remaining_samples = total_samples;
int err;
- BUILD_BUG_ON(total_samples <= c_max_entries);
+ if (!ASSERT_LT(c_max_entries, total_samples, "compare_c_max_entries"))
+ return;
+
err = load_skel_create_user_ringbuf(&skel, &ringbuf);
if (err)
return;
@@ -739,6 +740,9 @@ void test_user_ringbuf(void)
{
int i;
+ c_ringbuf_size = getpagesize(); /* 1 page */
+ c_max_entries = c_ringbuf_size / c_sample_size;
+
for (i = 0; i < ARRAY_SIZE(success_tests); i++) {
if (!test__start_subtest(success_tests[i].test_name))
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 169/482] drm/ttm: Respect the shrinker core free target
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 168/482] selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 170/482] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Greg Kroah-Hartman
` (321 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Christian König,
Thomas Hellström, Tvrtko Ursulin, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
[ Upstream commit eac21f8ebeb4f84d703cf41dc3f81d16fa9dc00a ]
Currently the TTM shrinker aborts shrinking as soon as it frees pages from
any of the page order pools and by doing so it can fail to respect the
freeing target which was configured by the shrinker core.
We use the wording "can fail" because the number of freed pages will
depend on the presence of pages in the pools and the order of the pools on
the LRU list. For example if there are no free pages in the high order
pools the shrinker core may require multiple passes over the TTM shrinker
before it will free the default target of 128 pages (assuming there are
free pages in the low order pools). This inefficiency can be compounded by
the pool LRU where multiple further calls into the TTM shrinker are
required to end up looking at the pool with pages.
Improve this by never freeing less than the shrinker core has requested.
At the same time we start reporting the number of scanned pages (freed in
this case), which prevents the core shrinker from giving up on the TTM
shrinker too soon and moving on.
v2:
* Simplify loop logic. (Christian)
* Improve commit message.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20250603112750.34997-2-tvrtko.ursulin@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/ttm/ttm_pool.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
index 393b97b4a991..a223208b83e0 100644
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -592,7 +592,6 @@ void ttm_pool_fini(struct ttm_pool *pool)
synchronize_shrinkers();
}
-/* As long as pages are available make sure to release at least one */
static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
struct shrink_control *sc)
{
@@ -600,9 +599,12 @@ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
do
num_freed += ttm_pool_shrink();
- while (!num_freed && atomic_long_read(&allocated_pages));
+ while (num_freed < sc->nr_to_scan &&
+ atomic_long_read(&allocated_pages));
- return num_freed;
+ sc->nr_scanned = num_freed;
+
+ return num_freed ?: SHRINK_STOP;
}
/* Return the number of pages available or SHRINK_EMPTY if we have none */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 170/482] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 169/482] drm/ttm: Respect the shrinker core free target Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 171/482] vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Greg Kroah-Hartman
` (320 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ]
BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 18 +++++++++++-------
drivers/net/dsa/b53/b53_regs.h | 1 +
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 3a1266f535e2..b0e283bc3efb 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -344,14 +344,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
mgmt |= B53_MII_DUMB_FWDG_EN;
b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
- }
- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
- * frames should be flooded or not.
- */
- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
+ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
+ * frames should be flooded or not.
+ */
+ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
+ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
+ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
+ } else {
+ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
+ mgmt |= B53_IP_MCAST_25;
+ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
+ }
}
static void b53_enable_vlan(struct b53_device *dev, int port, bool enable,
diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
index e5776545a8a0..77fb7ae660b8 100644
--- a/drivers/net/dsa/b53/b53_regs.h
+++ b/drivers/net/dsa/b53/b53_regs.h
@@ -104,6 +104,7 @@
/* IP Multicast control (8 bit) */
#define B53_IP_MULTICAST_CTRL 0x21
+#define B53_IP_MCAST_25 BIT(0)
#define B53_IPMC_FWD_EN BIT(1)
#define B53_UC_FWD_EN BIT(6)
#define B53_MC_FWD_EN BIT(7)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 171/482] vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 170/482] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 172/482] vhost: fail early when __vhost_add_used() fails Greg Kroah-Hartman
` (319 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Will Deacon,
Michael S. Tsirkin, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[ Upstream commit 03a92f036a04fed2b00d69f5f46f1a486e70dc5c ]
When allocating receive buffers for the vsock virtio RX virtqueue, an
SKB is allocated with a 4140 data payload (the 44-byte packet header +
VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE). Even when factoring in the SKB
overhead, the resulting 8KiB allocation thanks to the rounding in
kmalloc_reserve() is wasteful (~3700 unusable bytes) and results in a
higher-order page allocation on systems with 4KiB pages just for the
sake of a few hundred bytes of packet data.
Limit the vsock virtio RX buffers to 4KiB per SKB, resulting in much
better memory utilisation and removing the need to allocate higher-order
pages entirely.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-5-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_vsock.h | 7 ++++++-
net/vmw_vsock/virtio_transport.c | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h
index 3f9c16611306..689e9fc50e1b 100644
--- a/include/linux/virtio_vsock.h
+++ b/include/linux/virtio_vsock.h
@@ -110,7 +110,12 @@ static inline size_t virtio_vsock_skb_len(struct sk_buff *skb)
return (size_t)(skb_end_pointer(skb) - skb->head);
}
-#define VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE (1024 * 4)
+/* Dimension the RX SKB so that the entire thing fits exactly into
+ * a single 4KiB page. This avoids wasting memory due to alloc_skb()
+ * rounding up to the next page order and also means that we
+ * don't leave higher-order pages sitting around in the RX queue.
+ */
+#define VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE SKB_WITH_OVERHEAD(1024 * 4)
#define VIRTIO_VSOCK_MAX_BUF_SIZE 0xFFFFFFFFUL
#define VIRTIO_VSOCK_MAX_PKT_BUF_SIZE (1024 * 64)
diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
index 5434c9f11d28..e2cd69c127f9 100644
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -221,7 +221,7 @@ virtio_transport_cancel_pkt(struct vsock_sock *vsk)
static void virtio_vsock_rx_fill(struct virtio_vsock *vsock)
{
- int total_len = VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM;
+ int total_len = VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE;
struct scatterlist pkt, *p;
struct virtqueue *vq;
struct sk_buff *skb;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 172/482] vhost: fail early when __vhost_add_used() fails
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 171/482] vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 173/482] drm/amd/display: Only finalize atomic_obj if it was initialized Greg Kroah-Hartman
` (318 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eugenio Pérez, Jason Wang,
Michael S. Tsirkin, Lei Yang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ]
This patch fails vhost_add_used_n() early when __vhost_add_used()
fails to make sure used idx is not updated with stale used ring
information.
Reported-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20250714084755.11921-2-jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vhost.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 1b00ed5ef1cf..0db46b016004 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2426,6 +2426,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
}
r = __vhost_add_used_n(vq, heads, count);
+ if (r < 0)
+ return r;
+
/* Make sure buffer is written before we update index. */
smp_wmb();
if (vhost_put_used_idx(vq)) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 173/482] drm/amd/display: Only finalize atomic_obj if it was initialized
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 172/482] vhost: fail early when __vhost_add_used() fails Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 174/482] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Greg Kroah-Hartman
` (317 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Mario Limonciello,
Ivan Lipski, Daniel Wheeler, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit b174084b3fe15ad1acc69530e673c1535d2e4f85 ]
[Why]
If amdgpu_dm failed to initalize before amdgpu_dm_initialize_drm_device()
completed then freeing atomic_obj will lead to list corruption.
[How]
Check if atomic_obj state is initialized before trying to free.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 64f626cc7913..8cd88b2aa54c 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4638,7 +4638,8 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
static void amdgpu_dm_destroy_drm_device(struct amdgpu_display_manager *dm)
{
- drm_atomic_private_obj_fini(&dm->atomic_obj);
+ if (dm->atomic_obj.state)
+ drm_atomic_private_obj_fini(&dm->atomic_obj);
}
/******************************************************************************
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 174/482] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 173/482] drm/amd/display: Only finalize atomic_obj if it was initialized Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 175/482] cifs: Fix calling CIFSFindFirst() for root path without msearch Greg Kroah-Hartman
` (316 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Plattner, Timur Tabi,
Guenter Roeck, Wim Van Sebroeck, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Plattner <aplattner@nvidia.com>
[ Upstream commit 48defdf6b083f74a44e1f742db284960d3444aec ]
The MediaTek implementation of the sbsa_gwdt watchdog has a race
condition where a write to SBSA_GWDT_WRR is ignored if it occurs while
the hardware is processing a timeout refresh that asserts WS0.
Detect this based on the hardware implementer and adjust
wdd->min_hw_heartbeat_ms to avoid the race by forcing the keepalive ping
to be one second later.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Acked-by: Timur Tabi <ttabi@nvidia.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250721230640.2244915-1-aplattner@nvidia.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/sbsa_gwdt.c | 50 +++++++++++++++++++++++++++++++++---
1 file changed, 47 insertions(+), 3 deletions(-)
diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c
index 7bf28545b47a..f07ffc7b8312 100644
--- a/drivers/watchdog/sbsa_gwdt.c
+++ b/drivers/watchdog/sbsa_gwdt.c
@@ -76,11 +76,17 @@
#define SBSA_GWDT_VERSION_MASK 0xF
#define SBSA_GWDT_VERSION_SHIFT 16
+#define SBSA_GWDT_IMPL_MASK 0x7FF
+#define SBSA_GWDT_IMPL_SHIFT 0
+#define SBSA_GWDT_IMPL_MEDIATEK 0x426
+
/**
* struct sbsa_gwdt - Internal representation of the SBSA GWDT
* @wdd: kernel watchdog_device structure
* @clk: store the System Counter clock frequency, in Hz.
* @version: store the architecture version
+ * @need_ws0_race_workaround:
+ * indicate whether to adjust wdd->timeout to avoid a race with WS0
* @refresh_base: Virtual address of the watchdog refresh frame
* @control_base: Virtual address of the watchdog control frame
*/
@@ -88,6 +94,7 @@ struct sbsa_gwdt {
struct watchdog_device wdd;
u32 clk;
int version;
+ bool need_ws0_race_workaround;
void __iomem *refresh_base;
void __iomem *control_base;
};
@@ -162,6 +169,31 @@ static int sbsa_gwdt_set_timeout(struct watchdog_device *wdd,
*/
sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt);
+ /*
+ * Some watchdog hardware has a race condition where it will ignore
+ * sbsa_gwdt_keepalive() if it is called at the exact moment that a
+ * timeout occurs and WS0 is being asserted. Unfortunately, the default
+ * behavior of the watchdog core is very likely to trigger this race
+ * when action=0 because it programs WOR to be half of the desired
+ * timeout, and watchdog_next_keepalive() chooses the exact same time to
+ * send keepalive pings.
+ *
+ * This triggers a race where sbsa_gwdt_keepalive() can be called right
+ * as WS0 is being asserted, and affected hardware will ignore that
+ * write and continue to assert WS0. After another (timeout / 2)
+ * seconds, the same race happens again. If the driver wins then the
+ * explicit refresh will reset WS0 to false but if the hardware wins,
+ * then WS1 is asserted and the system resets.
+ *
+ * Avoid the problem by scheduling keepalive heartbeats one second later
+ * than the WOR timeout.
+ *
+ * This workaround might not be needed in a future revision of the
+ * hardware.
+ */
+ if (gwdt->need_ws0_race_workaround)
+ wdd->min_hw_heartbeat_ms = timeout * 500 + 1000;
+
return 0;
}
@@ -203,12 +235,15 @@ static int sbsa_gwdt_keepalive(struct watchdog_device *wdd)
static void sbsa_gwdt_get_version(struct watchdog_device *wdd)
{
struct sbsa_gwdt *gwdt = watchdog_get_drvdata(wdd);
- int ver;
+ int iidr, ver, impl;
- ver = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
- ver = (ver >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
+ iidr = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
+ ver = (iidr >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
+ impl = (iidr >> SBSA_GWDT_IMPL_SHIFT) & SBSA_GWDT_IMPL_MASK;
gwdt->version = ver;
+ gwdt->need_ws0_race_workaround =
+ !action && (impl == SBSA_GWDT_IMPL_MEDIATEK);
}
static int sbsa_gwdt_start(struct watchdog_device *wdd)
@@ -300,6 +335,15 @@ static int sbsa_gwdt_probe(struct platform_device *pdev)
else
wdd->max_hw_heartbeat_ms = GENMASK_ULL(47, 0) / gwdt->clk * 1000;
+ if (gwdt->need_ws0_race_workaround) {
+ /*
+ * A timeout of 3 seconds means that WOR will be set to 1.5
+ * seconds and the heartbeat will be scheduled every 2.5
+ * seconds.
+ */
+ wdd->min_timeout = 3;
+ }
+
status = readl(cf_base + SBSA_GWDT_WCS);
if (status & SBSA_GWDT_WCS_WS1) {
dev_warn(dev, "System reset by WDT.\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 175/482] cifs: Fix calling CIFSFindFirst() for root path without msearch
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 174/482] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 176/482] fbdev: fix potential buffer overflow in do_register_framebuffer() Greg Kroah-Hartman
` (315 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Steve French,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ]
To query root path (without msearch wildcard) it is needed to
send pattern '\' instead of '' (empty string).
This allows to use CIFSFindFirst() to query information about root path
which is being used in followup changes.
This change fixes the stat() syscall called on the root path on the mount.
It is because stat() syscall uses the cifs_query_path_info() function and
it can fallback to the CIFSFindFirst() usage with msearch=false.
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/cifssmb.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index 0c6ade196894..49d772683004 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -3933,6 +3933,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
pSMB->FileName[name_len] = 0;
pSMB->FileName[name_len+1] = 0;
name_len += 2;
+ } else if (!searchName[0]) {
+ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
+ pSMB->FileName[1] = 0;
+ pSMB->FileName[2] = 0;
+ pSMB->FileName[3] = 0;
+ name_len = 4;
}
} else {
name_len = copy_path_name(pSMB->FileName, searchName);
@@ -3944,6 +3950,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
pSMB->FileName[name_len] = '*';
pSMB->FileName[name_len+1] = 0;
name_len += 2;
+ } else if (!searchName[0]) {
+ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
+ pSMB->FileName[1] = 0;
+ name_len = 2;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 176/482] fbdev: fix potential buffer overflow in do_register_framebuffer()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 175/482] cifs: Fix calling CIFSFindFirst() for root path without msearch Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 177/482] crypto: hisilicon/hpre - fix dma unmap sequence Greg Kroah-Hartman
` (314 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongzhen Zhang, Helge Deller,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongzhen Zhang <zhangyongzhen@kylinos.cn>
[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ]
The current implementation may lead to buffer overflow when:
1. Unregistration creates NULL gaps in registered_fb[]
2. All array slots become occupied despite num_registered_fb < FB_MAX
3. The registration loop exceeds array bounds
Add boundary check to prevent registered_fb[FB_MAX] access.
Signed-off-by: Yongzhen Zhang <zhangyongzhen@kylinos.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbmem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index f8c32c58b5b2..5128ffed6a23 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1549,6 +1549,9 @@ static int do_register_framebuffer(struct fb_info *fb_info)
if (!registered_fb[i])
break;
+ if (i >= FB_MAX)
+ return -ENXIO;
+
if (!fb_info->modelist.prev || !fb_info->modelist.next)
INIT_LIST_HEAD(&fb_info->modelist);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 177/482] crypto: hisilicon/hpre - fix dma unmap sequence
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 176/482] fbdev: fix potential buffer overflow in do_register_framebuffer() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 178/482] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Greg Kroah-Hartman
` (313 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiqi Song, Chenghai Huang,
Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiqi Song <songzhiqi1@huawei.com>
[ Upstream commit 982fd1a74de63c388c060e4fa6f7fbd088d6d02e ]
Perform DMA unmapping operations before processing data.
Otherwise, there may be unsynchronized data accessed by
the CPU when the SWIOTLB is enabled.
Signed-off-by: Zhiqi Song <songzhiqi1@huawei.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
index ef02dadd6217..541f5eb76b6e 100644
--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
@@ -1461,11 +1461,13 @@ static void hpre_ecdh_cb(struct hpre_ctx *ctx, void *resp)
if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+ /* Do unmap before data processing */
+ hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+
p = sg_virt(areq->dst);
memmove(p, p + ctx->key_sz - curve_sz, curve_sz);
memmove(p + curve_sz, p + areq->dst_len - curve_sz, curve_sz);
- hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
kpp_request_complete(areq, ret);
atomic64_inc(&dfx[HPRE_RECV_CNT].value);
@@ -1769,9 +1771,11 @@ static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp)
if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+ /* Do unmap before data processing */
+ hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+
hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE);
- hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
kpp_request_complete(areq, ret);
atomic64_inc(&dfx[HPRE_RECV_CNT].value);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 178/482] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 177/482] crypto: hisilicon/hpre - fix dma unmap sequence Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 179/482] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Greg Kroah-Hartman
` (312 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+544248a761451c0df72f,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ]
A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
when an inode had the INLINE_DATA_FL flag set but was missing the
system.data extended attribute.
Since this can happen due to a maiciouly fuzzed file system, we
shouldn't BUG, but rather, report it as a corrupted file system.
Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii
ext4_create_inline_data() and ext4_inline_data_truncate().
Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inline.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 312be3d7cfb3..af2d6e92cb7f 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -299,7 +299,11 @@ static int ext4_create_inline_data(handle_t *handle,
if (error)
goto out;
- BUG_ON(!is.s.not_found);
+ if (!is.s.not_found) {
+ EXT4_ERROR_INODE(inode, "unexpected inline data xattr");
+ error = -EFSCORRUPTED;
+ goto out;
+ }
error = ext4_xattr_ibody_set(handle, inode, &i, &is);
if (error) {
@@ -350,7 +354,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
if (error)
goto out;
- BUG_ON(is.s.not_found);
+ if (is.s.not_found) {
+ EXT4_ERROR_INODE(inode, "missing inline data xattr");
+ error = -EFSCORRUPTED;
+ goto out;
+ }
len -= EXT4_MIN_INLINE_DATA_SIZE;
value = kzalloc(len, GFP_NOFS);
@@ -2002,7 +2010,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0)
goto out_error;
- BUG_ON(is.s.not_found);
+ if (is.s.not_found) {
+ EXT4_ERROR_INODE(inode,
+ "missing inline data xattr");
+ err = -EFSCORRUPTED;
+ goto out_error;
+ }
value_len = le32_to_cpu(is.s.here->e_value_size);
value = kmalloc(value_len, GFP_NOFS);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 179/482] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 178/482] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 180/482] fs/orangefs: use snprintf() instead of sprintf() Greg Kroah-Hartman
` (311 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Showrya M N, Potnuri Bharat Teja,
Chris Leech, Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Showrya M N <showrya@chelsio.com>
[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ]
In case of an ib_fast_reg_mr allocation failure during iSER setup, the
machine hits a panic because iscsi_conn->dd_data is initialized
unconditionally, even when no memory is allocated (dd_size == 0). This
leads invalid pointer dereference during connection teardown.
Fix by setting iscsi_conn->dd_data only if memory is actually allocated.
Panic trace:
------------
iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
BUG: unable to handle page fault for address: fffffffffffffff8
RIP: 0010:swake_up_locked.part.5+0xa/0x40
Call Trace:
complete+0x31/0x40
iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
? netlink_lookup+0x12f/0x1b0
? netlink_deliver_tap+0x2c/0x200
netlink_unicast+0x1ab/0x280
netlink_sendmsg+0x257/0x4f0
? _copy_from_user+0x29/0x60
sock_sendmsg+0x5f/0x70
Signed-off-by: Showrya M N <showrya@chelsio.com>
Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libiscsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 6e811d753cb1..ee4e3feedd10 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -3184,7 +3184,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size,
return NULL;
conn = cls_conn->dd_data;
- conn->dd_data = cls_conn->dd_data + sizeof(*conn);
+ if (dd_size)
+ conn->dd_data = cls_conn->dd_data + sizeof(*conn);
conn->session = session;
conn->cls_conn = cls_conn;
conn->c_stage = ISCSI_CONN_INITIAL_STAGE;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 180/482] fs/orangefs: use snprintf() instead of sprintf()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 179/482] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 181/482] watchdog: dw_wdt: Fix default timeout Greg Kroah-Hartman
` (310 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amir Mohammad Jahangirzad,
Mike Marshall, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ]
sprintf() is discouraged for use with bounded destination buffers
as it does not prevent buffer overflows when the formatted output
exceeds the destination buffer size. snprintf() is a safer
alternative as it limits the number of bytes written and ensures
NUL-termination.
Replace sprintf() with snprintf() for copying the debug string
into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as
the maximum size to ensure safe formatting and prevent memory
corruption in edge cases.
EDIT: After this patch sat on linux-next for a few days, Dan
Carpenter saw it and suggested that I use scnprintf instead of
snprintf. I made the change and retested.
Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index b57140ebfad0..cd4bfd92ebd6 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file,
goto out;
mutex_lock(&orangefs_debug_lock);
- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data);
+ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data);
mutex_unlock(&orangefs_debug_lock);
read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 181/482] watchdog: dw_wdt: Fix default timeout
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 180/482] fs/orangefs: use snprintf() instead of sprintf() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 182/482] hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Greg Kroah-Hartman
` (309 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ]
The Synopsys Watchdog driver sets the default timeout to 30 seconds,
but on some devices this is not a valid timeout. E.g. on RK3588 the
actual timeout being used is 44 seconds instead.
Once the watchdog is started the value is updated accordingly, but
it would be better to expose a sensible timeout to userspace without
the need to first start the watchdog.
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/dw_wdt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c
index 61af5d1332ac..e3e09dc38c65 100644
--- a/drivers/watchdog/dw_wdt.c
+++ b/drivers/watchdog/dw_wdt.c
@@ -658,6 +658,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev)
} else {
wdd->timeout = DW_WDT_DEFAULT_SECONDS;
watchdog_init_timeout(wdd, 0, dev);
+ /* Limit timeout value to hardware constraints. */
+ dw_wdt_set_timeout(wdd, wdd->timeout);
}
platform_set_drvdata(pdev, dw_wdt);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 182/482] hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 181/482] watchdog: dw_wdt: Fix default timeout Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 183/482] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Greg Kroah-Hartman
` (308 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florin Leotescu, Guenter Roeck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florin Leotescu <florin.leotescu@nxp.com>
[ Upstream commit 0429415a084a15466e87d504e8c2a502488184a5 ]
Prevent the PWM value from being set to minimum when thermal zone
temperature exceeds any trip point during driver probe. Otherwise, the
PWM fan speed will remains at minimum speed and not respond to
temperature changes.
Signed-off-by: Florin Leotescu <florin.leotescu@nxp.com>
Link: https://lore.kernel.org/r/20250603113125.3175103-5-florin.leotescu@oss.nxp.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/emc2305.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c
index e42ae43f3de4..286582e99c28 100644
--- a/drivers/hwmon/emc2305.c
+++ b/drivers/hwmon/emc2305.c
@@ -301,6 +301,12 @@ static int emc2305_set_single_tz(struct device *dev, int idx)
dev_err(dev, "Failed to register cooling device %s\n", emc2305_fan_name[idx]);
return PTR_ERR(data->cdev_data[cdev_idx].cdev);
}
+
+ if (data->cdev_data[cdev_idx].cur_state > 0)
+ /* Update pwm when temperature is above trips */
+ pwm = EMC2305_PWM_STATE2DUTY(data->cdev_data[cdev_idx].cur_state,
+ data->max_state, EMC2305_FAN_MAX);
+
/* Set minimal PWM speed. */
if (data->pwm_separate) {
ret = emc2305_set_pwm(dev, pwm, cdev_idx);
@@ -314,10 +320,10 @@ static int emc2305_set_single_tz(struct device *dev, int idx)
}
}
data->cdev_data[cdev_idx].cur_state =
- EMC2305_PWM_DUTY2STATE(data->pwm_min[cdev_idx], data->max_state,
+ EMC2305_PWM_DUTY2STATE(pwm, data->max_state,
EMC2305_FAN_MAX);
data->cdev_data[cdev_idx].last_hwmon_state =
- EMC2305_PWM_DUTY2STATE(data->pwm_min[cdev_idx], data->max_state,
+ EMC2305_PWM_DUTY2STATE(pwm, data->max_state,
EMC2305_FAN_MAX);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 183/482] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 182/482] hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 184/482] watchdog: iTCO_wdt: Report error if timeout configuration fails Greg Kroah-Hartman
` (307 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Thomas Bogendoerfer,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ]
These functions are exported but their prototypes are not defined.
This patch adds the missing function prototypes to fix the following
compilation warnings:
arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes]
180 | void *vpe_alloc(void)
| ^~~~~~~~~
arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes]
198 | int vpe_start(void *vpe, unsigned long start)
| ^~~~~~~~~
arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes]
208 | int vpe_stop(void *vpe)
| ^~~~~~~~
arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes]
229 | int vpe_free(void *vpe)
| ^~~~~~~~
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/include/asm/vpe.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h
index baa949a744cb..babbe8742b81 100644
--- a/arch/mips/include/asm/vpe.h
+++ b/arch/mips/include/asm/vpe.h
@@ -124,4 +124,12 @@ void cleanup_tc(struct tc *tc);
int __init vpe_module_init(void);
void __exit vpe_module_exit(void);
+
+#ifdef CONFIG_MIPS_VPE_LOADER_MT
+void *vpe_alloc(void);
+int vpe_start(void *vpe, unsigned long start);
+int vpe_stop(void *vpe);
+int vpe_free(void *vpe);
+#endif /* CONFIG_MIPS_VPE_LOADER_MT */
+
#endif /* _ASM_VPE_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 184/482] watchdog: iTCO_wdt: Report error if timeout configuration fails
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 183/482] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 185/482] scsi: bfa: Double-free fix Greg Kroah-Hartman
` (306 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ziyan Fu, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyan Fu <fuzy5@lenovo.com>
[ Upstream commit 40efc43eb7ffb5a4e2f998c13b8cfb555e671b92 ]
The driver probes with the invalid timeout value when
'iTCO_wdt_set_timeout()' fails, as its return value is not checked. In
this case, when executing "wdctl", we may get:
Device: /dev/watchdog0
Timeout: 30 seconds
Timeleft: 613 seconds
The timeout value is the value of "heartbeat" or "WATCHDOG_TIMEOUT", and
the timeleft value is calculated from the register value we actually read
(0xffff) by masking with 0x3ff and converting ticks to seconds (* 6 / 10).
Add error handling to return the failure code if 'iTCO_wdt_set_timeout()'
fails, ensuring the driver probe fails and prevents invalid operation.
Signed-off-by: Ziyan Fu <fuzy5@lenovo.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250704073518.7838-1-13281011316@163.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/iTCO_wdt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c
index 35ae40b35f55..75fb7cf7325b 100644
--- a/drivers/watchdog/iTCO_wdt.c
+++ b/drivers/watchdog/iTCO_wdt.c
@@ -601,7 +601,11 @@ static int iTCO_wdt_probe(struct platform_device *pdev)
/* Check that the heartbeat value is within it's range;
if not reset to the default */
if (iTCO_wdt_set_timeout(&p->wddev, heartbeat)) {
- iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
+ ret = iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
+ if (ret != 0) {
+ dev_err(dev, "Failed to set watchdog timeout (%d)\n", WATCHDOG_TIMEOUT);
+ return ret;
+ }
dev_info(dev, "timeout value out of range, using %d\n",
WATCHDOG_TIMEOUT);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 185/482] scsi: bfa: Double-free fix
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 184/482] watchdog: iTCO_wdt: Report error if timeout configuration fails Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 186/482] jfs: truncate good inode pages when hard link is 0 Greg Kroah-Hartman
` (305 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, jackysliu, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: jackysliu <1972843537@qq.com>
[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ]
When the bfad_im_probe() function fails during initialization, the memory
pointed to by bfad->im is freed without setting bfad->im to NULL.
Subsequently, during driver uninstallation, when the state machine enters
the bfad_sm_stopping state and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again, thereby
triggering a double-free vulnerability.
Set bfad->im to NULL if probing fails.
Signed-off-by: jackysliu <1972843537@qq.com>
Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/bfa/bfad_im.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index c335f7a188d2..8f2bd0a6a08c 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)
if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
kfree(im);
+ bfad->im = NULL;
return BFA_STATUS_FAILED;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 186/482] jfs: truncate good inode pages when hard link is 0
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 185/482] scsi: bfa: Double-free fix Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 187/482] jfs: Regular file corruption check Greg Kroah-Hartman
` (304 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6e516bb515d93230bc7b,
Lizhi Xu, Dave Kleikamp, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ]
The fileset value of the inode copy from the disk by the reproducer is
AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its
inode pages are not truncated. This causes the bugon to be triggered when
executing clear_inode() because nrpages is greater than 0.
Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
index d1ec920aa030..d41891bb617a 100644
--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode)
if (!inode->i_nlink && !is_bad_inode(inode)) {
dquot_initialize(inode);
+ truncate_inode_pages_final(&inode->i_data);
if (JFS_IP(inode)->fileset == FILESYSTEM_I) {
struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap;
- truncate_inode_pages_final(&inode->i_data);
if (test_cflag(COMMIT_Freewmap, inode))
jfs_free_zero_link(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 187/482] jfs: Regular file corruption check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 186/482] jfs: truncate good inode pages when hard link is 0 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 188/482] jfs: upper bound check of tree index in dbAllocAG Greg Kroah-Hartman
` (303 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+630f6d40b3ccabc8e96e,
Edward Adam Davis, Dave Kleikamp, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ]
The reproducer builds a corrupted file on disk with a negative i_size value.
Add a check when opening this file to avoid subsequent operation failures.
Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e
Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/file.c b/fs/jfs/file.c
index 332dc9ac47a9..ae8df3d11663 100644
--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file)
{
int rc;
+ if (S_ISREG(inode->i_mode) && inode->i_size < 0)
+ return -EIO;
+
if ((rc = dquot_file_open(inode, file)))
return rc;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 188/482] jfs: upper bound check of tree index in dbAllocAG
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 187/482] jfs: Regular file corruption check Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 189/482] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO Greg Kroah-Hartman
` (302 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+cffd18309153948f3c3e,
Arnaud Lecomte, Dave Kleikamp, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaud Lecomte <contact@arnaud-lcm.com>
[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ]
When computing the tree index in dbAllocAG, we never check if we are
out of bounds realative to the size of the stree.
This could happen in a scenario where the filesystem metadata are
corrupted.
Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index c761291f59ac..277f3175477f 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1389,6 +1389,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
(1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
+ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
+ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
+ release_metapage(mp);
+ return -EIO;
+ }
+
/* dmap control page trees fan-out by 4 and a single allocation
* group may be described by 1 or 2 subtrees within the ag level
* dmap control page, depending upon the ag size. examine the ag's
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 189/482] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 188/482] jfs: upper bound check of tree index in dbAllocAG Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 190/482] MIPS: lantiq: falcon: sysctrl: fix request memory check logic Greg Kroah-Hartman
` (301 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, David Gow,
Huacai Chen, Thomas Bogendoerfer, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ]
Not all tasks have an ABI associated or vDSO mapped,
for example kthreads never do.
If such a task ever ends up calling stack_top(), it will derefence the
NULL ABI pointer and crash.
This can for example happen when using kunit:
mips_stack_top+0x28/0xc0
arch_pick_mmap_layout+0x190/0x220
kunit_vm_mmap_init+0xf8/0x138
__kunit_add_resource+0x40/0xa8
kunit_vm_mmap+0x88/0xd8
usercopy_test_init+0xb8/0x240
kunit_try_run_case+0x5c/0x1a8
kunit_generic_run_threadfn_adapter+0x28/0x50
kthread+0x118/0x240
ret_from_kernel_thread+0x14/0x1c
Only dereference the ABI point if it is set.
The GIC page is also included as it is specific to the vDSO.
Also move the randomization adjustment into the same conditional.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: David Gow <davidgow@google.com>
Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/kernel/process.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 17d80e2f2e4c..86deab01c578 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -690,18 +690,20 @@ unsigned long mips_stack_top(void)
}
/* Space for the VDSO, data page & GIC user page */
- top -= PAGE_ALIGN(current->thread.abi->vdso->size);
- top -= PAGE_SIZE;
- top -= mips_gic_present() ? PAGE_SIZE : 0;
+ if (current->thread.abi) {
+ top -= PAGE_ALIGN(current->thread.abi->vdso->size);
+ top -= PAGE_SIZE;
+ top -= mips_gic_present() ? PAGE_SIZE : 0;
+
+ /* Space to randomize the VDSO base */
+ if (current->flags & PF_RANDOMIZE)
+ top -= VDSO_RANDOMIZE_SIZE;
+ }
/* Space for cache colour alignment */
if (cpu_has_dc_aliases)
top -= shm_align_mask + 1;
- /* Space to randomize the VDSO base */
- if (current->flags & PF_RANDOMIZE)
- top -= VDSO_RANDOMIZE_SIZE;
-
return top;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 190/482] MIPS: lantiq: falcon: sysctrl: fix request memory check logic
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 189/482] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 191/482] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Greg Kroah-Hartman
` (300 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Thomas Bogendoerfer,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit 9c9a7ff9882fc6ba7d2f4050697e8bb80383e8dc ]
request_mem_region() will return NULL instead of error code
when the memory request fails. Therefore, we should check if
the return value is non-zero instead of less than zero. In
this way, this patch also fixes the build warnings:
arch/mips/lantiq/falcon/sysctrl.c:214:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
214 | res_status.name) < 0) ||
| ^
arch/mips/lantiq/falcon/sysctrl.c:216:47: error: ordered comparison of pointer with integer zero [-Werror=extra]
216 | res_ebu.name) < 0) ||
| ^
arch/mips/lantiq/falcon/sysctrl.c:219:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
219 | res_sys[0].name) < 0) ||
| ^
arch/mips/lantiq/falcon/sysctrl.c:222:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
222 | res_sys[1].name) < 0) ||
| ^
arch/mips/lantiq/falcon/sysctrl.c:225:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
225 | res_sys[2].name) < 0))
|
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/lantiq/falcon/sysctrl.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c
index 1187729d8cbb..357543996ee6 100644
--- a/arch/mips/lantiq/falcon/sysctrl.c
+++ b/arch/mips/lantiq/falcon/sysctrl.c
@@ -214,19 +214,16 @@ void __init ltq_soc_init(void)
of_node_put(np_syseth);
of_node_put(np_sysgpe);
- if ((request_mem_region(res_status.start, resource_size(&res_status),
- res_status.name) < 0) ||
- (request_mem_region(res_ebu.start, resource_size(&res_ebu),
- res_ebu.name) < 0) ||
- (request_mem_region(res_sys[0].start,
- resource_size(&res_sys[0]),
- res_sys[0].name) < 0) ||
- (request_mem_region(res_sys[1].start,
- resource_size(&res_sys[1]),
- res_sys[1].name) < 0) ||
- (request_mem_region(res_sys[2].start,
- resource_size(&res_sys[2]),
- res_sys[2].name) < 0))
+ if ((!request_mem_region(res_status.start, resource_size(&res_status),
+ res_status.name)) ||
+ (!request_mem_region(res_ebu.start, resource_size(&res_ebu),
+ res_ebu.name)) ||
+ (!request_mem_region(res_sys[0].start, resource_size(&res_sys[0]),
+ res_sys[0].name)) ||
+ (!request_mem_region(res_sys[1].start, resource_size(&res_sys[1]),
+ res_sys[1].name)) ||
+ (!request_mem_region(res_sys[2].start, resource_size(&res_sys[2]),
+ res_sys[2].name)))
pr_err("Failed to request core resources");
status_membase = ioremap(res_status.start,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 191/482] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 190/482] MIPS: lantiq: falcon: sysctrl: fix request memory check logic Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 192/482] leds: leds-lp50xx: Handle reg to get correct multi_index Greg Kroah-Hartman
` (299 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund, Sakari Ailus,
Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
[ Upstream commit 5a0abb8909b9dcf347fce1d201ac6686ac33fd64 ]
When operating a pipeline with a missing V4L2_CID_LINK_FREQ control this
two line warning is printed each time the pipeline is started. Reduce
this excessive logging by only warning once for the missing control.
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/v4l2-core/v4l2-common.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c
index 40f56e044640..1c8d36684809 100644
--- a/drivers/media/v4l2-core/v4l2-common.c
+++ b/drivers/media/v4l2-core/v4l2-common.c
@@ -475,10 +475,10 @@ s64 v4l2_get_link_freq(struct v4l2_ctrl_handler *handler, unsigned int mul,
freq = div_u64(v4l2_ctrl_g_ctrl_int64(ctrl) * mul, div);
- pr_warn("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
- __func__);
- pr_warn("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
- __func__);
+ pr_warn_once("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
+ __func__);
+ pr_warn_once("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
+ __func__);
}
return freq > 0 ? freq : -EINVAL;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 192/482] leds: leds-lp50xx: Handle reg to get correct multi_index
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 191/482] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 193/482] dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Greg Kroah-Hartman
` (298 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Adolfsson, Jacek Anaszewski,
Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Adolfsson <johan.adolfsson@axis.com>
[ Upstream commit 2e84a5e5374232e6f356ce5c079a5658d7e4af2c ]
mc_subled used for multi_index needs well defined array indexes,
to guarantee the desired result, use reg for that.
If devicetree child nodes is processed in random or reverse order
you may end up with multi_index "blue green red" instead of the expected
"red green blue".
If user space apps uses multi_index to deduce how to control the leds
they would most likely be broken without this patch if devicetree
processing is reversed (which it appears to be).
arch/arm/boot/dts/aspeed/aspeed-bmc-facebook-fuji.dts has reg set
but I don't see how it can have worked without this change.
If reg is not set, an error is returned,
If reg is out of range, an error is returned.
reg within led child nodes starts with 0, to map to the iout in each bank.
Signed-off-by: Johan Adolfsson <johan.adolfsson@axis.com>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Link: https://lore.kernel.org/r/20250617-led-fix-v7-1-cdbe8efc88fa@axis.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-lp50xx.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c
index 28d6b39fa72d..cda62e3d3a3a 100644
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -486,6 +486,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
}
fwnode_for_each_child_node(child, led_node) {
+ int multi_index;
ret = fwnode_property_read_u32(led_node, "color",
&color_id);
if (ret) {
@@ -493,8 +494,16 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
dev_err(priv->dev, "Cannot read color\n");
goto child_out;
}
+ ret = fwnode_property_read_u32(led_node, "reg", &multi_index);
+ if (ret != 0) {
+ dev_err(priv->dev, "reg must be set\n");
+ return -EINVAL;
+ } else if (multi_index >= LP50XX_LEDS_PER_MODULE) {
+ dev_err(priv->dev, "reg %i out of range\n", multi_index);
+ return -EINVAL;
+ }
- mc_led_info[num_colors].color_index = color_id;
+ mc_led_info[multi_index].color_index = color_id;
num_colors++;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 193/482] dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 192/482] leds: leds-lp50xx: Handle reg to get correct multi_index Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 194/482] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Greg Kroah-Hartman
` (297 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amelie Delaunay, Vinod Koul,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amelie Delaunay <amelie.delaunay@foss.st.com>
[ Upstream commit e19bdbaa31082b43dab1d936e20efcebc30aa73d ]
DMA operates in Double Buffer Mode (DBM) when the transfer is cyclic and
there are at least two periods.
When DBM is enabled, the DMA toggles between two memory targets (SxM0AR and
SxM1AR), indicated by the SxSCR.CT bit (Current Target).
There is no need to update the next memory address if two periods are
configured, as SxM0AR and SxM1AR are already properly set up before the
transfer begins in the stm32_dma_start_transfer() function.
This avoids unnecessary updates to SxM0AR/SxM1AR, thereby preventing
potential Transfer Errors. Specifically, when the channel is enabled,
SxM0AR and SxM1AR can only be written if SxSCR.CT=1 and SxSCR.CT=0,
respectively. Otherwise, a Transfer Error interrupt is triggered, and the
stream is automatically disabled.
Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Link: https://lore.kernel.org/r/20250624-stm32_dma_dbm_fix-v1-1-337c40d6c93e@foss.st.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/stm32-dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c
index 7abcd7f2848e..34a906e4b1ff 100644
--- a/drivers/dma/stm32-dma.c
+++ b/drivers/dma/stm32-dma.c
@@ -745,7 +745,7 @@ static void stm32_dma_handle_chan_done(struct stm32_dma_chan *chan, u32 scr)
/* cyclic while CIRC/DBM disable => post resume reconfiguration needed */
if (!(scr & (STM32_DMA_SCR_CIRC | STM32_DMA_SCR_DBM)))
stm32_dma_post_resume_reconfigure(chan);
- else if (scr & STM32_DMA_SCR_DBM)
+ else if (scr & STM32_DMA_SCR_DBM && chan->desc->num_sgs > 2)
stm32_dma_configure_next_sg(chan);
} else {
chan->busy = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 194/482] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 193/482] dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 195/482] RDMA/core: reduce stack using in nldev_stat_get_doit() Greg Kroah-Hartman
` (296 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Norov [NVIDIA], Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yury Norov [NVIDIA] <yury.norov@gmail.com>
[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ]
The function divides number of online CPUs by num_core_siblings, and
later checks the divider by zero. This implies a possibility to get
and divide-by-zero runtime error. Fix it by moving the check prior to
division. This also helps to save one indentation level.
Signed-off-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
index 77ee77d4000f..7382b85c72a6 100644
--- a/drivers/infiniband/hw/hfi1/affinity.c
+++ b/drivers/infiniband/hw/hfi1/affinity.c
@@ -966,31 +966,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask,
struct hfi1_affinity_node_list *affinity)
{
int possible, curr_cpu, i;
- uint num_cores_per_socket = node_affinity.num_online_cpus /
+ uint num_cores_per_socket;
+
+ cpumask_copy(hw_thread_mask, &affinity->proc.mask);
+
+ if (affinity->num_core_siblings == 0)
+ return;
+
+ num_cores_per_socket = node_affinity.num_online_cpus /
affinity->num_core_siblings /
node_affinity.num_online_nodes;
- cpumask_copy(hw_thread_mask, &affinity->proc.mask);
- if (affinity->num_core_siblings > 0) {
- /* Removing other siblings not needed for now */
- possible = cpumask_weight(hw_thread_mask);
- curr_cpu = cpumask_first(hw_thread_mask);
- for (i = 0;
- i < num_cores_per_socket * node_affinity.num_online_nodes;
- i++)
- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
-
- for (; i < possible; i++) {
- cpumask_clear_cpu(curr_cpu, hw_thread_mask);
- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
- }
+ /* Removing other siblings not needed for now */
+ possible = cpumask_weight(hw_thread_mask);
+ curr_cpu = cpumask_first(hw_thread_mask);
+ for (i = 0;
+ i < num_cores_per_socket * node_affinity.num_online_nodes;
+ i++)
+ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
- /* Identifying correct HW threads within physical cores */
- cpumask_shift_left(hw_thread_mask, hw_thread_mask,
- num_cores_per_socket *
- node_affinity.num_online_nodes *
- hw_thread_no);
+ for (; i < possible; i++) {
+ cpumask_clear_cpu(curr_cpu, hw_thread_mask);
+ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
}
+
+ /* Identifying correct HW threads within physical cores */
+ cpumask_shift_left(hw_thread_mask, hw_thread_mask,
+ num_cores_per_socket *
+ node_affinity.num_online_nodes *
+ hw_thread_no);
}
int hfi1_get_proc_affinity(int node)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 195/482] RDMA/core: reduce stack using in nldev_stat_get_doit()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 194/482] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 196/482] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Greg Kroah-Hartman
` (295 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 43163f4c30f94d2103c948a247cdf2cda5068ca7 ]
In the s390 defconfig, gcc-10 and earlier end up inlining three functions
into nldev_stat_get_doit(), and each of them uses some 600 bytes of stack.
The result is a function with an overly large stack frame and a warning:
drivers/infiniband/core/nldev.c:2466:1: error: the frame size of 1720 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
Mark the three functions noinline_for_stack to prevent this, ensuring
that only one copy of the nlattr array is on the stack of each function.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20250620113335.3776965-1-arnd@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/nldev.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index 1adf20198afd..7e08ce963125 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -1400,10 +1400,11 @@ static const struct nldev_fill_res_entry fill_entries[RDMA_RESTRACK_MAX] = {
};
-static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct netlink_ext_ack *extack,
- enum rdma_restrack_type res_type,
- res_fill_func_t fill_func)
+static noinline_for_stack int
+res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack,
+ enum rdma_restrack_type res_type,
+ res_fill_func_t fill_func)
{
const struct nldev_fill_res_entry *fe = &fill_entries[res_type];
struct nlattr *tb[RDMA_NLDEV_ATTR_MAX];
@@ -2129,10 +2130,10 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
return ret;
}
-static int stat_get_doit_default_counter(struct sk_buff *skb,
- struct nlmsghdr *nlh,
- struct netlink_ext_ack *extack,
- struct nlattr *tb[])
+static noinline_for_stack int
+stat_get_doit_default_counter(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack,
+ struct nlattr *tb[])
{
struct rdma_hw_stats *stats;
struct nlattr *table_attr;
@@ -2222,8 +2223,9 @@ static int stat_get_doit_default_counter(struct sk_buff *skb,
return ret;
}
-static int stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct netlink_ext_ack *extack, struct nlattr *tb[])
+static noinline_for_stack int
+stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack, struct nlattr *tb[])
{
static enum rdma_nl_counter_mode mode;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 196/482] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 195/482] RDMA/core: reduce stack using in nldev_stat_get_doit() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 197/482] scsi: mpt3sas: Correctly handle ATA device errors Greg Kroah-Hartman
` (294 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ]
If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the
resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may
occur before sli4_hba.hdwqs are allocated. This may result in a null
pointer dereference when attempting to take the abts_io_buf_list_lock for
the first hardware queue. Fix by adding a null ptr check on
phba->sli4_hba.hdwq and early return because this situation means there
must have been an error during port initialization.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index ed32aa01c711..6d4777a5f3d4 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -390,6 +390,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport)
if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP))
return;
+ /* may be called before queues established if hba_setup fails */
+ if (!phba->sli4_hba.hdwq)
+ return;
+
spin_lock_irqsave(&phba->hbalock, iflag);
for (idx = 0; idx < phba->cfg_hdw_queue; idx++) {
qp = &phba->sli4_hba.hdwq[idx];
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 197/482] scsi: mpt3sas: Correctly handle ATA device errors
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 196/482] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 198/482] scsi: mpi3mr: " Greg Kroah-Hartman
` (293 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Yafang Shao,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ]
With the ATA error model, an NCQ command failure always triggers an abort
(termination) of all NCQ commands queued on the device. In such case, the
SAT or the host must handle the failed command according to the command
sense data and immediately retry all other NCQ commands that were aborted
due to the failed NCQ command.
For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not
handled by the HBA SAT and sent back to the host, with an ioc log
information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
_scsih_io_done() always forces a retry of commands terminated with the
status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result
DID_SOFT_ERROR, regardless of the log_info for the command. This
correctly forces the retry of collateral NCQ abort commands, but with the
retry counter for the command being incremented. If a command to an ATA
device is subject to too many retries due to other NCQ commands failing
(e.g. read commands trying to access unreadable sectors), the collateral
NCQ abort commands may be terminated with an error as they run out of
retries. This violates the SAT specification and causes hard-to-debug
command errors.
Solve this issue by modifying the handling of the
MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an
ATA device and if the command loginfo indicates an NCQ collateral
abort. If that is the case, force the command retry using the SCSI result
DID_IMM_RETRY to avoid incrementing the command retry count.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org
Tested-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index b5b77b82d69f..06c3ab0225d3 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -197,6 +197,14 @@ struct sense_info {
#define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD)
#define MPT3SAS_ABRT_TASK_SET (0xFFFE)
#define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF)
+
+/*
+ * SAS Log info code for a NCQ collateral abort after an NCQ error:
+ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR
+ * See: drivers/message/fusion/lsi/mpi_log_sas.h
+ */
+#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000
+
/**
* struct fw_event_work - firmware event struct
* @list: link list framework
@@ -5825,6 +5833,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
scmd->result = DID_TRANSPORT_DISRUPTED << 16;
goto out;
}
+ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) {
+ /*
+ * This is a ATA NCQ command aborted due to another NCQ
+ * command failure. We must retry this command
+ * immediately but without incrementing its retry
+ * counter.
+ */
+ WARN_ON_ONCE(xfer_cnt != 0);
+ scmd->result = DID_IMM_RETRY << 16;
+ break;
+ }
if (log_info == 0x31110630) {
if (scmd->retries > 2) {
scmd->result = DID_NO_CONNECT << 16;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 198/482] scsi: mpi3mr: Correctly handle ATA device errors
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 197/482] scsi: mpt3sas: Correctly handle ATA device errors Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 199/482] pinctrl: stm32: Manage irq affinity settings Greg Kroah-Hartman
` (292 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Yafang Shao,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 04caad5a7ba86e830d04750417a15bad8ac2613c ]
With the ATA error model, an NCQ command failure always triggers an abort
(termination) of all NCQ commands queued on the device. In such case, the
SAT or the host must handle the failed command according to the command
sense data and immediately retry all other NCQ commands that were aborted
due to the failed NCQ command.
For SAS HBAs controlled by the mpi3mr driver, NCQ command aborts are not
handled by the HBA SAT and sent back to the host, with an ioc log
information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
mpi3mr_process_op_reply_desc() always forces a retry of commands
terminated with the status MPI3_IOCSTATUS_SCSI_IOC_TERMINATED using the
SCSI result DID_SOFT_ERROR, regardless of the ioc_loginfo for the
command. This correctly forces the retry of collateral NCQ abort
commands, but with the retry counter for the command being incremented.
If a command to an ATA device is subject to too many retries due to other
NCQ commands failing (e.g. read commands trying to access unreadable
sectors), the collateral NCQ abort commands may be terminated with an
error as they run out of retries. This violates the SAT specification and
causes hard-to-debug command errors.
Solve this issue by modifying the handling of the
MPI3_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an
ATA device and if the command ioc_loginfo indicates an NCQ collateral
abort. If that is the case, force the command retry using the SCSI result
DID_IMM_RETRY to avoid incrementing the command retry count.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250606052747.742998-2-dlemoal@kernel.org
Tested-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_os.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
index 7bd24f71cc38..9dc14ed6567d 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -42,6 +42,13 @@ static void mpi3mr_send_event_ack(struct mpi3mr_ioc *mrioc, u8 event,
#define MPI3_EVENT_WAIT_FOR_DEVICES_TO_REFRESH (0xFFFE)
+/*
+ * SAS Log info code for a NCQ collateral abort after an NCQ error:
+ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR
+ * See: drivers/message/fusion/lsi/mpi_log_sas.h
+ */
+#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000
+
/**
* mpi3mr_host_tag_for_scmd - Get host tag for a scmd
* @mrioc: Adapter instance reference
@@ -3211,7 +3218,18 @@ void mpi3mr_process_op_reply_desc(struct mpi3mr_ioc *mrioc,
scmd->result = DID_NO_CONNECT << 16;
break;
case MPI3_IOCSTATUS_SCSI_IOC_TERMINATED:
- scmd->result = DID_SOFT_ERROR << 16;
+ if (ioc_loginfo == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) {
+ /*
+ * This is a ATA NCQ command aborted due to another NCQ
+ * command failure. We must retry this command
+ * immediately but without incrementing its retry
+ * counter.
+ */
+ WARN_ON_ONCE(xfer_count != 0);
+ scmd->result = DID_IMM_RETRY << 16;
+ } else {
+ scmd->result = DID_SOFT_ERROR << 16;
+ }
break;
case MPI3_IOCSTATUS_SCSI_TASK_TERMINATED:
case MPI3_IOCSTATUS_SCSI_EXT_TERMINATED:
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 199/482] pinctrl: stm32: Manage irq affinity settings
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 198/482] scsi: mpi3mr: " Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 200/482] media: tc358743: Check I2C succeeded during probe Greg Kroah-Hartman
` (291 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cheick Traore, Antonio Borneo,
Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cheick Traore <cheick.traore@foss.st.com>
[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ]
Trying to set the affinity of the interrupts associated to stm32
pinctrl results in a write error.
Fill struct irq_chip::irq_set_affinity to use the default helper
function.
Signed-off-by: Cheick Traore <cheick.traore@foss.st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index 4a3f5f5b966d..661eb0c1f797 100644
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -417,6 +417,7 @@ static struct irq_chip stm32_gpio_irq_chip = {
.irq_set_wake = irq_chip_set_wake_parent,
.irq_request_resources = stm32_gpio_irq_request_resources,
.irq_release_resources = stm32_gpio_irq_release_resources,
+ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL,
};
static int stm32_gpio_domain_translate(struct irq_domain *d,
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 200/482] media: tc358743: Check I2C succeeded during probe
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 199/482] pinctrl: stm32: Manage irq affinity settings Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 201/482] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Greg Kroah-Hartman
` (290 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ]
The probe for the TC358743 reads the CHIPID register from
the device and compares it to the expected value of 0.
If the I2C request fails then that also returns 0, so
the driver loads thinking that the device is there.
Generally I2C communications are reliable so there is
limited need to check the return value on every transfer,
therefore only amend the one read during probe to check
for I2C errors.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 2c8189e04a13..7251d25106d6 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd)
/* --------------- I2C --------------- */
-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
{
struct tc358743_state *state = to_state(sd);
struct i2c_client *client = state->i2c_client;
@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed\n",
__func__, reg, client->addr);
}
+ return err != ARRAY_SIZE(msgs);
}
static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
}
}
-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
+static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n,
+ int *err)
{
+ int error;
__le32 val = 0;
- i2c_rd(sd, reg, (u8 __force *)&val, n);
+ error = i2c_rd(sd, reg, (u8 __force *)&val, n);
+ if (err)
+ *err = error;
return le32_to_cpu(val);
}
+static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
+{
+ return i2c_rdreg_err(sd, reg, n, NULL);
+}
+
static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n)
{
__le32 raw = cpu_to_le32(val);
@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
return i2c_rdreg(sd, reg, 2);
}
+static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value)
+{
+ int err;
+ *value = i2c_rdreg_err(sd, reg, 2, &err);
+ return err;
+}
+
static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val)
{
i2c_wrreg(sd, reg, val, 2);
@@ -2021,6 +2038,7 @@ static int tc358743_probe(struct i2c_client *client)
struct tc358743_platform_data *pdata = client->dev.platform_data;
struct v4l2_subdev *sd;
u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK;
+ u16 chipid;
int err;
if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA))
@@ -2052,7 +2070,8 @@ static int tc358743_probe(struct i2c_client *client)
sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
/* i2c access */
- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) {
+ if (i2c_rd16_err(sd, CHIPID, &chipid) ||
+ (chipid & MASK_CHIPID) != 0) {
v4l2_info(sd, "not a TC358743 on address 0x%x\n",
client->addr << 1);
return -ENODEV;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 201/482] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 200/482] media: tc358743: Check I2C succeeded during probe Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 202/482] media: tc358743: Increase FIFO trigger level to 374 Greg Kroah-Hartman
` (289 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ]
When calling tc358743_set_fmt, the code was calling tc358743_get_fmt
to choose a valid format. However that sets the colorspace
based on information read back from the chip, not the colour
format requested.
The result was that if you called try or set format for UYVY
when the current format was RGB3 then you would get told SRGB,
and try RGB3 when current was UYVY and you would get told
SMPTE170M.
The value programmed in the VI_REP register for the colorspace
is always set by this driver, therefore there is no need to read
back the value, and never set to REC709.
Return the colorspace based on the format set/tried instead.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/tc358743.c | 44 ++++++++++++++----------------------
1 file changed, 17 insertions(+), 27 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 7251d25106d6..0f9fd9cb77b3 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -1668,12 +1668,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd,
return 0;
}
+static u32 tc358743_g_colorspace(u32 code)
+{
+ switch (code) {
+ case MEDIA_BUS_FMT_RGB888_1X24:
+ return V4L2_COLORSPACE_SRGB;
+ case MEDIA_BUS_FMT_UYVY8_1X16:
+ return V4L2_COLORSPACE_SMPTE170M;
+ default:
+ return 0;
+ }
+}
+
static int tc358743_get_fmt(struct v4l2_subdev *sd,
struct v4l2_subdev_state *sd_state,
struct v4l2_subdev_format *format)
{
struct tc358743_state *state = to_state(sd);
- u8 vi_rep = i2c_rd8(sd, VI_REP);
if (format->pad != 0)
return -EINVAL;
@@ -1683,23 +1694,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd,
format->format.height = state->timings.bt.height;
format->format.field = V4L2_FIELD_NONE;
- switch (vi_rep & MASK_VOUT_COLOR_SEL) {
- case MASK_VOUT_COLOR_RGB_FULL:
- case MASK_VOUT_COLOR_RGB_LIMITED:
- format->format.colorspace = V4L2_COLORSPACE_SRGB;
- break;
- case MASK_VOUT_COLOR_601_YCBCR_LIMITED:
- case MASK_VOUT_COLOR_601_YCBCR_FULL:
- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M;
- break;
- case MASK_VOUT_COLOR_709_YCBCR_FULL:
- case MASK_VOUT_COLOR_709_YCBCR_LIMITED:
- format->format.colorspace = V4L2_COLORSPACE_REC709;
- break;
- default:
- format->format.colorspace = 0;
- break;
- }
+ format->format.colorspace = tc358743_g_colorspace(format->format.code);
return 0;
}
@@ -1713,19 +1708,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd,
u32 code = format->format.code; /* is overwritten by get_fmt */
int ret = tc358743_get_fmt(sd, sd_state, format);
- format->format.code = code;
+ if (code == MEDIA_BUS_FMT_RGB888_1X24 ||
+ code == MEDIA_BUS_FMT_UYVY8_1X16)
+ format->format.code = code;
+ format->format.colorspace = tc358743_g_colorspace(format->format.code);
if (ret)
return ret;
- switch (code) {
- case MEDIA_BUS_FMT_RGB888_1X24:
- case MEDIA_BUS_FMT_UYVY8_1X16:
- break;
- default:
- return -EINVAL;
- }
-
if (format->which == V4L2_SUBDEV_FORMAT_TRY)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 202/482] media: tc358743: Increase FIFO trigger level to 374
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 201/482] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 203/482] media: usb: hdpvr: disable zero-length read messages Greg Kroah-Hartman
` (288 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ]
The existing fixed value of 16 worked for UYVY 720P60 over
2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888
1080P60 needs 6 lanes at 594MHz).
It doesn't allow for lower resolutions to work as the FIFO
underflows.
374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @
972Mbit/s, but >374 means that the FIFO underflows on 1080P50
UYVY over 2 lanes @ 972Mbit/s.
Whilst it would be nice to compute it, the required information
isn't published by Toshiba.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/tc358743.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 0f9fd9cb77b3..d13e8f19278f 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -1939,8 +1939,19 @@ static int tc358743_probe_of(struct tc358743_state *state)
state->pdata.refclk_hz = clk_get_rate(refclk);
state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS;
state->pdata.enable_hdcp = false;
- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */
- state->pdata.fifo_level = 16;
+ /*
+ * Ideally the FIFO trigger level should be set based on the input and
+ * output data rates, but the calculations required are buried in
+ * Toshiba's register settings spreadsheet.
+ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2
+ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate
+ * is increased, or a lower pixel clock is used that result in CSI
+ * reading out faster than the data is arriving.
+ *
+ * A value of 374 works with both those modes at 594Mbps, and with most
+ * modes on 972Mbps.
+ */
+ state->pdata.fifo_level = 374;
/*
* The PLL input clock is obtained by dividing refclk by pll_prd.
* It must be between 6 MHz and 40 MHz, lower frequency is better.
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 203/482] media: usb: hdpvr: disable zero-length read messages
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 202/482] media: tc358743: Increase FIFO trigger level to 374 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 204/482] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Greg Kroah-Hartman
` (287 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ]
This driver passes the length of an i2c_msg directly to
usb_control_msg(). If the message is now a read and of length 0, it
violates the USB protocol and a warning will be printed. Enable the
I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
read messages altogether.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c
index 070559b01b01..54956a8ff15e 100644
--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c
+++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c
@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = {
.functionality = hdpvr_functionality,
};
+/* prevent invalid 0-length usb_control_msg */
+static const struct i2c_adapter_quirks hdpvr_quirks = {
+ .flags = I2C_AQ_NO_ZERO_LEN_READ,
+};
+
static const struct i2c_adapter hdpvr_i2c_adapter_template = {
.name = "Hauppauge HD PVR I2C",
.owner = THIS_MODULE,
.algo = &hdpvr_algo,
+ .quirks = &hdpvr_quirks,
};
static int hdpvr_activate_ir(struct hdpvr_device *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 204/482] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 203/482] media: usb: hdpvr: disable zero-length read messages Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 205/482] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Greg Kroah-Hartman
` (286 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Guo, Mauro Carvalho Chehab,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Guo <alexguo1023@gmail.com>
[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ]
In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and
msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing
msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash. Similar issue occurs when access
msg[1].buf[0] and msg[1].buf[1].
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@gmail.com>
Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/dib7000p.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
index d1e53de5206a..aae8335644f3 100644
--- a/drivers/media/dvb-frontends/dib7000p.c
+++ b/drivers/media/dvb-frontends/dib7000p.c
@@ -2261,8 +2261,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap,
u16 word;
if (num == 1) { /* write */
+ if (msg[0].len < 3)
+ return -EOPNOTSUPP;
dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2])));
} else {
+ if (msg[1].len < 2)
+ return -EOPNOTSUPP;
word = dib7000p_read_word(state, apb_address);
msg[1].buf[0] = (word >> 8) & 0xff;
msg[1].buf[1] = (word) & 0xff;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 205/482] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 204/482] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 206/482] media: uvcvideo: Fix bandwidth issue for Alcor camera Greg Kroah-Hartman
` (285 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Guo, Mauro Carvalho Chehab,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Guo <alexguo1023@gmail.com>
[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ]
In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash.
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@gmail.com>
Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/dib7000p.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
index aae8335644f3..f40bc835649c 100644
--- a/drivers/media/dvb-frontends/dib7000p.c
+++ b/drivers/media/dvb-frontends/dib7000p.c
@@ -2198,6 +2198,8 @@ static int w7090p_tuner_write_serpar(struct i2c_adapter *i2c_adap, struct i2c_ms
struct dib7000p_state *state = i2c_get_adapdata(i2c_adap);
u8 n_overflow = 1;
u16 i = 1000;
+ if (msg[0].len < 3)
+ return -EOPNOTSUPP;
u16 serpar_num = msg[0].buf[0];
while (n_overflow == 1 && i) {
@@ -2217,6 +2219,8 @@ static int w7090p_tuner_read_serpar(struct i2c_adapter *i2c_adap, struct i2c_msg
struct dib7000p_state *state = i2c_get_adapdata(i2c_adap);
u8 n_overflow = 1, n_empty = 1;
u16 i = 1000;
+ if (msg[0].len < 1 || msg[1].len < 2)
+ return -EOPNOTSUPP;
u16 serpar_num = msg[0].buf[0];
u16 read_word;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 206/482] media: uvcvideo: Fix bandwidth issue for Alcor camera
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 205/482] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 207/482] crypto: octeontx2 - add timeout for load_fvc completion poll Greg Kroah-Hartman
` (284 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, chenchangcheng, Ricardo Ribalda,
Laurent Pinchart, Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: chenchangcheng <chenchangcheng@kylinos.cn>
[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ]
Some broken device return wrong dwMaxPayloadTransferSize fields as
follows:
[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth.
[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth.
When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent
the camera from starting. So use the bandwidth of maxpsize.
Signed-off-by: chenchangcheng <chenchangcheng@kylinos.cn>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index aa0a879a9c64..29efccd5aa09 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -234,6 +234,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
ctrl->dwMaxPayloadTransferSize = bandwidth;
}
+
+ if (stream->intf->num_altsetting > 1 &&
+ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) {
+ dev_warn_ratelimited(&stream->intf->dev,
+ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n",
+ ctrl->dwMaxPayloadTransferSize,
+ stream->maxpsize);
+ ctrl->dwMaxPayloadTransferSize = stream->maxpsize;
+ }
}
static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 207/482] crypto: octeontx2 - add timeout for load_fvc completion poll
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 206/482] media: uvcvideo: Fix bandwidth issue for Alcor camera Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 208/482] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Greg Kroah-Hartman
` (283 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srujana Challa, Bharat Bhushan,
Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharat Bhushan <bbhushan2@marvell.com>
[ Upstream commit 2157e50f65d2030f07ea27ef7ac4cfba772e98ac ]
Adds timeout to exit from possible infinite loop, which polls
on CPT instruction(load_fvc) completion.
Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
index 1577986677f6..b73a13ae55c4 100644
--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
@@ -1485,6 +1485,7 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
dma_addr_t rptr_baddr;
struct pci_dev *pdev;
u32 len, compl_rlen;
+ int timeout = 10000;
int ret, etype;
void *rptr;
@@ -1549,16 +1550,27 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
etype);
otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr);
lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]);
+ timeout = 10000;
while (lfs->ops->cpt_get_compcode(result) ==
- OTX2_CPT_COMPLETION_CODE_INIT)
+ OTX2_CPT_COMPLETION_CODE_INIT) {
cpu_relax();
+ udelay(1);
+ timeout--;
+ if (!timeout) {
+ ret = -ENODEV;
+ cptpf->is_eng_caps_discovered = false;
+ dev_warn(&pdev->dev, "Timeout on CPT load_fvc completion poll\n");
+ goto error_no_response;
+ }
+ }
cptpf->eng_caps[etype].u = be64_to_cpup(rptr);
}
- dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
cptpf->is_eng_caps_discovered = true;
+error_no_response:
+ dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
free_result:
kfree(result);
lf_cleanup:
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 208/482] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 207/482] crypto: octeontx2 - add timeout for load_fvc completion poll Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 209/482] module: Prevent silent truncation of module name in delete_module(2) Greg Kroah-Hartman
` (282 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Purva Yeshi, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Purva Yeshi <purvayeshi550@gmail.com>
[ Upstream commit 487767bff572d46f7c37ad846c4078f6d6c9cc55 ]
Fix Smatch-detected error:
drivers/md/dm-zoned-target.c:1073 dmz_iterate_devices()
error: uninitialized symbol 'r'.
Smatch detects a possible use of the uninitialized variable 'r' in
dmz_iterate_devices() because if dmz->nr_ddevs is zero, the loop is
skipped and 'r' is returned without being set, leading to undefined
behavior.
Initialize 'r' to 0 before the loop. This ensures that if there are no
devices to iterate over, the function still returns a defined value.
Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-zoned-target.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
index 4abe1e2f8ad8..cbcfadbdd51d 100644
--- a/drivers/md/dm-zoned-target.c
+++ b/drivers/md/dm-zoned-target.c
@@ -1062,7 +1062,7 @@ static int dmz_iterate_devices(struct dm_target *ti,
struct dmz_target *dmz = ti->private;
unsigned int zone_nr_sectors = dmz_zone_nr_sectors(dmz->metadata);
sector_t capacity;
- int i, r;
+ int i, r = 0;
for (i = 0; i < dmz->nr_ddevs; i++) {
capacity = dmz->dev[i].capacity & ~(zone_nr_sectors - 1);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 209/482] module: Prevent silent truncation of module name in delete_module(2)
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 208/482] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 210/482] i3c: add missing include to internal header Greg Kroah-Hartman
` (281 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Daniel Gomez,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit a6323bd4e611567913e23df5b58f2d4e4da06789 ]
Passing a module name longer than MODULE_NAME_LEN to the delete_module
syscall results in its silent truncation. This really isn't much of
a problem in practice, but it could theoretically lead to the removal of an
incorrect module. It is more sensible to return ENAMETOOLONG or ENOENT in
such a case.
Update the syscall to return ENOENT, as documented in the delete_module(2)
man page to mean "No module by that name exists." This is appropriate
because a module with a name longer than MODULE_NAME_LEN cannot be loaded
in the first place.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Link: https://lore.kernel.org/r/20250630143535.267745-2-petr.pavlu@suse.com
Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/module/main.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 554aba47ab68..3269f6c46814 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -699,14 +699,16 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
struct module *mod;
char name[MODULE_NAME_LEN];
char buf[MODULE_FLAGS_BUF_SIZE];
- int ret, forced = 0;
+ int ret, len, forced = 0;
if (!capable(CAP_SYS_MODULE) || modules_disabled)
return -EPERM;
- if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
- return -EFAULT;
- name[MODULE_NAME_LEN-1] = '\0';
+ len = strncpy_from_user(name, name_user, MODULE_NAME_LEN);
+ if (len == 0 || len == MODULE_NAME_LEN)
+ return -ENOENT;
+ if (len < 0)
+ return len;
audit_log_kern_module(name);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 210/482] i3c: add missing include to internal header
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 209/482] module: Prevent silent truncation of module name in delete_module(2) Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 211/482] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Greg Kroah-Hartman
` (280 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Wolfram Sang,
Frank Li, Alexandre Belloni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ]
LKP found a random config which failed to build because IO accessors
were not defined:
In file included from drivers/i3c/master.c:21:
drivers/i3c/internals.h: In function 'i3c_writel_fifo':
>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration]
Add the proper header to where the IO accessors are used.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/internals.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h
index 86b7b44cfca2..1906c711f38a 100644
--- a/drivers/i3c/internals.h
+++ b/drivers/i3c/internals.h
@@ -9,6 +9,7 @@
#define I3C_INTERNALS_H
#include <linux/i3c/master.h>
+#include <linux/io.h>
extern struct bus_type i3c_bus_type;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 211/482] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 210/482] i3c: add missing include to internal header Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 212/482] i3c: dont fail if GETHDRCAP is unsupported Greg Kroah-Hartman
` (279 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Meagan Lloyd, Tyler Hicks,
Rodolfo Giometti, Alexandre Belloni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ]
In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
kernel time as long as rtc_read_time() succeeds. In some power loss
situations, our supercapacitor-backed DS1342 RTC comes up with either an
unpredictable future time or the default 01/01/00 from the datasheet.
The oscillator stop flag (OSF) is set in these scenarios due to the
power loss and can be used to determine the validity of the RTC data.
This change expands the oscillator stop flag (OSF) handling that has
already been implemented for some chips to the ds1341 chip (DS1341 and
DS1342 share a datasheet). This handling manages the validity of the RTC
data in .read_time and .set_time based on the OSF.
Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
Reviewed-by: Tyler Hicks <code@tyhicks.com>
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-ds1307.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
index 73f2dd3af4d4..530b9340db21 100644
--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -273,6 +273,13 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
if (tmp & DS1340_BIT_OSF)
return -EINVAL;
break;
+ case ds_1341:
+ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp);
+ if (ret)
+ return ret;
+ if (tmp & DS1337_BIT_OSF)
+ return -EINVAL;
+ break;
case ds_1388:
ret = regmap_read(ds1307->regmap, DS1388_REG_FLAG, &tmp);
if (ret)
@@ -371,6 +378,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG,
DS1340_BIT_OSF, 0);
break;
+ case ds_1341:
+ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS,
+ DS1337_BIT_OSF, 0);
+ break;
case ds_1388:
regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG,
DS1388_BIT_OSF, 0);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 212/482] i3c: dont fail if GETHDRCAP is unsupported
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 211/482] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 213/482] i3c: master: Initialize ret in i3c_i2c_notifier_call() Greg Kroah-Hartman
` (278 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Frank Li,
Alexandre Belloni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ]
'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced
capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not
have HDR, but has the 'advanced cap' bit set. The core still wants to
get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1
onwards). Not all controllers support this CCC and will notify the upper
layers about it. For instantiating the device, we can ignore this
unsupported CCC as standard communication will work. Without this patch,
the device will not be instantiated at all.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 18103c1e8d76..513c79e26d9a 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -1386,7 +1386,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev)
if (dev->info.bcr & I3C_BCR_HDR_CAP) {
ret = i3c_master_gethdrcap_locked(master, &dev->info);
- if (ret)
+ if (ret && ret != -ENOTSUPP)
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 213/482] i3c: master: Initialize ret in i3c_i2c_notifier_call()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 212/482] i3c: dont fail if GETHDRCAP is unsupported Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 214/482] dm-mpath: dont print the "loaded" message if registering fails Greg Kroah-Hartman
` (277 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Marques, Frank Li,
Alexandre Belloni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Marques <jorge.marques@analog.com>
[ Upstream commit 290ce8b2d0745e45a3155268184523a8c75996f1 ]
Set ret to -EINVAL if i3c_i2c_notifier_call() receives an invalid
action, resolving uninitialized warning.
Signed-off-by: Jorge Marques <jorge.marques@analog.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250622-i3c-master-ret-uninitialized-v1-1-aabb5625c932@analog.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 513c79e26d9a..019fd9bd928d 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2413,6 +2413,8 @@ static int i3c_i2c_notifier_call(struct notifier_block *nb, unsigned long action
case BUS_NOTIFY_DEL_DEVICE:
ret = i3c_master_i2c_detach(adap, client);
break;
+ default:
+ ret = -EINVAL;
}
i3c_bus_maintenance_unlock(&master->bus);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 214/482] dm-mpath: dont print the "loaded" message if registering fails
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 213/482] i3c: master: Initialize ret in i3c_i2c_notifier_call() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 215/482] dm-table: fix checking for rq stackable devices Greg Kroah-Hartman
` (276 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit 6e11952a6abc4641dc8ae63f01b318b31b44e8db ]
If dm_register_path_selector, don't print the "version X loaded" message.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-ps-historical-service-time.c | 4 +++-
drivers/md/dm-ps-queue-length.c | 4 +++-
drivers/md/dm-ps-round-robin.c | 4 +++-
drivers/md/dm-ps-service-time.c | 4 +++-
4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/md/dm-ps-historical-service-time.c b/drivers/md/dm-ps-historical-service-time.c
index 1d82c95d323d..d0d1f97d21b6 100644
--- a/drivers/md/dm-ps-historical-service-time.c
+++ b/drivers/md/dm-ps-historical-service-time.c
@@ -541,8 +541,10 @@ static int __init dm_hst_init(void)
{
int r = dm_register_path_selector(&hst_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " HST_VERSION " loaded");
diff --git a/drivers/md/dm-ps-queue-length.c b/drivers/md/dm-ps-queue-length.c
index 6fbec9fc242d..8e298570c8d2 100644
--- a/drivers/md/dm-ps-queue-length.c
+++ b/drivers/md/dm-ps-queue-length.c
@@ -259,8 +259,10 @@ static int __init dm_ql_init(void)
{
int r = dm_register_path_selector(&ql_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " QL_VERSION " loaded");
diff --git a/drivers/md/dm-ps-round-robin.c b/drivers/md/dm-ps-round-robin.c
index 1d07392b5ed4..22c68ca81a24 100644
--- a/drivers/md/dm-ps-round-robin.c
+++ b/drivers/md/dm-ps-round-robin.c
@@ -216,8 +216,10 @@ static int __init dm_rr_init(void)
{
int r = dm_register_path_selector(&rr_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " RR_VERSION " loaded");
diff --git a/drivers/md/dm-ps-service-time.c b/drivers/md/dm-ps-service-time.c
index eba2293be686..d1e77eefaf2b 100644
--- a/drivers/md/dm-ps-service-time.c
+++ b/drivers/md/dm-ps-service-time.c
@@ -340,8 +340,10 @@ static int __init dm_st_init(void)
{
int r = dm_register_path_selector(&st_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " ST_VERSION " loaded");
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 215/482] dm-table: fix checking for rq stackable devices
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 214/482] dm-mpath: dont print the "loaded" message if registering fails Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 216/482] apparmor: use the condition in AA_BUG_FMT even with debug disabled Greg Kroah-Hartman
` (275 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Marzinski, Mike Snitzer,
Mikulas Patocka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit 8ca719b81987be690f197e82fdb030580c0a07f3 ]
Due to the semantics of iterate_devices(), the current code allows a
request-based dm table as long as it includes one request-stackable
device. It is supposed to only allow tables where there are no
non-request-stackable devices.
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Reviewed-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-table.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index 8b23b8bc5a03..f18e47a24454 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -863,17 +863,17 @@ static bool dm_table_supports_dax(struct dm_table *t,
return true;
}
-static int device_is_rq_stackable(struct dm_target *ti, struct dm_dev *dev,
- sector_t start, sector_t len, void *data)
+static int device_is_not_rq_stackable(struct dm_target *ti, struct dm_dev *dev,
+ sector_t start, sector_t len, void *data)
{
struct block_device *bdev = dev->bdev;
struct request_queue *q = bdev_get_queue(bdev);
/* request-based cannot stack on partitions! */
if (bdev_is_partition(bdev))
- return false;
+ return true;
- return queue_is_mq(q);
+ return !queue_is_mq(q);
}
static int dm_table_determine_type(struct dm_table *t)
@@ -969,7 +969,7 @@ static int dm_table_determine_type(struct dm_table *t)
/* Non-request-stackable devices can't be used for request-based dm */
if (!ti->type->iterate_devices ||
- !ti->type->iterate_devices(ti, device_is_rq_stackable, NULL)) {
+ ti->type->iterate_devices(ti, device_is_not_rq_stackable, NULL)) {
DMERR("table load rejected: including non-request-stackable devices");
return -EINVAL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 216/482] apparmor: use the condition in AA_BUG_FMT even with debug disabled
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 215/482] dm-table: fix checking for rq stackable devices Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 217/482] i2c: Force DLL0945 touchpad i2c freq to 100khz Greg Kroah-Hartman
` (274 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Guzik, John Johansen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Guzik <mjguzik@gmail.com>
[ Upstream commit 67e370aa7f968f6a4f3573ed61a77b36d1b26475 ]
This follows the established practice and fixes a build failure for me:
security/apparmor/file.c: In function ‘__file_sock_perm’:
security/apparmor/file.c:544:24: error: unused variable ‘sock’ [-Werror=unused-variable]
544 | struct socket *sock = (struct socket *) file->private_data;
| ^~~~
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/include/lib.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index d468c8b90298..fd57e9ffc139 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -46,7 +46,11 @@
#define AA_BUG_FMT(X, fmt, args...) \
WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
#else
-#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args)
+#define AA_BUG_FMT(X, fmt, args...) \
+ do { \
+ BUILD_BUG_ON_INVALID(X); \
+ no_printk(fmt, ##args); \
+ } while (0)
#endif
#define AA_ERROR(fmt, args...) \
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 217/482] i2c: Force DLL0945 touchpad i2c freq to 100khz
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 216/482] apparmor: use the condition in AA_BUG_FMT even with debug disabled Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 218/482] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Greg Kroah-Hartman
` (273 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, fangzhong.zhou, Wolfram Sang,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: fangzhong.zhou <myth5@myth5.com>
[ Upstream commit 0b7c9528facdb5a73ad78fea86d2e95a6c48dbc4 ]
This patch fixes an issue where the touchpad cursor movement becomes
slow on the Dell Precision 5560. Force the touchpad freq to 100khz
as a workaround.
Tested on Dell Precision 5560 with 6.14 to 6.14.6. Cursor movement
is now smooth and responsive.
Signed-off-by: fangzhong.zhou <myth5@myth5.com>
[wsa: kept sorting and removed unnecessary parts from commit msg]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-acpi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
index d2499f302b50..f43067f6797e 100644
--- a/drivers/i2c/i2c-core-acpi.c
+++ b/drivers/i2c/i2c-core-acpi.c
@@ -370,6 +370,7 @@ static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = {
* the device works without issues on Windows at what is expected to be
* a 400KHz frequency. The root cause of the issue is not known.
*/
+ { "DLL0945", 0 },
{ "ELAN06FA", 0 },
{}
};
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 218/482] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 217/482] i2c: Force DLL0945 touchpad i2c freq to 100khz Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 219/482] vfio/type1: conditional rescheduling while pinning Greg Kroah-Hartman
` (272 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suchit Karunakaran, Nicolas Schier,
Masahiro Yamada, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suchit Karunakaran <suchitkarunakaran@gmail.com>
[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ]
strcpy() performs no bounds checking and can lead to buffer overflows if
the input string exceeds the destination buffer size. This patch replaces
it with strncpy(), and null terminates the input string.
Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>
Reviewed-by: Nicolas Schier <nicolas.schier@linux.dev>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/lxdialog/inputbox.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
index 1dcfb288ee63..327b60cdb8da 100644
--- a/scripts/kconfig/lxdialog/inputbox.c
+++ b/scripts/kconfig/lxdialog/inputbox.c
@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
if (!init)
instr[0] = '\0';
- else
- strcpy(instr, init);
+ else {
+ strncpy(instr, init, sizeof(dialog_input_result) - 1);
+ instr[sizeof(dialog_input_result) - 1] = '\0';
+ }
do_resize:
if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN))
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 219/482] vfio/type1: conditional rescheduling while pinning
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 218/482] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 220/482] kconfig: nconf: Ensure null termination where strncpy is used Greg Kroah-Hartman
` (271 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keith Busch, Paul E. McKenney,
Alex Williamson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit b1779e4f209c7ff7e32f3c79d69bca4e3a3a68b6 ]
A large DMA mapping request can loop through dma address pinning for
many pages. In cases where THP can not be used, the repeated vmf_insert_pfn can
be costly, so let the task reschedule as need to prevent CPU stalls. Failure to
do so has potential harmful side effects, like increased memory pressure
as unrelated rcu tasks are unable to make their reclaim callbacks and
result in OOM conditions.
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 36-....: (20999 ticks this GP) idle=b01c/1/0x4000000000000000 softirq=35839/35839 fqs=3538
rcu: hardirqs softirqs csw/system
rcu: number: 0 107 0
rcu: cputime: 50 0 10446 ==> 10556(ms)
rcu: (t=21075 jiffies g=377761 q=204059 ncpus=384)
...
<TASK>
? asm_sysvec_apic_timer_interrupt+0x16/0x20
? walk_system_ram_range+0x63/0x120
? walk_system_ram_range+0x46/0x120
? pgprot_writethrough+0x20/0x20
lookup_memtype+0x67/0xf0
track_pfn_insert+0x20/0x40
vmf_insert_pfn_prot+0x88/0x140
vfio_pci_mmap_huge_fault+0xf9/0x1b0 [vfio_pci_core]
__do_fault+0x28/0x1b0
handle_mm_fault+0xef1/0x2560
fixup_user_fault+0xf5/0x270
vaddr_get_pfns+0x169/0x2f0 [vfio_iommu_type1]
vfio_pin_pages_remote+0x162/0x8e0 [vfio_iommu_type1]
vfio_iommu_type1_ioctl+0x1121/0x1810 [vfio_iommu_type1]
? futex_wake+0x1c1/0x260
x64_sys_call+0x234/0x17a0
do_syscall_64+0x63/0x130
? exc_page_fault+0x63/0x130
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Signed-off-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/r/20250715184622.3561598-1-kbusch@meta.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/vfio_iommu_type1.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 26fac124231f..888f7eeb3d6a 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -692,6 +692,13 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr,
while (npage) {
if (!batch->size) {
+ /*
+ * Large mappings may take a while to repeatedly refill
+ * the batch, so conditionally relinquish the CPU when
+ * needed to avoid stalls.
+ */
+ cond_resched();
+
/* Empty batch, so refill it. */
long req_pages = min_t(long, npage, batch->capacity);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 220/482] kconfig: nconf: Ensure null termination where strncpy is used
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 219/482] vfio/type1: conditional rescheduling while pinning Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 221/482] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Greg Kroah-Hartman
` (270 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shankari Anand, Masahiro Yamada,
Randy Dunlap, Nicolas Schier, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shankari Anand <shankari.ak0208@gmail.com>
[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]
strncpy() does not guarantee null-termination if the source string is
longer than the destination buffer.
Ensure the buffer is explicitly null-terminated to prevent potential
string overflows or undefined behavior.
Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Nicolas Schier <n.schier@avm.de>
Acked-by: Nicolas Schier <n.schier@avm.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/nconf.c | 2 ++
scripts/kconfig/nconf.gui.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
index 3ba8b1af390f..16a2db59432a 100644
--- a/scripts/kconfig/nconf.c
+++ b/scripts/kconfig/nconf.c
@@ -585,6 +585,8 @@ static void item_add_str(const char *fmt, ...)
tmp_str,
sizeof(k_menu_items[index].str));
+ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';
+
free_item(curses_menu_items[index]);
curses_menu_items[index] = new_item(
k_menu_items[index].str,
diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 9aedf40f1dc0..da06ea2afe08 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -349,6 +349,7 @@ int dialog_inputbox(WINDOW *main_window,
x = (columns-win_cols)/2;
strncpy(result, init, *result_len);
+ result[*result_len - 1] = '\0';
/* create the windows */
win = newwin(win_lines, win_cols, y, x);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 221/482] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 220/482] kconfig: nconf: Ensure null termination where strncpy is used Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 222/482] scsi: target: core: Generate correct identifiers for PR OUT transport IDs Greg Kroah-Hartman
` (269 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ]
sas_user_scan() did not fully process wildcard channel scans
(SCAN_WILD_CARD) when a transport-specific user_scan() callback was
present. Only channel 0 would be scanned via user_scan(), while the
remaining channels were skipped, potentially missing devices.
user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to
shost->max_channel) via scsi_scan_host_selected(). This ensures complete
wildcard scanning without affecting transport-specific scanning behavior.
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_scan.c | 2 +-
drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++-------
2 files changed, 49 insertions(+), 13 deletions(-)
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 69288303e600..6fb995153abd 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -1842,7 +1842,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel,
return 0;
}
-
+EXPORT_SYMBOL(scsi_scan_host_selected);
static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
{
struct scsi_device *sdev;
diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c
index 6941d8cfb9ba..5a19de2c7006 100644
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -40,6 +40,8 @@
#include <scsi/scsi_transport_sas.h>
#include "scsi_sas_internal.h"
+#include "scsi_priv.h"
+
struct sas_host_attrs {
struct list_head rphy_list;
struct mutex lock;
@@ -1681,32 +1683,66 @@ int scsi_is_sas_rphy(const struct device *dev)
}
EXPORT_SYMBOL(scsi_is_sas_rphy);
-
-/*
- * SCSI scan helper
- */
-
-static int sas_user_scan(struct Scsi_Host *shost, uint channel,
- uint id, u64 lun)
+static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun)
{
struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
struct sas_rphy *rphy;
- mutex_lock(&sas_host->lock);
list_for_each_entry(rphy, &sas_host->rphy_list, list) {
if (rphy->identify.device_type != SAS_END_DEVICE ||
rphy->scsi_target_id == -1)
continue;
- if ((channel == SCAN_WILD_CARD || channel == 0) &&
- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) {
+ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) {
scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id,
lun, SCSI_SCAN_MANUAL);
}
}
- mutex_unlock(&sas_host->lock);
+}
- return 0;
+/*
+ * SCSI scan helper
+ */
+
+static int sas_user_scan(struct Scsi_Host *shost, uint channel,
+ uint id, u64 lun)
+{
+ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
+ int res = 0;
+ int i;
+
+ switch (channel) {
+ case 0:
+ mutex_lock(&sas_host->lock);
+ scan_channel_zero(shost, id, lun);
+ mutex_unlock(&sas_host->lock);
+ break;
+
+ case SCAN_WILD_CARD:
+ mutex_lock(&sas_host->lock);
+ scan_channel_zero(shost, id, lun);
+ mutex_unlock(&sas_host->lock);
+
+ for (i = 1; i <= shost->max_channel; i++) {
+ res = scsi_scan_host_selected(shost, i, id, lun,
+ SCSI_SCAN_MANUAL);
+ if (res)
+ goto exit_scan;
+ }
+ break;
+
+ default:
+ if (channel < shost->max_channel) {
+ res = scsi_scan_host_selected(shost, channel, id, lun,
+ SCSI_SCAN_MANUAL);
+ } else {
+ res = -EINVAL;
+ }
+ break;
+ }
+
+exit_scan:
+ return res;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 222/482] scsi: target: core: Generate correct identifiers for PR OUT transport IDs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 221/482] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 223/482] scsi: aacraid: Stop using PCI_IRQ_AFFINITY Greg Kroah-Hartman
` (268 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maurizio Lombardi, Dmitry Bogdanov,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit 6e0f6aa44b68335df404a2df955055f416b5f2aa ]
Fix target_parse_pr_out_transport_id() to return a string representing
the transport ID in a human-readable format (e.g., naa.xxxxxxxx...) for
various SCSI protocol types (SAS, FCP, SRP, SBP).
Previously, the function returned a pointer to the raw binary buffer,
which was incorrectly compared against human-readable strings, causing
comparisons to fail. Now, the function writes a properly formatted
string into a buffer provided by the caller. The output format depends
on the transport protocol:
* SAS: 64-bit identifier, "naa." prefix.
* FCP: 64-bit identifier, colon separated values.
* SBP: 64-bit identifier, no prefix.
* SRP: 128-bit identifier, "0x" prefix.
* iSCSI: IQN string.
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20250714133738.11054-1-mlombard@redhat.com
Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_fabric_lib.c | 63 +++++++++++++++++++------
drivers/target/target_core_internal.h | 4 +-
drivers/target/target_core_pr.c | 18 +++----
3 files changed, 60 insertions(+), 25 deletions(-)
diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c
index 6600ae44f29d..d3ab251ba049 100644
--- a/drivers/target/target_core_fabric_lib.c
+++ b/drivers/target/target_core_fabric_lib.c
@@ -257,11 +257,41 @@ static int iscsi_get_pr_transport_id_len(
return len;
}
-static char *iscsi_parse_pr_out_transport_id(
+static void sas_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ char hex[17] = {};
+
+ bin2hex(hex, buf + 4, 8);
+ snprintf(i_str, TRANSPORT_IQN_LEN, "naa.%s", hex);
+}
+
+static void srp_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ char hex[33] = {};
+
+ bin2hex(hex, buf + 8, 16);
+ snprintf(i_str, TRANSPORT_IQN_LEN, "0x%s", hex);
+}
+
+static void fcp_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ snprintf(i_str, TRANSPORT_IQN_LEN, "%8phC", buf + 8);
+}
+
+static void sbp_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ char hex[17] = {};
+
+ bin2hex(hex, buf + 8, 8);
+ snprintf(i_str, TRANSPORT_IQN_LEN, "%s", hex);
+}
+
+static bool iscsi_parse_pr_out_transport_id(
struct se_portal_group *se_tpg,
char *buf,
u32 *out_tid_len,
- char **port_nexus_ptr)
+ char **port_nexus_ptr,
+ char *i_str)
{
char *p;
int i;
@@ -282,7 +312,7 @@ static char *iscsi_parse_pr_out_transport_id(
if ((format_code != 0x00) && (format_code != 0x40)) {
pr_err("Illegal format code: 0x%02x for iSCSI"
" Initiator Transport ID\n", format_code);
- return NULL;
+ return false;
}
/*
* If the caller wants the TransportID Length, we set that value for the
@@ -306,7 +336,7 @@ static char *iscsi_parse_pr_out_transport_id(
pr_err("Unable to locate \",i,0x\" separator"
" for Initiator port identifier: %s\n",
&buf[4]);
- return NULL;
+ return false;
}
*p = '\0'; /* Terminate iSCSI Name */
p += 5; /* Skip over ",i,0x" separator */
@@ -339,7 +369,8 @@ static char *iscsi_parse_pr_out_transport_id(
} else
*port_nexus_ptr = NULL;
- return &buf[4];
+ strscpy(i_str, &buf[4], TRANSPORT_IQN_LEN);
+ return true;
}
int target_get_pr_transport_id_len(struct se_node_acl *nacl,
@@ -387,33 +418,35 @@ int target_get_pr_transport_id(struct se_node_acl *nacl,
}
}
-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
- char *buf, u32 *out_tid_len, char **port_nexus_ptr)
+bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str)
{
- u32 offset;
-
switch (tpg->proto_id) {
case SCSI_PROTOCOL_SAS:
/*
* Assume the FORMAT CODE 00b from spc4r17, 7.5.4.7 TransportID
* for initiator ports using SCSI over SAS Serial SCSI Protocol.
*/
- offset = 4;
+ sas_parse_pr_out_transport_id(buf, i_str);
break;
- case SCSI_PROTOCOL_SBP:
case SCSI_PROTOCOL_SRP:
+ srp_parse_pr_out_transport_id(buf, i_str);
+ break;
case SCSI_PROTOCOL_FCP:
- offset = 8;
+ fcp_parse_pr_out_transport_id(buf, i_str);
+ break;
+ case SCSI_PROTOCOL_SBP:
+ sbp_parse_pr_out_transport_id(buf, i_str);
break;
case SCSI_PROTOCOL_ISCSI:
return iscsi_parse_pr_out_transport_id(tpg, buf, out_tid_len,
- port_nexus_ptr);
+ port_nexus_ptr, i_str);
default:
pr_err("Unknown proto_id: 0x%02x\n", tpg->proto_id);
- return NULL;
+ return false;
}
*port_nexus_ptr = NULL;
*out_tid_len = 24;
- return buf + offset;
+ return true;
}
diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
index 85e35cf582e5..84a399a997d8 100644
--- a/drivers/target/target_core_internal.h
+++ b/drivers/target/target_core_internal.h
@@ -104,8 +104,8 @@ int target_get_pr_transport_id_len(struct se_node_acl *nacl,
int target_get_pr_transport_id(struct se_node_acl *nacl,
struct t10_pr_registration *pr_reg, int *format_code,
unsigned char *buf);
-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
- char *buf, u32 *out_tid_len, char **port_nexus_ptr);
+bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str);
/* target_core_hba.c */
struct se_hba *core_alloc_hba(const char *, u32, u32);
diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index a355661e8202..e0a6133bba98 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -1477,11 +1477,12 @@ core_scsi3_decode_spec_i_port(
LIST_HEAD(tid_dest_list);
struct pr_transport_id_holder *tidh_new, *tidh, *tidh_tmp;
unsigned char *buf, *ptr, proto_ident;
- const unsigned char *i_str = NULL;
+ unsigned char i_str[TRANSPORT_IQN_LEN];
char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN];
sense_reason_t ret;
u32 tpdl, tid_len = 0;
u32 dest_rtpi = 0;
+ bool tid_found;
/*
* Allocate a struct pr_transport_id_holder and setup the
@@ -1570,9 +1571,9 @@ core_scsi3_decode_spec_i_port(
dest_rtpi = tmp_lun->lun_rtpi;
iport_ptr = NULL;
- i_str = target_parse_pr_out_transport_id(tmp_tpg,
- ptr, &tid_len, &iport_ptr);
- if (!i_str)
+ tid_found = target_parse_pr_out_transport_id(tmp_tpg,
+ ptr, &tid_len, &iport_ptr, i_str);
+ if (!tid_found)
continue;
/*
* Determine if this SCSI device server requires that
@@ -3152,13 +3153,14 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
struct t10_pr_registration *pr_reg, *pr_res_holder, *dest_pr_reg;
struct t10_reservation *pr_tmpl = &dev->t10_pr;
unsigned char *buf;
- const unsigned char *initiator_str;
+ unsigned char initiator_str[TRANSPORT_IQN_LEN];
char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN] = { };
u32 tid_len, tmp_tid_len;
int new_reg = 0, type, scope, matching_iname;
sense_reason_t ret;
unsigned short rtpi;
unsigned char proto_ident;
+ bool tid_found;
if (!se_sess || !se_lun) {
pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
@@ -3277,9 +3279,9 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
ret = TCM_INVALID_PARAMETER_LIST;
goto out;
}
- initiator_str = target_parse_pr_out_transport_id(dest_se_tpg,
- &buf[24], &tmp_tid_len, &iport_ptr);
- if (!initiator_str) {
+ tid_found = target_parse_pr_out_transport_id(dest_se_tpg,
+ &buf[24], &tmp_tid_len, &iport_ptr, initiator_str);
+ if (!tid_found) {
pr_err("SPC-3 PR REGISTER_AND_MOVE: Unable to locate"
" initiator_str from Transport ID\n");
ret = TCM_INVALID_PARAMETER_LIST;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 223/482] scsi: aacraid: Stop using PCI_IRQ_AFFINITY
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 222/482] scsi: target: core: Generate correct identifiers for PR OUT transport IDs Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 224/482] vfio/mlx5: fix possible overflow in tracking max message size Greg Kroah-Hartman
` (267 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Garry, John Meneghini,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ]
When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it
means interrupts are spread around the available CPUs. It also means that
the interrupts become managed, which means that an interrupt is shutdown
when all the CPUs in the interrupt affinity mask go offline.
Using managed interrupts in this way means that we should ensure that
completions should not occur on HW queues where the associated interrupt
is shutdown. This is typically achieved by ensuring only CPUs which are
online can generate IO completion traffic to the HW queue which they are
mapped to (so that they can also serve completion interrupts for that HW
queue).
The problem in the driver is that a CPU can generate completions to a HW
queue whose interrupt may be shutdown, as the CPUs in the HW queue
interrupt affinity mask may be offline. This can cause IOs to never
complete and hang the system. The driver maintains its own CPU <-> HW
queue mapping for submissions, see aac_fib_vector_assign(), but this does
not reflect the CPU <-> HW queue interrupt affinity mapping.
Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on
IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW
queue interrupts. However this was later reverted in commit c5becf57dd56
("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ
affinity") - it seems that there were other reports of hangs. I guess
that this was due to some implementation issue in the original commit or
maybe a HW issue.
Fix the very original hang by just not using managed interrupts by not
setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue
affinity mask, so should not create completion problems if any CPUs go
offline.
Signed-off-by: John Garry <john.g.garry@oracle.com>
Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com
Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Tested-by: John Meneghini <jmeneghi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/comminit.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
index 0f64b0244303..31b95e6c96c5 100644
--- a/drivers/scsi/aacraid/comminit.c
+++ b/drivers/scsi/aacraid/comminit.c
@@ -481,8 +481,7 @@ void aac_define_int_mode(struct aac_dev *dev)
pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) {
min_msix = 2;
i = pci_alloc_irq_vectors(dev->pdev,
- min_msix, msi_count,
- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY);
+ min_msix, msi_count, PCI_IRQ_MSIX);
if (i > 0) {
dev->msi_enabled = 1;
msi_count = i;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 224/482] vfio/mlx5: fix possible overflow in tracking max message size
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 223/482] scsi: aacraid: Stop using PCI_IRQ_AFFINITY Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 225/482] ipmi: Use dev_warn_ratelimited() for incorrect message warnings Greg Kroah-Hartman
` (266 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Williamson, Artem Sadovnikov,
Yishai Hadas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
[ Upstream commit b3060198483bac43ec113c62ae3837076f61f5de ]
MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
used as power of 2 for max_msg_size. This can lead to multiplication
overflow between max_msg_size (u32) and integer constant, and afterwards
incorrect value is being written to rq_size.
Fix this issue by extending integer constant to u64 type.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Suggested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Yishai Hadas <yishaih@nvidia.com>
Link: https://lore.kernel.org/r/20250701144017.2410-2-a.sadovnikov@ispras.ru
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/mlx5/cmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c
index 3f93b5c3f099..06794c48170c 100644
--- a/drivers/vfio/pci/mlx5/cmd.c
+++ b/drivers/vfio/pci/mlx5/cmd.c
@@ -1127,8 +1127,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev,
log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size);
max_msg_size = (1ULL << log_max_msg_size);
/* The RQ must hold at least 4 WQEs/messages for successful QP creation */
- if (rq_size < 4 * max_msg_size)
- rq_size = 4 * max_msg_size;
+ if (rq_size < 4ULL * max_msg_size)
+ rq_size = 4ULL * max_msg_size;
memset(tracker, 0, sizeof(*tracker));
tracker->uar = mlx5_get_uars_page(mdev);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 225/482] ipmi: Use dev_warn_ratelimited() for incorrect message warnings
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 224/482] vfio/mlx5: fix possible overflow in tracking max message size Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 226/482] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Greg Kroah-Hartman
` (265 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Corey Minyard,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ]
During BMC firmware upgrades on live systems, the ipmi_msghandler
generates excessive "BMC returned incorrect response" warnings
while the BMC is temporarily offline. This can flood system logs
in large deployments.
Replace dev_warn() with dev_warn_ratelimited() to throttle these
warnings and prevent log spam during BMC maintenance operations.
Signed-off-by: Breno Leitao <leitao@debian.org>
Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index e4ac38b39889..653e07171dc6 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -4618,10 +4618,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf,
* The NetFN and Command in the response is not even
* marginally correct.
*/
- dev_warn(intf->si_dev,
- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
- (msg->data[0] >> 2) | 1, msg->data[1],
- msg->rsp[0] >> 2, msg->rsp[1]);
+ dev_warn_ratelimited(intf->si_dev,
+ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
+ (msg->data[0] >> 2) | 1, msg->data[1],
+ msg->rsp[0] >> 2, msg->rsp[1]);
goto return_unspecified;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 226/482] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 225/482] ipmi: Use dev_warn_ratelimited() for incorrect message warnings Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 227/482] kconfig: gconf: fix potential memory leak in renderer_edited() Greg Kroah-Hartman
` (264 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ]
The on_treeview2_cursor_changed() handler is connected to both the left
and right tree views, but it hardcodes model2 (the GtkTreeModel of the
right tree view). This is incorrect. Get the associated model from the
view.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/gconf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
index 5d1404178e48..87f8a4db5bc6 100644
--- a/scripts/kconfig/gconf.c
+++ b/scripts/kconfig/gconf.c
@@ -977,13 +977,14 @@ on_treeview2_key_press_event(GtkWidget * widget,
void
on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data)
{
+ GtkTreeModel *model = gtk_tree_view_get_model(treeview);
GtkTreeSelection *selection;
GtkTreeIter iter;
struct menu *menu;
selection = gtk_tree_view_get_selection(treeview);
- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) {
- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
+ if (gtk_tree_selection_get_selected(selection, &model, &iter)) {
+ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1);
text_insert_help(menu);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 227/482] kconfig: gconf: fix potential memory leak in renderer_edited()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 6.1 226/482] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 228/482] kconfig: lxdialog: fix space to (de)select options Greg Kroah-Hartman
` (263 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Randy Dunlap,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ]
If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/gconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
index 87f8a4db5bc6..3c726ead8f7e 100644
--- a/scripts/kconfig/gconf.c
+++ b/scripts/kconfig/gconf.c
@@ -783,7 +783,7 @@ static void renderer_edited(GtkCellRendererText * cell,
struct symbol *sym;
if (!gtk_tree_model_get_iter(model2, &iter, path))
- return;
+ goto free;
gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
sym = menu->sym;
@@ -795,6 +795,7 @@ static void renderer_edited(GtkCellRendererText * cell,
update_tree(&rootmenu, NULL);
+free:
gtk_tree_path_free(path);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 228/482] kconfig: lxdialog: fix space to (de)select options
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 227/482] kconfig: gconf: fix potential memory leak in renderer_edited() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 229/482] ipmi: Fix strcpy source and destination the same Greg Kroah-Hartman
` (262 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yann E. MORIN, Peter Korsgaard,
Cherniaev Andrei, Masahiro Yamada, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yann E. MORIN <yann.morin.1998@free.fr>
[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ]
In case a menu has comment without letters/numbers (eg. characters
matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *),
hitting space will cycle through those comments, rather than
selecting/deselecting the currently-highlighted option.
This is the behaviour of hitting any letter/digit: jump to the next
option which prompt starts with that letter. The only letters that
do not behave as such are 'y' 'm' and 'n'. Prompts that start with
one of those three letters are instead matched on the first letter
that is not 'y', 'm' or 'n'.
Fix that by treating 'space' as we treat y/m/n, ie. as an action key,
not as shortcut to jump to prompt.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Cherniaev Andrei <dungeonlords789@naver.com>
[masahiro: took from Buildroot, adjusted the commit subject]
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c
index 58c2f8afe59b..7e10e919fbdc 100644
--- a/scripts/kconfig/lxdialog/menubox.c
+++ b/scripts/kconfig/lxdialog/menubox.c
@@ -272,7 +272,7 @@ int dialog_menu(const char *title, const char *prompt,
if (key < 256 && isalpha(key))
key = tolower(key);
- if (strchr("ynmh", key))
+ if (strchr("ynmh ", key))
i = max_choice;
else {
for (i = choice + 1; i < max_choice; i++) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 229/482] ipmi: Fix strcpy source and destination the same
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 228/482] kconfig: lxdialog: fix space to (de)select options Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 230/482] net: phy: smsc: add proper reset flags for LAN8710A Greg Kroah-Hartman
` (261 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Corey Minyard,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ]
The source and destination of some strcpy operations was the same.
Split out the part of the operations that needed to be done for those
particular calls so the unnecessary copy wasn't done.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++---------
1 file changed, 42 insertions(+), 17 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
index 5b4e677929ca..5eb614f954fd 100644
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -1190,14 +1190,8 @@ static struct ipmi_smi_watcher smi_watcher = {
.smi_gone = ipmi_smi_gone
};
-static int action_op(const char *inval, char *outval)
+static int action_op_set_val(const char *inval)
{
- if (outval)
- strcpy(outval, action);
-
- if (!inval)
- return 0;
-
if (strcmp(inval, "reset") == 0)
action_val = WDOG_TIMEOUT_RESET;
else if (strcmp(inval, "none") == 0)
@@ -1208,18 +1202,26 @@ static int action_op(const char *inval, char *outval)
action_val = WDOG_TIMEOUT_POWER_DOWN;
else
return -EINVAL;
- strcpy(action, inval);
return 0;
}
-static int preaction_op(const char *inval, char *outval)
+static int action_op(const char *inval, char *outval)
{
+ int rv;
+
if (outval)
- strcpy(outval, preaction);
+ strcpy(outval, action);
if (!inval)
return 0;
+ rv = action_op_set_val(inval);
+ if (!rv)
+ strcpy(action, inval);
+ return rv;
+}
+static int preaction_op_set_val(const char *inval)
+{
if (strcmp(inval, "pre_none") == 0)
preaction_val = WDOG_PRETIMEOUT_NONE;
else if (strcmp(inval, "pre_smi") == 0)
@@ -1232,18 +1234,26 @@ static int preaction_op(const char *inval, char *outval)
preaction_val = WDOG_PRETIMEOUT_MSG_INT;
else
return -EINVAL;
- strcpy(preaction, inval);
return 0;
}
-static int preop_op(const char *inval, char *outval)
+static int preaction_op(const char *inval, char *outval)
{
+ int rv;
+
if (outval)
- strcpy(outval, preop);
+ strcpy(outval, preaction);
if (!inval)
return 0;
+ rv = preaction_op_set_val(inval);
+ if (!rv)
+ strcpy(preaction, inval);
+ return 0;
+}
+static int preop_op_set_val(const char *inval)
+{
if (strcmp(inval, "preop_none") == 0)
preop_val = WDOG_PREOP_NONE;
else if (strcmp(inval, "preop_panic") == 0)
@@ -1252,7 +1262,22 @@ static int preop_op(const char *inval, char *outval)
preop_val = WDOG_PREOP_GIVE_DATA;
else
return -EINVAL;
- strcpy(preop, inval);
+ return 0;
+}
+
+static int preop_op(const char *inval, char *outval)
+{
+ int rv;
+
+ if (outval)
+ strcpy(outval, preop);
+
+ if (!inval)
+ return 0;
+
+ rv = preop_op_set_val(inval);
+ if (!rv)
+ strcpy(preop, inval);
return 0;
}
@@ -1289,18 +1314,18 @@ static int __init ipmi_wdog_init(void)
{
int rv;
- if (action_op(action, NULL)) {
+ if (action_op_set_val(action)) {
action_op("reset", NULL);
pr_info("Unknown action '%s', defaulting to reset\n", action);
}
- if (preaction_op(preaction, NULL)) {
+ if (preaction_op_set_val(preaction)) {
preaction_op("pre_none", NULL);
pr_info("Unknown preaction '%s', defaulting to none\n",
preaction);
}
- if (preop_op(preop, NULL)) {
+ if (preop_op_set_val(preop)) {
preop_op("preop_none", NULL);
pr_info("Unknown preop '%s', defaulting to none\n", preop);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 230/482] net: phy: smsc: add proper reset flags for LAN8710A
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 229/482] ipmi: Fix strcpy source and destination the same Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 231/482] ASoC: Intel: avs: Fix uninitialized pointer error in probe() Greg Kroah-Hartman
` (260 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Buday Csaba, Csókás Bence,
Andrew Lunn, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Buday Csaba <buday.csaba@prolan.hu>
[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ]
According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware
reset is required after power-on, and the reference clock (REF_CLK) must be
established before asserting reset.
Signed-off-by: Buday Csaba <buday.csaba@prolan.hu>
Cc: Csókás Bence <csokas.bence@prolan.hu>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/smsc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
index 5186cc97c655..cf72aae88fbd 100644
--- a/drivers/net/phy/smsc.c
+++ b/drivers/net/phy/smsc.c
@@ -424,6 +424,7 @@ static struct phy_driver smsc_phy_driver[] = {
/* PHY_BASIC_FEATURES */
+ .flags = PHY_RST_AFTER_CLK_EN,
.probe = smsc_phy_probe,
/* basic functions */
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 231/482] ASoC: Intel: avs: Fix uninitialized pointer error in probe()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 230/482] net: phy: smsc: add proper reset flags for LAN8710A Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 232/482] block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Greg Kroah-Hartman
` (259 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 11f74f48c14c1f4fe16541900ea5944c42e30ccf ]
If pcim_request_all_regions() fails, error path operates on
uninitialized 'bus' pointer. Found out by Coverity static analyzer.
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250730124906.351798-1-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/avs/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/avs/core.c b/sound/soc/intel/avs/core.c
index 5bb3eee2f783..04d0099adb8f 100644
--- a/sound/soc/intel/avs/core.c
+++ b/sound/soc/intel/avs/core.c
@@ -410,6 +410,8 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
adev = devm_kzalloc(dev, sizeof(*adev), GFP_KERNEL);
if (!adev)
return -ENOMEM;
+ bus = &adev->base.core;
+
ret = avs_bus_init(adev, pci, id);
if (ret < 0) {
dev_err(dev, "failed to init avs bus: %d\n", ret);
@@ -420,7 +422,6 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
if (ret < 0)
return ret;
- bus = &adev->base.core;
bus->addr = pci_resource_start(pci, 0);
bus->remap_addr = pci_ioremap_bar(pci, 0);
if (!bus->remap_addr) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 232/482] block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 231/482] ASoC: Intel: avs: Fix uninitialized pointer error in probe() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 233/482] pNFS: Fix stripe mapping in block/scsi layout Greg Kroah-Hartman
` (258 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Martin K. Petersen,
John Garry, Damien Le Moal, Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ]
In blk_stack_limits(), we check that the t->chunk_sectors value is a
multiple of the t->physical_block_size value.
However, by finding the chunk_sectors value in bytes, we may overflow
the unsigned int which holds chunk_sectors, so change the check to be
based on sectors.
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-settings.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-settings.c b/block/blk-settings.c
index c702f408bbc0..305b47a38429 100644
--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -628,7 +628,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
}
/* chunk_sectors a multiple of the physical block size? */
- if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) {
+ if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) {
t->chunk_sectors = 0;
t->misaligned = 1;
ret = -1;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 233/482] pNFS: Fix stripe mapping in block/scsi layout
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 232/482] block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 234/482] pNFS: Fix disk addr range check " Greg Kroah-Hartman
` (257 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Bashirov, Christoph Hellwig,
Trond Myklebust, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ]
Because of integer division, we need to carefully calculate the
disk offset. Consider the example below for a stripe of 6 volumes,
a chunk size of 4096, and an offset of 70000.
chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17
offset = chunk * dev->chunk_size = 17 * 4096 = 69632
disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605
disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2
disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/dev.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
index ce2ea6239797..fc6413953600 100644
--- a/fs/nfs/blocklayout/dev.c
+++ b/fs/nfs/blocklayout/dev.c
@@ -199,10 +199,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
struct pnfs_block_dev *child;
u64 chunk;
u32 chunk_idx;
+ u64 disk_chunk;
u64 disk_offset;
chunk = div_u64(offset, dev->chunk_size);
- div_u64_rem(chunk, dev->nr_children, &chunk_idx);
+ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx);
if (chunk_idx >= dev->nr_children) {
dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
@@ -215,7 +216,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
offset = chunk * dev->chunk_size;
/* disk offset of the stripe */
- disk_offset = div_u64(offset, dev->nr_children);
+ disk_offset = disk_chunk * dev->chunk_size;
child = &dev->children[chunk_idx];
child->map(child, disk_offset, map);
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 234/482] pNFS: Fix disk addr range check in block/scsi layout
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 233/482] pNFS: Fix stripe mapping in block/scsi layout Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 235/482] pNFS: Handle RPC size limit for layoutcommits Greg Kroah-Hartman
` (256 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Bashirov, Christoph Hellwig,
Trond Myklebust, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ]
At the end of the isect translation, disc_addr represents the physical
disk offset. Thus, end calculated from disk_addr is also a physical disk
offset. Therefore, range checking should be done using map->disk_offset,
not map->start.
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/blocklayout.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
index 6be13e0ec170..e498aade8c47 100644
--- a/fs/nfs/blocklayout/blocklayout.c
+++ b/fs/nfs/blocklayout/blocklayout.c
@@ -149,8 +149,8 @@ do_add_page_to_bio(struct bio *bio, int npg, enum req_op op, sector_t isect,
/* limit length to what the device mapping allows */
end = disk_addr + *len;
- if (end >= map->start + map->len)
- *len = map->start + map->len - disk_addr;
+ if (end >= map->disk_offset + map->len)
+ *len = map->disk_offset + map->len - disk_addr;
retry:
if (!bio) {
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 235/482] pNFS: Handle RPC size limit for layoutcommits
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 234/482] pNFS: Fix disk addr range check " Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 236/482] pNFS: Fix uninited ptr deref in block/scsi layout Greg Kroah-Hartman
` (255 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Evtushenko,
Sergey Bashirov, Christoph Hellwig, Trond Myklebust, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ]
When there are too many block extents for a layoutcommit, they may not
all fit into the maximum-sized RPC. This patch allows the generic pnfs
code to properly handle -ENOSPC returned by the block/scsi layout driver
and trigger additional layoutcommits if necessary.
Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/pnfs.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 7f48e0d870bd..86f008241c56 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -3216,6 +3216,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
struct nfs_inode *nfsi = NFS_I(inode);
loff_t end_pos;
int status;
+ bool mark_as_dirty = false;
if (!pnfs_layoutcommit_outstanding(inode))
return 0;
@@ -3267,19 +3268,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
if (ld->prepare_layoutcommit) {
status = ld->prepare_layoutcommit(&data->args);
if (status) {
- put_cred(data->cred);
+ if (status != -ENOSPC)
+ put_cred(data->cred);
spin_lock(&inode->i_lock);
set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags);
if (end_pos > nfsi->layout->plh_lwb)
nfsi->layout->plh_lwb = end_pos;
- goto out_unlock;
+ if (status != -ENOSPC)
+ goto out_unlock;
+ spin_unlock(&inode->i_lock);
+ mark_as_dirty = true;
}
}
status = nfs4_proc_layoutcommit(data, sync);
out:
- if (status)
+ if (status || mark_as_dirty)
mark_inode_dirty_sync(inode);
dprintk("<-- %s status %d\n", __func__, status);
return status;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 236/482] pNFS: Fix uninited ptr deref in block/scsi layout
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 235/482] pNFS: Handle RPC size limit for layoutcommits Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 237/482] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Greg Kroah-Hartman
` (254 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Evtushenko,
Sergey Bashirov, Christoph Hellwig, Trond Myklebust, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ]
The error occurs on the third attempt to encode extents. When function
ext_tree_prepare_commit() reallocates a larger buffer to retry encoding
extents, the "layoutupdate_pages" page array is initialized only after the
retry loop. But ext_tree_free_commitdata() is called on every iteration
and tries to put pages in the array, thus dereferencing uninitialized
pointers.
An additional problem is that there is no limit on the maximum possible
buffer_size. When there are too many extents, the client may create a
layoutcommit that is larger than the maximum possible RPC size accepted
by the server.
During testing, we observed two typical scenarios. First, one memory page
for extents is enough when we work with small files, append data to the
end of the file, or preallocate extents before writing. But when we fill
a new large file without preallocating, the number of extents can be huge,
and counting the number of written extents in ext_tree_encode_commit()
does not help much. Since this number increases even more between
unlocking and locking of ext_tree, the reallocated buffer may not be
large enough again and again.
Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c
index 8f7cff7a4293..0add0f329816 100644
--- a/fs/nfs/blocklayout/extent_tree.c
+++ b/fs/nfs/blocklayout/extent_tree.c
@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p,
return ret;
}
+/**
+ * ext_tree_prepare_commit - encode extents that need to be committed
+ * @arg: layout commit data
+ *
+ * Return values:
+ * %0: Success, all required extents are encoded
+ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit
+ * %-ENOMEM: Out of memory, extents not encoded
+ */
int
ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
{
@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
start_p = page_address(arg->layoutupdate_page);
arg->layoutupdate_pages = &arg->layoutupdate_page;
-retry:
- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten);
+ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
+ &count, &arg->lastbytewritten);
if (unlikely(ret)) {
ext_tree_free_commitdata(arg, buffer_size);
- buffer_size = ext_tree_layoutupdate_size(bl, count);
+ buffer_size = NFS_SERVER(arg->inode)->wsize;
count = 0;
arg->layoutupdate_pages =
@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
return -ENOMEM;
}
- goto retry;
+ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
+ &count, &arg->lastbytewritten);
}
*start_p = cpu_to_be32(count);
@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
}
dprintk("%s found %zu ranges\n", __func__, count);
- return 0;
+ return ret;
}
void
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 237/482] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 236/482] pNFS: Fix uninited ptr deref in block/scsi layout Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 238/482] scsi: lpfc: Remove redundant assignment to avoid memory leak Greg Kroah-Hartman
` (253 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Meagan Lloyd, Tyler Hicks,
Rodolfo Giometti, Alexandre Belloni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ]
In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
kernel time as long as rtc_read_time() succeeds. In some power loss
situations, our supercapacitor-backed DS1342 RTC comes up with either an
unpredictable future time or the default 01/01/00 from the datasheet.
The oscillator stop flag (OSF) is set in these scenarios due to the
power loss and can be used to determine the validity of the RTC data.
Some chip types in the ds1307 driver already have OSF handling to
determine whether .read_time provides valid RTC data or returns -EINVAL.
This change removes the clear of the OSF in .probe as the OSF needs to
be preserved to expand the OSF handling to the ds1341 chip type (note
that DS1341 and DS1342 share a datasheet).
Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
Reviewed-by: Tyler Hicks <code@tyhicks.com>
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-ds1307.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
index 530b9340db21..6d82fb45e9a8 100644
--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -1819,10 +1819,8 @@ static int ds1307_probe(struct i2c_client *client,
regmap_write(ds1307->regmap, DS1337_REG_CONTROL,
regs[0]);
- /* oscillator fault? clear flag, and warn */
+ /* oscillator fault? warn */
if (regs[1] & DS1337_BIT_OSF) {
- regmap_write(ds1307->regmap, DS1337_REG_STATUS,
- regs[1] & ~DS1337_BIT_OSF);
dev_warn(ds1307->dev, "SET TIME!\n");
}
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 238/482] scsi: lpfc: Remove redundant assignment to avoid memory leak
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 237/482] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 239/482] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Greg Kroah-Hartman
` (252 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Justin Tee,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit eea6cafb5890db488fce1c69d05464214616d800 ]
Remove the redundant assignment if kzalloc() succeeds to avoid memory
leak.
Fixes: bd2cdd5e400f ("scsi: lpfc: NVME Initiator: Add debugfs support")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://lore.kernel.org/r/20250801185202.42631-1-jiashengjiangcool@gmail.com
Reviewed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 250d423710ca..f149753e62ec 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -6287,7 +6287,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
}
phba->nvmeio_trc_on = 1;
phba->nvmeio_trc_output_idx = 0;
- phba->nvmeio_trc = NULL;
} else {
nvmeio_off:
phba->nvmeio_trc_size = 0;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 239/482] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 238/482] scsi: lpfc: Remove redundant assignment to avoid memory leak Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 240/482] ASoC: soc-dai.h: merge DAI call back functions into ops Greg Kroah-Hartman
` (251 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 5c5a7521e9364a40fe2c1b67ab79991e3e9085df ]
dai->probed is used at snd_soc_pcm_dai_probe/remove(),
and used to call real remove() function only when it was probed.
int snd_soc_pcm_dai_probe(...)
{
...
for_each_rtd_dais(rtd, i, dai) {
...
if (dai->driver->probe) {
(A) int ret = dai->driver->probe(dai);
if (ret < 0)
return soc_dai_ret(dai, ret);
}
=> dai->probed = 1;
}
...
}
int snd_soc_pcm_dai_remove(...)
{
...
for_each_rtd_dais(rtd, i, dai) {
...
=> if (dai->probed &&
...) {
...
}
=> dai->probed = 0;
}
...
}
But on probe() case, we need to check dai->probed before calling
real probe() function at (A), otherwise real probe() might be called
multi times (but real remove() will be called only once).
This patch checks it at probe().
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87wn3u64e6.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0e270f32975f ("ASoC: fsl_sai: replace regmap_write with regmap_update_bits")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-dai.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
index ba8a99124869..5eac6a7559c7 100644
--- a/sound/soc/soc-dai.c
+++ b/sound/soc/soc-dai.c
@@ -548,6 +548,9 @@ int snd_soc_pcm_dai_probe(struct snd_soc_pcm_runtime *rtd, int order)
if (dai->driver->probe_order != order)
continue;
+ if (dai->probed)
+ continue;
+
if (dai->driver->probe) {
int ret = dai->driver->probe(dai);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 240/482] ASoC: soc-dai.h: merge DAI call back functions into ops
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 239/482] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 241/482] ASoC: fsl: " Greg Kroah-Hartman
` (250 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 3e8bcec0787d1a73703c915c31cb00a2fd18ccbf ]
snd_soc_dai_driver has .ops for call back functions (A), but it also
has other call back functions (B). It is duplicated and confusable.
struct snd_soc_dai_driver {
...
^ int (*probe)(...);
| int (*remove)(...);
(B) int (*compress_new)(...);
| int (*pcm_new)(...);
v ...
(A) const struct snd_soc_dai_ops *ops;
...
}
This patch merges (B) into (A).
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87v8dpb0w6.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0e270f32975f ("ASoC: fsl_sai: replace regmap_write with regmap_update_bits")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/soc-dai.h | 13 ++++++++
sound/soc/generic/audio-graph-card.c | 2 +-
sound/soc/soc-core.c | 25 ++++++++++++++++
sound/soc/soc-dai.c | 44 ++++++++++++++++------------
4 files changed, 64 insertions(+), 20 deletions(-)
diff --git a/include/sound/soc-dai.h b/include/sound/soc-dai.h
index ea7509672086..9fece4e37828 100644
--- a/include/sound/soc-dai.h
+++ b/include/sound/soc-dai.h
@@ -272,6 +272,15 @@ int snd_soc_dai_compr_get_metadata(struct snd_soc_dai *dai,
struct snd_compr_metadata *metadata);
struct snd_soc_dai_ops {
+ /* DAI driver callbacks */
+ int (*probe)(struct snd_soc_dai *dai);
+ int (*remove)(struct snd_soc_dai *dai);
+ /* compress dai */
+ int (*compress_new)(struct snd_soc_pcm_runtime *rtd, int num);
+ /* Optional Callback used at pcm creation*/
+ int (*pcm_new)(struct snd_soc_pcm_runtime *rtd,
+ struct snd_soc_dai *dai);
+
/*
* DAI clocking configuration, all optional.
* Called by soc_card drivers, normally in their hw_params.
@@ -353,6 +362,10 @@ struct snd_soc_dai_ops {
u64 *auto_selectable_formats;
int num_auto_selectable_formats;
+ /* probe ordering - for components with runtime dependencies */
+ int probe_order;
+ int remove_order;
+
/* bit field */
unsigned int no_capture_mute:1;
};
diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index 5daa824a4ffc..e5481142c6c4 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -114,7 +114,7 @@ static bool soc_component_is_pcm(struct snd_soc_dai_link_component *dlc)
struct snd_soc_dai *dai = snd_soc_find_dai_with_mutex(dlc);
if (dai && (dai->component->driver->pcm_construct ||
- dai->driver->pcm_new))
+ (dai->driver->ops && dai->driver->ops->pcm_new)))
return true;
return false;
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 1ff7a0b0a236..80192b089f25 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2426,6 +2426,7 @@ struct snd_soc_dai *snd_soc_register_dai(struct snd_soc_component *component,
{
struct device *dev = component->dev;
struct snd_soc_dai *dai;
+ struct snd_soc_dai_ops *ops; /* REMOVE ME */
dev_dbg(dev, "ASoC: dynamically register DAI %s\n", dev_name(dev));
@@ -2456,6 +2457,30 @@ struct snd_soc_dai *snd_soc_register_dai(struct snd_soc_component *component,
if (!dai->name)
return NULL;
+ /* REMOVE ME */
+ if (dai_drv->probe ||
+ dai_drv->remove ||
+ dai_drv->compress_new ||
+ dai_drv->pcm_new ||
+ dai_drv->probe_order ||
+ dai_drv->remove_order) {
+
+ ops = devm_kzalloc(dev, sizeof(struct snd_soc_dai_ops), GFP_KERNEL);
+ if (!ops)
+ return NULL;
+ if (dai_drv->ops)
+ memcpy(ops, dai_drv->ops, sizeof(struct snd_soc_dai_ops));
+
+ ops->probe = dai_drv->probe;
+ ops->remove = dai_drv->remove;
+ ops->compress_new = dai_drv->compress_new;
+ ops->pcm_new = dai_drv->pcm_new;
+ ops->probe_order = dai_drv->probe_order;
+ ops->remove_order = dai_drv->remove_order;
+
+ dai_drv->ops = ops;
+ }
+
dai->component = component;
dai->dev = dev;
dai->driver = dai_drv;
diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
index 5eac6a7559c7..8e12f1059e72 100644
--- a/sound/soc/soc-dai.c
+++ b/sound/soc/soc-dai.c
@@ -460,8 +460,9 @@ int snd_soc_dai_compress_new(struct snd_soc_dai *dai,
struct snd_soc_pcm_runtime *rtd, int num)
{
int ret = -ENOTSUPP;
- if (dai->driver->compress_new)
- ret = dai->driver->compress_new(rtd, num);
+ if (dai->driver->ops &&
+ dai->driver->ops->compress_new)
+ ret = dai->driver->ops->compress_new(rtd, num);
return soc_dai_ret(dai, ret);
}
@@ -545,19 +546,20 @@ int snd_soc_pcm_dai_probe(struct snd_soc_pcm_runtime *rtd, int order)
int i;
for_each_rtd_dais(rtd, i, dai) {
- if (dai->driver->probe_order != order)
- continue;
-
if (dai->probed)
continue;
- if (dai->driver->probe) {
- int ret = dai->driver->probe(dai);
+ if (dai->driver->ops) {
+ if (dai->driver->ops->probe_order != order)
+ continue;
- if (ret < 0)
- return soc_dai_ret(dai, ret);
- }
+ if (dai->driver->ops->probe) {
+ int ret = dai->driver->ops->probe(dai);
+ if (ret < 0)
+ return soc_dai_ret(dai, ret);
+ }
+ }
dai->probed = 1;
}
@@ -570,16 +572,19 @@ int snd_soc_pcm_dai_remove(struct snd_soc_pcm_runtime *rtd, int order)
int i, r, ret = 0;
for_each_rtd_dais(rtd, i, dai) {
- if (dai->driver->remove_order != order)
+ if (!dai->probed)
continue;
- if (dai->probed &&
- dai->driver->remove) {
- r = dai->driver->remove(dai);
- if (r < 0)
- ret = r; /* use last error */
- }
+ if (dai->driver->ops) {
+ if (dai->driver->ops->remove_order != order)
+ continue;
+ if (dai->driver->ops->remove) {
+ r = dai->driver->ops->remove(dai);
+ if (r < 0)
+ ret = r; /* use last error */
+ }
+ }
dai->probed = 0;
}
@@ -592,8 +597,9 @@ int snd_soc_pcm_dai_new(struct snd_soc_pcm_runtime *rtd)
int i;
for_each_rtd_dais(rtd, i, dai) {
- if (dai->driver->pcm_new) {
- int ret = dai->driver->pcm_new(rtd, dai);
+ if (dai->driver->ops &&
+ dai->driver->ops->pcm_new) {
+ int ret = dai->driver->ops->pcm_new(rtd, dai);
if (ret < 0)
return soc_dai_ret(dai, ret);
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 241/482] ASoC: fsl: merge DAI call back functions into ops
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 240/482] ASoC: soc-dai.h: merge DAI call back functions into ops Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 242/482] ASoC: fsl_sai: replace regmap_write with regmap_update_bits Greg Kroah-Hartman
` (249 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 5e5f68ca836e740c1d788f04efa84b37ed185606 ]
ALSA SoC merges DAI call backs into .ops.
This patch merge these into one.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87jzu5b0ue.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0e270f32975f ("ASoC: fsl_sai: replace regmap_write with regmap_update_bits")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_asrc.c | 16 ++++++++--------
sound/soc/fsl/fsl_aud2htx.c | 10 +++++-----
sound/soc/fsl/fsl_easrc.c | 16 ++++++++--------
sound/soc/fsl/fsl_esai.c | 20 ++++++++++----------
sound/soc/fsl/fsl_micfil.c | 14 +++++++-------
sound/soc/fsl/fsl_sai.c | 24 ++++++++++++------------
sound/soc/fsl/fsl_spdif.c | 17 ++++++++---------
sound/soc/fsl/fsl_ssi.c | 3 +--
sound/soc/fsl/fsl_xcvr.c | 16 ++++++++--------
9 files changed, 67 insertions(+), 69 deletions(-)
diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c
index c541e2a0202a..3ec5b88bd9a2 100644
--- a/sound/soc/fsl/fsl_asrc.c
+++ b/sound/soc/fsl/fsl_asrc.c
@@ -781,13 +781,6 @@ static int fsl_asrc_dai_trigger(struct snd_pcm_substream *substream, int cmd,
return 0;
}
-static const struct snd_soc_dai_ops fsl_asrc_dai_ops = {
- .startup = fsl_asrc_dai_startup,
- .hw_params = fsl_asrc_dai_hw_params,
- .hw_free = fsl_asrc_dai_hw_free,
- .trigger = fsl_asrc_dai_trigger,
-};
-
static int fsl_asrc_dai_probe(struct snd_soc_dai *dai)
{
struct fsl_asrc *asrc = snd_soc_dai_get_drvdata(dai);
@@ -798,12 +791,19 @@ static int fsl_asrc_dai_probe(struct snd_soc_dai *dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_asrc_dai_ops = {
+ .probe = fsl_asrc_dai_probe,
+ .startup = fsl_asrc_dai_startup,
+ .hw_params = fsl_asrc_dai_hw_params,
+ .hw_free = fsl_asrc_dai_hw_free,
+ .trigger = fsl_asrc_dai_trigger,
+};
+
#define FSL_ASRC_FORMATS (SNDRV_PCM_FMTBIT_S24_LE | \
SNDRV_PCM_FMTBIT_S16_LE | \
SNDRV_PCM_FMTBIT_S24_3LE)
static struct snd_soc_dai_driver fsl_asrc_dai = {
- .probe = fsl_asrc_dai_probe,
.playback = {
.stream_name = "ASRC-Playback",
.channels_min = 1,
diff --git a/sound/soc/fsl/fsl_aud2htx.c b/sound/soc/fsl/fsl_aud2htx.c
index 1e421d9a03fb..402d9bbdbab5 100644
--- a/sound/soc/fsl/fsl_aud2htx.c
+++ b/sound/soc/fsl/fsl_aud2htx.c
@@ -49,10 +49,6 @@ static int fsl_aud2htx_trigger(struct snd_pcm_substream *substream, int cmd,
return 0;
}
-static const struct snd_soc_dai_ops fsl_aud2htx_dai_ops = {
- .trigger = fsl_aud2htx_trigger,
-};
-
static int fsl_aud2htx_dai_probe(struct snd_soc_dai *cpu_dai)
{
struct fsl_aud2htx *aud2htx = dev_get_drvdata(cpu_dai->dev);
@@ -84,8 +80,12 @@ static int fsl_aud2htx_dai_probe(struct snd_soc_dai *cpu_dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_aud2htx_dai_ops = {
+ .probe = fsl_aud2htx_dai_probe,
+ .trigger = fsl_aud2htx_trigger,
+};
+
static struct snd_soc_dai_driver fsl_aud2htx_dai = {
- .probe = fsl_aud2htx_dai_probe,
.playback = {
.stream_name = "CPU-Playback",
.channels_min = 1,
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 84e6f9eb784d..210ca7199ada 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -1531,13 +1531,6 @@ static int fsl_easrc_hw_free(struct snd_pcm_substream *substream,
return 0;
}
-static const struct snd_soc_dai_ops fsl_easrc_dai_ops = {
- .startup = fsl_easrc_startup,
- .trigger = fsl_easrc_trigger,
- .hw_params = fsl_easrc_hw_params,
- .hw_free = fsl_easrc_hw_free,
-};
-
static int fsl_easrc_dai_probe(struct snd_soc_dai *cpu_dai)
{
struct fsl_asrc *easrc = dev_get_drvdata(cpu_dai->dev);
@@ -1548,8 +1541,15 @@ static int fsl_easrc_dai_probe(struct snd_soc_dai *cpu_dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_easrc_dai_ops = {
+ .probe = fsl_easrc_dai_probe,
+ .startup = fsl_easrc_startup,
+ .trigger = fsl_easrc_trigger,
+ .hw_params = fsl_easrc_hw_params,
+ .hw_free = fsl_easrc_hw_free,
+};
+
static struct snd_soc_dai_driver fsl_easrc_dai = {
- .probe = fsl_easrc_dai_probe,
.playback = {
.stream_name = "ASRC-Playback",
.channels_min = 1,
diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c
index 17fefd27ec90..c7f4c1734825 100644
--- a/sound/soc/fsl/fsl_esai.c
+++ b/sound/soc/fsl/fsl_esai.c
@@ -785,15 +785,6 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd,
return 0;
}
-static const struct snd_soc_dai_ops fsl_esai_dai_ops = {
- .startup = fsl_esai_startup,
- .trigger = fsl_esai_trigger,
- .hw_params = fsl_esai_hw_params,
- .set_sysclk = fsl_esai_set_dai_sysclk,
- .set_fmt = fsl_esai_set_dai_fmt,
- .set_tdm_slot = fsl_esai_set_dai_tdm_slot,
-};
-
static int fsl_esai_dai_probe(struct snd_soc_dai *dai)
{
struct fsl_esai *esai_priv = snd_soc_dai_get_drvdata(dai);
@@ -804,8 +795,17 @@ static int fsl_esai_dai_probe(struct snd_soc_dai *dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_esai_dai_ops = {
+ .probe = fsl_esai_dai_probe,
+ .startup = fsl_esai_startup,
+ .trigger = fsl_esai_trigger,
+ .hw_params = fsl_esai_hw_params,
+ .set_sysclk = fsl_esai_set_dai_sysclk,
+ .set_fmt = fsl_esai_set_dai_fmt,
+ .set_tdm_slot = fsl_esai_set_dai_tdm_slot,
+};
+
static struct snd_soc_dai_driver fsl_esai_dai = {
- .probe = fsl_esai_dai_probe,
.playback = {
.stream_name = "CPU-Playback",
.channels_min = 1,
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 8ee6f41563ea..1b6f5e33ff93 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -358,12 +358,6 @@ static int fsl_micfil_hw_params(struct snd_pcm_substream *substream,
return 0;
}
-static const struct snd_soc_dai_ops fsl_micfil_dai_ops = {
- .startup = fsl_micfil_startup,
- .trigger = fsl_micfil_trigger,
- .hw_params = fsl_micfil_hw_params,
-};
-
static int fsl_micfil_dai_probe(struct snd_soc_dai *cpu_dai)
{
struct fsl_micfil *micfil = dev_get_drvdata(cpu_dai->dev);
@@ -400,8 +394,14 @@ static int fsl_micfil_dai_probe(struct snd_soc_dai *cpu_dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_micfil_dai_ops = {
+ .probe = fsl_micfil_dai_probe,
+ .startup = fsl_micfil_startup,
+ .trigger = fsl_micfil_trigger,
+ .hw_params = fsl_micfil_hw_params,
+};
+
static struct snd_soc_dai_driver fsl_micfil_dai = {
- .probe = fsl_micfil_dai_probe,
.capture = {
.stream_name = "CPU-Capture",
.channels_min = 1,
diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
index 27ad825c78f2..33d01a5e9b31 100644
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -883,17 +883,6 @@ static int fsl_sai_startup(struct snd_pcm_substream *substream,
return ret;
}
-static const struct snd_soc_dai_ops fsl_sai_pcm_dai_ops = {
- .set_bclk_ratio = fsl_sai_set_dai_bclk_ratio,
- .set_sysclk = fsl_sai_set_dai_sysclk,
- .set_fmt = fsl_sai_set_dai_fmt,
- .set_tdm_slot = fsl_sai_set_dai_tdm_slot,
- .hw_params = fsl_sai_hw_params,
- .hw_free = fsl_sai_hw_free,
- .trigger = fsl_sai_trigger,
- .startup = fsl_sai_startup,
-};
-
static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai)
{
struct fsl_sai *sai = dev_get_drvdata(cpu_dai->dev);
@@ -919,6 +908,18 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_sai_pcm_dai_ops = {
+ .probe = fsl_sai_dai_probe,
+ .set_bclk_ratio = fsl_sai_set_dai_bclk_ratio,
+ .set_sysclk = fsl_sai_set_dai_sysclk,
+ .set_fmt = fsl_sai_set_dai_fmt,
+ .set_tdm_slot = fsl_sai_set_dai_tdm_slot,
+ .hw_params = fsl_sai_hw_params,
+ .hw_free = fsl_sai_hw_free,
+ .trigger = fsl_sai_trigger,
+ .startup = fsl_sai_startup,
+};
+
static int fsl_sai_dai_resume(struct snd_soc_component *component)
{
struct fsl_sai *sai = snd_soc_component_get_drvdata(component);
@@ -937,7 +938,6 @@ static int fsl_sai_dai_resume(struct snd_soc_component *component)
}
static struct snd_soc_dai_driver fsl_sai_dai_template = {
- .probe = fsl_sai_dai_probe,
.playback = {
.stream_name = "CPU-Playback",
.channels_min = 1,
diff --git a/sound/soc/fsl/fsl_spdif.c b/sound/soc/fsl/fsl_spdif.c
index fb6806b2db85..d89963b8171d 100644
--- a/sound/soc/fsl/fsl_spdif.c
+++ b/sound/soc/fsl/fsl_spdif.c
@@ -761,14 +761,6 @@ static int fsl_spdif_trigger(struct snd_pcm_substream *substream,
return 0;
}
-static const struct snd_soc_dai_ops fsl_spdif_dai_ops = {
- .startup = fsl_spdif_startup,
- .hw_params = fsl_spdif_hw_params,
- .trigger = fsl_spdif_trigger,
- .shutdown = fsl_spdif_shutdown,
-};
-
-
/*
* FSL SPDIF IEC958 controller(mixer) functions
*
@@ -1279,8 +1271,15 @@ static int fsl_spdif_dai_probe(struct snd_soc_dai *dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_spdif_dai_ops = {
+ .probe = fsl_spdif_dai_probe,
+ .startup = fsl_spdif_startup,
+ .hw_params = fsl_spdif_hw_params,
+ .trigger = fsl_spdif_trigger,
+ .shutdown = fsl_spdif_shutdown,
+};
+
static struct snd_soc_dai_driver fsl_spdif_dai = {
- .probe = &fsl_spdif_dai_probe,
.playback = {
.stream_name = "CPU-Playback",
.channels_min = 2,
diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c
index 6af00b62a60f..17887359dca1 100644
--- a/sound/soc/fsl/fsl_ssi.c
+++ b/sound/soc/fsl/fsl_ssi.c
@@ -1152,6 +1152,7 @@ static int fsl_ssi_dai_probe(struct snd_soc_dai *dai)
}
static const struct snd_soc_dai_ops fsl_ssi_dai_ops = {
+ .probe = fsl_ssi_dai_probe,
.startup = fsl_ssi_startup,
.shutdown = fsl_ssi_shutdown,
.hw_params = fsl_ssi_hw_params,
@@ -1162,7 +1163,6 @@ static const struct snd_soc_dai_ops fsl_ssi_dai_ops = {
};
static struct snd_soc_dai_driver fsl_ssi_dai_template = {
- .probe = fsl_ssi_dai_probe,
.playback = {
.stream_name = "CPU-Playback",
.channels_min = 1,
@@ -1187,7 +1187,6 @@ static const struct snd_soc_component_driver fsl_ssi_component = {
static struct snd_soc_dai_driver fsl_ssi_ac97_dai = {
.symmetric_channels = 1,
- .probe = fsl_ssi_dai_probe,
.playback = {
.stream_name = "CPU AC97 Playback",
.channels_min = 2,
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index c043efe4548d..4c5864e8267d 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -864,13 +864,6 @@ static struct snd_kcontrol_new fsl_xcvr_tx_ctls[] = {
},
};
-static const struct snd_soc_dai_ops fsl_xcvr_dai_ops = {
- .prepare = fsl_xcvr_prepare,
- .startup = fsl_xcvr_startup,
- .shutdown = fsl_xcvr_shutdown,
- .trigger = fsl_xcvr_trigger,
-};
-
static int fsl_xcvr_dai_probe(struct snd_soc_dai *dai)
{
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
@@ -887,8 +880,15 @@ static int fsl_xcvr_dai_probe(struct snd_soc_dai *dai)
return 0;
}
+static const struct snd_soc_dai_ops fsl_xcvr_dai_ops = {
+ .probe = fsl_xcvr_dai_probe,
+ .prepare = fsl_xcvr_prepare,
+ .startup = fsl_xcvr_startup,
+ .shutdown = fsl_xcvr_shutdown,
+ .trigger = fsl_xcvr_trigger,
+};
+
static struct snd_soc_dai_driver fsl_xcvr_dai = {
- .probe = fsl_xcvr_dai_probe,
.ops = &fsl_xcvr_dai_ops,
.playback = {
.stream_name = "CPU-Playback",
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 242/482] ASoC: fsl_sai: replace regmap_write with regmap_update_bits
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 241/482] ASoC: fsl: " Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 243/482] drm/amdgpu: fix incorrect vm flags to map bo Greg Kroah-Hartman
` (248 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 0e270f32975fd21874185ba53653630dd40bf560 ]
Use the regmap_write() for software reset in fsl_sai_config_disable would
cause the FSL_SAI_CSR_BCE bit to be cleared. Refer to
commit 197c53c8ecb34 ("ASoC: fsl_sai: Don't disable bitclock for i.MX8MP")
FSL_SAI_CSR_BCE should not be cleared. So need to use regmap_update_bits()
instead of regmap_write() for these bit operations.
Fixes: dc78f7e59169d ("ASoC: fsl_sai: Force a software reset when starting in consumer mode")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20250807020318.2143219-1-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_sai.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
index 33d01a5e9b31..e622c8375a46 100644
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -768,9 +768,9 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir)
* are running concurrently.
*/
/* Software Reset */
- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
/* Clear SR bit to finish the reset */
- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR, 0);
}
static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,
@@ -889,11 +889,11 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai)
unsigned int ofs = sai->soc_data->reg_offset;
/* Software Reset for both Tx and Rx */
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
/* Clear SR bit to finish the reset */
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), 0);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, 0);
regmap_update_bits(sai->regmap, FSL_SAI_TCR1(ofs),
FSL_SAI_CR1_RFW_MASK(sai->soc_data->fifo_depth),
@@ -1694,11 +1694,11 @@ static int fsl_sai_runtime_resume(struct device *dev)
regcache_cache_only(sai->regmap, false);
regcache_mark_dirty(sai->regmap);
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
usleep_range(1000, 2000);
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), 0);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, 0);
ret = regcache_sync(sai->regmap);
if (ret)
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 243/482] drm/amdgpu: fix incorrect vm flags to map bo
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 242/482] ASoC: fsl_sai: replace regmap_write with regmap_update_bits Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 244/482] ext4: fix zombie groups in average fragment size lists Greg Kroah-Hartman
` (247 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jack Xiao, Likun Gao, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Xiao <Jack.Xiao@amd.com>
[ Upstream commit 040bc6d0e0e9c814c9c663f6f1544ebaff6824a8 ]
It should use vm flags instead of pte flags
to specify bo vm attributes.
Fixes: 7946340fa389 ("drm/amdgpu: Move csa related code to separate file")
Signed-off-by: Jack Xiao <Jack.Xiao@amd.com>
Reviewed-by: Likun Gao <Likun.Gao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b08425fa77ad2f305fe57a33dceb456be03b653f)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
index c6d4d41c4393..35e635c833f0 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
@@ -93,8 +93,8 @@ int amdgpu_map_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm,
}
r = amdgpu_vm_bo_map(adev, *bo_va, csa_addr, 0, size,
- AMDGPU_PTE_READABLE | AMDGPU_PTE_WRITEABLE |
- AMDGPU_PTE_EXECUTABLE);
+ AMDGPU_VM_PAGE_READABLE | AMDGPU_VM_PAGE_WRITEABLE |
+ AMDGPU_VM_PAGE_EXECUTABLE);
if (r) {
DRM_ERROR("failed to do bo_map on static CSA, err=%d\n", r);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 244/482] ext4: fix zombie groups in average fragment size lists
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 243/482] drm/amdgpu: fix incorrect vm flags to map bo Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 245/482] ext4: fix largest free orders lists corruption on mb_optimize_scan switch Greg Kroah-Hartman
` (246 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Zhang Yi,
Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 1c320d8e92925bb7615f83a7b6e3f402a5c2ca63 upstream.
Groups with no free blocks shouldn't be in any average fragment size list.
However, when all blocks in a group are allocated(i.e., bb_fragments or
bb_free is 0), we currently skip updating the average fragment size, which
means the group isn't removed from its previous s_mb_avg_fragment_size[old]
list.
This created "zombie" groups that were always skipped during traversal as
they couldn't satisfy any block allocation requests, negatively impacting
traversal efficiency.
Therefore, when a group becomes completely full, bb_avg_fragment_size_order
is now set to -1. If the old order was not -1, a removal operation is
performed; if the new order is not -1, an insertion is performed.
Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning")
CC: stable@vger.kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250714130327.1830534-11-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -829,30 +829,30 @@ static void
mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- int new_order;
+ int new, old;
- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0)
+ if (!test_opt2(sb, MB_OPTIMIZE_SCAN))
return;
- new_order = mb_avg_fragment_size_order(sb,
- grp->bb_free / grp->bb_fragments);
- if (new_order == grp->bb_avg_fragment_size_order)
+ old = grp->bb_avg_fragment_size_order;
+ new = grp->bb_fragments == 0 ? -1 :
+ mb_avg_fragment_size_order(sb, grp->bb_free / grp->bb_fragments);
+ if (new == old)
return;
- if (grp->bb_avg_fragment_size_order != -1) {
- write_lock(&sbi->s_mb_avg_fragment_size_locks[
- grp->bb_avg_fragment_size_order]);
+ if (old >= 0) {
+ write_lock(&sbi->s_mb_avg_fragment_size_locks[old]);
list_del(&grp->bb_avg_fragment_size_node);
- write_unlock(&sbi->s_mb_avg_fragment_size_locks[
- grp->bb_avg_fragment_size_order]);
+ write_unlock(&sbi->s_mb_avg_fragment_size_locks[old]);
+ }
+
+ grp->bb_avg_fragment_size_order = new;
+ if (new >= 0) {
+ write_lock(&sbi->s_mb_avg_fragment_size_locks[new]);
+ list_add_tail(&grp->bb_avg_fragment_size_node,
+ &sbi->s_mb_avg_fragment_size[new]);
+ write_unlock(&sbi->s_mb_avg_fragment_size_locks[new]);
}
- grp->bb_avg_fragment_size_order = new_order;
- write_lock(&sbi->s_mb_avg_fragment_size_locks[
- grp->bb_avg_fragment_size_order]);
- list_add_tail(&grp->bb_avg_fragment_size_node,
- &sbi->s_mb_avg_fragment_size[grp->bb_avg_fragment_size_order]);
- write_unlock(&sbi->s_mb_avg_fragment_size_locks[
- grp->bb_avg_fragment_size_order]);
}
/*
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 245/482] ext4: fix largest free orders lists corruption on mb_optimize_scan switch
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 244/482] ext4: fix zombie groups in average fragment size lists Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 246/482] usb: core: config: Prevent OOB read in SS endpoint companion parsing Greg Kroah-Hartman
` (245 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Baokun Li, Zhang Yi,
Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 7d345aa1fac4c2ec9584fbd6f389f2c2368671d5 upstream.
The grp->bb_largest_free_order is updated regardless of whether
mb_optimize_scan is enabled. This can lead to inconsistencies between
grp->bb_largest_free_order and the actual s_mb_largest_free_orders list
index when mb_optimize_scan is repeatedly enabled and disabled via remount.
For example, if mb_optimize_scan is initially enabled, largest free
order is 3, and the group is in s_mb_largest_free_orders[3]. Then,
mb_optimize_scan is disabled via remount, block allocations occur,
updating largest free order to 2. Finally, mb_optimize_scan is re-enabled
via remount, more block allocations update largest free order to 1.
At this point, the group would be removed from s_mb_largest_free_orders[3]
under the protection of s_mb_largest_free_orders_locks[2]. This lock
mismatch can lead to list corruption.
To fix this, whenever grp->bb_largest_free_order changes, we now always
attempt to remove the group from its old order list. However, we only
insert the group into the new order list if `mb_optimize_scan` is enabled.
This approach helps prevent lock inconsistencies and ensures the data in
the order lists remains reliable.
Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning")
CC: stable@vger.kernel.org
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250714130327.1830534-12-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 33 ++++++++++++++-------------------
1 file changed, 14 insertions(+), 19 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1032,33 +1032,28 @@ static void
mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- int i;
+ int new, old = grp->bb_largest_free_order;
- for (i = MB_NUM_ORDERS(sb) - 1; i >= 0; i--)
- if (grp->bb_counters[i] > 0)
+ for (new = MB_NUM_ORDERS(sb) - 1; new >= 0; new--)
+ if (grp->bb_counters[new] > 0)
break;
+
/* No need to move between order lists? */
- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) ||
- i == grp->bb_largest_free_order) {
- grp->bb_largest_free_order = i;
+ if (new == old)
return;
- }
- if (grp->bb_largest_free_order >= 0) {
- write_lock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+ if (old >= 0 && !list_empty(&grp->bb_largest_free_order_node)) {
+ write_lock(&sbi->s_mb_largest_free_orders_locks[old]);
list_del_init(&grp->bb_largest_free_order_node);
- write_unlock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+ write_unlock(&sbi->s_mb_largest_free_orders_locks[old]);
}
- grp->bb_largest_free_order = i;
- if (grp->bb_largest_free_order >= 0 && grp->bb_free) {
- write_lock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+
+ grp->bb_largest_free_order = new;
+ if (test_opt2(sb, MB_OPTIMIZE_SCAN) && new >= 0 && grp->bb_free) {
+ write_lock(&sbi->s_mb_largest_free_orders_locks[new]);
list_add_tail(&grp->bb_largest_free_order_node,
- &sbi->s_mb_largest_free_orders[grp->bb_largest_free_order]);
- write_unlock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+ &sbi->s_mb_largest_free_orders[new]);
+ write_unlock(&sbi->s_mb_largest_free_orders_locks[new]);
}
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 246/482] usb: core: config: Prevent OOB read in SS endpoint companion parsing
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 245/482] ext4: fix largest free orders lists corruption on mb_optimize_scan switch Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 247/482] misc: rtsx: usb: Ensure mmc child device is active when card is present Greg Kroah-Hartman
` (244 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xinyu Liu, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinyu Liu <katieeliu@tencent.com>
commit cf16f408364efd8a68f39011a3b073c83a03612d upstream.
usb_parse_ss_endpoint_companion() checks descriptor type before length,
enabling a potentially odd read outside of the buffer size.
Fix this up by checking the size first before looking at any of the
fields in the descriptor.
Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -81,8 +81,14 @@ static void usb_parse_ss_endpoint_compan
*/
desc = (struct usb_ss_ep_comp_descriptor *) buffer;
- if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP ||
- size < USB_DT_SS_EP_COMP_SIZE) {
+ if (size < USB_DT_SS_EP_COMP_SIZE) {
+ dev_notice(ddev,
+ "invalid SuperSpeed endpoint companion descriptor "
+ "of length %d, skipping\n", size);
+ return;
+ }
+
+ if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP) {
dev_notice(ddev, "No SuperSpeed endpoint companion for config %d "
" interface %d altsetting %d ep %d: "
"using minimum values\n",
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 247/482] misc: rtsx: usb: Ensure mmc child device is active when card is present
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 246/482] usb: core: config: Prevent OOB read in SS endpoint companion parsing Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 248/482] usb: typec: ucsi: Update power_supply on power role change Greg Kroah-Hartman
` (243 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ricky Wu, Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricky Wu <ricky_wu@realtek.com>
commit 966c5cd72be8989c8a559ddef8e8ff07a37c5eb0 upstream.
When a card is present in the reader, the driver currently defers
autosuspend by returning -EAGAIN during the suspend callback to
trigger USB remote wakeup signaling. However, this does not guarantee
that the mmc child device has been resumed, which may cause issues if
it remains suspended while the card is accessible.
This patch ensures that all child devices, including the mmc host
controller, are explicitly resumed before returning -EAGAIN. This
fixes a corner case introduced by earlier remote wakeup handling,
improving reliability of runtime PM when a card is inserted.
Fixes: 883a87ddf2f1 ("misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection")
Cc: stable@vger.kernel.org
Signed-off-by: Ricky Wu <ricky_wu@realtek.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20250711140143.2105224-1-ricky_wu@realtek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/cardreader/rtsx_usb.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/drivers/misc/cardreader/rtsx_usb.c
+++ b/drivers/misc/cardreader/rtsx_usb.c
@@ -698,6 +698,12 @@ static void rtsx_usb_disconnect(struct u
}
#ifdef CONFIG_PM
+static int rtsx_usb_resume_child(struct device *dev, void *data)
+{
+ pm_request_resume(dev);
+ return 0;
+}
+
static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message)
{
struct rtsx_ucr *ucr =
@@ -713,8 +719,10 @@ static int rtsx_usb_suspend(struct usb_i
mutex_unlock(&ucr->dev_mutex);
/* Defer the autosuspend if card exists */
- if (val & (SD_CD | MS_CD))
+ if (val & (SD_CD | MS_CD)) {
+ device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child);
return -EAGAIN;
+ }
} else {
/* There is an ongoing operation*/
return -EAGAIN;
@@ -724,12 +732,6 @@ static int rtsx_usb_suspend(struct usb_i
return 0;
}
-static int rtsx_usb_resume_child(struct device *dev, void *data)
-{
- pm_request_resume(dev);
- return 0;
-}
-
static int rtsx_usb_resume(struct usb_interface *intf)
{
device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 248/482] usb: typec: ucsi: Update power_supply on power role change
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 247/482] misc: rtsx: usb: Ensure mmc child device is active when card is present Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 249/482] comedi: fix race between polling and detaching Greg Kroah-Hartman
` (242 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
Heikki Krogerus
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit 7616f006db07017ef5d4ae410fca99279aaca7aa upstream.
The current power direction of an USB-C port also influences the
power_supply's online status, so a power role change should also update
the power_supply.
Fixes an issue on some systems where plugging in a normal USB device in
for the first time after a reboot will cause upower to erroneously
consider the system to be connected to AC power.
Cc: stable <stable@kernel.org>
Fixes: 0e6371fbfba3 ("usb: typec: ucsi: Report power supply changes")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250721-fix-ucsi-pwr-dir-notify-v1-1-e53d5340cb38@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -806,6 +806,7 @@ static void ucsi_handle_connector_change
if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
typec_set_pwr_role(con->port, role);
+ ucsi_port_psy_changed(con);
/* Complete pending power role swap */
if (!completion_done(&con->complete))
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 249/482] comedi: fix race between polling and detaching
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 248/482] usb: typec: ucsi: Update power_supply on power role change Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 250/482] thunderbolt: Fix copy+paste error in match_service_id() Greg Kroah-Hartman
` (241 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+01523a0ae5600aef5895,
Jens Axboe, Ian Abbott
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2 upstream.
syzbot reports a use-after-free in comedi in the below link, which is
due to comedi gladly removing the allocated async area even though poll
requests are still active on the wait_queue_head inside of it. This can
cause a use-after-free when the poll entries are later triggered or
removed, as the memory for the wait_queue_head has been freed. We need
to check there are no tasks queued on any of the subdevices' wait queues
before allowing the device to be detached by the `COMEDI_DEVCONFIG`
ioctl.
Tasks will read-lock `dev->attach_lock` before adding themselves to the
subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl
handler by write-locking `dev->attach_lock` before checking that all of
the subdevices are safe to be deleted. This includes testing for any
sleepers on the subdevices' wait queues. It remains locked until the
device has been detached. This requires the `comedi_device_detach()`
function to be refactored slightly, moving the bulk of it into new
function `comedi_device_detach_locked()`.
Note that the refactor of `comedi_device_detach()` results in
`comedi_device_cancel_all()` now being called while `dev->attach_lock`
is write-locked, which wasn't the case previously, but that does not
matter.
Thanks to Jens Axboe for diagnosing the problem and co-developing this
patch.
Cc: stable <stable@kernel.org>
Fixes: 2f3fdcd7ce93 ("staging: comedi: add rw_semaphore to protect against device detachment")
Link: https://lore.kernel.org/all/687bd5fe.a70a0220.693ce.0091.GAE@google.com/
Reported-by: syzbot+01523a0ae5600aef5895@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895
Co-developed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Tested-by: Jens Axboe <axboe@kernel.dk>
Link: https://lore.kernel.org/r/20250722155316.27432-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 33 +++++++++++++++++++++++++--------
drivers/comedi/comedi_internal.h | 1 +
drivers/comedi/drivers.c | 13 ++++++++++---
3 files changed, 36 insertions(+), 11 deletions(-)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -783,6 +783,7 @@ static int is_device_busy(struct comedi_
struct comedi_subdevice *s;
int i;
+ lockdep_assert_held_write(&dev->attach_lock);
lockdep_assert_held(&dev->mutex);
if (!dev->attached)
return 0;
@@ -791,7 +792,16 @@ static int is_device_busy(struct comedi_
s = &dev->subdevices[i];
if (s->busy)
return 1;
- if (s->async && comedi_buf_is_mmapped(s))
+ if (!s->async)
+ continue;
+ if (comedi_buf_is_mmapped(s))
+ return 1;
+ /*
+ * There may be tasks still waiting on the subdevice's wait
+ * queue, although they should already be about to be removed
+ * from it since the subdevice has no active async command.
+ */
+ if (wq_has_sleeper(&s->async->wait_head))
return 1;
}
@@ -821,15 +831,22 @@ static int do_devconfig_ioctl(struct com
return -EPERM;
if (!arg) {
- if (is_device_busy(dev))
- return -EBUSY;
- if (dev->attached) {
- struct module *driver_module = dev->driver->module;
+ int rc = 0;
- comedi_device_detach(dev);
- module_put(driver_module);
+ if (dev->attached) {
+ down_write(&dev->attach_lock);
+ if (is_device_busy(dev)) {
+ rc = -EBUSY;
+ } else {
+ struct module *driver_module =
+ dev->driver->module;
+
+ comedi_device_detach_locked(dev);
+ module_put(driver_module);
+ }
+ up_write(&dev->attach_lock);
}
- return 0;
+ return rc;
}
if (copy_from_user(&it, arg, sizeof(it)))
--- a/drivers/comedi/comedi_internal.h
+++ b/drivers/comedi/comedi_internal.h
@@ -50,6 +50,7 @@ extern struct mutex comedi_drivers_list_
int insn_inval(struct comedi_device *dev, struct comedi_subdevice *s,
struct comedi_insn *insn, unsigned int *data);
+void comedi_device_detach_locked(struct comedi_device *dev);
void comedi_device_detach(struct comedi_device *dev);
int comedi_device_attach(struct comedi_device *dev,
struct comedi_devconfig *it);
--- a/drivers/comedi/drivers.c
+++ b/drivers/comedi/drivers.c
@@ -158,7 +158,7 @@ static void comedi_device_detach_cleanup
int i;
struct comedi_subdevice *s;
- lockdep_assert_held(&dev->attach_lock);
+ lockdep_assert_held_write(&dev->attach_lock);
lockdep_assert_held(&dev->mutex);
if (dev->subdevices) {
for (i = 0; i < dev->n_subdevices; i++) {
@@ -195,16 +195,23 @@ static void comedi_device_detach_cleanup
comedi_clear_hw_dev(dev);
}
-void comedi_device_detach(struct comedi_device *dev)
+void comedi_device_detach_locked(struct comedi_device *dev)
{
+ lockdep_assert_held_write(&dev->attach_lock);
lockdep_assert_held(&dev->mutex);
comedi_device_cancel_all(dev);
- down_write(&dev->attach_lock);
dev->attached = false;
dev->detach_count++;
if (dev->driver)
dev->driver->detach(dev);
comedi_device_detach_cleanup(dev);
+}
+
+void comedi_device_detach(struct comedi_device *dev)
+{
+ lockdep_assert_held(&dev->mutex);
+ down_write(&dev->attach_lock);
+ comedi_device_detach_locked(dev);
up_write(&dev->attach_lock);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 250/482] thunderbolt: Fix copy+paste error in match_service_id()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 249/482] comedi: fix race between polling and detaching Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 251/482] cdc-acm: fix race between initial clearing halt and open Greg Kroah-Hartman
` (240 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Eric Biggers
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 5cc1f66cb23cccc704e3def27ad31ed479e934a5 upstream.
The second instance of TBSVC_MATCH_PROTOCOL_VERSION seems to have been
intended to be TBSVC_MATCH_PROTOCOL_REVISION.
Fixes: d1ff70241a27 ("thunderbolt: Add support for XDomain discovery protocol")
Cc: stable <stable@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://lore.kernel.org/r/20250721050136.30004-1-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/thunderbolt/domain.c
+++ b/drivers/thunderbolt/domain.c
@@ -36,7 +36,7 @@ static bool match_service_id(const struc
return false;
}
- if (id->match_flags & TBSVC_MATCH_PROTOCOL_VERSION) {
+ if (id->match_flags & TBSVC_MATCH_PROTOCOL_REVISION) {
if (id->protocol_revision != svc->prtcrevs)
return false;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 251/482] cdc-acm: fix race between initial clearing halt and open
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 250/482] thunderbolt: Fix copy+paste error in match_service_id() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 252/482] btrfs: zoned: use filesystem size not disk size for reclaim decision Greg Kroah-Hartman
` (239 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 64690a90cd7c6db16d3af8616be1f4bf8d492850 upstream.
On the devices that need their endpoints to get an
initial clear_halt, this needs to be done before
the devices can be opened. That means it needs to be
before the devices are registered.
Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1496,6 +1496,12 @@ skip_countries:
goto err_remove_files;
}
+ if (quirks & CLEAR_HALT_CONDITIONS) {
+ /* errors intentionally ignored */
+ usb_clear_halt(usb_dev, acm->in);
+ usb_clear_halt(usb_dev, acm->out);
+ }
+
tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
&control_interface->dev);
if (IS_ERR(tty_dev)) {
@@ -1503,11 +1509,6 @@ skip_countries:
goto err_release_data_interface;
}
- if (quirks & CLEAR_HALT_CONDITIONS) {
- usb_clear_halt(usb_dev, acm->in);
- usb_clear_halt(usb_dev, acm->out);
- }
-
dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
return 0;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 252/482] btrfs: zoned: use filesystem size not disk size for reclaim decision
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 251/482] cdc-acm: fix race between initial clearing halt and open Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 253/482] btrfs: abort transaction during log replay if walk_log_tree() failed Greg Kroah-Hartman
` (238 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Johannes Thumshirn,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
commit 55f7c65b2f69c7e4cb7aa7c1654a228ccf734fd8 upstream.
When deciding if a zoned filesystem is reaching the threshold to reclaim
data block groups, look at the size of the filesystem not to potentially
total available size of all drives in the filesystem.
Especially if a filesystem was created with mkfs' -b option, constraining
it to only a portion of the block device, the numbers won't match and
potentially garbage collection is kicking in too late.
Fixes: 3687fcb0752a ("btrfs: zoned: make auto-reclaim less aggressive")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Tested-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/zoned.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -2229,8 +2229,8 @@ bool btrfs_zoned_should_reclaim(struct b
{
struct btrfs_fs_devices *fs_devices = fs_info->fs_devices;
struct btrfs_device *device;
+ u64 total = btrfs_super_total_bytes(fs_info->super_copy);
u64 used = 0;
- u64 total = 0;
u64 factor;
ASSERT(btrfs_is_zoned(fs_info));
@@ -2243,7 +2243,6 @@ bool btrfs_zoned_should_reclaim(struct b
if (!device->bdev)
continue;
- total += device->disk_total_bytes;
used += device->bytes_used;
}
mutex_unlock(&fs_devices->device_list_mutex);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 253/482] btrfs: abort transaction during log replay if walk_log_tree() failed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 252/482] btrfs: zoned: use filesystem size not disk size for reclaim decision Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 254/482] btrfs: zoned: do not remove unwritten non-data block group Greg Kroah-Hartman
` (237 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 2a5898c4aac67494c2f0f7fe38373c95c371c930 upstream.
If we failed walking a log tree during replay, we have a missing
transaction abort to prevent committing a transaction where we didn't
fully replay all the changes from a log tree and therefore can leave the
respective subvolume tree in some inconsistent state. So add the missing
transaction abort.
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -7252,11 +7252,14 @@ again:
wc.replay_dest->log_root = log;
ret = btrfs_record_root_in_trans(trans, wc.replay_dest);
- if (ret)
+ if (ret) {
/* The loop needs to continue due to the root refs */
btrfs_abort_transaction(trans, ret);
- else
+ } else {
ret = walk_log_tree(trans, log, &wc);
+ if (ret)
+ btrfs_abort_transaction(trans, ret);
+ }
if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
ret = fixup_inode_link_counts(trans, wc.replay_dest,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 254/482] btrfs: zoned: do not remove unwritten non-data block group
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 253/482] btrfs: abort transaction during log replay if walk_log_tree() failed Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 255/482] btrfs: fix log tree replay failure due to file with 0 links and extents Greg Kroah-Hartman
` (236 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Naohiro Aota,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naohiro Aota <naohiro.aota@wdc.com>
commit 3061801420469610c8fa6080a950e56770773ef1 upstream.
There are some reports of "unable to find chunk map for logical 2147483648
length 16384" error message appears in dmesg. This means some IOs are
occurring after a block group is removed.
When a metadata tree node is cleaned on a zoned setup, we keep that node
still dirty and write it out not to create a write hole. However, this can
make a block group's used bytes == 0 while there is a dirty region left.
Such an unused block group is moved into the unused_bg list and processed
for removal. When the removal succeeds, the block group is removed from the
transaction->dirty_bgs list, so the unused dirty nodes in the block group
are not sent at the transaction commit time. It will be written at some
later time e.g, sync or umount, and causes "unable to find chunk map"
errors.
This can happen relatively easy on SMR whose zone size is 256MB. However,
calling do_zone_finish() on such block group returns -EAGAIN and keep that
block group intact, which is why the issue is hidden until now.
Fixes: afba2bc036b0 ("btrfs: zoned: implement active zone tracking")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/block-group.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
--- a/fs/btrfs/block-group.c
+++ b/fs/btrfs/block-group.c
@@ -46,6 +46,19 @@ static u64 get_restripe_target(struct bt
return target;
}
+static inline bool has_unwritten_metadata(struct btrfs_block_group *block_group)
+{
+ /* The meta_write_pointer is available only on the zoned setup. */
+ if (!btrfs_is_zoned(block_group->fs_info))
+ return false;
+
+ if (block_group->flags & BTRFS_BLOCK_GROUP_DATA)
+ return false;
+
+ return block_group->start + block_group->alloc_offset >
+ block_group->meta_write_pointer;
+}
+
/*
* @flags: available profiles in extended format (see ctree.h)
*
@@ -1091,6 +1104,15 @@ int btrfs_remove_block_group(struct btrf
goto out;
spin_lock(&block_group->lock);
+ /*
+ * Hitting this WARN means we removed a block group with an unwritten
+ * region. It will cause "unable to find chunk map for logical" errors.
+ */
+ if (WARN_ON(has_unwritten_metadata(block_group)))
+ btrfs_warn(fs_info,
+ "block group %llu is removed before metadata write out",
+ block_group->start);
+
set_bit(BLOCK_GROUP_FLAG_REMOVED, &block_group->runtime_flags);
/*
@@ -1414,8 +1436,9 @@ void btrfs_delete_unused_bgs(struct btrf
* needing to allocate extents from the block group.
*/
used = btrfs_space_info_used(space_info, true);
- if (space_info->total_bytes - block_group->length < used &&
- block_group->zone_unusable < block_group->length) {
+ if ((space_info->total_bytes - block_group->length < used &&
+ block_group->zone_unusable < block_group->length) ||
+ has_unwritten_metadata(block_group)) {
/*
* Add a reference for the list, compensate for the ref
* drop under the "next" label for the
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 255/482] btrfs: fix log tree replay failure due to file with 0 links and extents
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 254/482] btrfs: zoned: do not remove unwritten non-data block group Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 256/482] btrfs: do not allow relocation of partially dropped subvolumes Greg Kroah-Hartman
` (235 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Jung, burneddi, Russell Haley,
Boris Burkov, Filipe Manana, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 0a32e4f0025a74c70dcab4478e9b29c22f5ecf2f upstream.
If we log a new inode (not persisted in a past transaction) that has 0
links and extents, then log another inode with an higher inode number, we
end up with failing to replay the log tree with -EINVAL. The steps for
this are:
1) create new file A
2) write some data to file A
3) open an fd on file A
4) unlink file A
5) fsync file A using the previously open fd
6) create file B (has higher inode number than file A)
7) fsync file B
8) power fail before current transaction commits
Now when attempting to mount the fs, the log replay will fail with
-ENOENT at replay_one_extent() when attempting to replay the first
extent of file A. The failure comes when trying to open the inode for
file A in the subvolume tree, since it doesn't exist.
Before commit 5f61b961599a ("btrfs: fix inode lookup error handling
during log replay"), the returned error was -EIO instead of -ENOENT,
since we converted any errors when attempting to read an inode during
log replay to -EIO.
The reason for this is that the log replay procedure fails to ignore
the current inode when we are at the stage LOG_WALK_REPLAY_ALL, our
current inode has 0 links and last inode we processed in the previous
stage has a non 0 link count. In other words, the issue is that at
replay_one_extent() we only update wc->ignore_cur_inode if the current
replay stage is LOG_WALK_REPLAY_INODES.
Fix this by updating wc->ignore_cur_inode whenever we find an inode item
regardless of the current replay stage. This is a simple solution and easy
to backport, but later we can do other alternatives like avoid logging
extents or inode items other than the inode item for inodes with a link
count of 0.
The problem with the wc->ignore_cur_inode logic has been around since
commit f2d72f42d5fa ("Btrfs: fix warning when replaying log after fsync
of a tmpfile") but it only became frequent to hit since the more recent
commit 5e85262e542d ("btrfs: fix fsync of files with no hard links not
persisting deletion"), because we stopped skipping inodes with a link
count of 0 when logging, while before the problem would only be triggered
if trying to replay a log tree created with an older kernel which has a
logged inode with 0 links.
A test case for fstests will be submitted soon.
Reported-by: Peter Jung <ptr1337@cachyos.org>
Link: https://lore.kernel.org/linux-btrfs/fce139db-4458-4788-bb97-c29acf6cb1df@cachyos.org/
Reported-by: burneddi <burneddi@protonmail.com>
Link: https://lore.kernel.org/linux-btrfs/lh4W-Lwc0Mbk-QvBhhQyZxf6VbM3E8VtIvU3fPIQgweP_Q1n7wtlUZQc33sYlCKYd-o6rryJQfhHaNAOWWRKxpAXhM8NZPojzsJPyHMf2qY=@protonmail.com/#t
Reported-by: Russell Haley <yumpusamongus@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/598ecc75-eb80-41b3-83c2-f2317fbb9864@gmail.com/
Fixes: f2d72f42d5fa ("Btrfs: fix warning when replaying log after fsync of a tmpfile")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 48 ++++++++++++++++++++++++++++++------------------
1 file changed, 30 insertions(+), 18 deletions(-)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -298,8 +298,7 @@ struct walk_control {
/*
* Ignore any items from the inode currently being processed. Needs
- * to be set every time we find a BTRFS_INODE_ITEM_KEY and we are in
- * the LOG_WALK_REPLAY_INODES stage.
+ * to be set every time we find a BTRFS_INODE_ITEM_KEY.
*/
bool ignore_cur_inode;
@@ -2427,23 +2426,30 @@ static int replay_one_buffer(struct btrf
nritems = btrfs_header_nritems(eb);
for (i = 0; i < nritems; i++) {
- btrfs_item_key_to_cpu(eb, &key, i);
+ struct btrfs_inode_item *inode_item;
- /* inode keys are done during the first stage */
- if (key.type == BTRFS_INODE_ITEM_KEY &&
- wc->stage == LOG_WALK_REPLAY_INODES) {
- struct btrfs_inode_item *inode_item;
- u32 mode;
+ btrfs_item_key_to_cpu(eb, &key, i);
- inode_item = btrfs_item_ptr(eb, i,
- struct btrfs_inode_item);
+ if (key.type == BTRFS_INODE_ITEM_KEY) {
+ inode_item = btrfs_item_ptr(eb, i, struct btrfs_inode_item);
/*
- * If we have a tmpfile (O_TMPFILE) that got fsync'ed
- * and never got linked before the fsync, skip it, as
- * replaying it is pointless since it would be deleted
- * later. We skip logging tmpfiles, but it's always
- * possible we are replaying a log created with a kernel
- * that used to log tmpfiles.
+ * An inode with no links is either:
+ *
+ * 1) A tmpfile (O_TMPFILE) that got fsync'ed and never
+ * got linked before the fsync, skip it, as replaying
+ * it is pointless since it would be deleted later.
+ * We skip logging tmpfiles, but it's always possible
+ * we are replaying a log created with a kernel that
+ * used to log tmpfiles;
+ *
+ * 2) A non-tmpfile which got its last link deleted
+ * while holding an open fd on it and later got
+ * fsynced through that fd. We always log the
+ * parent inodes when inode->last_unlink_trans is
+ * set to the current transaction, so ignore all the
+ * inode items for this inode. We will delete the
+ * inode when processing the parent directory with
+ * replay_dir_deletes().
*/
if (btrfs_inode_nlink(eb, inode_item) == 0) {
wc->ignore_cur_inode = true;
@@ -2451,8 +2457,14 @@ static int replay_one_buffer(struct btrf
} else {
wc->ignore_cur_inode = false;
}
- ret = replay_xattr_deletes(wc->trans, root, log,
- path, key.objectid);
+ }
+
+ /* Inode keys are done during the first stage. */
+ if (key.type == BTRFS_INODE_ITEM_KEY &&
+ wc->stage == LOG_WALK_REPLAY_INODES) {
+ u32 mode;
+
+ ret = replay_xattr_deletes(wc->trans, root, log, path, key.objectid);
if (ret)
break;
mode = btrfs_inode_mode(eb, inode_item);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 256/482] btrfs: do not allow relocation of partially dropped subvolumes
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 255/482] btrfs: fix log tree replay failure due to file with 0 links and extents Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 257/482] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Greg Kroah-Hartman
` (234 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 4289b494ac553e74e86fed1c66b2bf9530bc1082 upstream.
[BUG]
There is an internal report that balance triggered transaction abort,
with the following call trace:
item 85 key (594509824 169 0) itemoff 12599 itemsize 33
extent refs 1 gen 197740 flags 2
ref#0: tree block backref root 7
item 86 key (594558976 169 0) itemoff 12566 itemsize 33
extent refs 1 gen 197522 flags 2
ref#0: tree block backref root 7
...
BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0
BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117
------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]
And btrfs check doesn't report anything wrong related to the extent
tree.
[CAUSE]
The cause is a little complex, firstly the extent tree indeed doesn't
have the backref for 594526208.
The extent tree only have the following two backrefs around that bytenr
on-disk:
item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33
refs 1 gen 197740 flags TREE_BLOCK
tree block skinny level 0
(176 0x7) tree block backref root CSUM_TREE
item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33
refs 1 gen 197522 flags TREE_BLOCK
tree block skinny level 0
(176 0x7) tree block backref root CSUM_TREE
But the such missing backref item is not an corruption on disk, as the
offending delayed ref belongs to subvolume 934, and that subvolume is
being dropped:
item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439
generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328
last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0
drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2
level 2 generation_v2 198229
And that offending tree block 594526208 is inside the dropped range of
that subvolume. That explains why there is no backref item for that
bytenr and why btrfs check is not reporting anything wrong.
But this also shows another problem, as btrfs will do all the orphan
subvolume cleanup at a read-write mount.
So half-dropped subvolume should not exist after an RW mount, and
balance itself is also exclusive to subvolume cleanup, meaning we
shouldn't hit a subvolume half-dropped during relocation.
The root cause is, there is no orphan item for this subvolume.
In fact there are 5 subvolumes from around 2021 that have the same
problem.
It looks like the original report has some older kernels running, and
caused those zombie subvolumes.
Thankfully upstream commit 8d488a8c7ba2 ("btrfs: fix subvolume/snapshot
deletion not triggered on mount") has long fixed the bug.
[ENHANCEMENT]
For repairing such old fs, btrfs-progs will be enhanced.
Considering how delayed the problem will show up (at run delayed ref
time) and at that time we have to abort transaction already, it is too
late.
Instead here we reject any half-dropped subvolume for reloc tree at the
earliest time, preventing confusion and extra time wasted on debugging
similar bugs.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/relocation.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -751,6 +751,25 @@ static struct btrfs_root *create_reloc_r
if (root->root_key.objectid == objectid) {
u64 commit_root_gen;
+ /*
+ * Relocation will wait for cleaner thread, and any half-dropped
+ * subvolume will be fully cleaned up at mount time.
+ * So here we shouldn't hit a subvolume with non-zero drop_progress.
+ *
+ * If this isn't the case, error out since it can make us attempt to
+ * drop references for extents that were already dropped before.
+ */
+ if (unlikely(btrfs_disk_key_objectid(&root->root_item.drop_progress))) {
+ struct btrfs_key cpu_key;
+
+ btrfs_disk_key_to_cpu(&cpu_key, &root->root_item.drop_progress);
+ btrfs_err(fs_info,
+ "cannot relocate partially dropped subvolume %llu, drop progress key (%llu %u %llu)",
+ objectid, cpu_key.objectid, cpu_key.type, cpu_key.offset);
+ ret = -EUCLEAN;
+ goto fail;
+ }
+
/* called by btrfs_init_reloc_root */
ret = btrfs_copy_root(trans, root, root->commit_root, &eb,
BTRFS_TREE_RELOC_OBJECTID);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 257/482] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 256/482] btrfs: do not allow relocation of partially dropped subvolumes Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 258/482] hv_netvsc: Fix panic during namespace deletion with VF Greg Kroah-Hartman
` (233 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sravan Kumar Gundu, Helge Deller,
syzbot+c4b7aa0513823e2ea880
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.
This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.
As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().
Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
Signed-off-by: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbcon.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -808,7 +808,8 @@ static void con2fb_init_display(struct v
fg_vc->vc_rows);
}
- update_screen(vc_cons[fg_console].d);
+ if (fg_console != unit)
+ update_screen(vc_cons[fg_console].d);
}
/**
@@ -1353,6 +1354,7 @@ static void fbcon_set_disp(struct fb_inf
struct vc_data *svc;
struct fbcon_ops *ops = info->fbcon_par;
int rows, cols;
+ unsigned long ret = 0;
p = &fb_display[unit];
@@ -1403,11 +1405,10 @@ static void fbcon_set_disp(struct fb_inf
rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
- vc_resize(vc, cols, rows);
+ ret = vc_resize(vc, cols, rows);
- if (con_is_visible(vc)) {
+ if (con_is_visible(vc) && !ret)
update_screen(vc);
- }
}
static __inline__ void ywrap_up(struct vc_data *vc, int count)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 258/482] hv_netvsc: Fix panic during namespace deletion with VF
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 257/482] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 259/482] parisc: Makefile: fix a typo in palo.conf Greg Kroah-Hartman
` (232 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream.
The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
received on netvsc NIC. During deletion of the namespace,
default_device_exit_batch() >> default_device_exit_net() is called. When
netvsc NIC is moved back and registered to the default namespace, it
automatically brings VF NIC back to the default namespace. This will cause
the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
the list end, and hit NULL ptr:
[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 231.450246] #PF: supervisor read access in kernel mode
[ 231.450579] #PF: error_code(0x0000) - not-present page
[ 231.450916] PGD 17b8a8067 P4D 0
[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 231.452692] Workqueue: netns cleanup_net
[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
[ 231.458434] Call Trace:
[ 231.458600] <TASK>
[ 231.458777] ops_undo_list+0x100/0x220
[ 231.459015] cleanup_net+0x1b8/0x300
[ 231.459285] process_one_work+0x184/0x340
To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
changing the netdev list when default_device_exit_net() is using it.
Cc: stable@vger.kernel.org
Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hyperv/hyperv_net.h | 3 +++
drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++-
2 files changed, 31 insertions(+), 1 deletion(-)
--- a/drivers/net/hyperv/hyperv_net.h
+++ b/drivers/net/hyperv/hyperv_net.h
@@ -1057,6 +1057,7 @@ struct net_device_context {
struct net_device __rcu *vf_netdev;
struct netvsc_vf_pcpu_stats __percpu *vf_stats;
struct delayed_work vf_takeover;
+ struct delayed_work vfns_work;
/* 1: allocated, serial number is valid. 0: not allocated */
u32 vf_alloc;
@@ -1071,6 +1072,8 @@ struct net_device_context {
struct netvsc_device_info *saved_netvsc_dev_info;
};
+void netvsc_vfns_work(struct work_struct *w);
+
/* Azure hosts don't support non-TCP port numbers in hashing for fragmented
* packets. We can use ethtool to change UDP hash level when necessary.
*/
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -2508,6 +2508,7 @@ static int netvsc_probe(struct hv_device
spin_lock_init(&net_device_ctx->lock);
INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
+ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
net_device_ctx->vf_stats
= netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
@@ -2647,6 +2648,8 @@ static int netvsc_remove(struct hv_devic
cancel_delayed_work_sync(&ndev_ctx->dwork);
rtnl_lock();
+ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+
nvdev = rtnl_dereference(ndev_ctx->nvdev);
if (nvdev) {
cancel_work_sync(&nvdev->subchan_work);
@@ -2689,6 +2692,7 @@ static int netvsc_suspend(struct hv_devi
cancel_delayed_work_sync(&ndev_ctx->dwork);
rtnl_lock();
+ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
nvdev = rtnl_dereference(ndev_ctx->nvdev);
if (nvdev == NULL) {
@@ -2782,6 +2786,27 @@ static void netvsc_event_set_vf_ns(struc
}
}
+void netvsc_vfns_work(struct work_struct *w)
+{
+ struct net_device_context *ndev_ctx =
+ container_of(w, struct net_device_context, vfns_work.work);
+ struct net_device *ndev;
+
+ if (!rtnl_trylock()) {
+ schedule_delayed_work(&ndev_ctx->vfns_work, 1);
+ return;
+ }
+
+ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
+ if (!ndev)
+ goto out;
+
+ netvsc_event_set_vf_ns(ndev);
+
+out:
+ rtnl_unlock();
+}
+
/*
* On Hyper-V, every VF interface is matched with a corresponding
* synthetic interface. The synthetic interface is presented first
@@ -2792,10 +2817,12 @@ static int netvsc_netdev_event(struct no
unsigned long event, void *ptr)
{
struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
+ struct net_device_context *ndev_ctx;
int ret = 0;
if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
- netvsc_event_set_vf_ns(event_dev);
+ ndev_ctx = netdev_priv(event_dev);
+ schedule_delayed_work(&ndev_ctx->vfns_work, 0);
return NOTIFY_DONE;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 259/482] parisc: Makefile: fix a typo in palo.conf
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 258/482] hv_netvsc: Fix panic during namespace deletion with VF Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 260/482] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Greg Kroah-Hartman
` (231 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Masahiro Yamada,
James E.J. Bottomley, Helge Deller, linux-parisc
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
Correct "objree" to "objtree". "objree" is not defined.
Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
Cc: Helge Deller <deller@gmx.de>
Cc: linux-parisc@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/Makefile
+++ b/arch/parisc/Makefile
@@ -137,7 +137,7 @@ palo lifimage: vmlinuz
fi
@if test ! -f "$(PALOCONF)"; then \
cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
+ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
echo 'You should check it and re-run "make palo".'; \
echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
false; \
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 260/482] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 259/482] parisc: Makefile: fix a typo in palo.conf Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 261/482] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Greg Kroah-Hartman
` (230 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Catalin Marinas,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
A soft lockup warning was observed on a relative small system x86-64
system with 16 GB of memory when running a debug kernel with kmemleak
enabled.
watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
The test system was running a workload with hot unplug happening in
parallel. Then kemleak decided to disable itself due to its inability to
allocate more kmemleak objects. The debug kernel has its
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
The soft lockup happened in kmemleak_do_cleanup() when the existing
kmemleak objects were being removed and deleted one-by-one in a loop via a
workqueue. In this particular case, there are at least 40,000 objects
that need to be processed and given the slowness of a debug kernel and the
fact that a raw_spinlock has to be acquired and released in
__delete_object(), it could take a while to properly handle all these
objects.
As kmemleak has been disabled in this case, the object removal and
deletion process can be further optimized as locking isn't really needed.
However, it is probably not worth the effort to optimize for such an edge
case that should rarely happen. So the simple solution is to call
cond_resched() at periodic interval in the iteration loop to avoid soft
lockup.
Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
Signed-off-by: Waiman Long <longman@redhat.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kmemleak.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1992,6 +1992,7 @@ static const struct file_operations kmem
static void __kmemleak_do_cleanup(void)
{
struct kmemleak_object *object, *tmp;
+ unsigned int cnt = 0;
/*
* Kmemleak has already been disabled, no need for RCU list traversal
@@ -2000,6 +2001,10 @@ static void __kmemleak_do_cleanup(void)
list_for_each_entry_safe(object, tmp, &object_list, object_list) {
__remove_object(object);
__delete_object(object);
+
+ /* Call cond_resched() once per 64 iterations to avoid soft lockup */
+ if (!(++cnt & 0x3f))
+ cond_resched();
}
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 261/482] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 260/482] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 262/482] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Greg Kroah-Hartman
` (229 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Catalin Marinas, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream.
When netpoll is enabled, calling pr_warn_once() while holding
kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
inversion with the netconsole subsystem. This occurs because
pr_warn_once() may trigger netpoll, which eventually leads to
__alloc_skb() and back into kmemleak code, attempting to reacquire
kmemleak_lock.
This is the path for the deadlock.
mem_pool_alloc()
-> raw_spin_lock_irqsave(&kmemleak_lock, flags);
-> pr_warn_once()
-> netconsole subsystem
-> netpoll
-> __alloc_skb
-> __create_object
-> raw_spin_lock_irqsave(&kmemleak_lock, flags);
Fix this by setting a flag and issuing the pr_warn_once() after
kmemleak_lock is released.
Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reported-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kmemleak.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -441,6 +441,7 @@ static struct kmemleak_object *mem_pool_
{
unsigned long flags;
struct kmemleak_object *object;
+ bool warn = false;
/* try the slab allocator first */
if (object_cache) {
@@ -458,8 +459,10 @@ static struct kmemleak_object *mem_pool_
else if (mem_pool_free_count)
object = &mem_pool[--mem_pool_free_count];
else
- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+ warn = true;
raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+ if (warn)
+ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
return object;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 262/482] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 261/482] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 263/482] media: uvcvideo: Do not mark valid metadata as invalid Greg Kroah-Hartman
` (228 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youngjun Lee, Laurent Pinchart,
Ricardo Ribalda, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youngjun Lee <yjjuny.lee@samsung.com>
commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
The buffer length check before calling uvc_parse_format() only ensured
that the buffer has at least 3 bytes (buflen > 2), buf the function
accesses buffer[3], requiring at least 4 bytes.
This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
Fix it by checking that the buffer has at least 4 bytes in
uvc_parse_format().
Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_driver.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -233,6 +233,9 @@ static int uvc_parse_format(struct uvc_d
unsigned int i, n;
u8 ftype;
+ if (buflen < 4)
+ return -EINVAL;
+
format->type = buffer[2];
format->index = buffer[3];
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 263/482] media: uvcvideo: Do not mark valid metadata as invalid
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 262/482] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 264/482] tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Greg Kroah-Hartman
` (227 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Hans de Goede,
Ricardo Ribalda, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
Currently, the driver performs a length check of the metadata buffer
before the actual metadata size is known and before the metadata is
decided to be copied. This results in valid metadata buffers being
incorrectly marked as invalid.
Move the length check to occur after the metadata size is determined and
is decided to be copied.
Cc: stable@vger.kernel.org
Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
Signed-off-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_video.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -1353,12 +1353,6 @@ static void uvc_video_decode_meta(struct
if (!meta_buf || length == 2)
return;
- if (meta_buf->length - meta_buf->bytesused <
- length + sizeof(meta->ns) + sizeof(meta->sof)) {
- meta_buf->error = 1;
- return;
- }
-
has_pts = mem[1] & UVC_STREAM_PTS;
has_scr = mem[1] & UVC_STREAM_SCR;
@@ -1379,6 +1373,12 @@ static void uvc_video_decode_meta(struct
!memcmp(scr, stream->clock.last_scr, 6)))
return;
+ if (meta_buf->length - meta_buf->bytesused <
+ length + sizeof(meta->ns) + sizeof(meta->sof)) {
+ meta_buf->error = 1;
+ return;
+ }
+
meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
local_irq_save(flags);
time = uvc_video_get_time();
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 264/482] tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 263/482] media: uvcvideo: Do not mark valid metadata as invalid Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 265/482] HID: magicmouse: avoid setting up battery timer when not needed Greg Kroah-Hartman
` (226 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Willy Tarreau
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willy Tarreau <w@1wt.eu>
commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream.
While nolibc-test does test syscalls, it doesn't test as much the rest
of the macros, and a wrong spelling of FD_SETBITMASK in commit
feaf75658783a broke programs using either FD_SET() or FD_CLR() without
being noticed. Let's fix these macros.
Fixes: feaf75658783a ("nolibc: fix fd_set type")
Cc: stable@vger.kernel.org # v6.2+
Acked-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/include/nolibc/types.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/include/nolibc/types.h
+++ b/tools/include/nolibc/types.h
@@ -102,7 +102,7 @@ typedef struct {
int __fd = (fd); \
if (__fd >= 0) \
__set->fds[__fd / FD_SETIDXMASK] &= \
- ~(1U << (__fd & FX_SETBITMASK)); \
+ ~(1U << (__fd & FD_SETBITMASK)); \
} while (0)
#define FD_SET(fd, set) do { \
@@ -119,7 +119,7 @@ typedef struct {
int __r = 0; \
if (__fd >= 0) \
__r = !!(__set->fds[__fd / FD_SETIDXMASK] & \
-1U << (__fd & FD_SET_BITMASK)); \
+1U << (__fd & FD_SETBITMASK)); \
__r; \
})
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 265/482] HID: magicmouse: avoid setting up battery timer when not needed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 264/482] tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 266/482] HID: apple: avoid setting up battery timer for devices without battery Greg Kroah-Hartman
` (225 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aditya Garg, Jiri Kosina
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya08@live.com>
commit 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 upstream.
Currently, the battery timer is set up for all devices using
hid-magicmouse, irrespective of whether they actually need it or not.
The current implementation requires the battery timer for Magic Mouse 2
and Magic Trackpad 2 when connected via USB only. Add checks to ensure
that the battery timer is only set up when they are connected via USB.
Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB")
Cc: stable@vger.kernel.org
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
---
drivers/hid/hid-magicmouse.c | 58 ++++++++++++++++++++++++++++---------------
1 file changed, 38 insertions(+), 20 deletions(-)
--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -772,16 +772,30 @@ static void magicmouse_enable_mt_work(st
hid_err(msc->hdev, "unable to request touch data (%d)\n", ret);
}
+static bool is_usb_magicmouse2(__u32 vendor, __u32 product)
+{
+ if (vendor != USB_VENDOR_ID_APPLE)
+ return false;
+ return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2;
+}
+
+static bool is_usb_magictrackpad2(__u32 vendor, __u32 product)
+{
+ if (vendor != USB_VENDOR_ID_APPLE)
+ return false;
+ return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 ||
+ product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC;
+}
+
static int magicmouse_fetch_battery(struct hid_device *hdev)
{
#ifdef CONFIG_HID_BATTERY_STRENGTH
struct hid_report_enum *report_enum;
struct hid_report *report;
- if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE ||
- (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 &&
- hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 &&
- hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC))
+ if (!hdev->battery ||
+ (!is_usb_magicmouse2(hdev->vendor, hdev->product) &&
+ !is_usb_magictrackpad2(hdev->vendor, hdev->product)))
return -1;
report_enum = &hdev->report_enum[hdev->battery_report_type];
@@ -843,16 +857,17 @@ static int magicmouse_probe(struct hid_d
return ret;
}
- timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
- mod_timer(&msc->battery_timer,
- jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
- magicmouse_fetch_battery(hdev);
-
- if (id->vendor == USB_VENDOR_ID_APPLE &&
- (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
- ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 ||
- id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) &&
- hdev->type != HID_TYPE_USBMOUSE)))
+ if (is_usb_magicmouse2(id->vendor, id->product) ||
+ is_usb_magictrackpad2(id->vendor, id->product)) {
+ timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
+ mod_timer(&msc->battery_timer,
+ jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
+ magicmouse_fetch_battery(hdev);
+ }
+
+ if (is_usb_magicmouse2(id->vendor, id->product) ||
+ (is_usb_magictrackpad2(id->vendor, id->product) &&
+ hdev->type != HID_TYPE_USBMOUSE))
return 0;
if (!msc->input) {
@@ -908,7 +923,10 @@ static int magicmouse_probe(struct hid_d
return 0;
err_stop_hw:
- del_timer_sync(&msc->battery_timer);
+ if (is_usb_magicmouse2(id->vendor, id->product) ||
+ is_usb_magictrackpad2(id->vendor, id->product))
+ del_timer_sync(&msc->battery_timer);
+
hid_hw_stop(hdev);
return ret;
}
@@ -919,7 +937,9 @@ static void magicmouse_remove(struct hid
if (msc) {
cancel_delayed_work_sync(&msc->work);
- del_timer_sync(&msc->battery_timer);
+ if (is_usb_magicmouse2(hdev->vendor, hdev->product) ||
+ is_usb_magictrackpad2(hdev->vendor, hdev->product))
+ del_timer_sync(&msc->battery_timer);
}
hid_hw_stop(hdev);
@@ -936,10 +956,8 @@ static __u8 *magicmouse_report_fixup(str
* 0x05, 0x01, // Usage Page (Generic Desktop) 0
* 0x09, 0x02, // Usage (Mouse) 2
*/
- if (hdev->vendor == USB_VENDOR_ID_APPLE &&
- (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
- hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 ||
- hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) &&
+ if ((is_usb_magicmouse2(hdev->vendor, hdev->product) ||
+ is_usb_magictrackpad2(hdev->vendor, hdev->product)) &&
*rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) {
hid_info(hdev,
"fixing up magicmouse battery report descriptor\n");
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 266/482] HID: apple: avoid setting up battery timer for devices without battery
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 265/482] HID: magicmouse: avoid setting up battery timer when not needed Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 267/482] serial: 8250: fix panic due to PSLVERR Greg Kroah-Hartman
` (224 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aditya Garg, Jiri Kosina
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya08@live.com>
commit c061046fe9ce3ff31fb9a807144a2630ad349c17 upstream.
Currently, the battery timer is set up for all devices using hid-apple,
irrespective of whether they actually have a battery or not.
APPLE_RDESC_BATTERY is a quirk that indicates the device has a battery
and needs the battery timer. This patch checks for this quirk before
setting up the timer, ensuring that only devices with a battery will
have the timer set up.
Fixes: 6e143293e17a ("HID: apple: Report Magic Keyboard battery over USB")
Cc: stable@vger.kernel.org
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-apple.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/hid/hid-apple.c
+++ b/drivers/hid/hid-apple.c
@@ -824,10 +824,12 @@ static int apple_probe(struct hid_device
return ret;
}
- timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0);
- mod_timer(&asc->battery_timer,
- jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS));
- apple_fetch_battery(hdev);
+ if (quirks & APPLE_RDESC_BATTERY) {
+ timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0);
+ mod_timer(&asc->battery_timer,
+ jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS));
+ apple_fetch_battery(hdev);
+ }
if (quirks & APPLE_BACKLIGHT_CTL)
apple_backlight_init(hdev);
@@ -839,7 +841,8 @@ static void apple_remove(struct hid_devi
{
struct apple_sc *asc = hid_get_drvdata(hdev);
- del_timer_sync(&asc->battery_timer);
+ if (asc->quirks & APPLE_RDESC_BATTERY)
+ del_timer_sync(&asc->battery_timer);
hid_hw_stop(hdev);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 267/482] serial: 8250: fix panic due to PSLVERR
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 266/482] HID: apple: avoid setting up battery timer for devices without battery Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 268/482] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Greg Kroah-Hartman
` (223 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunhui Cui, John Ogness, stable,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunhui Cui <cuiyunhui@bytedance.com>
commit 7f8fdd4dbffc05982b96caf586f77a014b2a9353 upstream.
When the PSLVERR_RESP_EN parameter is set to 1, the device generates
an error response if an attempt is made to read an empty RBR (Receive
Buffer Register) while the FIFO is enabled.
In serial8250_do_startup(), calling serial_port_out(port, UART_LCR,
UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes
dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter
function enables the FIFO via serial_out(p, UART_FCR, p->fcr).
Execution proceeds to the serial_port_in(port, UART_RX).
This satisfies the PSLVERR trigger condition.
When another CPU (e.g., using printk()) is accessing the UART (UART
is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==
(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter
dw8250_force_idle().
Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock
to fix this issue.
Panic backtrace:
[ 0.442336] Oops - unknown exception [#1]
[ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a
[ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e
...
[ 0.442416] console_on_rootfs+0x26/0x70
Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround")
Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com
[ Applied fix to serial8250_do_startup() instead of serial8250_initialize() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2370,9 +2370,8 @@ int serial8250_do_startup(struct uart_po
/*
* Now, initialize the UART
*/
- serial_port_out(port, UART_LCR, UART_LCR_WLEN8);
-
spin_lock_irqsave(&port->lock, flags);
+ serial_port_out(port, UART_LCR, UART_LCR_WLEN8);
if (up->port.flags & UPF_FOURPORT) {
if (!up->port.irq)
up->port.mctrl |= TIOCM_OUT1;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 268/482] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 267/482] serial: 8250: fix panic due to PSLVERR Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 269/482] m68k: Fix lost column on framebuffer debug console Greg Kroah-Hartman
` (222 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Viresh Kumar
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 4a26df233266a628157d7f0285451d8655defdfc upstream.
The freq_tables[] array has num_possible_cpus() elements so, to avoid an
out of bounds access, this loop should be capped at "< nb_cpus" instead
of "<= nb_cpus". The freq_tables[] array is allocated in
armada_8k_cpufreq_init().
Cc: stable@vger.kernel.org
Fixes: f525a670533d ("cpufreq: ap806: add cpufreq driver for Armada 8K")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/armada-8k-cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cpufreq/armada-8k-cpufreq.c
+++ b/drivers/cpufreq/armada-8k-cpufreq.c
@@ -96,7 +96,7 @@ static void armada_8k_cpufreq_free_table
{
int opps_index, nb_cpus = num_possible_cpus();
- for (opps_index = 0 ; opps_index <= nb_cpus; opps_index++) {
+ for (opps_index = 0 ; opps_index < nb_cpus; opps_index++) {
int i;
/* If cpu_dev is NULL then we reached the end of the array */
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 269/482] m68k: Fix lost column on framebuffer debug console
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 268/482] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 270/482] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Greg Kroah-Hartman
` (221 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Finn Thain, Stan Johnson,
Geert Uytterhoeven
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
commit 210a1ce8ed4391b64a888b3fb4b5611a13f5ccc7 upstream.
Move the cursor position rightward after rendering the character,
not before. This avoids complications that arise when the recursive
console_putc call has to wrap the line and/or scroll the display.
This also fixes the linewrap bug that crops off the rightmost column.
When the cursor is at the bottom of the display, a linefeed will not
move the cursor position further downward. Instead, the display scrolls
upward. Avoid the repeated add/subtract sequence by way of a single
subtraction at the initialization of console_struct_num_rows.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Tested-by: Stan Johnson <userm57@yahoo.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/9d4e8c68a456d5f2bc254ac6f87a472d066ebd5e.1743115195.git.fthain@linux-m68k.org
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/m68k/kernel/head.S | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
--- a/arch/m68k/kernel/head.S
+++ b/arch/m68k/kernel/head.S
@@ -3404,6 +3404,7 @@ L(console_clear_loop):
movel %d4,%d1 /* screen height in pixels */
divul %a0@(FONT_DESC_HEIGHT),%d1 /* d1 = max num rows */
+ subql #1,%d1 /* row range is 0 to num - 1 */
movel %d0,%a2@(Lconsole_struct_num_columns)
movel %d1,%a2@(Lconsole_struct_num_rows)
@@ -3550,15 +3551,14 @@ func_start console_putc,%a0/%a1/%d0-%d7
cmpib #10,%d7
jne L(console_not_lf)
movel %a0@(Lconsole_struct_cur_row),%d0
- addil #1,%d0
- movel %d0,%a0@(Lconsole_struct_cur_row)
movel %a0@(Lconsole_struct_num_rows),%d1
cmpl %d1,%d0
jcs 1f
- subil #1,%d0
- movel %d0,%a0@(Lconsole_struct_cur_row)
console_scroll
+ jra L(console_exit)
1:
+ addql #1,%d0
+ movel %d0,%a0@(Lconsole_struct_cur_row)
jra L(console_exit)
L(console_not_lf):
@@ -3585,12 +3585,6 @@ L(console_not_cr):
*/
L(console_not_home):
movel %a0@(Lconsole_struct_cur_column),%d0
- addql #1,%a0@(Lconsole_struct_cur_column)
- movel %a0@(Lconsole_struct_num_columns),%d1
- cmpl %d1,%d0
- jcs 1f
- console_putc #'\n' /* recursion is OK! */
-1:
movel %a0@(Lconsole_struct_cur_row),%d1
/*
@@ -3637,6 +3631,23 @@ L(console_do_font_scanline):
addq #1,%d1
dbra %d7,L(console_read_char_scanline)
+ /*
+ * Register usage in the code below:
+ * a0 = pointer to console globals
+ * d0 = cursor column
+ * d1 = cursor column limit
+ */
+
+ lea %pc@(L(console_globals)),%a0
+
+ movel %a0@(Lconsole_struct_cur_column),%d0
+ addql #1,%d0
+ movel %d0,%a0@(Lconsole_struct_cur_column) /* Update cursor pos */
+ movel %a0@(Lconsole_struct_num_columns),%d1
+ cmpl %d1,%d0
+ jcs L(console_exit)
+ console_putc #'\n' /* Line wrap using tail recursion */
+
L(console_exit):
func_return console_putc
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 270/482] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 269/482] m68k: Fix lost column on framebuffer debug console Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 271/482] usb: gadget: udc: renesas_usb3: fix device leak at unbind Greg Kroah-Hartman
` (220 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 8d1b02e5d7e3a6d2acffb1f4c094678fda9e3456 upstream.
After a recent change in clang to expose uninitialized warnings from
const variables [1], there is a warning in cxacru_heavy_init():
drivers/usb/atm/cxacru.c:1104:6: error: variable 'bp' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
1104 | if (instance->modem_type->boot_rom_patch) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/usb/atm/cxacru.c:1113:39: note: uninitialized use occurs here
1113 | cxacru_upload_firmware(instance, fw, bp);
| ^~
drivers/usb/atm/cxacru.c:1104:2: note: remove the 'if' if its condition is always true
1104 | if (instance->modem_type->boot_rom_patch) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/usb/atm/cxacru.c:1095:32: note: initialize the variable 'bp' to silence this warning
1095 | const struct firmware *fw, *bp;
| ^
| = NULL
While the warning is technically correct that bp is conditionally passed
uninitialized to cxacru_upload_firmware(), it is ultimately a false
positive warning on the uninitialized use of bp because the same
condition that initializes bp, instance->modem_type->boot_rom_patch, is
the same one that gates the use of bp within cxacru_upload_firmware().
As this warning occurs in clang's frontend before inlining occurs, it
cannot know that these conditions are indentical to avoid the warning.
Manually inline cxacru_upload_firmware() into cxacru_heavy_init(), as
that is its only callsite, so that clang can see that bp is initialized
and used under the same condition, clearing up the warning without any
functional changes to the code (LLVM was already doing this inlining
later).
Cc: stable@vger.kernel.org
Fixes: 1b0e61465234 ("[PATCH] USB ATM: driver for the Conexant AccessRunner chipset cxacru")
Closes: https://github.com/ClangBuiltLinux/linux/issues/2102
Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cdee01472c7 [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20250722-usb-cxacru-fix-clang-21-uninit-warning-v2-1-6708a18decd2@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/atm/cxacru.c | 106 +++++++++++++++++++++--------------------------
1 file changed, 49 insertions(+), 57 deletions(-)
--- a/drivers/usb/atm/cxacru.c
+++ b/drivers/usb/atm/cxacru.c
@@ -980,25 +980,60 @@ cleanup:
return ret;
}
-static void cxacru_upload_firmware(struct cxacru_data *instance,
- const struct firmware *fw,
- const struct firmware *bp)
+
+static int cxacru_find_firmware(struct cxacru_data *instance,
+ char *phase, const struct firmware **fw_p)
{
- int ret;
+ struct usbatm_data *usbatm = instance->usbatm;
+ struct device *dev = &usbatm->usb_intf->dev;
+ char buf[16];
+
+ sprintf(buf, "cxacru-%s.bin", phase);
+ usb_dbg(usbatm, "cxacru_find_firmware: looking for %s\n", buf);
+
+ if (request_firmware(fw_p, buf, dev)) {
+ usb_dbg(usbatm, "no stage %s firmware found\n", phase);
+ return -ENOENT;
+ }
+
+ usb_info(usbatm, "found firmware %s\n", buf);
+
+ return 0;
+}
+
+static int cxacru_heavy_init(struct usbatm_data *usbatm_instance,
+ struct usb_interface *usb_intf)
+{
+ const struct firmware *fw, *bp;
+ struct cxacru_data *instance = usbatm_instance->driver_data;
struct usbatm_data *usbatm = instance->usbatm;
struct usb_device *usb_dev = usbatm->usb_dev;
__le16 signature[] = { usb_dev->descriptor.idVendor,
usb_dev->descriptor.idProduct };
__le32 val;
+ int ret;
+
+ ret = cxacru_find_firmware(instance, "fw", &fw);
+ if (ret) {
+ usb_warn(usbatm_instance, "firmware (cxacru-fw.bin) unavailable (system misconfigured?)\n");
+ return ret;
+ }
- usb_dbg(usbatm, "%s\n", __func__);
+ if (instance->modem_type->boot_rom_patch) {
+ ret = cxacru_find_firmware(instance, "bp", &bp);
+ if (ret) {
+ usb_warn(usbatm_instance, "boot ROM patch (cxacru-bp.bin) unavailable (system misconfigured?)\n");
+ release_firmware(fw);
+ return ret;
+ }
+ }
/* FirmwarePllFClkValue */
val = cpu_to_le32(instance->modem_type->pll_f_clk);
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, PLLFCLK_ADDR, (u8 *) &val, 4);
if (ret) {
usb_err(usbatm, "FirmwarePllFClkValue failed: %d\n", ret);
- return;
+ goto done;
}
/* FirmwarePllBClkValue */
@@ -1006,7 +1041,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, PLLBCLK_ADDR, (u8 *) &val, 4);
if (ret) {
usb_err(usbatm, "FirmwarePllBClkValue failed: %d\n", ret);
- return;
+ goto done;
}
/* Enable SDRAM */
@@ -1014,7 +1049,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, SDRAMEN_ADDR, (u8 *) &val, 4);
if (ret) {
usb_err(usbatm, "Enable SDRAM failed: %d\n", ret);
- return;
+ goto done;
}
/* Firmware */
@@ -1022,7 +1057,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, FW_ADDR, fw->data, fw->size);
if (ret) {
usb_err(usbatm, "Firmware upload failed: %d\n", ret);
- return;
+ goto done;
}
/* Boot ROM patch */
@@ -1031,7 +1066,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, BR_ADDR, bp->data, bp->size);
if (ret) {
usb_err(usbatm, "Boot ROM patching failed: %d\n", ret);
- return;
+ goto done;
}
}
@@ -1039,7 +1074,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, SIG_ADDR, (u8 *) signature, 4);
if (ret) {
usb_err(usbatm, "Signature storing failed: %d\n", ret);
- return;
+ goto done;
}
usb_info(usbatm, "starting device\n");
@@ -1051,7 +1086,7 @@ static void cxacru_upload_firmware(struc
}
if (ret) {
usb_err(usbatm, "Passing control to firmware failed: %d\n", ret);
- return;
+ goto done;
}
/* Delay to allow firmware to start up. */
@@ -1065,53 +1100,10 @@ static void cxacru_upload_firmware(struc
ret = cxacru_cm(instance, CM_REQUEST_CARD_GET_STATUS, NULL, 0, NULL, 0);
if (ret < 0) {
usb_err(usbatm, "modem failed to initialize: %d\n", ret);
- return;
- }
-}
-
-static int cxacru_find_firmware(struct cxacru_data *instance,
- char *phase, const struct firmware **fw_p)
-{
- struct usbatm_data *usbatm = instance->usbatm;
- struct device *dev = &usbatm->usb_intf->dev;
- char buf[16];
-
- sprintf(buf, "cxacru-%s.bin", phase);
- usb_dbg(usbatm, "cxacru_find_firmware: looking for %s\n", buf);
-
- if (request_firmware(fw_p, buf, dev)) {
- usb_dbg(usbatm, "no stage %s firmware found\n", phase);
- return -ENOENT;
+ goto done;
}
- usb_info(usbatm, "found firmware %s\n", buf);
-
- return 0;
-}
-
-static int cxacru_heavy_init(struct usbatm_data *usbatm_instance,
- struct usb_interface *usb_intf)
-{
- const struct firmware *fw, *bp;
- struct cxacru_data *instance = usbatm_instance->driver_data;
- int ret = cxacru_find_firmware(instance, "fw", &fw);
-
- if (ret) {
- usb_warn(usbatm_instance, "firmware (cxacru-fw.bin) unavailable (system misconfigured?)\n");
- return ret;
- }
-
- if (instance->modem_type->boot_rom_patch) {
- ret = cxacru_find_firmware(instance, "bp", &bp);
- if (ret) {
- usb_warn(usbatm_instance, "boot ROM patch (cxacru-bp.bin) unavailable (system misconfigured?)\n");
- release_firmware(fw);
- return ret;
- }
- }
-
- cxacru_upload_firmware(instance, fw, bp);
-
+done:
if (instance->modem_type->boot_rom_patch)
release_firmware(bp);
release_firmware(fw);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 271/482] usb: gadget: udc: renesas_usb3: fix device leak at unbind
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 270/482] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 272/482] usb: dwc3: meson-g12a: fix device leaks " Greg Kroah-Hartman
` (219 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yoshihiro Shimoda, Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 868837b0a94c6b1b1fdbc04d3ba218ca83432393 upstream.
Make sure to drop the reference to the companion device taken during
probe when the driver is unbound.
Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Cc: stable@vger.kernel.org # 4.19
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -2594,6 +2594,7 @@ static int renesas_usb3_remove(struct pl
struct renesas_usb3 *usb3 = platform_get_drvdata(pdev);
debugfs_remove_recursive(usb3->dentry);
+ put_device(usb3->host_dev);
device_remove_file(&pdev->dev, &dev_attr_role);
cancel_work_sync(&usb3->role_work);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 272/482] usb: dwc3: meson-g12a: fix device leaks at unbind
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 271/482] usb: gadget: udc: renesas_usb3: fix device leak at unbind Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 273/482] bus: mhi: host: Fix endianness of BHI vector table Greg Kroah-Hartman
` (218 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Johan Hovold,
Martin Blumenstingl
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 93b400f4951404d040197943a25d6fef9f8ccabb upstream.
Make sure to drop the references taken to the child devices by
of_find_device_by_node() during probe on driver unbind.
Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue")
Cc: stable@vger.kernel.org # 5.2
Cc: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20250724091910.21092-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-meson-g12a.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
+++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
@@ -847,6 +847,9 @@ static int dwc3_meson_g12a_remove(struct
if (priv->drvdata->otg_switch_supported)
usb_role_switch_unregister(priv->role_switch);
+ put_device(priv->switch_desc.udc);
+ put_device(priv->switch_desc.usb2_port);
+
of_platform_depopulate(dev);
for (i = 0 ; i < PHY_COUNT ; ++i) {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 273/482] bus: mhi: host: Fix endianness of BHI vector table
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 272/482] usb: dwc3: meson-g12a: fix device leaks " Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 274/482] bus: mhi: host: Detect events pointing to unexpected TREs Greg Kroah-Hartman
` (217 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Wilhelm,
Manivannan Sadhasivam, Jeff Hugo, Krishna Chaitanya Chundru
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Wilhelm <alexander.wilhelm@westermo.com>
commit f471578e8b1a90623674433a01a8845110bc76ce upstream.
On big endian platform like PowerPC, the MHI bus (which is little endian)
does not start properly. The following example shows the error messages by
using QCN9274 WLAN device with ath12k driver:
ath12k_pci 0001:01:00.0: BAR 0: assigned [mem 0xc00000000-0xc001fffff 64bit]
ath12k_pci 0001:01:00.0: MSI vectors: 1
ath12k_pci 0001:01:00.0: Hardware name: qcn9274 hw2.0
ath12k_pci 0001:01:00.0: failed to set mhi state: POWER_ON(2)
ath12k_pci 0001:01:00.0: failed to start mhi: -110
ath12k_pci 0001:01:00.0: failed to power up :-110
ath12k_pci 0001:01:00.0: failed to create soc core: -110
ath12k_pci 0001:01:00.0: failed to init core: -110
ath12k_pci: probe of 0001:01:00.0 failed with error -110
The issue seems to be with the incorrect DMA address/size used for
transferring the firmware image over BHI. So fix it by converting the DMA
address and size of the BHI vector table to little endian format before
sending them to the device.
Fixes: 6cd330ae76ff ("bus: mhi: core: Add support for ringing channel/event ring doorbells")
Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com>
[mani: added stable tag and reworded commit message]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250519145837.958153-1-alexander.wilhelm@westermo.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/boot.c | 8 ++++----
drivers/bus/mhi/host/internal.h | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/bus/mhi/host/boot.c
+++ b/drivers/bus/mhi/host/boot.c
@@ -31,8 +31,8 @@ int mhi_rddm_prepare(struct mhi_controll
int ret;
for (i = 0; i < img_info->entries - 1; i++, mhi_buf++, bhi_vec++) {
- bhi_vec->dma_addr = mhi_buf->dma_addr;
- bhi_vec->size = mhi_buf->len;
+ bhi_vec->dma_addr = cpu_to_le64(mhi_buf->dma_addr);
+ bhi_vec->size = cpu_to_le64(mhi_buf->len);
}
dev_dbg(dev, "BHIe programming for RDDM\n");
@@ -379,8 +379,8 @@ static void mhi_firmware_copy(struct mhi
while (remainder) {
to_cpy = min(remainder, mhi_buf->len);
memcpy(mhi_buf->buf, buf, to_cpy);
- bhi_vec->dma_addr = mhi_buf->dma_addr;
- bhi_vec->size = to_cpy;
+ bhi_vec->dma_addr = cpu_to_le64(mhi_buf->dma_addr);
+ bhi_vec->size = cpu_to_le64(to_cpy);
buf += to_cpy;
remainder -= to_cpy;
--- a/drivers/bus/mhi/host/internal.h
+++ b/drivers/bus/mhi/host/internal.h
@@ -31,8 +31,8 @@ struct mhi_ctxt {
};
struct bhi_vec_entry {
- u64 dma_addr;
- u64 size;
+ __le64 dma_addr;
+ __le64 size;
};
enum mhi_ch_state_type {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 274/482] bus: mhi: host: Detect events pointing to unexpected TREs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 273/482] bus: mhi: host: Fix endianness of BHI vector table Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 275/482] vt: keyboard: Dont process Unicode characters in K_OFF mode Greg Kroah-Hartman
` (216 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youssef Samir, Manivannan Sadhasivam,
Jeff Hugo
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youssef Samir <quic_yabdulra@quicinc.com>
commit 5bd398e20f0833ae8a1267d4f343591a2dd20185 upstream.
When a remote device sends a completion event to the host, it contains a
pointer to the consumed TRE. The host uses this pointer to process all of
the TREs between it and the host's local copy of the ring's read pointer.
This works when processing completion for chained transactions, but can
lead to nasty results if the device sends an event for a single-element
transaction with a read pointer that is multiple elements ahead of the
host's read pointer.
For instance, if the host accesses an event ring while the device is
updating it, the pointer inside of the event might still point to an old
TRE. If the host uses the channel's xfer_cb() to directly free the buffer
pointed to by the TRE, the buffer will be double-freed.
This behavior was observed on an ep that used upstream EP stack without
'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer
is written")'. Where the device updated the events ring pointer before
updating the event contents, so it left a window where the host was able to
access the stale data the event pointed to, before the device had the
chance to update them. The usual pattern was that the host received an
event pointing to a TRE that is not immediately after the last processed
one, so it got treated as if it was a chained transaction, processing all
of the TREs in between the two read pointers.
This commit aims to harden the host by ensuring transactions where the
event points to a TRE that isn't local_rp + 1 are chained.
Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device")
Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
[mani: added stable tag and reworded commit message]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250714163039.3438985-1-quic_yabdulra@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/main.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -603,7 +603,7 @@ static int parse_xfer_event(struct mhi_c
{
dma_addr_t ptr = MHI_TRE_GET_EV_PTR(event);
struct mhi_ring_element *local_rp, *ev_tre;
- void *dev_rp;
+ void *dev_rp, *next_rp;
struct mhi_buf_info *buf_info;
u16 xfer_len;
@@ -622,6 +622,16 @@ static int parse_xfer_event(struct mhi_c
result.dir = mhi_chan->dir;
local_rp = tre_ring->rp;
+
+ next_rp = local_rp + 1;
+ if (next_rp >= tre_ring->base + tre_ring->len)
+ next_rp = tre_ring->base;
+ if (dev_rp != next_rp && !MHI_TRE_DATA_GET_CHAIN(local_rp)) {
+ dev_err(&mhi_cntrl->mhi_dev->dev,
+ "Event element points to an unexpected TRE\n");
+ break;
+ }
+
while (local_rp != dev_rp) {
buf_info = buf_ring->rp;
/* If it's the last TRE, get length from the event */
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 275/482] vt: keyboard: Dont process Unicode characters in K_OFF mode
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 274/482] bus: mhi: host: Detect events pointing to unexpected TREs Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 276/482] vt: defkeymap: Map keycodes above 127 to K_HOLE Greg Kroah-Hartman
` (215 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Myrrh Periwinkle, stable, Jiri Slaby
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit b1cc2092ea7a52e2c435aee6d2b1bcb773202663 upstream.
We don't process Unicode characters if the virtual terminal is in raw
mode, so there's no reason why we shouldn't do the same for K_OFF
(especially since people would expect K_OFF to actually turn off all VT
key processing).
Fixes: 9fc3de9c8356 ("vt: Add virtual console keyboard mode OFF")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Cc: stable <stable@kernel.org>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20250702-vt-misc-unicode-fixes-v1-1-c27e143cc2eb@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/keyboard.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1496,7 +1496,7 @@ static void kbd_keycode(unsigned int key
rc = atomic_notifier_call_chain(&keyboard_notifier_list,
KBD_UNICODE, ¶m);
if (rc != NOTIFY_STOP)
- if (down && !raw_mode)
+ if (down && !(raw_mode || kbd->kbdmode == VC_OFF))
k_unicode(vc, keysym, !down);
return;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 276/482] vt: defkeymap: Map keycodes above 127 to K_HOLE
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 275/482] vt: keyboard: Dont process Unicode characters in K_OFF mode Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 277/482] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Greg Kroah-Hartman
` (214 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Myrrh Periwinkle, stable, Jiri Slaby
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit b43cb4ff85da5cf29c4cd351ef1d7dd8210780f7 upstream.
The maximum number of keycodes got bumped to 256 a very long time ago,
but the default keymaps were never adjusted to match. This is causing
the kernel to interpret keycodes above 127 as U+0000 if the shipped
generated keymap is used.
Fix this by mapping all keycodes above 127 to K_HOLE so the kernel
ignores them.
The contents of this patche were generated by rerunning `loadkeys
--mktable --unicode` and only including the changes to map keycodes
above 127 to K_HOLE.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Cc: stable <stable@kernel.org>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20250702-vt-misc-unicode-fixes-v1-2-c27e143cc2eb@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/defkeymap.c_shipped | 112 +++++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
--- a/drivers/tty/vt/defkeymap.c_shipped
+++ b/drivers/tty/vt/defkeymap.c_shipped
@@ -23,6 +23,22 @@ unsigned short plain_map[NR_KEYS] = {
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short shift_map[NR_KEYS] = {
@@ -42,6 +58,22 @@ static unsigned short shift_map[NR_KEYS]
0xf20b, 0xf601, 0xf602, 0xf117, 0xf600, 0xf20a, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short altgr_map[NR_KEYS] = {
@@ -61,6 +93,22 @@ static unsigned short altgr_map[NR_KEYS]
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short ctrl_map[NR_KEYS] = {
@@ -80,6 +128,22 @@ static unsigned short ctrl_map[NR_KEYS]
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short shift_ctrl_map[NR_KEYS] = {
@@ -99,6 +163,22 @@ static unsigned short shift_ctrl_map[NR_
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short alt_map[NR_KEYS] = {
@@ -118,6 +198,22 @@ static unsigned short alt_map[NR_KEYS] =
0xf118, 0xf210, 0xf211, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short ctrl_alt_map[NR_KEYS] = {
@@ -137,6 +233,22 @@ static unsigned short ctrl_alt_map[NR_KE
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf20c,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
unsigned short *key_maps[MAX_NR_KEYMAPS] = {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 277/482] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 276/482] vt: defkeymap: Map keycodes above 127 to K_HOLE Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 278/482] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Greg Kroah-Hartman
` (213 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, kernel test robot, Eric Biggers
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream.
The MIPS32r2 ChaCha code has never been buildable with the clang
assembler. First, clang doesn't support the 'rotl' pseudo-instruction:
error: unknown instruction, did you mean: rol, rotr?
Second, clang requires that both operands of the 'wsbh' instruction be
explicitly given:
error: too few operands for instruction
To fix this, align the code with the real instruction set by (1) using
the real instruction 'rotr' instead of the nonstandard pseudo-
instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'.
To make removing the use of 'rotl' a bit easier, also remove the
unnecessary special-casing for big endian CPUs at
.Lchacha_mips_xor_bytes. The tail handling is actually
endian-independent since it processes one byte at a time. On big endian
CPUs the old code byte-swapped SAVED_X, then iterated through it in
reverse order. But the byteswap and reverse iteration canceled out.
Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both
little endian and big endian mips32r2 kernels.
Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc")
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/
Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/crypto/chacha-core.S | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
--- a/arch/mips/crypto/chacha-core.S
+++ b/arch/mips/crypto/chacha-core.S
@@ -55,17 +55,13 @@
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define MSB 0
#define LSB 3
-#define ROTx rotl
-#define ROTR(n) rotr n, 24
#define CPU_TO_LE32(n) \
- wsbh n; \
+ wsbh n, n; \
rotr n, 16;
#else
#define MSB 3
#define LSB 0
-#define ROTx rotr
#define CPU_TO_LE32(n)
-#define ROTR(n)
#endif
#define FOR_EACH_WORD(x) \
@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS
xor X(W), X(B); \
xor X(Y), X(C); \
xor X(Z), X(D); \
- rotl X(V), S; \
- rotl X(W), S; \
- rotl X(Y), S; \
- rotl X(Z), S;
+ rotr X(V), 32 - S; \
+ rotr X(W), 32 - S; \
+ rotr X(Y), 32 - S; \
+ rotr X(Z), 32 - S;
.text
.set reorder
@@ -372,21 +368,19 @@ chacha_crypt_arch:
/* First byte */
lbu T1, 0(IN)
addiu $at, BYTES, 1
- CPU_TO_LE32(SAVED_X)
- ROTR(SAVED_X)
xor T1, SAVED_X
sb T1, 0(OUT)
beqz $at, .Lchacha_mips_xor_done
/* Second byte */
lbu T1, 1(IN)
addiu $at, BYTES, 2
- ROTx SAVED_X, 8
+ rotr SAVED_X, 8
xor T1, SAVED_X
sb T1, 1(OUT)
beqz $at, .Lchacha_mips_xor_done
/* Third byte */
lbu T1, 2(IN)
- ROTx SAVED_X, 8
+ rotr SAVED_X, 8
xor T1, SAVED_X
sb T1, 2(OUT)
b .Lchacha_mips_xor_done
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 278/482] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 277/482] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 279/482] ksmbd: extend the connection limiting mechanism to support IPv6 Greg Kroah-Hartman
` (212 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jari Ruusu, Yi Yang, GONG Ruiqi,
Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit e4fc307d8e24f122402907ebf585248cad52841d upstream.
This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003.
The patch is wrong as it checks vc_origin against vc_screenbuf,
while in text mode it should compare against vga_vram_base.
As such it broke VGA text scrolling, which can be reproduced like this:
(1) boot a kernel that is configured to use text mode VGA-console
(2) type commands: ls -l /usr/bin | less -S
(3) scroll up/down with cursor-down/up keys
Reported-by: Jari Ruusu <jariruusu@protonmail.com>
Cc: stable@vger.kernel.org
Cc: Yi Yang <yiyang13@huawei.com>
Cc: GONG Ruiqi <gongruiqi1@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/console/vgacon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1149,7 +1149,7 @@ static bool vgacon_scroll(struct vc_data
c->vc_screenbuf_size - delta);
c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
vga_rolled_over = 0;
- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
+ } else
c->vc_origin -= delta;
c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;
scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 279/482] ksmbd: extend the connection limiting mechanism to support IPv6
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 278/482] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 280/482] ext4: check fast symlink for ea_inode correctly Greg Kroah-Hartman
` (211 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit c0d41112f1a5828c194b59cca953114bc3776ef2 upstream.
Update the connection tracking logic to handle both IPv4 and IPv6
address families.
Cc: stable@vger.kernel.org
Fixes: e6bb91939740 ("ksmbd: limit repeated connections from clients with the same IP")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/connection.h | 7 ++++++-
fs/smb/server/transport_tcp.c | 26 +++++++++++++++++++++++---
2 files changed, 29 insertions(+), 4 deletions(-)
--- a/fs/smb/server/connection.h
+++ b/fs/smb/server/connection.h
@@ -45,7 +45,12 @@ struct ksmbd_conn {
struct mutex srv_mutex;
int status;
unsigned int cli_cap;
- __be32 inet_addr;
+ union {
+ __be32 inet_addr;
+#if IS_ENABLED(CONFIG_IPV6)
+ u8 inet6_addr[16];
+#endif
+ };
char *request_buf;
struct ksmbd_transport *transport;
struct nls_table *local_nls;
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -87,7 +87,14 @@ static struct tcp_transport *alloc_trans
return NULL;
}
+#if IS_ENABLED(CONFIG_IPV6)
+ if (client_sk->sk->sk_family == AF_INET6)
+ memcpy(&conn->inet6_addr, &client_sk->sk->sk_v6_daddr, 16);
+ else
+ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
+#else
conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
+#endif
conn->transport = KSMBD_TRANS(t);
KSMBD_TRANS(t)->conn = conn;
KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops;
@@ -227,7 +234,6 @@ static int ksmbd_kthread_fn(void *p)
{
struct socket *client_sk = NULL;
struct interface *iface = (struct interface *)p;
- struct inet_sock *csk_inet;
struct ksmbd_conn *conn;
int ret;
@@ -250,13 +256,27 @@ static int ksmbd_kthread_fn(void *p)
/*
* Limits repeated connections from clients with the same IP.
*/
- csk_inet = inet_sk(client_sk->sk);
down_read(&conn_list_lock);
list_for_each_entry(conn, &conn_list, conns_list)
- if (csk_inet->inet_daddr == conn->inet_addr) {
+#if IS_ENABLED(CONFIG_IPV6)
+ if (client_sk->sk->sk_family == AF_INET6) {
+ if (memcmp(&client_sk->sk->sk_v6_daddr,
+ &conn->inet6_addr, 16) == 0) {
+ ret = -EAGAIN;
+ break;
+ }
+ } else if (inet_sk(client_sk->sk)->inet_daddr ==
+ conn->inet_addr) {
ret = -EAGAIN;
break;
}
+#else
+ if (inet_sk(client_sk->sk)->inet_daddr ==
+ conn->inet_addr) {
+ ret = -EAGAIN;
+ break;
+ }
+#endif
up_read(&conn_list_lock);
if (ret == -EAGAIN)
continue;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 280/482] ext4: check fast symlink for ea_inode correctly
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 279/482] ksmbd: extend the connection limiting mechanism to support IPv6 Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 281/482] ext4: fix fsmap end of range reporting with bigalloc Greg Kroah-Hartman
` (210 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Dilger, Li Dongyang,
Alex Zhuravlev, Oleg Drokin, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Dilger <adilger@dilger.ca>
commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream.
The check for a fast symlink in the presence of only an
external xattr inode is incorrect. If a fast symlink does
not have an xattr block (i_file_acl == 0), but does have
an external xattr inode that increases inode i_blocks, then
the check for a fast symlink will incorrectly fail and
__ext4_iget()->ext4_ind_check_inode() will report the inode
is corrupt when it "validates" i_data[] on the next read:
# ln -s foo /mnt/tmp/bar
# setfattr -h -n trusted.test \
-v "$(yes | head -n 4000)" /mnt/tmp/bar
# umount /mnt/tmp
# mount /mnt/tmp
# ls -l /mnt/tmp
ls: cannot access '/mnt/tmp/bar': Structure needs cleaning
total 4
? l?????????? ? ? ? ? ? bar
# dmesg | tail -1
EXT4-fs error (device dm-8): __ext4_iget:5098:
inode #24578: block 7303014: comm ls: invalid block
(note that "block 7303014" = 0x6f6f66 = "foo" in LE order).
ext4_inode_is_fast_symlink() should check the superblock
EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode
EXT4_EA_INODE_FL, since the latter is only set on the xattr
inode itself, and not on the inode that uses this xattr.
Cc: stable@vger.kernel.org
Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems")
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Li Dongyang <dongyangli@ddn.com>
Reviewed-by: Alex Zhuravlev <bzzz@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/59879
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121
Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -146,7 +146,7 @@ static int ext4_meta_trans_blocks(struct
*/
int ext4_inode_is_fast_symlink(struct inode *inode)
{
- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ if (!ext4_has_feature_ea_inode(inode->i_sb)) {
int ea_blocks = EXT4_I(inode)->i_file_acl ?
EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 281/482] ext4: fix fsmap end of range reporting with bigalloc
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 280/482] ext4: check fast symlink for ea_inode correctly Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 282/482] ext4: fix reserved gdt blocks handling in fsmap Greg Kroah-Hartman
` (209 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Disha Goel, Ojaswin Mujoo,
Darrick J. Wong, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream.
With bigalloc enabled, the logic to report last extent has a bug since
we try to use cluster units instead of block units. This can cause an
issue where extra incorrect entries might be returned back to the
user. This was flagged by generic/365 with 64k bs and -O bigalloc.
** Details of issue **
The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has
only 1 bg.
$ xfs_io -c "fsmap -d" /mnt/scratch
0: 253:48 [0..127]: static fs metadata 128 /* sb */
1: 253:48 [128..255]: special 102:1 128 /* gdt */
3: 253:48 [256..383]: special 102:3 128 /* block bitmap */
4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */
5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */
6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */
7: 253:48 [4352..6911]: inodes 2560
8: 253:48 [6912..538623]: unknown 531712
9: 253:48 [538624..10485759]: free space 9947136
The issue can be seen with:
$ xfs_io -c "fsmap -d 0 3" /mnt/scratch
0: 253:48 [0..127]: static fs metadata 128
1: 253:48 [384..2047]: unknown 1664
Only the first entry was expected to be returned but we get 2. This is
because:
ext4_getfsmap_datadev()
first_cluster, last_cluster = 0
...
info->gfi_last = true;
ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info);
fsb = C2B(1) = 16
fslen = 0
...
/* Merge in any relevant extents from the meta_list */
list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
...
// since fsb = 16, considers all metadata which starts before 16 blockno
iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop
info->gfi_next_fsblk = 1
iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop
info->gfi_next_fsblk = 2
iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop
info->gfi_next_fsblk = 3
iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19)
if (rec_blk > info->gfi_next_fsblk) { // (18 > 3)
// emits an extra entry ** BUG **
}
}
Fix this by directly calling ext4_getfsmap_datadev() with a dummy
record that has fmr_physical set to (end_fsb + 1) instead of
last_cluster + 1. By using the block instead of cluster we get the
correct behavior.
Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper()
is okay since the gfi_lastfree and metadata checks in
ext4_getfsmap_datadev_helper() are anyways redundant when we only want
to emit the last allocated block of the range, as we have already
taken care of emitting metadata and any last free blocks.
Cc: stable@kernel.org
Reported-by: Disha Goel <disgoel@linux.ibm.com>
Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling")
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fsmap.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/fs/ext4/fsmap.c
+++ b/fs/ext4/fsmap.c
@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct
ext4_group_t end_ag;
ext4_grpblk_t first_cluster;
ext4_grpblk_t last_cluster;
+ struct ext4_fsmap irec;
int error = 0;
bofs = le32_to_cpu(sbi->s_es->s_first_data_block);
@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct
goto err;
}
- /* Report any gaps at the end of the bg */
+ /*
+ * The dummy record below will cause ext4_getfsmap_helper() to report
+ * any allocated blocks at the end of the range.
+ */
+ irec.fmr_device = 0;
+ irec.fmr_physical = end_fsb + 1;
+ irec.fmr_length = 0;
+ irec.fmr_owner = EXT4_FMR_OWN_FREE;
+ irec.fmr_flags = 0;
+
info->gfi_last = true;
- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1,
- 0, info);
+ error = ext4_getfsmap_helper(sb, info, &irec);
if (error)
goto err;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 282/482] ext4: fix reserved gdt blocks handling in fsmap
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 281/482] ext4: fix fsmap end of range reporting with bigalloc Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 283/482] ext4: dont try to clear the orphan_present feature block device is r/o Greg Kroah-Hartman
` (208 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ojaswin Mujoo,
Darrick J. Wong, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream.
In some cases like small FSes with no meta_bg and where the resize
doesn't need extra gdt blocks as it can fit in the current one,
s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0
length entry, which is incorrect.
$ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G
$ mount /dev/sda /mnt/scratch
$ xfs_io -c "fsmap -d" /mnt/scartch
0: 253:48 [0..127]: static fs metadata 128
1: 253:48 [128..255]: special 102:1 128
2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry
3: 253:48 [256..383]: special 102:3 128
Fix this by adding a check for this case.
Cc: stable@kernel.org
Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fsmap.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/fsmap.c
+++ b/fs/ext4/fsmap.c
@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s
/* Reserved GDT blocks */
if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) {
len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks);
+
+ /*
+ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases,
+ * check for that.
+ */
+ if (!len)
+ return 0;
+
error = ext4_getfsmap_fill(meta_list, fsb, len,
EXT4_FMR_OWN_RESV_GDT);
if (error)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 283/482] ext4: dont try to clear the orphan_present feature block device is r/o
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 282/482] ext4: fix reserved gdt blocks handling in fsmap Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 284/482] ext4: use kmalloc_array() for array space allocation Greg Kroah-Hartman
` (207 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream.
When the file system is frozen in preparation for taking an LVM
snapshot, the journal is checkpointed and if the orphan_file feature
is enabled, and the orphan file is empty, we clear the orphan_present
feature flag. But if there are pending inodes that need to be removed
the orphan_present feature flag can't be cleared.
The problem comes if the block device is read-only. In that case, we
can't process the orphan inode list, so it is skipped in
ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(),
this results in the ext4 error "Orphan file not empty on read-only fs"
firing and the file system mount is aborted.
Fix this by clearing the needs_recovery flag in the block device is
read-only. We do this after the call to ext4_load_and_init-journal()
since there are some error checks need to be done in case the journal
needs to be replayed and the block device is read-only, or if the
block device containing the externa journal is read-only, etc.
Cc: stable@kernel.org
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271
Cc: stable@vger.kernel.org
Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5295,6 +5295,8 @@ static int __ext4_fill_super(struct fs_c
err = ext4_load_and_init_journal(sb, es, ctx);
if (err)
goto failed_mount3a;
+ if (bdev_read_only(sb->s_bdev))
+ needs_recovery = 0;
} else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) &&
ext4_has_feature_journal_needs_recovery(sb)) {
ext4_msg(sb, KERN_ERR, "required journal recovery "
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 284/482] ext4: use kmalloc_array() for array space allocation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 283/482] ext4: dont try to clear the orphan_present feature block device is r/o Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 285/482] ext4: fix hole length calculation overflow in non-extent inodes Greg Kroah-Hartman
` (206 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Liao Yuanhong, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liao Yuanhong <liaoyuanhong@vivo.com>
commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream.
Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory
allocation and overflow prevention.
Cc: stable@kernel.org
Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -590,8 +590,9 @@ int ext4_init_orphan_info(struct super_b
}
oi->of_blocks = inode->i_size >> sb->s_blocksize_bits;
oi->of_csum_seed = EXT4_I(inode)->i_csum_seed;
- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block),
- GFP_KERNEL);
+ oi->of_binfo = kmalloc_array(oi->of_blocks,
+ sizeof(struct ext4_orphan_block),
+ GFP_KERNEL);
if (!oi->of_binfo) {
ret = -ENOMEM;
goto out_put;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 285/482] ext4: fix hole length calculation overflow in non-extent inodes
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 284/482] ext4: use kmalloc_array() for array space allocation Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 286/482] dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints Greg Kroah-Hartman
` (205 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Qu Wenruo, Zhang Yi,
Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream.
In a filesystem with a block size larger than 4KB, the hole length
calculation for a non-extent inode in ext4_ind_map_blocks() can easily
exceed INT_MAX. Then it could return a zero length hole and trigger the
following waring and infinite in the iomap infrastructure.
------------[ cut here ]------------
WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190
CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary)
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : iomap_iter_done+0x148/0x190
lr : iomap_iter+0x174/0x230
sp : ffff8000880af740
x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000
x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000
x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48
x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000
x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000
x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c
x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44
x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000
x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000
Call trace:
iomap_iter_done+0x148/0x190 (P)
iomap_iter+0x174/0x230
iomap_fiemap+0x154/0x1d8
ext4_fiemap+0x110/0x140 [ext4]
do_vfs_ioctl+0x4b8/0xbc0
__arm64_sys_ioctl+0x8c/0x120
invoke_syscall+0x6c/0x100
el0_svc_common.constprop.0+0x48/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x38/0x120
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x1a0
---[ end trace 0000000000000000 ]---
Cc: stable@kernel.org
Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()")
Reported-by: Qu Wenruo <wqu@suse.com>
Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/
Tested-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/indirect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle
int indirect_blks;
int blocks_to_boundary = 0;
int depth;
- int count = 0;
+ u64 count = 0;
ext4_fsblk_t first_block = 0;
trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle
count++;
/* Fill in size of a hole we found */
map->m_pblk = 0;
- map->m_len = min_t(unsigned int, map->m_len, count);
+ map->m_len = umin(map->m_len, count);
goto cleanup;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 286/482] dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 285/482] ext4: fix hole length calculation overflow in non-extent inodes Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 287/482] dt-bindings: display: sprd,sharkl3-dsi-host: " Greg Kroah-Hartman
` (204 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 934da599e694d476f493d3927a30414e98a81561 upstream.
'minItems' alone does not impose upper bound, unlike 'maxItems' which
implies lower bound. Add missing clock constraint so the list will have
exact number of items (clocks).
Fixes: 8cae15c60cf0 ("dt-bindings: display: add Unisoc's dpu bindings")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250720123003.37662-3-krzysztof.kozlowski@linaro.org
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml
+++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml
@@ -25,7 +25,7 @@ properties:
maxItems: 1
clocks:
- minItems: 2
+ maxItems: 2
clock-names:
items:
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 287/482] dt-bindings: display: sprd,sharkl3-dsi-host: Fix missing clocks constraints
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 6.1 286/482] dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 288/482] scsi: mpi3mr: Fix race between config read submit and interrupt completion Greg Kroah-Hartman
` (203 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2558df8c13ae3bd6c303b28f240ceb0189519c91 upstream.
'minItems' alone does not impose upper bound, unlike 'maxItems' which
implies lower bound. Add missing clock constraint so the list will have
exact number of items (clocks).
Fixes: 2295bbd35edb ("dt-bindings: display: add Unisoc's mipi dsi controller bindings")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250720123003.37662-4-krzysztof.kozlowski@linaro.org
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml
+++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml
@@ -20,7 +20,7 @@ properties:
maxItems: 2
clocks:
- minItems: 1
+ maxItems: 1
clock-names:
items:
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 288/482] scsi: mpi3mr: Fix race between config read submit and interrupt completion
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 287/482] dt-bindings: display: sprd,sharkl3-dsi-host: " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 289/482] ata: libata-scsi: Fix ata_to_sense_error() status handling Greg Kroah-Hartman
` (202 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chandrakanth Patil, Ranjan Kumar,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
commit e6327c4acf925bb6d6d387d76fc3bd94471e10d8 upstream.
The "is_waiting" flag was updated after calling complete(), which could
lead to a race where the waiting thread wakes up before the flag is
cleared. This may cause a missed wakeup or stale state check.
Reorder the operations to update "is_waiting" before signaling completion
to ensure consistent state.
Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
Cc: stable@vger.kernel.org
Co-developed-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250627194539.48851-2-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -411,8 +411,8 @@ static void mpi3mr_process_admin_reply_d
MPI3MR_SENSE_BUF_SZ);
}
if (cmdptr->is_waiting) {
- complete(&cmdptr->done);
cmdptr->is_waiting = 0;
+ complete(&cmdptr->done);
} else if (cmdptr->callback)
cmdptr->callback(mrioc, cmdptr);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 289/482] ata: libata-scsi: Fix ata_to_sense_error() status handling
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 288/482] scsi: mpi3mr: Fix race between config read submit and interrupt completion Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 290/482] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Greg Kroah-Hartman
` (201 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenz Brun, Brandon Schwartz,
Damien Le Moal, Hannes Reinecke, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 upstream.
Commit 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
inadvertantly added the entry 0x40 (ATA_DRDY) to the stat_table array in
the function ata_to_sense_error(). This entry ties a failed qc which has
a status filed equal to ATA_DRDY to the sense key ILLEGAL REQUEST with
the additional sense code UNALIGNED WRITE COMMAND. This entry will be
used to generate a failed qc sense key and sense code when the qc is
missing sense data and there is no match for the qc error field in the
sense_table array of ata_to_sense_error().
As a result, for a failed qc for which we failed to get sense data (e.g.
read log 10h failed if qc is an NCQ command, or REQUEST SENSE EXT
command failed for the non-ncq case, the user very often end up seeing
the completely misleading "unaligned write command" error, even if qc
was not a write command. E.g.:
sd 0:0:0:0: [sda] tag#12 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sd 0:0:0:0: [sda] tag#12 Sense Key : Illegal Request [current]
sd 0:0:0:0: [sda] tag#12 Add. Sense: Unaligned write command
sd 0:0:0:0: [sda] tag#12 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Fix this by removing the ATA_DRDY entry from the stat_table array so
that we default to always returning ABORTED COMMAND without any
additional sense code, since we do not know any better. The entry 0x08
(ATA_DRQ) is also removed since signaling ABORTED COMMAND with a parity
error is also misleading (as a parity error would likely be signaled
through a bus error). So for this case, also default to returning
ABORTED COMMAND without any additional sense code. With this, the
previous example error case becomes:
sd 0:0:0:0: [sda] tag#17 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sd 0:0:0:0: [sda] tag#17 Sense Key : Aborted Command [current]
sd 0:0:0:0: [sda] tag#17 Add. Sense: No additional sense information
sd 0:0:0:0: [sda] tag#17 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Together with these fixes, refactor stat_table to make it more readable
by putting the entries comments in front of the entries and using the
defined status bits macros instead of hardcoded values.
Reported-by: Lorenz Brun <lorenz@brun.one>
Reported-by: Brandon Schwartz <Brandon.Schwartz@wdc.com>
Fixes: 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-scsi.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -798,18 +798,14 @@ static void ata_to_sense_error(unsigned
{0xFF, 0xFF, 0xFF, 0xFF}, // END mark
};
static const unsigned char stat_table[][4] = {
- /* Must be first because BUSY means no other bits valid */
- {0x80, ABORTED_COMMAND, 0x47, 0x00},
- // Busy, fake parity for now
- {0x40, ILLEGAL_REQUEST, 0x21, 0x04},
- // Device ready, unaligned write command
- {0x20, HARDWARE_ERROR, 0x44, 0x00},
- // Device fault, internal target failure
- {0x08, ABORTED_COMMAND, 0x47, 0x00},
- // Timed out in xfer, fake parity for now
- {0x04, RECOVERED_ERROR, 0x11, 0x00},
- // Recovered ECC error Medium error, recovered
- {0xFF, 0xFF, 0xFF, 0xFF}, // END mark
+ /* Busy: must be first because BUSY means no other bits valid */
+ { ATA_BUSY, ABORTED_COMMAND, 0x00, 0x00 },
+ /* Device fault: INTERNAL TARGET FAILURE */
+ { ATA_DF, HARDWARE_ERROR, 0x44, 0x00 },
+ /* Corrected data error */
+ { ATA_CORR, RECOVERED_ERROR, 0x00, 0x00 },
+
+ { 0xFF, 0xFF, 0xFF, 0xFF }, /* END mark */
};
/*
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 290/482] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 289/482] ata: libata-scsi: Fix ata_to_sense_error() status handling Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 291/482] scsi: ufs: ufs-pci: Fix default runtime and system PM levels Greg Kroah-Hartman
` (200 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Archana Patni, Bart Van Assche,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Archana Patni <archana.patni@intel.com>
commit 4428ddea832cfdb63e476eb2e5c8feb5d36057fe upstream.
UFSHCD core disables the UIC completion interrupt when issuing UIC
hibernation commands, and re-enables it afterwards if it was enabled to
start with, refer ufshcd_uic_pwr_ctrl(). For Intel MTL-like host
controllers, accessing the register to re-enable the interrupt disrupts
the state transition.
Use hibern8_notify variant operation to disable the interrupt during the
entire hibernation, thereby preventing the disruption.
Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL")
Cc: stable@vger.kernel.org
Signed-off-by: Archana Patni <archana.patni@intel.com>
Link: https://lore.kernel.org/r/20250723165856.145750-2-adrian.hunter@intel.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/host/ufshcd-pci.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/drivers/ufs/host/ufshcd-pci.c
+++ b/drivers/ufs/host/ufshcd-pci.c
@@ -213,6 +213,32 @@ out:
return ret;
}
+static void ufs_intel_ctrl_uic_compl(struct ufs_hba *hba, bool enable)
+{
+ u32 set = ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
+
+ if (enable)
+ set |= UIC_COMMAND_COMPL;
+ else
+ set &= ~UIC_COMMAND_COMPL;
+ ufshcd_writel(hba, set, REG_INTERRUPT_ENABLE);
+}
+
+static void ufs_intel_mtl_h8_notify(struct ufs_hba *hba,
+ enum uic_cmd_dme cmd,
+ enum ufs_notify_change_status status)
+{
+ /*
+ * Disable UIC COMPL INTR to prevent access to UFSHCI after
+ * checking HCS.UPMCRS
+ */
+ if (status == PRE_CHANGE && cmd == UIC_CMD_DME_HIBER_ENTER)
+ ufs_intel_ctrl_uic_compl(hba, false);
+
+ if (status == POST_CHANGE && cmd == UIC_CMD_DME_HIBER_EXIT)
+ ufs_intel_ctrl_uic_compl(hba, true);
+}
+
#define INTEL_ACTIVELTR 0x804
#define INTEL_IDLELTR 0x808
@@ -487,6 +513,7 @@ static struct ufs_hba_variant_ops ufs_in
.init = ufs_intel_mtl_init,
.exit = ufs_intel_common_exit,
.hce_enable_notify = ufs_intel_hce_enable_notify,
+ .hibern8_notify = ufs_intel_mtl_h8_notify,
.link_startup_notify = ufs_intel_link_startup_notify,
.resume = ufs_intel_resume,
.device_reset = ufs_intel_device_reset,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 291/482] scsi: ufs: ufs-pci: Fix default runtime and system PM levels
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 290/482] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 292/482] zynq_fpga: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
` (199 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Bart Van Assche,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 6de7435e6b81fe52c0ab4c7e181f6b5decd18eb1 upstream.
Intel MTL-like host controllers support auto-hibernate. Using
auto-hibernate with manual (driver initiated) hibernate produces more
complex operation. For example, the host controller will have to exit
auto-hibernate simply to allow the driver to enter hibernate state
manually. That is not recommended.
The default rpm_lvl and spm_lvl is 3, which includes manual hibernate.
Change the default values to 2, which does not.
Note, to be simpler to backport to stable kernels, utilize the UFS PCI
driver's ->late_init() call back. Recent commits have made it possible
to set up a controller-specific default in the regular ->init() call
back, but not all stable kernels have those changes.
Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250723165856.145750-3-adrian.hunter@intel.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/host/ufshcd-pci.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/ufs/host/ufshcd-pci.c
+++ b/drivers/ufs/host/ufshcd-pci.c
@@ -465,10 +465,23 @@ static int ufs_intel_adl_init(struct ufs
return ufs_intel_common_init(hba);
}
+static void ufs_intel_mtl_late_init(struct ufs_hba *hba)
+{
+ hba->rpm_lvl = UFS_PM_LVL_2;
+ hba->spm_lvl = UFS_PM_LVL_2;
+}
+
static int ufs_intel_mtl_init(struct ufs_hba *hba)
{
+ struct ufs_host *ufs_host;
+ int err;
+
hba->caps |= UFSHCD_CAP_CRYPTO | UFSHCD_CAP_WB_EN;
- return ufs_intel_common_init(hba);
+ err = ufs_intel_common_init(hba);
+ /* Get variant after it is set in ufs_intel_common_init() */
+ ufs_host = ufshcd_get_variant(hba);
+ ufs_host->late_init = ufs_intel_mtl_late_init;
+ return err;
}
static struct ufs_hba_variant_ops ufs_intel_cnl_hba_vops = {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 292/482] zynq_fpga: use sgtable-based scatterlist wrappers
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 291/482] scsi: ufs: ufs-pci: Fix default runtime and system PM levels Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 293/482] iio: imu: bno055: fix OOB access of hw_xlate array Greg Kroah-Hartman
` (198 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Jason Gunthorpe,
Xu Yilun, Xu Yilun
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 37e00703228ab44d0aacc32a97809a4f6f58df1b upstream.
Use common wrappers operating directly on the struct sg_table objects to
fix incorrect use of statterlists related calls. dma_unmap_sg() function
has to be called with the number of elements originally passed to the
dma_map_sg() function, not the one returned in sgtable's nents.
CC: stable@vger.kernel.org
Fixes: 425902f5c8e3 ("fpga zynq: Use the scatterlist interface")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20250616120932.1090614-1-m.szyprowski@samsung.com
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/zynq-fpga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/fpga/zynq-fpga.c
+++ b/drivers/fpga/zynq-fpga.c
@@ -406,7 +406,7 @@ static int zynq_fpga_ops_write(struct fp
}
priv->dma_nelms =
- dma_map_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE);
+ dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
if (priv->dma_nelms == 0) {
dev_err(&mgr->dev, "Unable to DMA map (TO_DEVICE)\n");
return -ENOMEM;
@@ -478,7 +478,7 @@ out_clk:
clk_disable(priv->clk);
out_free:
- dma_unmap_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE);
+ dma_unmap_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
return err;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 293/482] iio: imu: bno055: fix OOB access of hw_xlate array
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 292/482] zynq_fpga: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 294/482] iio: adc: ad_sigma_delta: change to buffer predisable Greg Kroah-Hartman
` (197 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, David Lechner,
Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit 399b883ec828e436f1a721bf8551b4da8727e65b upstream.
Fix a potential out-of-bounds array access of the hw_xlate array in
bno055.c.
In bno055_get_regmask(), hw_xlate was iterated over the length of the
vals array instead of the length of the hw_xlate array. In the case of
bno055_gyr_scale, the vals array is larger than the hw_xlate array,
so this could result in an out-of-bounds access. In practice, this
shouldn't happen though because a match should always be found which
breaks out of the for loop before it iterates beyond the end of the
hw_xlate array.
By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be
sure we are iterating over the correct length.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507100510.rGt1YOOx-lkp@intel.com/
Fixes: 4aefe1c2bd0c ("iio: imu: add Bosch Sensortec BNO055 core driver")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250709-iio-const-data-19-v2-1-fb3fc9191251@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/bno055/bno055.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/iio/imu/bno055/bno055.c b/drivers/iio/imu/bno055/bno055.c
index 3f4c18dc3ee9..0eb5e1334e55 100644
--- a/drivers/iio/imu/bno055/bno055.c
+++ b/drivers/iio/imu/bno055/bno055.c
@@ -118,6 +118,7 @@ struct bno055_sysfs_attr {
int len;
int *fusion_vals;
int *hw_xlate;
+ int hw_xlate_len;
int type;
};
@@ -170,20 +171,24 @@ static int bno055_gyr_scale_vals[] = {
1000, 1877467, 2000, 1877467,
};
+static int bno055_gyr_scale_hw_xlate[] = {0, 1, 2, 3, 4};
static struct bno055_sysfs_attr bno055_gyr_scale = {
.vals = bno055_gyr_scale_vals,
.len = ARRAY_SIZE(bno055_gyr_scale_vals),
.fusion_vals = (int[]){1, 900},
- .hw_xlate = (int[]){4, 3, 2, 1, 0},
+ .hw_xlate = bno055_gyr_scale_hw_xlate,
+ .hw_xlate_len = ARRAY_SIZE(bno055_gyr_scale_hw_xlate),
.type = IIO_VAL_FRACTIONAL,
};
static int bno055_gyr_lpf_vals[] = {12, 23, 32, 47, 64, 116, 230, 523};
+static int bno055_gyr_lpf_hw_xlate[] = {5, 4, 7, 3, 6, 2, 1, 0};
static struct bno055_sysfs_attr bno055_gyr_lpf = {
.vals = bno055_gyr_lpf_vals,
.len = ARRAY_SIZE(bno055_gyr_lpf_vals),
.fusion_vals = (int[]){32},
- .hw_xlate = (int[]){5, 4, 7, 3, 6, 2, 1, 0},
+ .hw_xlate = bno055_gyr_lpf_hw_xlate,
+ .hw_xlate_len = ARRAY_SIZE(bno055_gyr_lpf_hw_xlate),
.type = IIO_VAL_INT,
};
@@ -561,7 +566,7 @@ static int bno055_get_regmask(struct bno055_priv *priv, int *val, int *val2,
idx = (hwval & mask) >> shift;
if (attr->hw_xlate)
- for (i = 0; i < attr->len; i++)
+ for (i = 0; i < attr->hw_xlate_len; i++)
if (attr->hw_xlate[i] == idx) {
idx = i;
break;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 294/482] iio: adc: ad_sigma_delta: change to buffer predisable
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 293/482] iio: imu: bno055: fix OOB access of hw_xlate array Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 295/482] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() Greg Kroah-Hartman
` (196 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit 66d4374d97f85516b5a22418c5e798aed2606dec upstream.
Change the buffer disable callback from postdisable to predisable.
This balances the existing posteanble callback. Using postdisable
with posteanble can be problematic, for example, if update_scan_mode
fails, it would call postdisable without ever having called posteanble,
so the drivers using this would be in an unexpected state when
postdisable was called.
Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-v1-1-f2ab85138f1f@baylibre.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad_sigma_delta.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -406,7 +406,7 @@ err_unlock:
return ret;
}
-static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
+static int ad_sd_buffer_predisable(struct iio_dev *indio_dev)
{
struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev);
@@ -534,7 +534,7 @@ static bool ad_sd_validate_scan_mask(str
static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = {
.postenable = &ad_sd_buffer_postenable,
- .postdisable = &ad_sd_buffer_postdisable,
+ .predisable = &ad_sd_buffer_predisable,
.validate_scan_mask = &ad_sd_validate_scan_mask,
};
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 295/482] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 294/482] iio: adc: ad_sigma_delta: change to buffer predisable Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 296/482] wifi: ath11k: fix dest ring-buffer corruption Greg Kroah-Hartman
` (195 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Johannes Berg,
Arend van Spriel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 81284e86bf8849f8e98e8ead3ff5811926b2107f upstream.
A new warning in clang [1] complains that diq_start in
wlc_lcnphy_tx_iqlo_cal() is passed uninitialized as a const pointer to
wlc_lcnphy_common_read_table():
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:2728:13: error: variable 'diq_start' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
2728 | &diq_start, 1, 16, 69);
| ^~~~~~~~~
The table pointer passed to wlc_lcnphy_common_read_table() should not be
considered constant, as wlc_phy_read_table() is ultimately going to
update it. Remove the const qualifier from the tbl_ptr to clear up the
warning.
Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2108
Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers")
Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>>
Link: https://patch.msgid.link/20250715-brcmsmac-fix-uninit-const-pointer-v1-1-16e6a51a8ef4@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
@@ -919,7 +919,7 @@ void wlc_lcnphy_read_table(struct brcms_
static void
wlc_lcnphy_common_read_table(struct brcms_phy *pi, u32 tbl_id,
- const u16 *tbl_ptr, u32 tbl_len,
+ u16 *tbl_ptr, u32 tbl_len,
u32 tbl_width, u32 tbl_offset)
{
struct phytbl_info tab;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 296/482] wifi: ath11k: fix dest ring-buffer corruption
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 295/482] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 297/482] wifi: ath11k: fix source " Greg Kroah-Hartman
` (194 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Baochen Qiang,
Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 8c1ba5091fa9a2d1478da63173b16a701bdf86bb upstream.
Add the missing memory barrier to make sure that destination ring
descriptors are read after the head pointers to avoid using stale data
on weakly ordered architectures like aarch64.
The barrier is added to the ath11k_hal_srng_access_begin() helper for
symmetry with follow-on fixes for source ring buffer corruption which
will add barriers to ath11k_hal_srng_access_end().
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org # 5.6
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250604143457.26032-2-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/ce.c | 3 ---
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 ---
drivers/net/wireless/ath/ath11k/hal.c | 12 +++++++++++-
3 files changed, 11 insertions(+), 7 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/ce.c
+++ b/drivers/net/wireless/ath/ath11k/ce.c
@@ -393,9 +393,6 @@ static int ath11k_ce_completed_recv_next
goto err;
}
- /* Make sure descriptor is read after the head pointer. */
- dma_rmb();
-
*nbytes = ath11k_hal_ce_dst_status_get_length(desc);
*skb = pipe->dest_ring->skb[sw_index];
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2661,9 +2661,6 @@ int ath11k_dp_process_rx(struct ath11k_b
try_again:
ath11k_hal_srng_access_begin(ab, srng);
- /* Make sure descriptor is read after the head pointer. */
- dma_rmb();
-
while (likely(desc =
(struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab,
srng))) {
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -796,13 +796,23 @@ u32 *ath11k_hal_srng_src_peek(struct ath
void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng)
{
+ u32 hp;
+
lockdep_assert_held(&srng->lock);
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
srng->u.src_ring.cached_tp =
*(volatile u32 *)srng->u.src_ring.tp_addr;
} else {
- srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
+ hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
+
+ if (hp != srng->u.dst_ring.cached_hp) {
+ srng->u.dst_ring.cached_hp = hp;
+ /* Make sure descriptor is read after the head
+ * pointer.
+ */
+ dma_rmb();
+ }
/* Try to prefetch the next descriptor in the ring */
if (srng->flags & HAL_SRNG_FLAGS_CACHED)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 297/482] wifi: ath11k: fix source ring-buffer corruption
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 296/482] wifi: ath11k: fix dest ring-buffer corruption Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 298/482] wifi: ath11k: fix dest ring-buffer corruption when ring is full Greg Kroah-Hartman
` (193 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Baochen Qiang,
Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 6efa0df54022c6c9fd4d294b87622c7fcdc418c8 upstream.
Add the missing memory barrier to make sure that LMAC source ring
descriptors are written before updating the head pointer to avoid
passing stale data to the firmware on weakly ordered architectures like
aarch64.
Note that non-LMAC rings use MMIO write accessors which have the
required write memory barrier.
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org # 5.6
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250604143457.26032-5-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -835,7 +835,11 @@ void ath11k_hal_srng_access_end(struct a
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
srng->u.src_ring.last_tp =
*(volatile u32 *)srng->u.src_ring.tp_addr;
- *srng->u.src_ring.hp_addr = srng->u.src_ring.hp;
+ /* Make sure descriptor is written before updating the
+ * head pointer.
+ */
+ dma_wmb();
+ WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
} else {
srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
*srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
@@ -844,6 +848,10 @@ void ath11k_hal_srng_access_end(struct a
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
srng->u.src_ring.last_tp =
*(volatile u32 *)srng->u.src_ring.tp_addr;
+ /* Assume implementation use an MMIO write accessor
+ * which has the required wmb() so that the descriptor
+ * is written before the updating the head pointer.
+ */
ath11k_hif_write32(ab,
(unsigned long)srng->u.src_ring.hp_addr -
(unsigned long)ab->mem,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 298/482] wifi: ath11k: fix dest ring-buffer corruption when ring is full
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 297/482] wifi: ath11k: fix source " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 299/482] pwm: imx-tpm: Reset counter if CMOD is 0 Greg Kroah-Hartman
` (192 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Baochen Qiang,
Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit aa6956150f820e6a6deba44be325ddfcb5b10f88 upstream.
Add the missing memory barriers to make sure that destination ring
descriptors are read before updating the tail pointer (and passing
ownership to the device) to avoid memory corruption on weakly ordered
architectures like aarch64 when the ring is full.
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org # 5.6
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -827,7 +827,6 @@ void ath11k_hal_srng_access_end(struct a
{
lockdep_assert_held(&srng->lock);
- /* TODO: See if we need a write memory barrier here */
if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
/* For LMAC rings, ring pointer updates are done through FW and
* hence written to a shared memory location that is read by FW
@@ -842,7 +841,11 @@ void ath11k_hal_srng_access_end(struct a
WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
} else {
srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
- *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
+ /* Make sure descriptor is read before updating the
+ * tail pointer.
+ */
+ dma_mb();
+ WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
}
} else {
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
@@ -858,6 +861,10 @@ void ath11k_hal_srng_access_end(struct a
srng->u.src_ring.hp);
} else {
srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+ /* Make sure descriptor is read before updating the
+ * tail pointer.
+ */
+ mb();
ath11k_hif_write32(ab,
(unsigned long)srng->u.dst_ring.tp_addr -
(unsigned long)ab->mem,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 299/482] pwm: imx-tpm: Reset counter if CMOD is 0
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 298/482] wifi: ath11k: fix dest ring-buffer corruption when ring is full Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 300/482] pwm: mediatek: Handle hardware enable and clock enable separately Greg Kroah-Hartman
` (191 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurentiu Mihalcea,
Uwe Kleine-König
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
commit 65c6f742ab14ab1a2679fba72b82dcc0289d96f1 upstream.
As per the i.MX93 TRM, section 67.3.2.1 "MOD register update", the value
of the TPM counter does NOT get updated when writing MOD.MOD unless
SC.CMOD != 0. Therefore, with the current code, assuming the following
sequence:
1) pwm_disable()
2) pwm_apply_might_sleep() /* period is changed here */
3) pwm_enable()
and assuming only one channel is active, if CNT.COUNT is higher than the
MOD.MOD value written during the pwm_apply_might_sleep() call then, when
re-enabling the PWM during pwm_enable(), the counter will end up resetting
after UINT32_MAX - CNT.COUNT + MOD.MOD cycles instead of MOD.MOD cycles as
normally expected.
Fix this problem by forcing a reset of the TPM counter before MOD.MOD is
written.
Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
Cc: stable@vger.kernel.org
Signed-off-by: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
Link: https://lore.kernel.org/r/20250728194144.22884-1-laurentiumihalcea111@gmail.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-imx-tpm.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/pwm/pwm-imx-tpm.c
+++ b/drivers/pwm/pwm-imx-tpm.c
@@ -205,6 +205,15 @@ static int pwm_imx_tpm_apply_hw(struct p
writel(val, tpm->base + PWM_IMX_TPM_SC);
/*
+ * if the counter is disabled (CMOD == 0), programming the new
+ * period length (MOD) will not reset the counter (CNT). If
+ * CNT.COUNT happens to be bigger than the new MOD value then
+ * the counter will end up being reset way too late. Therefore,
+ * manually reset it to 0.
+ */
+ if (!cmod)
+ writel(0x0, tpm->base + PWM_IMX_TPM_CNT);
+ /*
* set period count:
* if the PWM is disabled (CMOD[1:0] = 2b00), then MOD register
* is updated when MOD register is written.
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 300/482] pwm: mediatek: Handle hardware enable and clock enable separately
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 299/482] pwm: imx-tpm: Reset counter if CMOD is 0 Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 301/482] pwm: mediatek: Fix duty and period setting Greg Kroah-Hartman
` (190 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
AngeloGioacchino Del Regno, Uwe Kleine-König
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
commit 704d918341c378c5f9505dfdf32d315e256d3846 upstream.
Stop handling the clocks in pwm_mediatek_enable() and
pwm_mediatek_disable(). This is a preparing change for the next commit
that requires that clocks and the enable bit are handled separately.
Also move these two functions a bit further up in the source file to
make them usable in pwm_mediatek_config(), which is needed in the next
commit, too.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------
1 file changed, 28 insertions(+), 32 deletions(-)
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -114,6 +114,26 @@ static inline void pwm_mediatek_writel(s
writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset);
}
+static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+{
+ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+ u32 value;
+
+ value = readl(pc->regs);
+ value |= BIT(pwm->hwpwm);
+ writel(value, pc->regs);
+}
+
+static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+{
+ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+ u32 value;
+
+ value = readl(pc->regs);
+ value &= ~BIT(pwm->hwpwm);
+ writel(value, pc->regs);
+}
+
static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
int duty_ns, int period_ns)
{
@@ -176,35 +196,6 @@ out:
return ret;
}
-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
- u32 value;
- int ret;
-
- ret = pwm_mediatek_clk_enable(chip, pwm);
- if (ret < 0)
- return ret;
-
- value = readl(pc->regs);
- value |= BIT(pwm->hwpwm);
- writel(value, pc->regs);
-
- return 0;
-}
-
-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
- u32 value;
-
- value = readl(pc->regs);
- value &= ~BIT(pwm->hwpwm);
- writel(value, pc->regs);
-
- pwm_mediatek_clk_disable(chip, pwm);
-}
-
static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
const struct pwm_state *state)
{
@@ -214,8 +205,10 @@ static int pwm_mediatek_apply(struct pwm
return -EINVAL;
if (!state->enabled) {
- if (pwm->state.enabled)
+ if (pwm->state.enabled) {
pwm_mediatek_disable(chip, pwm);
+ pwm_mediatek_clk_disable(chip, pwm);
+ }
return 0;
}
@@ -224,8 +217,11 @@ static int pwm_mediatek_apply(struct pwm
if (err)
return err;
- if (!pwm->state.enabled)
- err = pwm_mediatek_enable(chip, pwm);
+ if (!pwm->state.enabled) {
+ err = pwm_mediatek_clk_enable(chip, pwm);
+ if (!err)
+ pwm_mediatek_enable(chip, pwm);
+ }
return err;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 301/482] pwm: mediatek: Fix duty and period setting
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 300/482] pwm: mediatek: Handle hardware enable and clock enable separately Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 302/482] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Greg Kroah-Hartman
` (189 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
AngeloGioacchino Del Regno, Uwe Kleine-König
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
commit f21d136caf8171f94159d975ea4620c164431bd9 upstream.
The period generated by the hardware is
(PWMDWIDTH + 1) << CLKDIV) / freq
according to my tests with a signal analyser and also the documentation.
The current algorithm doesn't consider the `+ 1` part and so configures
slightly too high periods. The same issue exists for the duty cycle
setting. So subtract 1 from both the register values for period and
duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable
the PWM which results in a constant low output.
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -163,7 +163,10 @@ static int pwm_mediatek_config(struct pw
do_div(resolution, clk_rate);
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
- while (cnt_period > 8191) {
+ if (!cnt_period)
+ return -EINVAL;
+
+ while (cnt_period > 8192) {
resolution *= 2;
clkdiv++;
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000,
@@ -186,9 +189,16 @@ static int pwm_mediatek_config(struct pw
}
cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution);
+
pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv);
- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period);
- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty);
+ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1);
+
+ if (cnt_duty) {
+ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1);
+ pwm_mediatek_enable(chip, pwm);
+ } else {
+ pwm_mediatek_disable(chip, pwm);
+ }
out:
pwm_mediatek_clk_disable(chip, pwm);
@@ -217,11 +227,8 @@ static int pwm_mediatek_apply(struct pwm
if (err)
return err;
- if (!pwm->state.enabled) {
+ if (!pwm->state.enabled)
err = pwm_mediatek_clk_enable(chip, pwm);
- if (!err)
- pwm_mediatek_enable(chip, pwm);
- }
return err;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 302/482] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 301/482] pwm: mediatek: Fix duty and period setting Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 303/482] mtd: spi-nor: Fix spi_nor_try_unlock_all() Greg Kroah-Hartman
` (188 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tim Harvey, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
commit 9c62e2282900332c8b711d9f9e37af369a8ef71b upstream.
The Linux hwmon sysfs API values for pwmX_auto_pointY_pwm represent an
integer value between 0 (0%) to 255 (100%) and the pwmX_auto_pointY_temp
represent millidegrees Celcius.
Commit a6d80df47ee2 ("hwmon: (gsc-hwmon) fix fan pwm temperature
scaling") properly addressed the incorrect scaling in the
pwm_auto_point_temp_store implementation but erroneously scaled
the pwm_auto_point_pwm_show (pwm value) instead of the
pwm_auto_point_temp_show (temp value) resulting in:
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_pwm
25500
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_temp
4500
Fix the scaling of these attributes:
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_pwm
255
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_temp
45000
Fixes: a6d80df47ee2 ("hwmon: (gsc-hwmon) fix fan pwm temperature scaling")
Cc: stable@vger.kernel.org
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Link: https://lore.kernel.org/r/20250718200259.1840792-1-tharvey@gateworks.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/gsc-hwmon.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/hwmon/gsc-hwmon.c
+++ b/drivers/hwmon/gsc-hwmon.c
@@ -65,7 +65,7 @@ static ssize_t pwm_auto_point_temp_show(
return ret;
ret = regs[0] | regs[1] << 8;
- return sprintf(buf, "%d\n", ret * 10);
+ return sprintf(buf, "%d\n", ret * 100);
}
static ssize_t pwm_auto_point_temp_store(struct device *dev,
@@ -100,7 +100,7 @@ static ssize_t pwm_auto_point_pwm_show(s
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
- return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)));
+ return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)) / 100);
}
static SENSOR_DEVICE_ATTR_RO(pwm1_auto_point1_pwm, pwm_auto_point_pwm, 0);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 303/482] mtd: spi-nor: Fix spi_nor_try_unlock_all()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 302/482] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 304/482] mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Greg Kroah-Hartman
` (187 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Marc Ranger, Michael Walle,
Pratyush Yadav
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Walle <mwalle@kernel.org>
commit 2e3a7476ec3989e77270b9481e76e137824b17c0 upstream.
Commit ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()")
moved all initialization of the mtd fields at the end of spi_nor_scan().
Normally, the mtd info is only needed for the mtd ops on the device,
with one exception: spi_nor_try_unlock_all(), which will also make use
of the mtd->size parameter. With that commit, the size will always be
zero because it is not initialized. Fix that by not using the size of
the mtd_info struct, but use the size from struct spi_nor_flash_parameter.
Fixes: ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()")
Cc: stable@vger.kernel.org
Reported-by: Jean-Marc Ranger <jmranger@hotmail.com>
Closes: https://lore.kernel.org/all/DM6PR06MB561177323DC5207E34AF2A06C547A@DM6PR06MB5611.namprd06.prod.outlook.com/
Tested-by: Jean-Marc Ranger <jmranger@hotmail.com>
Signed-off-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Link: https://lore.kernel.org/r/20250701140426.2355182-1-mwalle@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/swp.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
--- a/drivers/mtd/spi-nor/swp.c
+++ b/drivers/mtd/spi-nor/swp.c
@@ -50,7 +50,6 @@ static u64 spi_nor_get_min_prot_length_s
static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs,
uint64_t *len)
{
- struct mtd_info *mtd = &nor->mtd;
u64 min_prot_len;
u8 mask = spi_nor_get_sr_bp_mask(nor);
u8 tb_mask = spi_nor_get_sr_tb_mask(nor);
@@ -71,13 +70,13 @@ static void spi_nor_get_locked_range_sr(
min_prot_len = spi_nor_get_min_prot_length_sr(nor);
*len = min_prot_len << (bp - 1);
- if (*len > mtd->size)
- *len = mtd->size;
+ if (*len > nor->params->size)
+ *len = nor->params->size;
if (nor->flags & SNOR_F_HAS_SR_TB && sr & tb_mask)
*ofs = 0;
else
- *ofs = mtd->size - *len;
+ *ofs = nor->params->size - *len;
}
/*
@@ -153,7 +152,6 @@ static bool spi_nor_is_unlocked_sr(struc
*/
static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, uint64_t len)
{
- struct mtd_info *mtd = &nor->mtd;
u64 min_prot_len;
int ret, status_old, status_new;
u8 mask = spi_nor_get_sr_bp_mask(nor);
@@ -178,7 +176,7 @@ static int spi_nor_sr_lock(struct spi_no
can_be_bottom = false;
/* If anything above us is unlocked, we can't use 'top' protection */
- if (!spi_nor_is_locked_sr(nor, ofs + len, mtd->size - (ofs + len),
+ if (!spi_nor_is_locked_sr(nor, ofs + len, nor->params->size - (ofs + len),
status_old))
can_be_top = false;
@@ -190,11 +188,11 @@ static int spi_nor_sr_lock(struct spi_no
/* lock_len: length of region that should end up locked */
if (use_top)
- lock_len = mtd->size - ofs;
+ lock_len = nor->params->size - ofs;
else
lock_len = ofs + len;
- if (lock_len == mtd->size) {
+ if (lock_len == nor->params->size) {
val = mask;
} else {
min_prot_len = spi_nor_get_min_prot_length_sr(nor);
@@ -238,7 +236,6 @@ static int spi_nor_sr_lock(struct spi_no
*/
static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, uint64_t len)
{
- struct mtd_info *mtd = &nor->mtd;
u64 min_prot_len;
int ret, status_old, status_new;
u8 mask = spi_nor_get_sr_bp_mask(nor);
@@ -263,7 +260,7 @@ static int spi_nor_sr_unlock(struct spi_
can_be_top = false;
/* If anything above us is locked, we can't use 'bottom' protection */
- if (!spi_nor_is_unlocked_sr(nor, ofs + len, mtd->size - (ofs + len),
+ if (!spi_nor_is_unlocked_sr(nor, ofs + len, nor->params->size - (ofs + len),
status_old))
can_be_bottom = false;
@@ -275,7 +272,7 @@ static int spi_nor_sr_unlock(struct spi_
/* lock_len: length of region that should remain locked */
if (use_top)
- lock_len = mtd->size - (ofs + len);
+ lock_len = nor->params->size - (ofs + len);
else
lock_len = ofs;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 304/482] mtd: spinand: propagate spinand_wait() errors from spinand_write_page()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 303/482] mtd: spi-nor: Fix spi_nor_try_unlock_all() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 305/482] mtd: rawnand: fsmc: Add missing check after DMA map Greg Kroah-Hartman
` (186 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit 091d9e35b85b0f8f7e1c73535299f91364a5c73a upstream.
Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine
logic") the spinand_write_page() function ignores the errors returned
by spinand_wait(). Change the code to propagate those up to the stack
as it was done before the offending change.
Cc: stable@vger.kernel.org
Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/spi/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -624,7 +624,10 @@ static int spinand_write_page(struct spi
SPINAND_WRITE_INITIAL_DELAY_US,
SPINAND_WRITE_POLL_DELAY_US,
&status);
- if (!ret && (status & STATUS_PROG_FAILED))
+ if (ret)
+ return ret;
+
+ if (status & STATUS_PROG_FAILED)
return -EIO;
return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 305/482] mtd: rawnand: fsmc: Add missing check after DMA map
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 304/482] mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 306/482] mtd: rawnand: renesas: " Greg Kroah-Hartman
` (185 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream.
The DMA map functions can fail and should be tested for errors.
Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Rule: add
Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/fsmc_nand.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mtd/nand/raw/fsmc_nand.c
+++ b/drivers/mtd/nand/raw/fsmc_nand.c
@@ -503,6 +503,8 @@ static int dma_xfer(struct fsmc_nand_dat
dma_dev = chan->device;
dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction);
+ if (dma_mapping_error(dma_dev->dev, dma_addr))
+ return -EINVAL;
if (direction == DMA_TO_DEVICE) {
dma_src = dma_addr;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 306/482] mtd: rawnand: renesas: Add missing check after DMA map
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 305/482] mtd: rawnand: fsmc: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 307/482] PCI: endpoint: Fix configfs group list head handling Greg Kroah-Hartman
` (184 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 79e441ee47949376e3bc20f085cf017b70523d0f upstream.
The DMA map functions can fail and should be tested for errors.
Fixes: d8701fe890ec ("mtd: rawnand: renesas: Add new NAND controller driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/renesas-nand-controller.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/mtd/nand/raw/renesas-nand-controller.c
+++ b/drivers/mtd/nand/raw/renesas-nand-controller.c
@@ -426,6 +426,9 @@ static int rnandc_read_page_hw_ecc(struc
/* Configure DMA */
dma_addr = dma_map_single(rnandc->dev, rnandc->buf, mtd->writesize,
DMA_FROM_DEVICE);
+ if (dma_mapping_error(rnandc->dev, dma_addr))
+ return -ENOMEM;
+
writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG);
writel(mtd->writesize, rnandc->regs + DMA_CNT_REG);
writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG);
@@ -606,6 +609,9 @@ static int rnandc_write_page_hw_ecc(stru
/* Configure DMA */
dma_addr = dma_map_single(rnandc->dev, (void *)rnandc->buf, mtd->writesize,
DMA_TO_DEVICE);
+ if (dma_mapping_error(rnandc->dev, dma_addr))
+ return -ENOMEM;
+
writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG);
writel(mtd->writesize, rnandc->regs + DMA_CNT_REG);
writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 307/482] PCI: endpoint: Fix configfs group list head handling
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 306/482] mtd: rawnand: renesas: " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 308/482] PCI: endpoint: Fix configfs group removal on driver teardown Greg Kroah-Hartman
` (183 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal,
Manivannan Sadhasivam, Niklas Cassel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream.
Doing a list_del() on the epf_group field of struct pci_epf_driver in
pci_epf_remove_cfs() is not correct as this field is a list head, not
a list entry. This list_del() call triggers a KASAN warning when an
endpoint function driver which has a configfs attribute group is torn
down:
==================================================================
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
show_stack+0x2c/0x84 (C)
dump_stack_lvl+0x70/0x98
print_report+0x17c/0x538
kasan_report+0xb8/0x190
__asan_report_store8_noabort+0x20/0x2c
pci_epf_remove_cfs+0x17c/0x198
pci_epf_unregister_driver+0x18/0x30
nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
__arm64_sys_delete_module+0x264/0x424
invoke_syscall+0x70/0x260
el0_svc_common.constprop.0+0xac/0x230
do_el0_svc+0x40/0x58
el0_svc+0x48/0xdc
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
...
Remove this incorrect list_del() call from pci_epf_remove_cfs().
Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/endpoint/pci-epf-core.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -343,7 +343,6 @@ static void pci_epf_remove_cfs(struct pc
mutex_lock(&pci_epf_mutex);
list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
pci_ep_cfs_remove_epf_group(group);
- list_del(&driver->epf_group);
mutex_unlock(&pci_epf_mutex);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 308/482] PCI: endpoint: Fix configfs group removal on driver teardown
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 307/482] PCI: endpoint: Fix configfs group list head handling Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 309/482] vsock/virtio: Validate length in packet header before skb_put() Greg Kroah-Hartman
` (182 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal,
Manivannan Sadhasivam, Niklas Cassel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream.
An endpoint driver configfs attributes group is added to the
epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an
added group is not removed from this list when the attribute group is
unregistered with pci_ep_cfs_remove_epf_group().
Add the missing list_del() call in pci_ep_cfs_remove_epf_group()
to correctly remove the attribute group from the driver list.
With this change, once the loop over all attribute groups in
pci_epf_remove_cfs() completes, the driver epf_group list should be
empty. Add a WARN_ON() to make sure of that.
Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/endpoint/pci-ep-cfs.c | 1 +
drivers/pci/endpoint/pci-epf-core.c | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/pci/endpoint/pci-ep-cfs.c
+++ b/drivers/pci/endpoint/pci-ep-cfs.c
@@ -646,6 +646,7 @@ void pci_ep_cfs_remove_epf_group(struct
if (IS_ERR_OR_NULL(group))
return;
+ list_del(&group->group_entry);
configfs_unregister_default_group(group);
}
EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group);
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -343,6 +343,7 @@ static void pci_epf_remove_cfs(struct pc
mutex_lock(&pci_epf_mutex);
list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
pci_ep_cfs_remove_epf_group(group);
+ WARN_ON(!list_empty(&driver->epf_group));
mutex_unlock(&pci_epf_mutex);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 309/482] vsock/virtio: Validate length in packet header before skb_put()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 308/482] PCI: endpoint: Fix configfs group removal on driver teardown Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 310/482] vhost/vsock: Avoid allocating arbitrarily-sized SKBs Greg Kroah-Hartman
` (181 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will Deacon, Michael S. Tsirkin,
Stefano Garzarella
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
commit 0dab92484474587b82e8e0455839eaf5ac7bf894 upstream.
When receiving a vsock packet in the guest, only the virtqueue buffer
size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
virtio_vsock_skb_rx_put() uses the length from the packet header as the
length argument to skb_put(), potentially resulting in SKB overflow if
the host has gone wonky.
Validate the length as advertised by the packet header before calling
virtio_vsock_skb_rx_put().
Cc: <stable@vger.kernel.org>
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-3-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -494,8 +494,9 @@ static void virtio_transport_rx_work(str
do {
virtqueue_disable_cb(vq);
for (;;) {
+ unsigned int len, payload_len;
+ struct virtio_vsock_hdr *hdr;
struct sk_buff *skb;
- unsigned int len;
if (!virtio_transport_more_replies(vsock)) {
/* Stop rx until the device processes already
@@ -512,11 +513,18 @@ static void virtio_transport_rx_work(str
vsock->rx_buf_nr--;
/* Drop short/long packets */
- if (unlikely(len < sizeof(struct virtio_vsock_hdr) ||
+ if (unlikely(len < sizeof(*hdr) ||
len > virtio_vsock_skb_len(skb))) {
kfree_skb(skb);
continue;
}
+
+ hdr = virtio_vsock_hdr(skb);
+ payload_len = le32_to_cpu(hdr->len);
+ if (unlikely(payload_len > len - sizeof(*hdr))) {
+ kfree_skb(skb);
+ continue;
+ }
virtio_vsock_skb_rx_put(skb);
virtio_transport_deliver_tap_pkt(skb);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 310/482] vhost/vsock: Avoid allocating arbitrarily-sized SKBs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 309/482] vsock/virtio: Validate length in packet header before skb_put() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 311/482] jbd2: prevent softlockup in jbd2_log_do_checkpoint() Greg Kroah-Hartman
` (180 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Will Deacon,
Michael S. Tsirkin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
commit 10a886aaed293c4db3417951f396827216299e3d upstream.
vhost_vsock_alloc_skb() returns NULL for packets advertising a length
larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However,
this is only checked once the SKB has been allocated and, if the length
in the packet header is zero, the SKB may not be freed immediately.
Hoist the size check before the SKB allocation so that an iovec larger
than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected
outright. The subsequent check on the length field in the header can
then simply check that the allocated SKB is indeed large enough to hold
the packet.
Cc: <stable@vger.kernel.org>
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-2-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vsock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -340,6 +340,9 @@ vhost_vsock_alloc_skb(struct vhost_virtq
len = iov_length(vq->iov, out);
+ if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
+ return NULL;
+
/* len contains both payload and hdr */
skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
if (!skb)
@@ -363,8 +366,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
return skb;
/* The pkt is too big or the length in the header is invalid */
- if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
- payload_len + sizeof(*hdr) > len) {
+ if (payload_len + sizeof(*hdr) > len) {
kfree_skb(skb);
return NULL;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 311/482] jbd2: prevent softlockup in jbd2_log_do_checkpoint()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 310/482] vhost/vsock: Avoid allocating arbitrarily-sized SKBs Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 312/482] soc/tegra: pmc: Ensure power-domains are in a known state Greg Kroah-Hartman
` (179 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 9d98cf4632258720f18265a058e62fde120c0151 upstream.
Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()
periodically release j_list_lock after processing a batch of buffers to
avoid long hold times on the j_list_lock. However, since both functions
contend for j_list_lock, the combined time spent waiting and processing
can be significant.
jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when
need_resched() is true to avoid softlockups during prolonged operations.
But jbd2_log_do_checkpoint() only exits its loop when need_resched() is
true, relying on potentially sleeping functions like __flush_batch() or
wait_on_buffer() to trigger rescheduling. If those functions do not sleep,
the kernel may hit a softlockup.
watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
Workqueue: writeback wb_workfn (flush-7:2)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : native_queued_spin_lock_slowpath+0x358/0x418
lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
Call trace:
native_queued_spin_lock_slowpath+0x358/0x418
jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
__jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
add_transaction_credits+0x3bc/0x418 [jbd2]
start_this_handle+0xf8/0x560 [jbd2]
jbd2__journal_start+0x118/0x228 [jbd2]
__ext4_journal_start_sb+0x110/0x188 [ext4]
ext4_do_writepages+0x3dc/0x740 [ext4]
ext4_writepages+0xa4/0x190 [ext4]
do_writepages+0x94/0x228
__writeback_single_inode+0x48/0x318
writeback_sb_inodes+0x204/0x590
__writeback_inodes_wb+0x54/0xf8
wb_writeback+0x2cc/0x3d8
wb_do_writeback+0x2e0/0x2f8
wb_workfn+0x80/0x2a8
process_one_work+0x178/0x3e8
worker_thread+0x234/0x3b8
kthread+0xf0/0x108
ret_from_fork+0x10/0x20
So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid
softlockup.
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/checkpoint.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -297,6 +297,7 @@ restart:
retry:
if (batch_count)
__flush_batch(journal, &batch_count);
+ cond_resched();
spin_lock(&journal->j_list_lock);
goto restart;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 312/482] soc/tegra: pmc: Ensure power-domains are in a known state
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 311/482] jbd2: prevent softlockup in jbd2_log_do_checkpoint() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 313/482] parisc: Check region is readable by user in raw_copy_from_user() Greg Kroah-Hartman
` (178 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jon Hunter, Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Hunter <jonathanh@nvidia.com>
commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream.
After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on
until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board
failed to boot. Looking into this issue, before this commit was applied,
if any of the Tegra power-domains were in 'on' state when the kernel
booted, they were being turned off by the genpd core before any driver
had chance to request them. This was purely by luck and a consequence of
the power-domains being turned off earlier during boot. After this
commit was applied, any power-domains in the 'on' state are kept on for
longer during boot and therefore, may never transitioned to the off
state before they are requested/used. The hang on the Tegra210 Jetson
TX1 is caused because devices in some power-domains are accessed without
the power-domain being turned off and on, indicating that the
power-domain is not in a completely on state.
>From reviewing the Tegra PMC driver code, if a power-domain is in the
'on' state there is no guarantee that all the necessary clocks
associated with the power-domain are on and even if they are they would
not have been requested via the clock framework and so could be turned
off later. Some power-domains also have a 'clamping' register that needs
to be configured as well. In short, if a power-domain is already 'on' it
is difficult to know if it has been configured correctly. Given that the
power-domains happened to be switched off during boot previously, to
ensure that they are in a good known state on boot, fix this by
switching off any power-domains that are on initially when registering
the power-domains with the genpd framework.
Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets
associated with a power partition") updated the
tegra_powergate_of_get_resets() function to pass the 'off' to ensure
that the resets for the power-domain are in the correct state on boot.
However, now that we may power off a domain on boot, if it is on, it is
better to move this logic into the tegra_powergate_add() function so
that there is a single place where we are handling the initial state of
the power-domain.
Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/tegra/pmc.c | 51 +++++++++++++++++++++++++++---------------------
1 file changed, 29 insertions(+), 22 deletions(-)
--- a/drivers/soc/tegra/pmc.c
+++ b/drivers/soc/tegra/pmc.c
@@ -1224,7 +1224,7 @@ err:
}
static int tegra_powergate_of_get_resets(struct tegra_powergate *pg,
- struct device_node *np, bool off)
+ struct device_node *np)
{
struct device *dev = pg->pmc->dev;
int err;
@@ -1239,22 +1239,6 @@ static int tegra_powergate_of_get_resets
err = reset_control_acquire(pg->reset);
if (err < 0) {
pr_err("failed to acquire resets: %d\n", err);
- goto out;
- }
-
- if (off) {
- err = reset_control_assert(pg->reset);
- } else {
- err = reset_control_deassert(pg->reset);
- if (err < 0)
- goto out;
-
- reset_control_release(pg->reset);
- }
-
-out:
- if (err) {
- reset_control_release(pg->reset);
reset_control_put(pg->reset);
}
@@ -1299,20 +1283,43 @@ static int tegra_powergate_add(struct te
goto set_available;
}
- err = tegra_powergate_of_get_resets(pg, np, off);
+ err = tegra_powergate_of_get_resets(pg, np);
if (err < 0) {
dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err);
goto remove_clks;
}
- if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
- if (off)
- WARN_ON(tegra_powergate_power_up(pg, true));
+ /*
+ * If the power-domain is off, then ensure the resets are asserted.
+ * If the power-domain is on, then power down to ensure that when is
+ * it turned on the power-domain, clocks and resets are all in the
+ * expected state.
+ */
+ if (off) {
+ err = reset_control_assert(pg->reset);
+ if (err) {
+ pr_err("failed to assert resets: %d\n", err);
+ goto remove_resets;
+ }
+ } else {
+ err = tegra_powergate_power_down(pg);
+ if (err) {
+ dev_err(dev, "failed to turn off PM domain %s: %d\n",
+ pg->genpd.name, err);
+ goto remove_resets;
+ }
+ }
+ /*
+ * If PM_GENERIC_DOMAINS is not enabled, power-on
+ * the domain and skip the genpd registration.
+ */
+ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
+ WARN_ON(tegra_powergate_power_up(pg, true));
goto remove_resets;
}
- err = pm_genpd_init(&pg->genpd, NULL, off);
+ err = pm_genpd_init(&pg->genpd, NULL, true);
if (err < 0) {
dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np,
err);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 313/482] parisc: Check region is readable by user in raw_copy_from_user()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 312/482] soc/tegra: pmc: Ensure power-domains are in a known state Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 314/482] parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers Greg Kroah-Hartman
` (177 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John David Anglin, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit 91428ca9320edbab1211851d82429d33b9cd73ef upstream.
Because of the way the _PAGE_READ is handled in the parisc PTE, an
access interruption is not generated when the kernel reads from a
region where the _PAGE_READ is zero. The current code was written
assuming read access faults would also occur in the kernel.
This change adds user access checks to raw_copy_from_user(). The
prober_user() define checks whether user code has read access to
a virtual address. Note that page faults are not handled in the
exception support for the probe instruction. For this reason, we
precede the probe by a ldb access check.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/special_insns.h | 28 ++++++++++++++++++++++++++++
arch/parisc/lib/memcpy.c | 19 ++++++++++++++++++-
2 files changed, 46 insertions(+), 1 deletion(-)
--- a/arch/parisc/include/asm/special_insns.h
+++ b/arch/parisc/include/asm/special_insns.h
@@ -32,6 +32,34 @@
pa; \
})
+/**
+ * prober_user() - Probe user read access
+ * @sr: Space regster.
+ * @va: Virtual address.
+ *
+ * Return: Non-zero if address is accessible.
+ *
+ * Due to the way _PAGE_READ is handled in TLB entries, we need
+ * a special check to determine whether a user address is accessible.
+ * The ldb instruction does the initial access check. If it is
+ * successful, the probe instruction checks user access rights.
+ */
+#define prober_user(sr, va) ({ \
+ unsigned long read_allowed; \
+ __asm__ __volatile__( \
+ "copy %%r0,%0\n" \
+ "8:\tldb 0(%%sr%1,%2),%%r0\n" \
+ "\tproberi (%%sr%1,%2),%3,%0\n" \
+ "9:\n" \
+ ASM_EXCEPTIONTABLE_ENTRY(8b, 9b, \
+ "or %%r0,%%r0,%%r0") \
+ : "=&r" (read_allowed) \
+ : "i" (sr), "r" (va), "i" (PRIV_USER) \
+ : "memory" \
+ ); \
+ read_allowed; \
+})
+
#define CR_EIEM 15 /* External Interrupt Enable Mask */
#define CR_CR16 16 /* CR16 Interval Timer */
#define CR_EIRR 23 /* External Interrupt Request Register */
--- a/arch/parisc/lib/memcpy.c
+++ b/arch/parisc/lib/memcpy.c
@@ -12,6 +12,7 @@
#include <linux/module.h>
#include <linux/compiler.h>
#include <linux/uaccess.h>
+#include <linux/mm.h>
#define get_user_space() mfsp(SR_USER)
#define get_kernel_space() SR_KERNEL
@@ -32,9 +33,25 @@ EXPORT_SYMBOL(raw_copy_to_user);
unsigned long raw_copy_from_user(void *dst, const void __user *src,
unsigned long len)
{
+ unsigned long start = (unsigned long) src;
+ unsigned long end = start + len;
+ unsigned long newlen = len;
+
mtsp(get_user_space(), SR_TEMP1);
mtsp(get_kernel_space(), SR_TEMP2);
- return pa_memcpy(dst, (void __force *)src, len);
+
+ /* Check region is user accessible */
+ if (start)
+ while (start < end) {
+ if (!prober_user(SR_TEMP1, start)) {
+ newlen = (start - (unsigned long) src);
+ break;
+ }
+ start += PAGE_SIZE;
+ /* align to page boundry which may have different permission */
+ start = PAGE_ALIGN_DOWN(start);
+ }
+ return len - newlen + pa_memcpy(dst, (void __force *)src, newlen);
}
EXPORT_SYMBOL(raw_copy_from_user);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 314/482] parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 313/482] parisc: Check region is readable by user in raw_copy_from_user() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 315/482] parisc: Revise __get_user() to probe user read access Greg Kroah-Hartman
` (176 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, James E.J. Bottomley,
Helge Deller, linux-parisc
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
commit 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 upstream.
For building a 64-bit kernel, both 32-bit and 64-bit VDSO binaries
are built, so both 32-bit and 64-bit compilers (and tools) should be
in the PATH environment variable.
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
Cc: Helge Deller <deller@gmx.de>
Cc: linux-parisc@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/parisc/Makefile
+++ b/arch/parisc/Makefile
@@ -39,7 +39,9 @@ endif
export LD_BFD
-# Set default 32 bits cross compilers for vdso
+# Set default 32 bits cross compilers for vdso.
+# This means that for 64BIT, both the 64-bit tools and the 32-bit tools
+# need to be in the path.
CC_ARCHES_32 = hppa hppa2.0 hppa1.1
CC_SUFFIXES = linux linux-gnu unknown-linux-gnu suse-linux
CROSS32_COMPILE := $(call cc-cross-prefix, \
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 315/482] parisc: Revise __get_user() to probe user read access
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 314/482] parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 316/482] parisc: Revise gateway LWS calls " Greg Kroah-Hartman
` (175 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John David Anglin, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit 89f686a0fb6e473a876a9a60a13aec67a62b9a7e upstream.
Because of the way read access support is implemented, read access
interruptions are only triggered at privilege levels 2 and 3. The
kernel executes at privilege level 0, so __get_user() never triggers
a read access interruption (code 26). Thus, it is currently possible
for user code to access a read protected address via a system call.
Fix this by probing read access rights at privilege level 3 (PRIV_USER)
and setting __gu_err to -EFAULT (-14) if access isn't allowed.
Note the cmpiclr instruction does a 32-bit compare because COND macro
doesn't work inside asm.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/uaccess.h | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -42,9 +42,24 @@
__gu_err; \
})
-#define __get_user(val, ptr) \
-({ \
- __get_user_internal(SR_USER, val, ptr); \
+#define __probe_user_internal(sr, error, ptr) \
+({ \
+ __asm__("\tproberi (%%sr%1,%2),%3,%0\n" \
+ "\tcmpiclr,= 1,%0,%0\n" \
+ "\tldi %4,%0\n" \
+ : "=r"(error) \
+ : "i"(sr), "r"(ptr), "i"(PRIV_USER), \
+ "i"(-EFAULT)); \
+})
+
+#define __get_user(val, ptr) \
+({ \
+ register long __gu_err; \
+ \
+ __gu_err = __get_user_internal(SR_USER, val, ptr); \
+ if (likely(!__gu_err)) \
+ __probe_user_internal(SR_USER, __gu_err, ptr); \
+ __gu_err; \
})
#define __get_user_asm(sr, val, ldx, ptr) \
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 316/482] parisc: Revise gateway LWS calls to probe user read access
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 315/482] parisc: Revise __get_user() to probe user read access Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 317/482] parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() Greg Kroah-Hartman
` (174 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John David Anglin, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 upstream.
We use load and stbys,e instructions to trigger memory reference
interruptions without writing to memory. Because of the way read
access support is implemented, read access interruptions are only
triggered at privilege levels 2 and 3. The kernel and gateway
page execute at privilege level 0, so this code never triggers
a read access interruption. Thus, it is currently possible for
user code to execute a LWS compare and swap operation at an
address that is read protected at privilege level 3 (PRIV_USER).
Fix this by probing read access rights at privilege level 3 and
branching to lws_fault if access isn't allowed.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/syscall.S | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -600,6 +600,9 @@ lws_compare_and_swap32:
lws_compare_and_swap:
/* Trigger memory reference interruptions without writing to memory */
1: ldw 0(%r26), %r28
+ proberi (%r26), PRIV_USER, %r28
+ comb,=,n %r28, %r0, lws_fault /* backwards, likely not taken */
+ nop
2: stbys,e %r0, 0(%r26)
/* Calculate 8-bit hash index from virtual address */
@@ -753,6 +756,9 @@ cas2_lock_start:
copy %r26, %r28
depi_safe 0, 31, 2, %r28
10: ldw 0(%r28), %r1
+ proberi (%r28), PRIV_USER, %r1
+ comb,=,n %r1, %r0, lws_fault /* backwards, likely not taken */
+ nop
11: stbys,e %r0, 0(%r28)
/* Calculate 8-bit hash index from virtual address */
@@ -936,41 +942,47 @@ atomic_xchg_begin:
/* 8-bit exchange */
1: ldb 0(%r24), %r20
+ proberi (%r24), PRIV_USER, %r20
+ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
+ nop
copy %r23, %r20
depi_safe 0, 31, 2, %r20
b atomic_xchg_start
2: stbys,e %r0, 0(%r20)
- nop
- nop
- nop
/* 16-bit exchange */
3: ldh 0(%r24), %r20
+ proberi (%r24), PRIV_USER, %r20
+ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
+ nop
copy %r23, %r20
depi_safe 0, 31, 2, %r20
b atomic_xchg_start
4: stbys,e %r0, 0(%r20)
- nop
- nop
- nop
/* 32-bit exchange */
5: ldw 0(%r24), %r20
+ proberi (%r24), PRIV_USER, %r20
+ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
+ nop
b atomic_xchg_start
6: stbys,e %r0, 0(%r23)
nop
nop
- nop
- nop
- nop
/* 64-bit exchange */
#ifdef CONFIG_64BIT
7: ldd 0(%r24), %r20
+ proberi (%r24), PRIV_USER, %r20
+ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
+ nop
8: stdby,e %r0, 0(%r23)
#else
7: ldw 0(%r24), %r20
8: ldw 4(%r24), %r20
+ proberi (%r24), PRIV_USER, %r20
+ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
+ nop
copy %r23, %r20
depi_safe 0, 31, 2, %r20
9: stbys,e %r0, 0(%r20)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 317/482] parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 316/482] parisc: Revise gateway LWS calls " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 318/482] parisc: Update comments in make_insert_tlb Greg Kroah-Hartman
` (173 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John David Anglin, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 upstream.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/mm/fault.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/parisc/mm/fault.c
+++ b/arch/parisc/mm/fault.c
@@ -358,6 +358,10 @@ bad_area:
mmap_read_unlock(mm);
bad_area_nosemaphore:
+ if (!user_mode(regs) && fixup_exception(regs)) {
+ return;
+ }
+
if (user_mode(regs)) {
int signo, si_code;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 318/482] parisc: Update comments in make_insert_tlb
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 317/482] parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 319/482] media: gspca: Add bounds checking to firmware parser Greg Kroah-Hartman
` (172 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John David Anglin, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit cb22f247f371bd206a88cf0e0c05d80b8b62fb26 upstream.
The following testcase exposed a problem with our read access checks
in get_user() and raw_copy_from_user():
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/types.h>
int main(int argc, char **argv)
{
unsigned long page_size = sysconf(_SC_PAGESIZE);
char *p = malloc(3 * page_size);
char *p_aligned;
/* initialize memory region. If not initialized, write syscall below will correctly return EFAULT. */
if (1)
memset(p, 'X', 3 * page_size);
p_aligned = (char *) ((((uintptr_t) p) + (2*page_size - 1)) & ~(page_size - 1));
/* Drop PROT_READ protection. Kernel and userspace should fault when accessing that memory region */
mprotect(p_aligned, page_size, PROT_NONE);
/* the following write() should return EFAULT, since PROT_READ was dropped by previous mprotect() */
int ret = write(2, p_aligned, 1);
if (!ret || errno != EFAULT)
printf("\n FAILURE: write() did not returned expected EFAULT value\n");
return 0;
}
Because of the way _PAGE_READ is handled, kernel code never generates
a read access fault when it access a page as the kernel privilege level
is always less than PL1 in the PTE.
This patch reworks the comments in the make_insert_tlb macro to try
to make this clearer.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/entry.S | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -486,6 +486,12 @@
* this happens is quite subtle, read below */
.macro make_insert_tlb spc,pte,prot,tmp
space_to_prot \spc \prot /* create prot id from space */
+
+#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT
+ /* need to drop DMB bit, as it's used as SPECIAL flag */
+ depi 0,_PAGE_SPECIAL_BIT,1,\pte
+#endif
+
/* The following is the real subtlety. This is depositing
* T <-> _PAGE_REFTRAP
* D <-> _PAGE_DIRTY
@@ -498,17 +504,18 @@
* Finally, _PAGE_READ goes in the top bit of PL1 (so we
* trigger an access rights trap in user space if the user
* tries to read an unreadable page */
-#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT
- /* need to drop DMB bit, as it's used as SPECIAL flag */
- depi 0,_PAGE_SPECIAL_BIT,1,\pte
-#endif
depd \pte,8,7,\prot
/* PAGE_USER indicates the page can be read with user privileges,
* so deposit X1|11 to PL1|PL2 (remember the upper bit of PL1
- * contains _PAGE_READ) */
+ * contains _PAGE_READ). While the kernel can't directly write
+ * user pages which have _PAGE_WRITE zero, it can read pages
+ * which have _PAGE_READ zero (PL <= PL1). Thus, the kernel
+ * exception fault handler doesn't trigger when reading pages
+ * that aren't user read accessible */
extrd,u,*= \pte,_PAGE_USER_BIT+32,1,%r0
depdi 7,11,3,\prot
+
/* If we're a gateway page, drop PL2 back to zero for promotion
* to kernel privilege (so we can execute the page as kernel).
* Any privilege promotion page always denys read and write */
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 319/482] media: gspca: Add bounds checking to firmware parser
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 318/482] parisc: Update comments in make_insert_tlb Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 320/482] media: hi556: correct the test pattern configuration Greg Kroah-Hartman
` (171 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream.
This sd_init() function reads the firmware. The firmware data holds a
series of records and the function reads each record and sends the data
to the device. The request_ihex_firmware() function
calls ihex_validate_fw() which ensures that the total length of all the
records won't read out of bounds of the fw->data[].
However, a potential issue is if there is a single very large
record (larger than PAGE_SIZE) and that would result in memory
corruption. Generally we trust the firmware, but it's always better to
double check.
Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/gspca/vicam.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/media/usb/gspca/vicam.c
+++ b/drivers/media/usb/gspca/vicam.c
@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp
const struct ihex_binrec *rec;
const struct firmware *fw;
u8 *firmware_buf;
+ int len;
ret = request_ihex_firmware(&fw, VICAM_FIRMWARE,
&gspca_dev->dev->dev);
@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp
goto exit;
}
for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) {
- memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len));
+ len = be16_to_cpu(rec->len);
+ if (len > PAGE_SIZE) {
+ ret = -EINVAL;
+ break;
+ }
+ memcpy(firmware_buf, rec->data, len);
ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf,
- be16_to_cpu(rec->len));
+ len);
if (ret < 0)
break;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 320/482] media: hi556: correct the test pattern configuration
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 319/482] media: gspca: Add bounds checking to firmware parser Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 321/482] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Greg Kroah-Hartman
` (170 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bingbu Cao, Sakari Ailus,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingbu Cao <bingbu.cao@intel.com>
commit 020f602b068c9ce18d5056d02c8302199377d98d upstream.
Hynix hi556 support 8 test pattern modes:
hi556_test_pattern_menu[] = {
{
"Disabled",
"Solid Colour",
"100% Colour Bars",
"Fade To Grey Colour Bars",
"PN9",
"Gradient Horizontal",
"Gradient Vertical",
"Check Board",
"Slant Pattern",
}
The test pattern is set by a 8-bit register according to the
specification.
+--------+-------------------------------+
| BIT[0] | Solid color |
+--------+-------------------------------+
| BIT[1] | Color bar |
+--------+-------------------------------+
| BIT[2] | Fade to grey color bar |
+--------+-------------------------------+
| BIT[3] | PN9 |
+--------+-------------------------------+
| BIT[4] | Gradient horizontal |
+--------+-------------------------------+
| BIT[5] | Gradient vertical |
+--------+-------------------------------+
| BIT[6] | Check board |
+--------+-------------------------------+
| BIT[7] | Slant pattern |
+--------+-------------------------------+
Based on function above, current test pattern programming is wrong.
This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver
will disable the test pattern generation and set the pattern to 0.
Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/hi556.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
--- a/drivers/media/i2c/hi556.c
+++ b/drivers/media/i2c/hi556.c
@@ -605,21 +605,23 @@ static int hi556_test_pattern(struct hi5
int ret;
u32 val;
- if (pattern) {
- ret = hi556_read_reg(hi556, HI556_REG_ISP,
- HI556_REG_VALUE_08BIT, &val);
- if (ret)
- return ret;
-
- ret = hi556_write_reg(hi556, HI556_REG_ISP,
- HI556_REG_VALUE_08BIT,
- val | HI556_REG_ISP_TPG_EN);
- if (ret)
- return ret;
- }
+ ret = hi556_read_reg(hi556, HI556_REG_ISP,
+ HI556_REG_VALUE_08BIT, &val);
+ if (ret)
+ return ret;
+
+ val = pattern ? (val | HI556_REG_ISP_TPG_EN) :
+ (val & ~HI556_REG_ISP_TPG_EN);
+
+ ret = hi556_write_reg(hi556, HI556_REG_ISP,
+ HI556_REG_VALUE_08BIT, val);
+ if (ret)
+ return ret;
+
+ val = pattern ? BIT(pattern - 1) : 0;
return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN,
- HI556_REG_VALUE_08BIT, pattern);
+ HI556_REG_VALUE_08BIT, val);
}
static int hi556_set_ctrl(struct v4l2_ctrl *ctrl)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 321/482] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 320/482] media: hi556: correct the test pattern configuration Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 322/482] media: vivid: fix wrong pixel_array control size Greg Kroah-Hartman
` (169 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Dan Carpenter,
Nicolas Dufresne, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream.
Add video_device_release() in label 'err_m2m' to release the memory
allocated by video_device_alloc() and prevent potential memory leaks.
Remove the reduntant code in label 'err_m2m'.
Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/media/imx/imx-media-csc-scaler.c
+++ b/drivers/staging/media/imx/imx-media-csc-scaler.c
@@ -914,7 +914,7 @@ imx_media_csc_scaler_device_init(struct
return &priv->vdev;
err_m2m:
- video_set_drvdata(vfd, NULL);
+ video_device_release(vfd);
err_vfd:
kfree(priv);
return ERR_PTR(ret);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 322/482] media: vivid: fix wrong pixel_array control size
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 321/482] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 323/482] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free() Greg Kroah-Hartman
` (168 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil@xs4all.nl>
commit 3e43442d4994c9e1e202c98129a87e330f7faaed upstream.
The pixel_array control size was calculated incorrectly:
the dimensions were swapped (dims[0] should be the height), and the
values should be the width or height divided by PIXEL_ARRAY_DIV
and rounded up. So don't use roundup, but use DIV_ROUND_UP instead.
This bug is harmless in the sense that nothing will break, except that
it consumes way too much memory for this control.
Fixes: 6bc7643d1b9c ("media: vivid: add pixel_array test control")
Cc: <stable@vger.kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 ++-
drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c
+++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c
@@ -238,7 +238,8 @@ static const struct v4l2_ctrl_config viv
.min = 0x00,
.max = 0xff,
.step = 1,
- .dims = { 640 / PIXEL_ARRAY_DIV, 360 / PIXEL_ARRAY_DIV },
+ .dims = { DIV_ROUND_UP(360, PIXEL_ARRAY_DIV),
+ DIV_ROUND_UP(640, PIXEL_ARRAY_DIV) },
};
static const char * const vivid_ctrl_menu_strings[] = {
--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
@@ -475,8 +475,8 @@ void vivid_update_format_cap(struct vivi
if (keep_controls)
return;
- dims[0] = roundup(dev->src_rect.width, PIXEL_ARRAY_DIV);
- dims[1] = roundup(dev->src_rect.height, PIXEL_ARRAY_DIV);
+ dims[0] = DIV_ROUND_UP(dev->src_rect.height, PIXEL_ARRAY_DIV);
+ dims[1] = DIV_ROUND_UP(dev->src_rect.width, PIXEL_ARRAY_DIV);
v4l2_ctrl_modify_dimensions(dev->pixel_array, dims);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 323/482] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 322/482] media: vivid: fix wrong pixel_array control size Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 324/482] media: usbtv: Lock resolution while streaming Greg Kroah-Hartman
` (167 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil,
Laurent Pinchart
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 upstream.
It's a common pattern in drivers to free the control handler's resources
and then return the handler's error code on drivers' error handling paths.
Alas, the v4l2_ctrl_handler_free() function also zeroes the error field,
effectively indicating successful return to the caller.
There's no apparent need to touch the error field while releasing the
control handler's resources and cleaning up stale pointers. Not touching
the handler's error field is a more certain way to address this problem
than changing all the users, in which case the pattern would be likely to
re-emerge in new drivers.
Do just that, don't touch the control handler's error field in
v4l2_ctrl_handler_free().
Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
@@ -1327,7 +1327,6 @@ void v4l2_ctrl_handler_free(struct v4l2_
kvfree(hdl->buckets);
hdl->buckets = NULL;
hdl->cached = NULL;
- hdl->error = 0;
mutex_unlock(hdl->lock);
mutex_destroy(&hdl->_lock);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 324/482] media: usbtv: Lock resolution while streaming
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 323/482] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 325/482] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Greg Kroah-Hartman
` (166 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ludwig Disterhof, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ludwig Disterhof <ludwig@disterhof.eu>
commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream.
When an program is streaming (ffplay) and another program (qv4l2)
changes the TV standard from NTSC to PAL, the kernel crashes due to trying
to copy to unmapped memory.
Changing from NTSC to PAL increases the resolution in the usbtv struct,
but the video plane buffer isn't adjusted, so it overflows.
Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source")
Cc: stable@vger.kernel.org
Signed-off-by: Ludwig Disterhof <ludwig@disterhof.eu>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/usbtv/usbtv-video.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/media/usb/usbtv/usbtv-video.c
+++ b/drivers/media/usb/usbtv/usbtv-video.c
@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru
}
if (params) {
+ if (vb2_is_busy(&usbtv->vb2q) &&
+ (usbtv->width != params->cap_width ||
+ usbtv->height != params->cap_height))
+ return -EBUSY;
usbtv->width = params->cap_width;
usbtv->height = params->cap_height;
usbtv->n_chunks = usbtv->width * usbtv->height
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 325/482] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 324/482] media: usbtv: Lock resolution while streaming Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 326/482] media: ov2659: Fix memory leaks in ov2659_probe() Greg Kroah-Hartman
` (165 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream.
In the interrupt handler rain_interrupt(), the buffer full check on
rain->buf_len is performed before acquiring rain->buf_lock. This
creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
rain->buf_len is concurrently accessed and modified in the work
handler rain_irq_work_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buf_len
before it becomes full and then proceeding. This can lead to both
interrupts attempting to write to the buffer, incrementing buf_len
beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full
check. This ensures that the check and the subsequent buffer modification
are performed atomically, preventing the race condition. An corresponding
spin_unlock() is added to the overflow path to correctly release the
lock.
This possible bug was found by an experimental static analysis tool
developed by our team.
Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c
+++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c
@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct
{
struct rain *rain = serio_get_drvdata(serio);
+ spin_lock(&rain->buf_lock);
if (rain->buf_len == DATA_SIZE) {
+ spin_unlock(&rain->buf_lock);
dev_warn_once(rain->dev, "buffer overflow\n");
return IRQ_HANDLED;
}
- spin_lock(&rain->buf_lock);
rain->buf_len++;
rain->buf[rain->buf_wr_idx] = data;
rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 326/482] media: ov2659: Fix memory leaks in ov2659_probe()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 325/482] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 327/482] media: qcom: camss: cleanup media device allocated resource on error path Greg Kroah-Hartman
` (164 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Shurong, Sakari Ailus,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Shurong <zhang_shurong@foxmail.com>
commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream.
ov2659_probe() doesn't properly free control handler resources in failure
paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these
memory leaks and reorder the ctrl_handler assignment for better code flow.
Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov2659.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/i2c/ov2659.c
+++ b/drivers/media/i2c/ov2659.c
@@ -1479,14 +1479,15 @@ static int ov2659_probe(struct i2c_clien
V4L2_CID_TEST_PATTERN,
ARRAY_SIZE(ov2659_test_pattern_menu) - 1,
0, 0, ov2659_test_pattern_menu);
- ov2659->sd.ctrl_handler = &ov2659->ctrls;
if (ov2659->ctrls.error) {
dev_err(&client->dev, "%s: control initialization error %d\n",
__func__, ov2659->ctrls.error);
+ v4l2_ctrl_handler_free(&ov2659->ctrls);
return ov2659->ctrls.error;
}
+ ov2659->sd.ctrl_handler = &ov2659->ctrls;
sd = &ov2659->sd;
client->flags |= I2C_CLIENT_SCCB;
#ifdef CONFIG_VIDEO_V4L2_SUBDEV_API
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 327/482] media: qcom: camss: cleanup media device allocated resource on error path
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 326/482] media: ov2659: Fix memory leaks in ov2659_probe() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 328/482] media: venus: Add a check for packet size after reading from shared memory Greg Kroah-Hartman
` (163 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Bryan ODonoghue,
Bryan ODonoghue, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
commit 69080ec3d0daba8a894025476c98ab16b5a505a4 upstream.
A call to media_device_init() requires media_device_cleanup() counterpart
to complete cleanup and release any allocated resources.
This has been done in the driver .remove() right from the beginning, but
error paths on .probe() shall also be fixed.
Fixes: a1d7c116fcf7 ("media: camms: Add core files")
Cc: stable@vger.kernel.org
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/camss/camss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/qcom/camss/camss.c
+++ b/drivers/media/platform/qcom/camss/camss.c
@@ -1658,7 +1658,7 @@ static int camss_probe(struct platform_d
ret = v4l2_device_register(camss->dev, &camss->v4l2_dev);
if (ret < 0) {
dev_err(dev, "Failed to register V4L2 device: %d\n", ret);
- goto err_genpd_cleanup;
+ goto err_media_device_cleanup;
}
v4l2_async_nf_init(&camss->notifier);
@@ -1710,6 +1710,8 @@ err_v4l2_device_unregister:
v4l2_device_unregister(&camss->v4l2_dev);
v4l2_async_nf_cleanup(&camss->notifier);
pm_runtime_disable(dev);
+err_media_device_cleanup:
+ media_device_cleanup(&camss->media_dev);
err_genpd_cleanup:
camss_genpd_cleanup(camss);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 328/482] media: venus: Add a check for packet size after reading from shared memory
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 327/482] media: qcom: camss: cleanup media device allocated resource on error path Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 329/482] media: venus: hfi: explicitly release IRQ during teardown Greg Kroah-Hartman
` (162 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vedang Nagar, Dikshita Agarwal,
Bryan ODonoghue, Bryan ODonoghue, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vedang Nagar <quic_vnagar@quicinc.com>
commit 49befc830daa743e051a65468c05c2ff9e8580e6 upstream.
Add a check to ensure that the packet size does not exceed the number of
available words after reading the packet header from shared memory. This
ensures that the size provided by the firmware is safe to process and
prevent potential out-of-bounds memory access.
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Cc: stable@vger.kernel.org
Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -239,6 +239,7 @@ static int venus_write_queue(struct venu
static int venus_read_queue(struct venus_hfi_device *hdev,
struct iface_queue *queue, void *pkt, u32 *tx_req)
{
+ struct hfi_pkt_hdr *pkt_hdr = NULL;
struct hfi_queue_header *qhdr;
u32 dwords, new_rd_idx;
u32 rd_idx, wr_idx, type, qsize;
@@ -304,6 +305,9 @@ static int venus_read_queue(struct venus
memcpy(pkt, rd_ptr, len);
memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
}
+ pkt_hdr = (struct hfi_pkt_hdr *)(pkt);
+ if ((pkt_hdr->size >> 2) != dwords)
+ return -EINVAL;
} else {
/* bad packet received, dropping */
new_rd_idx = qhdr->write_idx;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 329/482] media: venus: hfi: explicitly release IRQ during teardown
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 328/482] media: venus: Add a check for packet size after reading from shared memory Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 330/482] media: venus: protect against spurious interrupts during probe Greg Kroah-Hartman
` (161 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Ramirez-Ortiz,
Dikshita Agarwal, Bryan ODonoghue, Bryan ODonoghue, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
commit 640803003cd903cea73dc6a86bf6963e238e2b3f upstream.
Ensure the IRQ is disabled - and all pending handlers completed - before
dismantling the interrupt routing and clearing related pointers.
This prevents any possibility of the interrupt triggering after the
handler context has been invalidated.
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Cc: stable@vger.kernel.org
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -1711,6 +1711,7 @@ void venus_hfi_destroy(struct venus_core
venus_interface_queues_release(hdev);
mutex_destroy(&hdev->lock);
kfree(hdev);
+ disable_irq(core->irq);
core->ops = NULL;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 330/482] media: venus: protect against spurious interrupts during probe
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 329/482] media: venus: hfi: explicitly release IRQ during teardown Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 331/482] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 Greg Kroah-Hartman
` (160 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Ramirez-Ortiz, Bryan ODonoghue,
Vikash Garodia, Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
commit 3200144a2fa4209dc084a19941b9b203b43580f0 upstream.
Make sure the interrupt handler is initialized before the interrupt is
registered.
If the IRQ is registered before hfi_create(), it's possible that an
interrupt fires before the handler setup is complete, leading to a NULL
dereference.
This error condition has been observed during system boot on Rb3Gen2.
Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
Cc: stable@vger.kernel.org
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -333,13 +333,13 @@ static int venus_probe(struct platform_d
INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
init_waitqueue_head(&core->sys_err_done);
- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
- "venus", core);
+ ret = hfi_create(core, &venus_core_ops);
if (ret)
goto err_core_put;
- ret = hfi_create(core, &venus_core_ops);
+ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
+ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+ "venus", core);
if (ret)
goto err_core_put;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 331/482] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 330/482] media: venus: protect against spurious interrupts during probe Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 332/482] media: venus: venc: " Greg Kroah-Hartman
` (159 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Bryan ODonoghue,
Ricardo Ribalda, Bryan ODonoghue
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 377dc500d253f0b26732b2cb062e89668aef890a upstream.
The driver uses "whole" fps in all its calculations (e.g. in
load_per_instance()). Those calculation expect an fps bigger than 1, and
not big enough to overflow.
Clamp the value if the user provides a param that will result in an invalid
fps.
Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0
Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
Cc: stable@vger.kernel.org
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5615-rb5
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
[bod: Change "parm" to "param"]
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.h | 2 ++
drivers/media/platform/qcom/venus/vdec.c | 5 ++---
2 files changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/qcom/venus/core.h
+++ b/drivers/media/platform/qcom/venus/core.h
@@ -28,6 +28,8 @@
#define VIDC_PMDOMAINS_NUM_MAX 3
#define VIDC_RESETS_NUM_MAX 2
+#define VENUS_MAX_FPS 240
+
extern int venus_fw_debug;
struct freq_tbl {
--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -458,11 +458,10 @@ static int vdec_s_parm(struct file *file
us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC;
do_div(us_per_frame, timeperframe->denominator);
- if (!us_per_frame)
- return -EINVAL;
-
+ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC);
fps = (u64)USEC_PER_SEC;
do_div(fps, us_per_frame);
+ fps = min(VENUS_MAX_FPS, fps);
inst->fps = fps;
inst->timeperframe = *timeperframe;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 332/482] media: venus: venc: Clamp param smaller than 1fps and bigger than 240
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 331/482] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 333/482] drm/amd: Restore cached power limit during resume Greg Kroah-Hartman
` (158 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Ricardo Ribalda,
Bryan ODonoghue
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 417c01b92ec278a1118a05c6ad8a796eaa0c9c52 upstream.
The driver uses "whole" fps in all its calculations (e.g. in
load_per_instance()). Those calculation expect an fps bigger than 1, and
not big enough to overflow.
Clamp the param if the user provides a value that will result in an invalid
fps.
Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0
Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files")
Cc: stable@vger.kernel.org
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
[bod: Change "parm" to "param"]
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/venc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -406,11 +406,10 @@ static int venc_s_parm(struct file *file
us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC;
do_div(us_per_frame, timeperframe->denominator);
- if (!us_per_frame)
- return -EINVAL;
-
+ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC);
fps = (u64)USEC_PER_SEC;
do_div(fps, us_per_frame);
+ fps = min(VENUS_MAX_FPS, fps);
inst->timeperframe = *timeperframe;
inst->fps = fps;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 333/482] drm/amd: Restore cached power limit during resume
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 332/482] media: venus: venc: " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 334/482] drm/amdgpu: Avoid extra evict-restore process Greg Kroah-Hartman
` (157 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit ed4efe426a49729952b3dc05d20e33b94409bdd1 upstream.
The power limit will be cached in smu->current_power_limit but
if the ASIC goes into S3 this value won't be restored.
Restore the value during SMU resume.
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Link: https://lore.kernel.org/r/20250725031222.3015095-2-superm1@kernel.org
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 26a609e053a6fc494403e95403bc6a2470383bec)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -1738,6 +1738,12 @@ static int smu_resume(void *handle)
adev->pm.dpm_enabled = true;
+ if (smu->current_power_limit) {
+ ret = smu_set_power_limit(smu, smu->current_power_limit);
+ if (ret && ret != -EOPNOTSUPP)
+ return ret;
+ }
+
dev_info(adev->dev, "SMU is resumed successfully!\n");
return 0;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 334/482] drm/amdgpu: Avoid extra evict-restore process.
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 333/482] drm/amd: Restore cached power limit during resume Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 335/482] drm/amdgpu: update mmhub 3.0.1 client id mappings Greg Kroah-Hartman
` (156 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Gang Ba,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Ba <Gang.Ba@amd.com>
commit 1f02f2044bda1db1fd995bc35961ab075fa7b5a2 upstream.
If vm belongs to another process, this is fclose after fork,
wait may enable signaling KFD eviction fence and cause parent process queue evicted.
[677852.634569] amdkfd_fence_enable_signaling+0x56/0x70 [amdgpu]
[677852.634814] __dma_fence_enable_signaling+0x3e/0xe0
[677852.634820] dma_fence_wait_timeout+0x3a/0x140
[677852.634825] amddma_resv_wait_timeout+0x7f/0xf0 [amdkcl]
[677852.634831] amdgpu_vm_wait_idle+0x2d/0x60 [amdgpu]
[677852.635026] amdgpu_flush+0x34/0x50 [amdgpu]
[677852.635208] filp_flush+0x38/0x90
[677852.635213] filp_close+0x14/0x30
[677852.635216] do_close_on_exec+0xdd/0x130
[677852.635221] begin_new_exec+0x1da/0x490
[677852.635225] load_elf_binary+0x307/0xea0
[677852.635231] ? srso_alias_return_thunk+0x5/0xfbef5
[677852.635235] ? ima_bprm_check+0xa2/0xd0
[677852.635240] search_binary_handler+0xda/0x260
[677852.635245] exec_binprm+0x58/0x1a0
[677852.635249] bprm_execve.part.0+0x16f/0x210
[677852.635254] bprm_execve+0x45/0x80
[677852.635257] do_execveat_common.isra.0+0x190/0x200
Suggested-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Gang Ba <Gang.Ba@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -2024,13 +2024,11 @@ void amdgpu_vm_adjust_size(struct amdgpu
*/
long amdgpu_vm_wait_idle(struct amdgpu_vm *vm, long timeout)
{
- timeout = dma_resv_wait_timeout(vm->root.bo->tbo.base.resv,
- DMA_RESV_USAGE_BOOKKEEP,
- true, timeout);
+ timeout = drm_sched_entity_flush(&vm->immediate, timeout);
if (timeout <= 0)
return timeout;
- return dma_fence_wait_timeout(vm->last_unlocked, true, timeout);
+ return drm_sched_entity_flush(&vm->delayed, timeout);
}
/**
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 335/482] drm/amdgpu: update mmhub 3.0.1 client id mappings
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 334/482] drm/amdgpu: Avoid extra evict-restore process Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 336/482] drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Greg Kroah-Hartman
` (155 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David (Ming Qiang) Wu, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 0bae62cc989fa99ac9cb564eb573aad916d1eb61 upstream.
Update the client id mapping so the correct clients
get printed when there is a mmhub page fault.
Reviewed-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2a2681eda73b99a2c1ee8cdb006099ea5d0c2505)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 57 ++++++++++++++++--------------
1 file changed, 32 insertions(+), 25 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c
@@ -36,40 +36,47 @@
static const char *mmhub_client_ids_v3_0_1[][2] = {
[0][0] = "VMC",
+ [1][0] = "ISPXT",
+ [2][0] = "ISPIXT",
[4][0] = "DCEDMC",
[5][0] = "DCEVGA",
[6][0] = "MP0",
[7][0] = "MP1",
- [8][0] = "MPIO",
- [16][0] = "HDP",
- [17][0] = "LSDMA",
- [18][0] = "JPEG",
- [19][0] = "VCNU0",
- [21][0] = "VSCH",
- [22][0] = "VCNU1",
- [23][0] = "VCN1",
- [32+20][0] = "VCN0",
- [2][1] = "DBGUNBIO",
+ [8][0] = "MPM",
+ [12][0] = "ISPTNR",
+ [14][0] = "ISPCRD0",
+ [15][0] = "ISPCRD1",
+ [16][0] = "ISPCRD2",
+ [22][0] = "HDP",
+ [23][0] = "LSDMA",
+ [24][0] = "JPEG",
+ [27][0] = "VSCH",
+ [28][0] = "VCNU",
+ [29][0] = "VCN",
+ [1][1] = "ISPXT",
+ [2][1] = "ISPIXT",
[3][1] = "DCEDWB",
[4][1] = "DCEDMC",
[5][1] = "DCEVGA",
[6][1] = "MP0",
[7][1] = "MP1",
- [8][1] = "MPIO",
- [10][1] = "DBGU0",
- [11][1] = "DBGU1",
- [12][1] = "DBGU2",
- [13][1] = "DBGU3",
- [14][1] = "XDP",
- [15][1] = "OSSSYS",
- [16][1] = "HDP",
- [17][1] = "LSDMA",
- [18][1] = "JPEG",
- [19][1] = "VCNU0",
- [20][1] = "VCN0",
- [21][1] = "VSCH",
- [22][1] = "VCNU1",
- [23][1] = "VCN1",
+ [8][1] = "MPM",
+ [10][1] = "ISPMWR0",
+ [11][1] = "ISPMWR1",
+ [12][1] = "ISPTNR",
+ [13][1] = "ISPSWR",
+ [14][1] = "ISPCWR0",
+ [15][1] = "ISPCWR1",
+ [16][1] = "ISPCWR2",
+ [17][1] = "ISPCWR3",
+ [18][1] = "XDP",
+ [21][1] = "OSSSYS",
+ [22][1] = "HDP",
+ [23][1] = "LSDMA",
+ [24][1] = "JPEG",
+ [27][1] = "VSCH",
+ [28][1] = "VCNU",
+ [29][1] = "VCN",
};
static uint32_t mmhub_v3_0_1_get_invalidate_req(unsigned int vmid,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 336/482] drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 335/482] drm/amdgpu: update mmhub 3.0.1 client id mappings Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 337/482] drm/amd/display: Dont overwrite dce60_clk_mgr Greg Kroah-Hartman
` (154 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Amber Lin, Eric Huang, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amber Lin <Amber.Lin@amd.com>
commit 2e58401a24e7b2d4ec619104e1a76590c1284a4c upstream.
Since KFD proc content was moved to kernel debugfs, we can't destroy KFD
debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior
to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens
when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but
kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line
debugfs_remove_recursive(entry->proc_dentry);
tries to remove /sys/kernel/debug/kfd/proc/<pid> while
/sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel
NULL pointer.
Signed-off-by: Amber Lin <Amber.Lin@amd.com>
Reviewed-by: Eric Huang <jinhuieric.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_module.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_module.c
@@ -78,8 +78,8 @@ err_ioctl:
static void kfd_exit(void)
{
kfd_cleanup_processes();
- kfd_debugfs_fini();
kfd_process_destroy_wq();
+ kfd_debugfs_fini();
kfd_procfs_shutdown();
kfd_topology_shutdown();
kfd_chardev_exit();
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 337/482] drm/amd/display: Dont overwrite dce60_clk_mgr
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 336/482] drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 338/482] net, hsr: reject HSR frame if skb cant hold tag Greg Kroah-Hartman
` (153 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Alex Deucher,
Timur Kristóf
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 4db9cd554883e051df1840d4d58d636043101034 upstream.
dc_clk_mgr_create accidentally overwrites the dce60_clk_mgr
with the dce_clk_mgr, causing incorrect behaviour on DCE6.
Fix it by removing the extra dce_clk_mgr_construct.
Fixes: 62eab49faae7 ("drm/amd/display: hide VGH asic specific structs")
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit bbddcbe36a686af03e91341b9bbfcca94bd45fb6)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
@@ -158,7 +158,6 @@ struct clk_mgr *dc_clk_mgr_create(struct
return NULL;
}
dce60_clk_mgr_construct(ctx, clk_mgr);
- dce_clk_mgr_construct(ctx, clk_mgr);
return &clk_mgr->base;
}
#endif
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 338/482] net, hsr: reject HSR frame if skb cant hold tag
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 337/482] drm/amd/display: Dont overwrite dce60_clk_mgr Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 339/482] ipv6: sr: Fix MAC comparison to be constant-time Greg Kroah-Hartman
` (152 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+a81f2759d022496b40ab,
Jakub Acs, Eric Dumazet, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Acs <acsjakub@amazon.de>
commit 7af76e9d18a9fd6f8611b3313c86c190f9b6a5a7 upstream.
Receiving HSR frame with insufficient space to hold HSR tag in the skb
can result in a crash (kernel BUG):
[ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[ 45.392559] ------------[ cut here ]------------
[ 45.392912] kernel BUG at net/core/skbuff.c:211!
[ 45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)
[ 45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 45.395273] RIP: 0010:skb_panic+0x15b/0x1d0
<snip registers, remove unreliable trace>
[ 45.402911] Call Trace:
[ 45.403105] <IRQ>
[ 45.404470] skb_push+0xcd/0xf0
[ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0
[ 45.406513] br_forward_finish+0x128/0x260
[ 45.408483] __br_forward+0x42d/0x590
[ 45.409464] maybe_deliver+0x2eb/0x420
[ 45.409763] br_flood+0x174/0x4a0
[ 45.410030] br_handle_frame_finish+0xc7c/0x1bc0
[ 45.411618] br_handle_frame+0xac3/0x1230
[ 45.413674] __netif_receive_skb_core.constprop.0+0x808/0x3df0
[ 45.422966] __netif_receive_skb_one_core+0xb4/0x1f0
[ 45.424478] __netif_receive_skb+0x22/0x170
[ 45.424806] process_backlog+0x242/0x6d0
[ 45.425116] __napi_poll+0xbb/0x630
[ 45.425394] net_rx_action+0x4d1/0xcc0
[ 45.427613] handle_softirqs+0x1a4/0x580
[ 45.427926] do_softirq+0x74/0x90
[ 45.428196] </IRQ>
This issue was found by syzkaller.
The panic happens in br_dev_queue_push_xmit() once it receives a
corrupted skb with ETH header already pushed in linear data. When it
attempts the skb_push() call, there's not enough headroom and
skb_push() panics.
The corrupted skb is put on the queue by HSR layer, which makes a
sequence of unintended transformations when it receives a specific
corrupted HSR frame (with incomplete TAG).
Fix it by dropping and consuming frames that are not long enough to
contain both ethernet and hsr headers.
Alternative fix would be to check for enough headroom before skb_push()
in br_dev_queue_push_xmit().
In the reproducer, this is injected via AF_PACKET, but I don't easily
see why it couldn't be sent over the wire from adjacent network.
Further Details:
In the reproducer, the following network interface chain is set up:
┌────────────────┐ ┌────────────────┐
│ veth0_to_hsr ├───┤ hsr_slave0 ┼───┐
└────────────────┘ └────────────────┘ │
│ ┌──────┐
├─┤ hsr0 ├───┐
│ └──────┘ │
┌────────────────┐ ┌────────────────┐ │ │┌────────┐
│ veth1_to_hsr ┼───┤ hsr_slave1 ├───┘ └┤ │
└────────────────┘ └────────────────┘ ┌┼ bridge │
││ │
│└────────┘
│
┌───────┐ │
│ ... ├──────┘
└───────┘
To trigger the events leading up to crash, reproducer sends a corrupted
HSR frame with incomplete TAG, via AF_PACKET socket on 'veth0_to_hsr'.
The first HSR-layer function to process this frame is
hsr_handle_frame(). It and then checks if the
protocol is ETH_P_PRP or ETH_P_HSR. If it is, it calls
skb_set_network_header(skb, ETH_HLEN + HSR_HLEN), without checking that
the skb is long enough. For the crashing frame it is not, and hence the
skb->network_header and skb->mac_len fields are set incorrectly,
pointing after the end of the linear buffer.
I will call this a BUG#1 and it is what is addressed by this patch. In
the crashing scenario before the fix, the skb continues to go down the
hsr path as follows.
hsr_handle_frame() then calls this sequence
hsr_forward_skb()
fill_frame_info()
hsr->proto_ops->fill_frame_info()
hsr_fill_frame_info()
hsr_fill_frame_info() contains a check that intends to check whether the
skb actually contains the HSR header. But the check relies on the
skb->mac_len field which was erroneously setup due to BUG#1, so the
check passes and the execution continues back in the hsr_forward_skb():
hsr_forward_skb()
hsr_forward_do()
hsr->proto_ops->get_untagged_frame()
hsr_get_untagged_frame()
create_stripped_skb_hsr()
In create_stripped_skb_hsr(), a copy of the skb is created and is
further corrupted by operation that attempts to strip the HSR tag in a
call to __pskb_copy().
The skb enters create_stripped_skb_hsr() with ethernet header pushed in
linear buffer. The skb_pull(skb_in, HSR_HLEN) thus pulls 6 bytes of
ethernet header into the headroom, creating skb_in with a headroom of
size 8. The subsequent __pskb_copy() then creates an skb with headroom
of just 2 and skb->len of just 12, this is how it looks after the copy:
gdb) p skb->len
$10 = 12
(gdb) p skb->data
$11 = (unsigned char *) 0xffff888041e45382 "\252\252\252\252\252!\210\373",
(gdb) p skb->head
$12 = (unsigned char *) 0xffff888041e45380 ""
It seems create_stripped_skb_hsr() assumes that ETH header is pulled
in the headroom when it's entered, because it just pulls HSR header on
top. But that is not the case in our code-path and we end up with the
corrupted skb instead. I will call this BUG#2
*I got confused here because it seems that under no conditions can
create_stripped_skb_hsr() work well, the assumption it makes is not true
during the processing of hsr frames - since the skb_push() in
hsr_handle_frame to skb_pull in hsr_deliver_master(). I wonder whether I
missed something here.*
Next, the execution arrives in hsr_deliver_master(). It calls
skb_pull(ETH_HLEN), which just returns NULL - the SKB does not have
enough space for the pull (as it only has 12 bytes in total at this
point).
*The skb_pull() here further suggests that ethernet header is meant
to be pushed through the whole hsr processing and
create_stripped_skb_hsr() should pull it before doing the HSR header
pull.*
hsr_deliver_master() then puts the corrupted skb on the queue, it is
then picked up from there by bridge frame handling layer and finally
lands in br_dev_queue_push_xmit where it panics.
Cc: stable@kernel.org
Fixes: 48b491a5cc74 ("net: hsr: fix mac_len checks")
Reported-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250819082842.94378-1-acsjakub@amazon.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_slave.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/hsr/hsr_slave.c
+++ b/net/hsr/hsr_slave.c
@@ -62,8 +62,14 @@ static rx_handler_result_t hsr_handle_fr
skb_push(skb, ETH_HLEN);
skb_reset_mac_header(skb);
if ((!hsr->prot_version && protocol == htons(ETH_P_PRP)) ||
- protocol == htons(ETH_P_HSR))
+ protocol == htons(ETH_P_HSR)) {
+ if (!pskb_may_pull(skb, ETH_HLEN + HSR_HLEN)) {
+ kfree_skb(skb);
+ goto finish_consume;
+ }
+
skb_set_network_header(skb, ETH_HLEN + HSR_HLEN);
+ }
skb_reset_mac_len(skb);
hsr_forward_skb(skb, port);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 339/482] ipv6: sr: Fix MAC comparison to be constant-time
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 338/482] net, hsr: reject HSR frame if skb cant hold tag Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 340/482] ACPI: pfr_update: Fix the driver update version check Greg Kroah-Hartman
` (151 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Andrea Mayer,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit a458b2902115b26a25d67393b12ddd57d1216aaa upstream.
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Link: https://patch.msgid.link/20250818202724.15713-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/seg6_hmac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -35,6 +35,7 @@
#include <net/xfrm.h>
#include <crypto/hash.h>
+#include <crypto/algapi.h>
#include <net/seg6.h>
#include <net/genetlink.h>
#include <net/seg6_hmac.h>
@@ -269,7 +270,7 @@ bool seg6_hmac_validate_skb(struct sk_bu
if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output))
return false;
- if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0)
+ if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN))
return false;
return true;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 340/482] ACPI: pfr_update: Fix the driver update version check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 339/482] ipv6: sr: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 341/482] mptcp: drop skb if MPTCP skb extension allocation fails Greg Kroah-Hartman
` (150 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Govindarajulu, Hariganesh, Chen Yu,
Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Yu <yu.c.chen@intel.com>
commit 8151320c747efb22d30b035af989fed0d502176e upstream.
The security-version-number check should be used rather
than the runtime version check for driver updates.
Otherwise, the firmware update would fail when the update binary had
a lower runtime version number than the current one.
Fixes: 0db89fa243e5 ("ACPI: Introduce Platform Firmware Runtime Update device driver")
Cc: 5.17+ <stable@vger.kernel.org> # 5.17+
Reported-by: "Govindarajulu, Hariganesh" <hariganesh.govindarajulu@intel.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Link: https://patch.msgid.link/20250722143233.3970607-1-yu.c.chen@intel.com
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/pfr_update.c | 2 +-
include/uapi/linux/pfrut.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/acpi/pfr_update.c
+++ b/drivers/acpi/pfr_update.c
@@ -310,7 +310,7 @@ static bool applicable_image(const void
if (type == PFRU_CODE_INJECT_TYPE)
return payload_hdr->rt_ver >= cap->code_rt_version;
- return payload_hdr->rt_ver >= cap->drv_rt_version;
+ return payload_hdr->svn_ver >= cap->drv_svn;
}
static void print_update_debug_info(struct pfru_updated_result *result,
--- a/include/uapi/linux/pfrut.h
+++ b/include/uapi/linux/pfrut.h
@@ -89,6 +89,7 @@ struct pfru_payload_hdr {
__u32 hw_ver;
__u32 rt_ver;
__u8 platform_id[16];
+ __u32 svn_ver;
};
enum pfru_dsm_status {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 341/482] mptcp: drop skb if MPTCP skb extension allocation fails
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 340/482] ACPI: pfr_update: Fix the driver update version check Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 342/482] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Greg Kroah-Hartman
` (149 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Paasch,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <cpaasch@openai.com>
commit ccab044697980c6c01ab51f43f48f13b8a3e5c33 upstream.
When skb_ext_add(skb, SKB_EXT_MPTCP) fails in mptcp_incoming_options(),
we used to return true, letting the segment proceed through the TCP
receive path without a DSS mapping. Such segments can leave inconsistent
mapping state and trigger a mid-stream fallback to TCP, which in testing
collapsed (by artificially forcing failures in skb_ext_add) throughput
to zero.
Return false instead so the TCP input path drops the skb (see
tcp_data_queue() and step-7 processing). This is the safer choice
under memory pressure: it preserves MPTCP correctness and provides
backpressure to the sender.
Control packets remain unaffected: ACK updates and DATA_FIN handling
happen before attempting the extension allocation, and tcp_reset()
continues to ignore the return value.
With this change, MPTCP continues to work at high throughput if we
artificially inject failures into skb_ext_add.
Fixes: 6787b7e350d3 ("mptcp: avoid processing packet if a subflow reset")
Cc: stable@vger.kernel.org
Signed-off-by: Christoph Paasch <cpaasch@openai.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-1-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -1100,7 +1100,9 @@ static bool add_addr_hmac_valid(struct m
return hmac == mp_opt->ahmac;
}
-/* Return false if a subflow has been reset, else return true */
+/* Return false in case of error (or subflow has been reset),
+ * else return true.
+ */
bool mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
@@ -1198,7 +1200,7 @@ bool mptcp_incoming_options(struct sock
mpext = skb_ext_add(skb, SKB_EXT_MPTCP);
if (!mpext)
- return true;
+ return false;
memset(mpext, 0, sizeof(*mpext));
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 342/482] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 341/482] mptcp: drop skb if MPTCP skb extension allocation fails Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 343/482] f2fs: fix to do sanity check on ino and xnid Greg Kroah-Hartman
` (148 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Dreibholz, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 68fc0f4b0d25692940cdc85c68e366cae63e1757 upstream.
A flush of the MPTCP endpoints should not affect the MPTCP limits. In
other words, 'ip mptcp endpoint flush' should not change 'ip mptcp
limits'.
But it was the case: the MPTCP_PM_ATTR_RCV_ADD_ADDRS (add_addr_accepted)
limit was reset by accident. Removing the reset of this counter during a
flush fixes this issue.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reported-by: Thomas Dreibholz <dreibh@simula.no>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/579
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-2-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 1 -
1 file changed, 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1778,7 +1778,6 @@ static void __flush_addrs(struct list_he
static void __reset_counters(struct pm_nl_pernet *pernet)
{
WRITE_ONCE(pernet->add_addr_signal_max, 0);
- WRITE_ONCE(pernet->add_addr_accept_max, 0);
WRITE_ONCE(pernet->local_addr_max, 0);
pernet->addrs = 0;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 343/482] f2fs: fix to do sanity check on ino and xnid
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 342/482] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 344/482] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
` (147 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+cc448dcdc7ae0b4e4ffa, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ]
syzbot reported a f2fs bug as below:
INFO: task syz-executor140:5308 blocked for more than 143 seconds.
Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5378 [inline]
__schedule+0x190e/0x4c90 kernel/sched/core.c:6765
__schedule_loop kernel/sched/core.c:6842 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6857
io_schedule+0x8d/0x110 kernel/sched/core.c:7690
folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
__folio_lock mm/filemap.c:1664 [inline]
folio_lock include/linux/pagemap.h:1163 [inline]
__filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
find_get_page_flags include/linux/pagemap.h:842 [inline]
f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
__get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
__f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
f2fs_acl_create fs/f2fs/acl.c:375 [inline]
f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
unix_bind_bsd net/unix/af_unix.c:1286 [inline]
unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
__sys_bind_socket net/socket.c:1817 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1848
__do_sys_bind net/socket.c:1853 [inline]
__se_sys_bind net/socket.c:1851 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1851
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Let's dump and check metadata of corrupted inode, it shows its xattr_nid
is the same to its i_ino.
dump.f2fs -i 3 chaseyu.img.raw
i_xattr_nid [0x 3 : 3]
So that, during mknod in the corrupted directory, it tries to get and
lock inode page twice, result in deadlock.
- f2fs_mknod
- f2fs_add_inline_entry
- f2fs_get_inode_page --- lock dir's inode page
- f2fs_init_acl
- f2fs_acl_create(dir,..)
- __f2fs_get_acl
- f2fs_getxattr
- lookup_all_xattrs
- __get_node_page --- try to lock dir's inode page
In order to fix this, let's add sanity check on ino and xnid.
Cc: stable@vger.kernel.org
Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -210,6 +210,13 @@ static bool sanity_check_inode(struct in
return false;
}
+ if (ino_of_node(node_page) == fi->i_xattr_nid) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.",
+ __func__, inode->i_ino, fi->i_xattr_nid);
+ return false;
+ }
+
if (f2fs_sb_has_flexible_inline_xattr(sbi)
&& !f2fs_has_extra_attr(inode)) {
set_sbi_flag(sbi, SBI_NEED_FSCK);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 344/482] iio: hid-sensor-prox: Restore lost scale assignments
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 343/482] f2fs: fix to do sanity check on ino and xnid Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 345/482] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
` (146 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Srinivas Pandruvada,
Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ]
The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision`
were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not
correct issue"), but due to a merge conflict in
commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of
https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"),
these assignments were lost.
Add back lost assignments and replace `st->prox_attr` with
`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add
support for more channels") changed `prox_attr` to an array.
Cc: stable@vger.kernel.org # 5.13+
Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next")
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ changed st->prox_attr[0] array access to st->prox_attr single struct member ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/hid-sensor-prox.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/iio/light/hid-sensor-prox.c
+++ b/drivers/iio/light/hid-sensor-prox.c
@@ -222,6 +222,11 @@ static int prox_parse_report(struct plat
dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index,
st->prox_attr.report_id);
+ st->scale_precision = hid_sensor_format_scale(hsdev->usage,
+ &st->prox_attr,
+ &st->scale_pre_decml,
+ &st->scale_post_decml);
+
return ret;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 345/482] iio: hid-sensor-prox: Fix incorrect OFFSET calculation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 344/482] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 346/482] perf/x86/intel: Fix crash in icl_update_topdown_event() Greg Kroah-Hartman
` (145 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Srinivas Pandruvada,
Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
The OFFSET calculation in the prox_read_raw() was incorrectly using the
unit exponent, which is intended for SCALE calculations.
Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
Cc: stable@vger.kernel.org
Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ adapted prox_attr array access to single structure member access ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/hid-sensor-prox.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/light/hid-sensor-prox.c
+++ b/drivers/iio/light/hid-sensor-prox.c
@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev
ret_type = prox_state->scale_precision;
break;
case IIO_CHAN_INFO_OFFSET:
- *val = hid_sensor_convert_exponent(
- prox_state->prox_attr.unit_expo);
+ *val = 0;
ret_type = IIO_VAL_INT;
break;
case IIO_CHAN_INFO_SAMP_FREQ:
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 346/482] perf/x86/intel: Fix crash in icl_update_topdown_event()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 345/482] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 347/482] x86/mce/amd: Add default names for MCA banks and blocks Greg Kroah-Hartman
` (144 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vince Weaver, Kan Liang,
Peter Zijlstra (Intel), Ingo Molnar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
[ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ]
The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:
Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
CPU: 23 UID: 0 PID: 0 Comm: swapper/23
Tainted: [W]=WARN
Hardware name: Dell Inc. Precision 9660/0VJ762
RIP: 0010:native_read_pmc+0x7/0x40
Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
RSP: 000:fffb03100273de8 EFLAGS: 00010046
....
Call Trace:
<TASK>
icl_update_topdown_event+0x165/0x190
? ktime_get+0x38/0xd0
intel_pmu_read_event+0xf9/0x210
__perf_event_read+0xf9/0x210
CPUs 16-23 are E-core CPUs that don't support the perf metrics feature.
The icl_update_topdown_event() should not be invoked on these CPUs.
It's a regression of commit:
f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
The bug introduced by that commit is that the is_topdown_event() function
is mistakenly used to replace the is_topdown_count() call to check if the
topdown functions for the perf metrics feature should be invoked.
Fix it.
Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Cc: stable@vger.kernel.org # v6.15+
Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com
[ omitted PEBS check ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -2703,7 +2703,7 @@ static void intel_pmu_read_event(struct
if (pmu_enabled)
intel_pmu_disable_all();
- if (is_topdown_event(event))
+ if (is_topdown_count(event))
static_call(intel_pmu_update_topdown_event)(event);
else
intel_pmu_drain_pebs_buffer();
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 347/482] x86/mce/amd: Add default names for MCA banks and blocks
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 6.1 346/482] perf/x86/intel: Fix crash in icl_update_topdown_event() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 348/482] net: add netdev_lockdep_set_classes() to virtual drivers Greg Kroah-Hartman
` (143 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yazen Ghannam, Borislav Petkov (AMD),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yazen Ghannam <yazen.ghannam@amd.com>
[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ]
Ensure that sysfs init doesn't fail for new/unrecognized bank types or if
a bank has additional blocks available.
Most MCA banks have a single thresholding block, so the block takes the same
name as the bank.
Unified Memory Controllers (UMCs) are a special case where there are two
blocks and each has a unique name.
However, the microarchitecture allows for five blocks. Any new MCA bank types
with more than one block will be missing names for the extra blocks. The MCE
sysfs will fail to initialize in this case.
Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems")
Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1052,13 +1052,20 @@ static const char *get_name(unsigned int
}
bank_type = smca_get_bank_type(cpu, bank);
- if (bank_type >= N_SMCA_BANK_TYPES)
- return NULL;
if (b && bank_type == SMCA_UMC) {
if (b->block < ARRAY_SIZE(smca_umc_block_names))
return smca_umc_block_names[b->block];
- return NULL;
+ }
+
+ if (b && b->block) {
+ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block);
+ return buf_mcatype;
+ }
+
+ if (bank_type >= N_SMCA_BANK_TYPES) {
+ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank);
+ return buf_mcatype;
}
if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 348/482] net: add netdev_lockdep_set_classes() to virtual drivers
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 347/482] x86/mce/amd: Add default names for MCA banks and blocks Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 349/482] btrfs: fix qgroup reservation leak on failure to allocate ordered extent Greg Kroah-Hartman
` (142 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Jakub Kicinski,
Sumanth Gavini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 0bef512012b1cd8820f0c9ec80e5f8ceb43fdd59 upstream.
Based on a syzbot report, it appears many virtual
drivers do not yet use netdev_lockdep_set_classes(),
triggerring lockdep false positives.
WARNING: possible recursive locking detected
6.8.0-rc4-next-20240212-syzkaller #0 Not tainted
syz-executor.0/19016 is trying to acquire lock:
ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
but task is already holding lock:
ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
lock(_xmit_ETHER#2);
lock(_xmit_ETHER#2);
*** DEADLOCK ***
May be due to missing lock nesting notation
9 locks held by syz-executor.0/19016:
#0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6603
#1: ffffc90000a08c00 ((&in_dev->mr_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x600 kernel/time/timer.c:1697
#2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228
#3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
#3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284
#4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
#4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
#4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline]
#4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325
#5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
#5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
#6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228
#7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
#7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284
#8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
#8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
#8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline]
#8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325
stack backtrace:
CPU: 1 PID: 19016 Comm: syz-executor.0 Not tainted 6.8.0-rc4-next-20240212-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain+0x15c1/0x58e0 kernel/locking/lockdep.c:3856
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__netif_tx_lock include/linux/netdevice.h:4452 [inline]
sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
__dev_xmit_skb net/core/dev.c:3784 [inline]
__dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235
iptunnel_xmit+0x540/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x20ee/0x2960 net/ipv4/ip_tunnel.c:831
erspan_xmit+0x9de/0x1460 net/ipv4/ip_gre.c:720
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3555 [inline]
dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3571
sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342
__dev_xmit_skb net/core/dev.c:3784 [inline]
__dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235
igmpv3_send_cr net/ipv4/igmp.c:723 [inline]
igmp_ifc_timer_expire+0xb71/0xd90 net/ipv4/igmp.c:813
call_timer_fn+0x17e/0x600 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x621/0x830 kernel/time/timer.c:2038
run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2051
__do_softirq+0x2bc/0x943 kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1076 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:resched_offsets_ok kernel/sched/core.c:10127 [inline]
RIP: 0010:__might_resched+0x16f/0x780 kernel/sched/core.c:10142
Code: 00 4c 89 e8 48 c1 e8 03 48 ba 00 00 00 00 00 fc ff df 48 89 44 24 38 0f b6 04 10 84 c0 0f 85 87 04 00 00 41 8b 45 00 c1 e0 08 <01> d8 44 39 e0 0f 85 d6 00 00 00 44 89 64 24 1c 48 8d bc 24 a0 00
RSP: 0018:ffffc9000ee069e0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880296a9e00
RDX: dffffc0000000000 RSI: ffff8880296a9e00 RDI: ffffffff8bfe8fa0
RBP: ffffc9000ee06b00 R08: ffffffff82326877 R09: 1ffff11002b5ad1b
R10: dffffc0000000000 R11: ffffed1002b5ad1c R12: 0000000000000000
R13: ffff8880296aa23c R14: 000000000000062a R15: 1ffff92001dc0d44
down_write+0x19/0x50 kernel/locking/rwsem.c:1578
kernfs_activate fs/kernfs/dir.c:1403 [inline]
kernfs_add_one+0x4af/0x8b0 fs/kernfs/dir.c:819
__kernfs_create_file+0x22e/0x2e0 fs/kernfs/file.c:1056
sysfs_add_file_mode_ns+0x24a/0x310 fs/sysfs/file.c:307
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x4f4/0xf20 fs/sysfs/group.c:152
internal_create_groups fs/sysfs/group.c:192 [inline]
sysfs_create_groups+0x56/0x120 fs/sysfs/group.c:218
create_dir lib/kobject.c:78 [inline]
kobject_add_internal+0x472/0x8d0 lib/kobject.c:240
kobject_add_varg lib/kobject.c:374 [inline]
kobject_init_and_add+0x124/0x190 lib/kobject.c:457
netdev_queue_add_kobject net/core/net-sysfs.c:1706 [inline]
netdev_queue_update_kobjects+0x1f3/0x480 net/core/net-sysfs.c:1758
register_queue_kobjects net/core/net-sysfs.c:1819 [inline]
netdev_register_kobject+0x265/0x310 net/core/net-sysfs.c:2059
register_netdevice+0x1191/0x19c0 net/core/dev.c:10298
bond_newlink+0x3b/0x90 drivers/net/bonding/bond_netlink.c:576
rtnl_newlink_create net/core/rtnetlink.c:3506 [inline]
__rtnl_newlink net/core/rtnetlink.c:3726 [inline]
rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3739
rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6606
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3c/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fc3fa87fa9c
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240212140700.2795436-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dummy.c | 1 +
drivers/net/geneve.c | 1 +
drivers/net/loopback.c | 1 +
drivers/net/veth.c | 1 +
drivers/net/vxlan/vxlan_core.c | 1 +
net/ipv4/ip_tunnel.c | 1 +
net/ipv6/ip6_gre.c | 2 ++
net/ipv6/ip6_tunnel.c | 1 +
net/ipv6/ip6_vti.c | 1 +
net/ipv6/sit.c | 1 +
10 files changed, 11 insertions(+)
--- a/drivers/net/dummy.c
+++ b/drivers/net/dummy.c
@@ -71,6 +71,7 @@ static int dummy_dev_init(struct net_dev
if (!dev->lstats)
return -ENOMEM;
+ netdev_lockdep_set_classes(dev);
return 0;
}
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -349,6 +349,7 @@ static int geneve_init(struct net_device
gro_cells_destroy(&geneve->gro_cells);
return err;
}
+ netdev_lockdep_set_classes(dev);
return 0;
}
--- a/drivers/net/loopback.c
+++ b/drivers/net/loopback.c
@@ -144,6 +144,7 @@ static int loopback_dev_init(struct net_
dev->lstats = netdev_alloc_pcpu_stats(struct pcpu_lstats);
if (!dev->lstats)
return -ENOMEM;
+ netdev_lockdep_set_classes(dev);
return 0;
}
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -1373,6 +1373,7 @@ static void veth_free_queues(struct net_
static int veth_dev_init(struct net_device *dev)
{
+ netdev_lockdep_set_classes(dev);
return veth_alloc_queues(dev);
}
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2998,6 +2998,7 @@ static int vxlan_init(struct net_device
if (err)
goto err_free_percpu;
+ netdev_lockdep_set_classes(dev);
return 0;
err_free_percpu:
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -1298,6 +1298,7 @@ int ip_tunnel_init(struct net_device *de
if (tunnel->collect_md)
netif_keep_dst(dev);
+ netdev_lockdep_set_classes(dev);
return 0;
}
EXPORT_SYMBOL_GPL(ip_tunnel_init);
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1537,6 +1537,7 @@ static int ip6gre_tunnel_init_common(str
ip6gre_tnl_init_features(dev);
netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL);
+ netdev_lockdep_set_classes(dev);
return 0;
cleanup_dst_cache_init:
@@ -1929,6 +1930,7 @@ static int ip6erspan_tap_init(struct net
ip6erspan_tnl_link_config(tunnel, 1);
netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL);
+ netdev_lockdep_set_classes(dev);
return 0;
cleanup_dst_cache_init:
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1902,6 +1902,7 @@ ip6_tnl_dev_init_gen(struct net_device *
dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len - t_hlen;
netdev_hold(dev, &t->dev_tracker, GFP_KERNEL);
+ netdev_lockdep_set_classes(dev);
return 0;
destroy_dst:
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -937,6 +937,7 @@ static inline int vti6_dev_init_gen(stru
if (!dev->tstats)
return -ENOMEM;
netdev_hold(dev, &t->dev_tracker, GFP_KERNEL);
+ netdev_lockdep_set_classes(dev);
return 0;
}
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1460,6 +1460,7 @@ static int ipip6_tunnel_init(struct net_
return err;
}
netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL);
+ netdev_lockdep_set_classes(dev);
return 0;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 349/482] btrfs: fix qgroup reservation leak on failure to allocate ordered extent
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 348/482] net: add netdev_lockdep_set_classes() to virtual drivers Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 350/482] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
` (141 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
Filipe Manana, David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 1f2889f5594a2bc4c6a52634c4a51b93e785def5 ]
If we fail to allocate an ordered extent for a COW write we end up leaking
a qgroup data reservation since we called btrfs_qgroup_release_data() but
we didn't call btrfs_qgroup_free_refroot() (which would happen when
running the respective data delayed ref created by ordered extent
completion or when finishing the ordered extent in case an error happened).
So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an
ordered extent for a COW write.
Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ adjust to code movements ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ordered-data.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/fs/btrfs/ordered-data.c
+++ b/fs/btrfs/ordered-data.c
@@ -173,9 +173,10 @@ int btrfs_add_ordered_extent(struct btrf
struct btrfs_ordered_extent *entry;
int ret;
u64 qgroup_rsv = 0;
+ const bool is_nocow = (flags &
+ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC)));
- if (flags &
- ((1 << BTRFS_ORDERED_NOCOW) | (1 << BTRFS_ORDERED_PREALLOC))) {
+ if (is_nocow) {
/* For nocow write, we can release the qgroup rsv right now */
ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);
if (ret < 0)
@@ -191,8 +192,13 @@ int btrfs_add_ordered_extent(struct btrf
return ret;
}
entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS);
- if (!entry)
+ if (!entry) {
+ if (!is_nocow)
+ btrfs_qgroup_free_refroot(inode->root->fs_info,
+ btrfs_root_id(inode->root),
+ qgroup_rsv, BTRFS_QGROUP_RSV_DATA);
return -ENOMEM;
+ }
entry->file_offset = file_offset;
entry->num_bytes = num_bytes;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 350/482] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 349/482] btrfs: fix qgroup reservation leak on failure to allocate ordered extent Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 351/482] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
` (140 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, KernelCI bot, Masahiro Yamada,
Nathan Chancellor, Russell King (Oracle), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ]
After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper
flags and language target"), which updated as-instr to use the
'assembler-with-cpp' language option, the Kbuild version of as-instr
always fails internally for arch/arm with
<command-line>: fatal error: asm/unified.h: No such file or directory
compilation terminated.
because '-include' flags are now taken into account by the compiler
driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not
found.
This went unnoticed at the time of the Kbuild change because the last
use of as-instr in Kbuild that arch/arm could reach was removed in 5.7
by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a
stable backport of the Kbuild change to before that point exposed this
potential issue if one were to be reintroduced.
Follow the general pattern of '-include' paths throughout the tree and
make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can
be used independently.
Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/
Cc: stable@vger.kernel.org
Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target")
Reported-by: KernelCI bot <bot@kernelci.org>
Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ adapted to missing -Wa ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -133,7 +133,7 @@ endif
# Need -Uarm for gcc < 3.x
KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm
-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float
+KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float
CHECKFLAGS += -D__arm__
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 351/482] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 350/482] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 352/482] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
` (139 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz, Cristian Prundeanu,
Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
[ Upstream commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb ]
`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
to different stacks along with the Shadow Call Stack if it is enabled.
Those two stack changes cannot be done atomically and both functions
can be interrupted by SErrors or Debug Exceptions which, though unlikely,
is very much broken : if interrupted, we can end up with mismatched stacks
and Shadow Call Stack leading to clobbered stacks.
In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
but x18 stills points to the old task's SCS. When the interrupt handler
tries to save the task's SCS pointer, it will save the old task
SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
clobbering it.
In `call_on_irq_stack()`, it can happen when switching from the task stack
to the IRQ stack and when switching back. In both cases, we can be
interrupted when the SCS pointer points to the IRQ SCS, but SP points to
the task stack. The nested interrupt handler pushes its return addresses
on the IRQ SCS. It then detects that SP points to the task stack,
calls `call_on_irq_stack()` and clobbers the task SCS pointer with
the IRQ SCS pointer, which it will also use !
This leads to tasks returning to addresses on the wrong SCS,
or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
or FPAC if enabled.
This is possible on a default config, but unlikely.
However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
instead the GIC is responsible for filtering what interrupts the CPU
should receive based on priority.
Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
frequently depending on the system configuration and workload, leading
to unpredictable kernel panics.
Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
Do the same in `call_on_irq_stack()`, but restore and mask around
the branch.
Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
of behaviour between all configurations.
Introduce and use an assembly macro for saving and masking DAIF,
as the existing one saves but only masks IF.
Cc: <stable@vger.kernel.org>
Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Reported-by: Cristian Prundeanu <cpru@amazon.com>
Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
Tested-by: Cristian Prundeanu <cpru@amazon.com>
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
[ removed duplicate save_and_disable_daif macro ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/entry.S | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -827,6 +827,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
*
*/
SYM_FUNC_START(cpu_switch_to)
+ save_and_disable_daif x11
mov x10, #THREAD_CPU_CONTEXT
add x8, x0, x10
mov x9, sp
@@ -850,6 +851,7 @@ SYM_FUNC_START(cpu_switch_to)
ptrauth_keys_install_kernel x1, x8, x9, x10
scs_save x0
scs_load_current
+ restore_irq x11
ret
SYM_FUNC_END(cpu_switch_to)
NOKPROBE(cpu_switch_to)
@@ -876,6 +878,7 @@ NOKPROBE(ret_from_fork)
* Calls func(regs) using this CPU's irq stack and shadow irq stack.
*/
SYM_FUNC_START(call_on_irq_stack)
+ save_and_disable_daif x9
#ifdef CONFIG_SHADOW_CALL_STACK
get_current_task x16
scs_save x16
@@ -890,8 +893,10 @@ SYM_FUNC_START(call_on_irq_stack)
/* Move to the new stack and call the function there */
add sp, x16, #IRQ_STACK_SIZE
+ restore_irq x9
blr x1
+ save_and_disable_daif x9
/*
* Restore the SP from the FP, and restore the FP and LR from the frame
* record.
@@ -899,6 +904,7 @@ SYM_FUNC_START(call_on_irq_stack)
mov sp, x29
ldp x29, x30, [sp], #16
scs_load_current
+ restore_irq x9
ret
SYM_FUNC_END(call_on_irq_stack)
NOKPROBE(call_on_irq_stack)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 352/482] drm/sched: Remove optimization that causes hang when killing dependent jobs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 351/482] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 353/482] net: enetc: fix device and OF node leak at probe Greg Kroah-Hartman
` (138 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin.Cao, Christian König,
Philipp Stanner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Lin.Cao" <lincao12@amd.com>
[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ]
When application A submits jobs and application B submits a job with a
dependency on A's fence, the normal flow wakes up the scheduler after
processing each job. However, the optimization in
drm_sched_entity_add_dependency_cb() uses a callback that only clears
dependencies without waking up the scheduler.
When application A is killed before its jobs can run, the callback gets
triggered but only clears the dependency without waking up the scheduler,
causing the scheduler to enter sleep state and application B to hang.
Remove the optimization by deleting drm_sched_entity_clear_dep() and its
usage, ensuring the scheduler is always woken up when dependencies are
cleared.
Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
Cc: stable@vger.kernel.org # v4.6+
Signed-off-by: Lin.Cao <lincao12@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Philipp Stanner <phasta@kernel.org>
Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/scheduler/sched_entity.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
--- a/drivers/gpu/drm/scheduler/sched_entity.c
+++ b/drivers/gpu/drm/scheduler/sched_entity.c
@@ -327,17 +327,6 @@ void drm_sched_entity_destroy(struct drm
}
EXPORT_SYMBOL(drm_sched_entity_destroy);
-/* drm_sched_entity_clear_dep - callback to clear the entities dependency */
-static void drm_sched_entity_clear_dep(struct dma_fence *f,
- struct dma_fence_cb *cb)
-{
- struct drm_sched_entity *entity =
- container_of(cb, struct drm_sched_entity, cb);
-
- entity->dependency = NULL;
- dma_fence_put(f);
-}
-
/*
* drm_sched_entity_clear_dep - callback to clear the entities dependency and
* wake up scheduler
@@ -348,7 +337,8 @@ static void drm_sched_entity_wakeup(stru
struct drm_sched_entity *entity =
container_of(cb, struct drm_sched_entity, cb);
- drm_sched_entity_clear_dep(f, cb);
+ entity->dependency = NULL;
+ dma_fence_put(f);
drm_sched_wakeup(entity->rq->sched);
}
@@ -401,13 +391,6 @@ static bool drm_sched_entity_add_depende
fence = dma_fence_get(&s_fence->scheduled);
dma_fence_put(entity->dependency);
entity->dependency = fence;
- if (!dma_fence_add_callback(fence, &entity->cb,
- drm_sched_entity_clear_dep))
- return true;
-
- /* Ignore it when it is already scheduled */
- dma_fence_put(fence);
- return false;
}
if (!dma_fence_add_callback(entity->dependency, &entity->cb,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 353/482] net: enetc: fix device and OF node leak at probe
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 352/482] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 354/482] fscrypt: Dont use problematic non-inline crypto engines Greg Kroah-Hartman
` (137 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Johan Hovold,
Simon Horman, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed ]
Make sure to drop the references to the IERB OF node and platform device
taken by of_parse_phandle() and of_find_device_by_node() during probe.
Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block")
Cc: stable@vger.kernel.org # 5.13
Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
@@ -1207,6 +1207,7 @@ static int enetc_pf_register_with_ierb(s
struct device_node *node = pdev->dev.of_node;
struct platform_device *ierb_pdev;
struct device_node *ierb_node;
+ int ret;
/* Don't register with the IERB if the PF itself is disabled */
if (!node || !of_device_is_available(node))
@@ -1214,16 +1215,25 @@ static int enetc_pf_register_with_ierb(s
ierb_node = of_find_compatible_node(NULL, NULL,
"fsl,ls1028a-enetc-ierb");
- if (!ierb_node || !of_device_is_available(ierb_node))
+ if (!ierb_node)
return -ENODEV;
+ if (!of_device_is_available(ierb_node)) {
+ of_node_put(ierb_node);
+ return -ENODEV;
+ }
+
ierb_pdev = of_find_device_by_node(ierb_node);
of_node_put(ierb_node);
if (!ierb_pdev)
return -EPROBE_DEFER;
- return enetc_ierb_register_pf(ierb_pdev, pdev);
+ ret = enetc_ierb_register_pf(ierb_pdev, pdev);
+
+ put_device(&ierb_pdev->dev);
+
+ return ret;
}
static int enetc_pf_probe(struct pci_dev *pdev,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 354/482] fscrypt: Dont use problematic non-inline crypto engines
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 353/482] net: enetc: fix device and OF node leak at probe Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 355/482] block: reject invalid operation in submit_bio_noacct Greg Kroah-Hartman
` (136 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Eric Biggers,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
[ Upstream commit b41c1d8d07906786c60893980d52688f31d114a6 ]
Make fscrypt no longer use Crypto API drivers for non-inline crypto
engines, even when the Crypto API prioritizes them over CPU-based code
(which unfortunately it often does). These drivers tend to be really
problematic, especially for fscrypt's workload. This commit has no
effect on inline crypto engines, which are different and do work well.
Specifically, exclude drivers that have CRYPTO_ALG_KERN_DRIVER_ONLY or
CRYPTO_ALG_ALLOCATES_MEMORY set. (Later, CRYPTO_ALG_ASYNC should be
excluded too. That's omitted for now to keep this commit backportable,
since until recently some CPU-based code had CRYPTO_ALG_ASYNC set.)
There are two major issues with these drivers: bugs and performance.
First, these drivers tend to be buggy. They're fundamentally much more
error-prone and harder to test than the CPU-based code. They often
don't get tested before kernel releases, and even if they do, the crypto
self-tests don't properly test these drivers. Released drivers have
en/decrypted or hashed data incorrectly. These bugs cause issues for
fscrypt users who often didn't even want to use these drivers, e.g.:
- https://github.com/google/fscryptctl/issues/32
- https://github.com/google/fscryptctl/issues/9
- https://lore.kernel.org/r/PH0PR02MB731916ECDB6C613665863B6CFFAA2@PH0PR02MB7319.namprd02.prod.outlook.com
These drivers have also similarly caused issues for dm-crypt users,
including data corruption and deadlocks. Since Linux v5.10, dm-crypt
has disabled most of them by excluding CRYPTO_ALG_ALLOCATES_MEMORY.
Second, these drivers tend to be *much* slower than the CPU-based code.
This may seem counterintuitive, but benchmarks clearly show it. There's
a *lot* of overhead associated with going to a hardware driver, off the
CPU, and back again. To prove this, I gathered as many systems with
this type of crypto engine as I could, and I measured synchronous
encryption of 4096-byte messages (which matches fscrypt's workload):
Intel Emerald Rapids server:
AES-256-XTS:
xts-aes-vaes-avx512 16171 MB/s [CPU-based, Vector AES]
qat_aes_xts 289 MB/s [Offload, Intel QuickAssist]
Qualcomm SM8650 HDK:
AES-256-XTS:
xts-aes-ce 4301 MB/s [CPU-based, ARMv8 Crypto Extensions]
xts-aes-qce 73 MB/s [Offload, Qualcomm Crypto Engine]
i.MX 8M Nano LPDDR4 EVK:
AES-256-XTS:
xts-aes-ce 647 MB/s [CPU-based, ARMv8 Crypto Extensions]
xts(ecb-aes-caam) 20 MB/s [Offload, CAAM]
AES-128-CBC-ESSIV:
essiv(cbc-aes-caam,sha256-lib) 23 MB/s [Offload, CAAM]
STM32MP157F-DK2:
AES-256-XTS:
xts-aes-neonbs 13.2 MB/s [CPU-based, ARM NEON]
xts(stm32-ecb-aes) 3.1 MB/s [Offload, STM32 crypto engine]
AES-128-CBC-ESSIV:
essiv(cbc-aes-neonbs,sha256-lib)
14.7 MB/s [CPU-based, ARM NEON]
essiv(stm32-cbc-aes,sha256-lib)
3.2 MB/s [Offload, STM32 crypto engine]
Adiantum:
adiantum(xchacha12-arm,aes-arm,nhpoly1305-neon)
52.8 MB/s [CPU-based, ARM scalar + NEON]
So, there was no case in which the crypto engine was even *close* to
being faster. On the first three, which have AES instructions in the
CPU, the CPU was 30 to 55 times faster (!). Even on STM32MP157F-DK2
which has a Cortex-A7 CPU that doesn't have AES instructions, AES was
over 4 times faster on the CPU. And Adiantum encryption, which is what
actually should be used on CPUs like that, was over 17 times faster.
Other justifications that have been given for these non-inline crypto
engines (almost always coming from the hardware vendors, not actual
users) don't seem very plausible either:
- The crypto engine throughput could be improved by processing
multiple requests concurrently. Currently irrelevant to fscrypt,
since it doesn't do that. This would also be complex, and unhelpful
in many cases. 2 of the 4 engines I tested even had only one queue.
- Some of the engines, e.g. STM32, support hardware keys. Also
currently irrelevant to fscrypt, since it doesn't support these.
Interestingly, the STM32 driver itself doesn't support this either.
- Free up CPU for other tasks and/or reduce energy usage. Not very
plausible considering the "short" message length, driver overhead,
and scheduling overhead. There's just very little time for the CPU
to do something else like run another task or enter low-power state,
before the message finishes and it's time to process the next one.
- Some of these engines resist power analysis and electromagnetic
attacks, while the CPU-based crypto generally does not. In theory,
this sounds great. In practice, if this benefit requires the use of
an off-CPU offload that massively regresses performance and has a
low-quality, buggy driver, the price for this hardening (which is
not relevant to most fscrypt users, and tends to be incomplete) is
just too high. Inline crypto engines are much more promising here,
as are on-CPU solutions like RISC-V High Assurance Cryptography.
Fixes: b30ab0e03407 ("ext4 crypto: add ext4 encryption facilities")
Cc: stable@vger.kernel.org
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20250704070322.20692-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
[ Drop some documentation changes ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/crypto/fscrypt_private.h | 17 +++++++++++++++++
fs/crypto/hkdf.c | 2 +-
fs/crypto/keysetup.c | 3 ++-
fs/crypto/keysetup_v1.c | 3 ++-
4 files changed, 22 insertions(+), 3 deletions(-)
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -27,6 +27,23 @@
*/
#define FSCRYPT_MIN_KEY_SIZE 16
+/*
+ * This mask is passed as the third argument to the crypto_alloc_*() functions
+ * to prevent fscrypt from using the Crypto API drivers for non-inline crypto
+ * engines. Those drivers have been problematic for fscrypt. fscrypt users
+ * have reported hangs and even incorrect en/decryption with these drivers.
+ * Since going to the driver, off CPU, and back again is really slow, such
+ * drivers can be over 50 times slower than the CPU-based code for fscrypt's
+ * workload. Even on platforms that lack AES instructions on the CPU, using the
+ * offloads has been shown to be slower, even staying with AES. (Of course,
+ * Adiantum is faster still, and is the recommended option on such platforms...)
+ *
+ * Note that fscrypt also supports inline crypto engines. Those don't use the
+ * Crypto API and work much better than the old-style (non-inline) engines.
+ */
+#define FSCRYPT_CRYPTOAPI_MASK \
+ (CRYPTO_ALG_ALLOCATES_MEMORY | CRYPTO_ALG_KERN_DRIVER_ONLY)
+
#define FSCRYPT_CONTEXT_V1 1
#define FSCRYPT_CONTEXT_V2 2
--- a/fs/crypto/hkdf.c
+++ b/fs/crypto/hkdf.c
@@ -72,7 +72,7 @@ int fscrypt_init_hkdf(struct fscrypt_hkd
u8 prk[HKDF_HASHLEN];
int err;
- hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0);
+ hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK);
if (IS_ERR(hmac_tfm)) {
fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld",
PTR_ERR(hmac_tfm));
--- a/fs/crypto/keysetup.c
+++ b/fs/crypto/keysetup.c
@@ -88,7 +88,8 @@ fscrypt_allocate_skcipher(struct fscrypt
struct crypto_skcipher *tfm;
int err;
- tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
+ tfm = crypto_alloc_skcipher(mode->cipher_str, 0,
+ FSCRYPT_CRYPTOAPI_MASK);
if (IS_ERR(tfm)) {
if (PTR_ERR(tfm) == -ENOENT) {
fscrypt_warn(inode,
--- a/fs/crypto/keysetup_v1.c
+++ b/fs/crypto/keysetup_v1.c
@@ -52,7 +52,8 @@ static int derive_key_aes(const u8 *mast
struct skcipher_request *req = NULL;
DECLARE_CRYPTO_WAIT(wait);
struct scatterlist src_sg, dst_sg;
- struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
+ struct crypto_skcipher *tfm =
+ crypto_alloc_skcipher("ecb(aes)", 0, FSCRYPT_CRYPTOAPI_MASK);
if (IS_ERR(tfm)) {
res = PTR_ERR(tfm);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 355/482] block: reject invalid operation in submit_bio_noacct
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 354/482] fscrypt: Dont use problematic non-inline crypto engines Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 356/482] block: Make REQ_OP_ZONE_FINISH a write operation Greg Kroah-Hartman
` (135 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Jens Axboe,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 1c042f8d4bc342b7985b1de3d76836f1a1083b65 ]
submit_bio_noacct allows completely invalid operations, or operations
that are not supported in the bio path. Extent the existing switch
statement to rejcect all invalid types.
Move the code point for REQ_OP_ZONE_APPEND so that it's not right in the
middle of the zone management operations and the switch statement can
follow the numerical order of the operations.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20231221070538.1112446-1-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 3f66ccbaaef3 ("block: Make REQ_OP_ZONE_FINISH a write operation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-core.c | 26 +++++++++++++++++++++-----
include/linux/blk_types.h | 8 ++++----
2 files changed, 25 insertions(+), 9 deletions(-)
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -755,6 +755,15 @@ void submit_bio_noacct(struct bio *bio)
bio_clear_polled(bio);
switch (bio_op(bio)) {
+ case REQ_OP_READ:
+ case REQ_OP_WRITE:
+ break;
+ case REQ_OP_FLUSH:
+ /*
+ * REQ_OP_FLUSH can't be submitted through bios, it is only
+ * synthetized in struct request by the flush state machine.
+ */
+ goto not_supported;
case REQ_OP_DISCARD:
if (!bdev_max_discard_sectors(bdev))
goto not_supported;
@@ -768,6 +777,10 @@ void submit_bio_noacct(struct bio *bio)
if (status != BLK_STS_OK)
goto end_io;
break;
+ case REQ_OP_WRITE_ZEROES:
+ if (!q->limits.max_write_zeroes_sectors)
+ goto not_supported;
+ break;
case REQ_OP_ZONE_RESET:
case REQ_OP_ZONE_OPEN:
case REQ_OP_ZONE_CLOSE:
@@ -779,12 +792,15 @@ void submit_bio_noacct(struct bio *bio)
if (!bdev_is_zoned(bio->bi_bdev) || !blk_queue_zone_resetall(q))
goto not_supported;
break;
- case REQ_OP_WRITE_ZEROES:
- if (!q->limits.max_write_zeroes_sectors)
- goto not_supported;
- break;
+ case REQ_OP_DRV_IN:
+ case REQ_OP_DRV_OUT:
+ /*
+ * Driver private operations are only used with passthrough
+ * requests.
+ */
+ fallthrough;
default:
- break;
+ goto not_supported;
}
if (blk_throtl_bio(bio))
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -366,6 +366,8 @@ enum req_op {
REQ_OP_DISCARD = (__force blk_opf_t)3,
/* securely erase sectors */
REQ_OP_SECURE_ERASE = (__force blk_opf_t)5,
+ /* write data at the current zone write pointer */
+ REQ_OP_ZONE_APPEND = (__force blk_opf_t)7,
/* write the zero filled sector many times */
REQ_OP_WRITE_ZEROES = (__force blk_opf_t)9,
/* Open a zone */
@@ -374,12 +376,10 @@ enum req_op {
REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11,
/* Transition a zone to full */
REQ_OP_ZONE_FINISH = (__force blk_opf_t)12,
- /* write data at the current zone write pointer */
- REQ_OP_ZONE_APPEND = (__force blk_opf_t)13,
/* reset a zone write pointer */
- REQ_OP_ZONE_RESET = (__force blk_opf_t)15,
+ REQ_OP_ZONE_RESET = (__force blk_opf_t)13,
/* reset all the zone present on the device */
- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17,
+ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)15,
/* Driver private requests */
REQ_OP_DRV_IN = (__force blk_opf_t)34,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 356/482] block: Make REQ_OP_ZONE_FINISH a write operation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 355/482] block: reject invalid operation in submit_bio_noacct Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 357/482] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Greg Kroah-Hartman
` (134 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Bart Van Assche,
Johannes Thumshirn, Christoph Hellwig, Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ]
REQ_OP_ZONE_FINISH is defined as "12", which makes
op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a
zone finish operation is an operation that modifies a zone (transition
it to full) and so should be considered as a write operation (albeit
one that does not transfer any data to the device).
Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and
redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential
odd numbers from that new value.
Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/blk_types.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -375,11 +375,11 @@ enum req_op {
/* Close a zone */
REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11,
/* Transition a zone to full */
- REQ_OP_ZONE_FINISH = (__force blk_opf_t)12,
+ REQ_OP_ZONE_FINISH = (__force blk_opf_t)13,
/* reset a zone write pointer */
- REQ_OP_ZONE_RESET = (__force blk_opf_t)13,
+ REQ_OP_ZONE_RESET = (__force blk_opf_t)15,
/* reset all the zone present on the device */
- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)15,
+ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17,
/* Driver private requests */
REQ_OP_DRV_IN = (__force blk_opf_t)34,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 357/482] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 356/482] block: Make REQ_OP_ZONE_FINISH a write operation Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 358/482] cifs: reset iface weights when we cannot find a candidate Greg Kroah-Hartman
` (133 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Bigonville,
Mario Limonciello, Lukas Wunner, Bjorn Helgaas, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ]
pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and
pcie_portdrv_remove() to determine whether runtime power management shall
be enabled (on probe) or disabled (on remove) on a PCIe port.
The underlying assumption is that pci_bridge_d3_possible() always returns
the same value, else a runtime PM reference imbalance would occur. That
assumption is not given if the PCIe port is inaccessible on remove due to
hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which
accesses Config Space to determine whether the port is Hot-Plug Capable.
An inaccessible port returns "all ones", which is converted to "all
zeroes" by pcie_capability_read_dword(). Hence the port no longer seems
Hot-Plug Capable on remove even though it was on probe.
The resulting runtime PM ref imbalance causes warning messages such as:
pcieport 0000:02:04.0: Runtime PM usage count underflow!
Avoid the Config Space access (and thus the runtime PM ref imbalance) by
caching the Hot-Plug Capable bit in struct pci_dev.
The struct already contains an "is_hotplug_bridge" flag, which however is
not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI
Hot-Plug bridges and ACPI slots. The flag identifies bridges which are
allocated additional MMIO and bus number resources to allow for hierarchy
expansion.
The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of
places to identify Hot-Plug Capable PCIe ports, even though the flag
encompasses other devices. Subsequent commits replace these occurrences
with the new flag to clearly delineate Hot-Plug Capable PCIe ports from
other kinds of hotplug bridges.
Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag
and document the (non-obvious) requirement that pci_bridge_d3_possible()
always returns the same value across the entire lifetime of a bridge,
including its hot-removal.
Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter")
Reported-by: Laurent Bigonville <bigon@bigon.be>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216
Reported-by: Mario Limonciello <mario.limonciello@amd.com>
Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/
Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael@kernel.org>
Cc: stable@vger.kernel.org # v4.18+
Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de
[ changed "recent enough PCIe ports" comment to "some PCIe ports" ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-acpi.c | 4 +---
drivers/pci/pci.c | 8 ++++++--
drivers/pci/probe.c | 2 +-
include/linux/pci.h | 10 +++++++++-
4 files changed, 17 insertions(+), 7 deletions(-)
--- a/drivers/pci/pci-acpi.c
+++ b/drivers/pci/pci-acpi.c
@@ -793,13 +793,11 @@ int pci_acpi_program_hp_params(struct pc
bool pciehp_is_native(struct pci_dev *bridge)
{
const struct pci_host_bridge *host;
- u32 slot_cap;
if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
return false;
- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap);
- if (!(slot_cap & PCI_EXP_SLTCAP_HPC))
+ if (!bridge->is_pciehp)
return false;
if (pcie_ports_native)
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3019,8 +3019,12 @@ static const struct dmi_system_id bridge
* pci_bridge_d3_possible - Is it possible to put the bridge into D3
* @bridge: Bridge to check
*
- * This function checks if it is possible to move the bridge to D3.
- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt.
+ * Currently we only allow D3 for some PCIe ports and for Thunderbolt.
+ *
+ * Return: Whether it is possible to move the bridge to D3.
+ *
+ * The return value is guaranteed to be constant across the entire lifetime
+ * of the bridge, including its hot-removal.
*/
bool pci_bridge_d3_possible(struct pci_dev *bridge)
{
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1592,7 +1592,7 @@ void set_pcie_hotplug_bridge(struct pci_
pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32);
if (reg32 & PCI_EXP_SLTCAP_HPC)
- pdev->is_hotplug_bridge = 1;
+ pdev->is_hotplug_bridge = pdev->is_pciehp = 1;
}
static void set_pcie_thunderbolt(struct pci_dev *dev)
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -317,7 +317,14 @@ struct pci_sriov;
struct pci_p2pdma;
struct rcec_ea;
-/* The pci_dev structure describes PCI devices */
+/* struct pci_dev - describes a PCI device
+ *
+ * @is_hotplug_bridge: Hotplug bridge of any kind (e.g. PCIe Hot-Plug Capable,
+ * Conventional PCI Hot-Plug, ACPI slot).
+ * Such bridges are allocated additional MMIO and bus
+ * number resources to allow for hierarchy expansion.
+ * @is_pciehp: PCIe Hot-Plug Capable bridge.
+ */
struct pci_dev {
struct list_head bus_list; /* Node in per-bus list */
struct pci_bus *bus; /* Bus this device is on */
@@ -438,6 +445,7 @@ struct pci_dev {
unsigned int is_physfn:1;
unsigned int is_virtfn:1;
unsigned int is_hotplug_bridge:1;
+ unsigned int is_pciehp:1;
unsigned int shpc_managed:1; /* SHPC owned by shpchp */
unsigned int is_thunderbolt:1; /* Thunderbolt controller */
/*
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 358/482] cifs: reset iface weights when we cannot find a candidate
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 357/482] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 359/482] usb: typec: fusb302: cache PD RX state Greg Kroah-Hartman
` (132 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shyam Prasad N, Steve French,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
[ Upstream commit 9d5eff7821f6d70f7d1b4d8a60680fba4de868a7 ]
We now do a weighted selection of server interfaces when allocating
new channels. The weights are decided based on the speed advertised.
The fulfilled weight for an interface is a counter that is used to
track the interface selection. It should be reset back to zero once
all interfaces fulfilling their weight.
In cifs_chan_update_iface, this reset logic was missing. As a result
when the server interface list changes, the client may not be able
to find a new candidate for other channels after all interfaces have
been fulfilled.
Fixes: a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed")
Cc: <stable@vger.kernel.org>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Kept both int rc and int retry variables ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/sess.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -292,6 +292,7 @@ cifs_chan_update_iface(struct cifs_ses *
struct cifs_server_iface *last_iface = NULL;
struct sockaddr_storage ss;
int rc = 0;
+ int retry = 0;
spin_lock(&ses->chan_lock);
chan_index = cifs_ses_get_chan_index(ses, server);
@@ -320,6 +321,7 @@ cifs_chan_update_iface(struct cifs_ses *
return 0;
}
+try_again:
last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
iface_head);
iface_min_speed = last_iface->speed;
@@ -358,6 +360,13 @@ cifs_chan_update_iface(struct cifs_ses *
if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
rc = 1;
+ list_for_each_entry(iface, &ses->iface_list, iface_head)
+ iface->weight_fulfilled = 0;
+
+ /* see if it can be satisfied in second attempt */
+ if (!retry++)
+ goto try_again;
+
iface = NULL;
cifs_dbg(FYI, "unable to find a suitable iface\n");
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 359/482] usb: typec: fusb302: cache PD RX state
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 358/482] cifs: reset iface weights when we cannot find a candidate Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 360/482] btrfs: qgroup: fix race between quota disable and quota rescan ioctl Greg Kroah-Hartman
` (131 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Sebastian Reichel,
Heikki Krogerus, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ]
This patch fixes a race condition communication error, which ends up in
PD hard resets when losing the race. Some systems, like the Radxa ROCK
5B are powered through USB-C without any backup power source and use a
FUSB302 chip to do the PD negotiation. This means it is quite important
to avoid hard resets, since that effectively kills the system's
power-supply.
I've found the following race condition while debugging unplanned power
loss during booting the board every now and then:
1. lots of TCPM/FUSB302/PD initialization stuff
2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here)
3. the remote PD source does not send anything, so TCPM does a SOFT RESET
4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time
(tcpm_set_pd_rx is enabled again, even though it is still on)
At this point I've seen broken CRC good messages being send by the
FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like
messages are being lost and things generally going haywire with one of
the two sides doing a hard reset once a broken CRC good message was send
to the bus.
I think the system is running into a race condition, that the FIFOs are
being cleared and/or the automatic good CRC message generation flag is
being updated while a message is already arriving.
Let's avoid this by caching the PD RX enabled state, as we have already
processed anything in the FIFOs and are in a good state. As a side
effect that this also optimizes I2C bus usage :)
As far as I can tell the problem theoretically also exists when TCPM
enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less
critical for the following reason:
On devices like the ROCK 5B, which are powered through a TCPM backed
USB-C port, the bootloader must have done some prior PD communication
(initial communication must happen within 5 seconds after plugging the
USB-C plug). This means the first time the kernel TCPM state machine
reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages
actively. On other devices a hard reset simply adds some extra delay and
things should be good afterwards.
Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/usb/typec/tcpm/fusb302.c
+++ b/drivers/usb/typec/tcpm/fusb302.c
@@ -103,6 +103,7 @@ struct fusb302_chip {
bool vconn_on;
bool vbus_on;
bool charge_on;
+ bool pd_rx_on;
bool vbus_present;
enum typec_cc_polarity cc_polarity;
enum typec_cc_status cc1;
@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de
int ret = 0;
mutex_lock(&chip->lock);
+ if (chip->pd_rx_on == on) {
+ fusb302_log(chip, "pd is already %s", str_on_off(on));
+ goto done;
+ }
+
ret = fusb302_pd_rx_flush(chip);
if (ret < 0) {
fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret);
@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de
on ? "on" : "off", ret);
goto done;
}
+
+ chip->pd_rx_on = on;
fusb302_log(chip, "pd := %s", on ? "on" : "off");
done:
mutex_unlock(&chip->lock);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 360/482] btrfs: qgroup: fix race between quota disable and quota rescan ioctl
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 359/482] usb: typec: fusb302: cache PD RX state Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 361/482] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() Greg Kroah-Hartman
` (130 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, cen zhang, Boris Burkov, Qu Wenruo,
Filipe Manana, David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit e1249667750399a48cafcf5945761d39fa584edf ]
There's a race between a task disabling quotas and another running the
rescan ioctl that can result in a use-after-free of qgroup records from
the fs_info->qgroup_tree rbtree.
This happens as follows:
1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();
2) Task B enters btrfs_quota_disable() and calls
btrfs_qgroup_wait_for_completion(), which does nothing because at that
point fs_info->qgroup_rescan_running is false (it wasn't set yet by
task A);
3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups
from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;
4) Task A enters qgroup_rescan_zero_tracking() which starts iterating
the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,
but task B is freeing qgroup records from that tree without holding
the lock, resulting in a use-after-free.
Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().
Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas
were already disabled.
Reported-by: cen zhang <zzzccc427@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsHqPD6B3FetLpQ@mail.gmail.com/
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ Check for BTRFS_FS_QUOTA_ENABLED, instead of btrfs_qgroup_full_accounting() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/qgroup.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -573,22 +573,30 @@ bool btrfs_check_quota_leak(struct btrfs
/*
* This is called from close_ctree() or open_ctree() or btrfs_quota_disable(),
- * first two are in single-threaded paths.And for the third one, we have set
- * quota_root to be null with qgroup_lock held before, so it is safe to clean
- * up the in-memory structures without qgroup_lock held.
+ * first two are in single-threaded paths.
*/
void btrfs_free_qgroup_config(struct btrfs_fs_info *fs_info)
{
struct rb_node *n;
struct btrfs_qgroup *qgroup;
+ /*
+ * btrfs_quota_disable() can be called concurrently with
+ * btrfs_qgroup_rescan() -> qgroup_rescan_zero_tracking(), so take the
+ * lock.
+ */
+ spin_lock(&fs_info->qgroup_lock);
while ((n = rb_first(&fs_info->qgroup_tree))) {
qgroup = rb_entry(n, struct btrfs_qgroup, node);
rb_erase(n, &fs_info->qgroup_tree);
__del_qgroup_rb(fs_info, qgroup);
+ spin_unlock(&fs_info->qgroup_lock);
btrfs_sysfs_del_one_qgroup(fs_info, qgroup);
kfree(qgroup);
+ spin_lock(&fs_info->qgroup_lock);
}
+ spin_unlock(&fs_info->qgroup_lock);
+
/*
* We call btrfs_free_qgroup_config() when unmounting
* filesystem and disabling quota, so we set qgroup_ulist
@@ -3597,12 +3605,21 @@ btrfs_qgroup_rescan(struct btrfs_fs_info
qgroup_rescan_zero_tracking(fs_info);
mutex_lock(&fs_info->qgroup_rescan_lock);
- fs_info->qgroup_rescan_running = true;
- btrfs_queue_work(fs_info->qgroup_rescan_workers,
- &fs_info->qgroup_rescan_work);
+ /*
+ * The rescan worker is only for full accounting qgroups, check if it's
+ * enabled as it is pointless to queue it otherwise. A concurrent quota
+ * disable may also have just cleared BTRFS_FS_QUOTA_ENABLED.
+ */
+ if (test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) {
+ fs_info->qgroup_rescan_running = true;
+ btrfs_queue_work(fs_info->qgroup_rescan_workers,
+ &fs_info->qgroup_rescan_work);
+ } else {
+ ret = -ENOTCONN;
+ }
mutex_unlock(&fs_info->qgroup_rescan_lock);
- return 0;
+ return ret;
}
int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 361/482] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 360/482] btrfs: qgroup: fix race between quota disable and quota rescan ioctl Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 362/482] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Greg Kroah-Hartman
` (129 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Vacek, Qu Wenruo,
Filipe Manana, David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 ]
If we find an unexpected generation for the extent buffer we are cloning
at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the
transaction, meaning we allow to persist metadata with an unexpected
generation. Instead of warning only, abort the transaction and return
-EUCLEAN.
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Daniel Vacek <neelx@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ctree.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -237,7 +237,14 @@ int btrfs_copy_root(struct btrfs_trans_h
write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid);
- WARN_ON(btrfs_header_generation(buf) > trans->transid);
+ if (unlikely(btrfs_header_generation(buf) > trans->transid)) {
+ btrfs_tree_unlock(cow);
+ free_extent_buffer(cow);
+ ret = -EUCLEAN;
+ btrfs_abort_transaction(trans, ret);
+ return ret;
+ }
+
if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID)
ret = btrfs_inc_ref(trans, root, cow, 1);
else
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 362/482] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 361/482] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 363/482] btrfs: send: use fallocate for hole punching with send stream v2 Greg Kroah-Hartman
` (128 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, cen zhang, Christoph Hellwig,
Darrick J. Wong, Carlos Maiolino, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit d2845519b0723c5d5a0266cbf410495f9b8fd65c ]
Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags
argument to xfs_inobt_walk, which expects the XFS_IWALK* flags.
Currently passing the wrong flags works for non-debug builds because
the only XFS_IWALK* flag has the same encoding as the corresponding
XFS_IBULK* flag, but in debug builds it can trigger an assert that no
incorrect flag is passed. Instead just extra the relevant flag.
Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags")
Cc: <stable@vger.kernel.org> # v5.19
Reported-by: cen zhang <zzzccc427@gmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_itable.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_itable.c
+++ b/fs/xfs/xfs_itable.c
@@ -422,11 +422,15 @@ xfs_inumbers(
.breq = breq,
};
struct xfs_trans *tp;
+ unsigned int iwalk_flags = 0;
int error = 0;
if (xfs_bulkstat_already_done(breq->mp, breq->startino))
return 0;
+ if (breq->flags & XFS_IBULK_SAME_AG)
+ iwalk_flags |= XFS_IWALK_SAME_AG;
+
/*
* Grab an empty transaction so that we can use its recursive buffer
* locking abilities to detect cycles in the inobt without deadlocking.
@@ -435,7 +439,7 @@ xfs_inumbers(
if (error)
goto out;
- error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags,
+ error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags,
xfs_inumbers_walk, breq->icount, &ic);
xfs_trans_cancel(tp);
out:
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 363/482] btrfs: send: use fallocate for hole punching with send stream v2
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 362/482] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 364/482] net_sched: sch_ets: implement lockless ets_dump() Greg Kroah-Hartman
` (127 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Filipe Manana,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 005b0a0c24e1628313e951516b675109a92cacfe ]
Currently holes are sent as writes full of zeroes, which results in
unnecessarily using disk space at the receiving end and increasing the
stream size.
In some cases we avoid sending writes of zeroes, like during a full
send operation where we just skip writes for holes.
But for some cases we fill previous holes with writes of zeroes too, like
in this scenario:
1) We have a file with a hole in the range [2M, 3M), we snapshot the
subvolume and do a full send. The range [2M, 3M) stays as a hole at
the receiver since we skip sending write commands full of zeroes;
2) We punch a hole for the range [3M, 4M) in our file, so that now it
has a 2M hole in the range [2M, 4M), and snapshot the subvolume.
Now if we do an incremental send, we will send write commands full
of zeroes for the range [2M, 4M), removing the hole for [2M, 3M) at
the receiver.
We could improve cases such as this last one by doing additional
comparisons of file extent items (or their absence) between the parent
and send snapshots, but that's a lot of code to add plus additional CPU
and IO costs.
Since the send stream v2 already has a fallocate command and btrfs-progs
implements a callback to execute fallocate since the send stream v2
support was added to it, update the kernel to use fallocate for punching
holes for V2+ streams.
Test coverage is provided by btrfs/284 which is a version of btrfs/007
that exercises send stream v2 instead of v1, using fsstress with random
operations and fssum to verify file contents.
Link: https://github.com/kdave/btrfs-progs/issues/1001
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ Replaced get_cur_inode_path() with fs_path_alloc() and get_cur_path() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/send.c | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4,6 +4,7 @@
*/
#include <linux/bsearch.h>
+#include <linux/falloc.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/sort.h>
@@ -5231,6 +5232,36 @@ out:
return ret;
}
+static int send_fallocate(struct send_ctx *sctx, u32 mode, u64 offset, u64 len)
+{
+ struct fs_path *p;
+ int ret;
+
+ p = fs_path_alloc();
+ if (!p)
+ return -ENOMEM;
+
+ ret = get_cur_path(sctx, sctx->cur_ino, sctx->cur_inode_gen, p);
+ if (ret < 0)
+ goto out;
+
+ ret = begin_cmd(sctx, BTRFS_SEND_C_FALLOCATE);
+ if (ret < 0)
+ goto out;
+
+ TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, p);
+ TLV_PUT_U32(sctx, BTRFS_SEND_A_FALLOCATE_MODE, mode);
+ TLV_PUT_U64(sctx, BTRFS_SEND_A_FILE_OFFSET, offset);
+ TLV_PUT_U64(sctx, BTRFS_SEND_A_SIZE, len);
+
+ ret = send_cmd(sctx);
+
+tlv_put_failure:
+out:
+ fs_path_free(p);
+ return ret;
+}
+
static int send_hole(struct send_ctx *sctx, u64 end)
{
struct fs_path *p = NULL;
@@ -5239,6 +5270,14 @@ static int send_hole(struct send_ctx *sc
int ret = 0;
/*
+ * Starting with send stream v2 we have fallocate and can use it to
+ * punch holes instead of sending writes full of zeroes.
+ */
+ if (proto_cmd_ok(sctx, BTRFS_SEND_C_FALLOCATE))
+ return send_fallocate(sctx, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
+ offset, end - offset);
+
+ /*
* A hole that starts at EOF or beyond it. Since we do not yet support
* fallocate (for extent preallocation and hole punching), sending a
* write of zeroes starting at EOF or beyond would later require issuing
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 364/482] net_sched: sch_ets: implement lockless ets_dump()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 363/482] btrfs: send: use fallocate for hole punching with send stream v2 Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 365/482] net/sched: ets: use old nbands while purging unused classes Greg Kroah-Hartman
` (126 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Simon Horman,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ]
Instead of relying on RTNL, ets_dump() can use READ_ONCE()
annotations, paired with WRITE_ONCE() ones in ets_change().
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -651,7 +651,7 @@ static int ets_qdisc_change(struct Qdisc
sch_tree_lock(sch);
- q->nbands = nbands;
+ WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
list_add_tail(&q->classes[i].alist, &q->active);
@@ -663,11 +663,11 @@ static int ets_qdisc_change(struct Qdisc
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
- q->nstrict = nstrict;
+ WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
- q->classes[i].quantum = quanta[i];
+ WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
@@ -681,7 +681,7 @@ static int ets_qdisc_change(struct Qdisc
for (i = q->nbands; i < oldbands; i++) {
qdisc_put(q->classes[i].qdisc);
q->classes[i].qdisc = NULL;
- q->classes[i].quantum = 0;
+ WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
@@ -738,6 +738,7 @@ static int ets_qdisc_dump(struct Qdisc *
struct ets_sched *q = qdisc_priv(sch);
struct nlattr *opts;
struct nlattr *nest;
+ u8 nbands, nstrict;
int band;
int prio;
int err;
@@ -750,21 +751,22 @@ static int ets_qdisc_dump(struct Qdisc *
if (!opts)
goto nla_err;
- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands))
+ nbands = READ_ONCE(q->nbands);
+ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands))
goto nla_err;
- if (q->nstrict &&
- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict))
+ nstrict = READ_ONCE(q->nstrict);
+ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict))
goto nla_err;
- if (q->nbands > q->nstrict) {
+ if (nbands > nstrict) {
nest = nla_nest_start(skb, TCA_ETS_QUANTA);
if (!nest)
goto nla_err;
- for (band = q->nstrict; band < q->nbands; band++) {
+ for (band = nstrict; band < nbands; band++) {
if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND,
- q->classes[band].quantum))
+ READ_ONCE(q->classes[band].quantum)))
goto nla_err;
}
@@ -776,7 +778,8 @@ static int ets_qdisc_dump(struct Qdisc *
goto nla_err;
for (prio = 0; prio <= TC_PRIO_MAX; prio++) {
- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio]))
+ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND,
+ READ_ONCE(q->prio2band[prio])))
goto nla_err;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 365/482] net/sched: ets: use old nbands while purging unused classes
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 364/482] net_sched: sch_ets: implement lockless ets_dump() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 366/482] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Greg Kroah-Hartman
` (125 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Shuang, Petr Machata, Ivan Vecera,
Davide Caratti, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Caratti <dcaratti@redhat.com>
[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ]
Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
the cleanup should be done with the old one. The problem is here since my
first attempts to fix ets_qdisc_change(), but it surfaced again after the
recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
assigning a new value of 'q->nbands', so that all purge operations find a
consistent configuration:
- old 'q->nbands' because it's needed by ets_class_find()
- old 'q->nstrict' because it's needed by ets_class_is_strict()
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
RSP: 0018:ffffba186009f400 EFLAGS: 00010202
RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
ets_class_qlen_notify+0x65/0x90 [sch_ets]
qdisc_tree_reduce_backlog+0x74/0x110
ets_qdisc_change+0x630/0xa40 [sch_ets]
__tc_modify_qdisc.constprop.0+0x216/0x7f0
tc_modify_qdisc+0x7c/0x120
rtnetlink_rcv_msg+0x145/0x3f0
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x245/0x390
netlink_sendmsg+0x21b/0x470
____sys_sendmsg+0x39d/0x3d0
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x7d/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2155114084
Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
</TASK>
[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
Cc: stable@vger.kernel.org
Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty")
Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list")
Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
Reported-by: Li Shuang <shuali@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-108026
Reviewed-by: Petr Machata <petrm@nvidia.com>
Co-developed-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc
sch_tree_lock(sch);
+ for (i = nbands; i < oldbands; i++) {
+ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+ list_del_init(&q->classes[i].alist);
+ qdisc_purge_queue(q->classes[i].qdisc);
+ }
+
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
@@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc
q->classes[i].deficit = quanta[i];
}
}
- for (i = q->nbands; i < oldbands; i++) {
- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
- list_del_init(&q->classes[i].alist);
- qdisc_purge_queue(q->classes[i].qdisc);
- }
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 366/482] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 365/482] net/sched: ets: use old nbands while purging unused classes Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 367/482] media: venus: Introduce accessors for remapped hfi_buffer_reqs members Greg Kroah-Hartman
` (124 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anshuman Khandual, David Hildenbrand,
Dev Jain, Catalin Marinas, Will Deacon, Ryan Roberts,
Paul Walmsley, Palmer Dabbelt, Alexander Gordeev, Gerald Schaefer,
Heiko Carstens, Vasily Gorbik, Christian Borntraeger,
Sven Schnelle, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anshuman Khandual <anshuman.khandual@arm.com>
[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ]
Memory hot remove unmaps and tears down various kernel page table regions
as required. The ptdump code can race with concurrent modifications of
the kernel page tables. When leaf entries are modified concurrently, the
dump code may log stale or inconsistent information for a VA range, but
this is otherwise not harmful.
But when intermediate levels of kernel page table are freed, the dump code
will continue to use memory that has been freed and potentially
reallocated for another purpose. In such cases, the ptdump code may
dereference bogus addresses, leading to a number of potential problems.
To avoid the above mentioned race condition, platforms such as arm64,
riscv and s390 take memory hotplug lock, while dumping kernel page table
via the sysfs interface /sys/kernel/debug/kernel_page_tables.
Similar race condition exists while checking for pages that might have
been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
which in turn calls ptdump_check_wx(). Instead of solving this race
condition again, let's just move the memory hotplug lock inside generic
ptdump_check_wx() which will benefit both the scenarios.
Drop get_online_mems() and put_online_mems() combination from all existing
platform ptdump code paths.
Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/ptdump_debugfs.c | 3 ---
arch/s390/mm/dump_pagetables.c | 2 --
mm/ptdump.c | 2 ++
3 files changed, 2 insertions(+), 5 deletions(-)
--- a/arch/arm64/mm/ptdump_debugfs.c
+++ b/arch/arm64/mm/ptdump_debugfs.c
@@ -1,6 +1,5 @@
// SPDX-License-Identifier: GPL-2.0
#include <linux/debugfs.h>
-#include <linux/memory_hotplug.h>
#include <linux/seq_file.h>
#include <asm/ptdump.h>
@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
{
struct ptdump_info *info = m->private;
- get_online_mems();
ptdump_walk(m, info);
- put_online_mems();
return 0;
}
DEFINE_SHOW_ATTRIBUTE(ptdump);
--- a/arch/s390/mm/dump_pagetables.c
+++ b/arch/s390/mm/dump_pagetables.c
@@ -249,11 +249,9 @@ static int ptdump_show(struct seq_file *
.marker = address_markers,
};
- get_online_mems();
mutex_lock(&cpa_mutex);
ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
mutex_unlock(&cpa_mutex);
- put_online_mems();
return 0;
}
DEFINE_SHOW_ATTRIBUTE(ptdump);
--- a/mm/ptdump.c
+++ b/mm/ptdump.c
@@ -152,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state
{
const struct ptdump_range *range = st->range;
+ get_online_mems();
mmap_write_lock(mm);
while (range->start != range->end) {
walk_page_range_novma(mm, range->start, range->end,
@@ -159,6 +160,7 @@ void ptdump_walk_pgd(struct ptdump_state
range++;
}
mmap_write_unlock(mm);
+ put_online_mems();
/* Flush out the last page */
st->note_page(st, 0, -1, 0);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 367/482] media: venus: Introduce accessors for remapped hfi_buffer_reqs members
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 366/482] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 368/482] media: venus: Fix OOB read due to missing payload bound check Greg Kroah-Hartman
` (123 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Konrad Dybcio,
Stanimir Varbanov, Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
[ Upstream commit bbfc89e6f67ccb1ddefc3e8a284248bcfea58544 ]
Currently we have macros to access these, but they don't provide a
way to override the remapped fields. Replace the macros with actual
get/set pairs to fix that.
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Stable-dep-of: 06d6770ff0d8 ("media: venus: Fix OOB read due to missing payload bound check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/helpers.c | 2
drivers/media/platform/qcom/venus/hfi_helper.h | 61 +++++++++++++++++++++----
drivers/media/platform/qcom/venus/hfi_msgs.c | 2
drivers/media/platform/qcom/venus/vdec.c | 8 +--
drivers/media/platform/qcom/venus/vdec_ctrls.c | 2
drivers/media/platform/qcom/venus/venc.c | 4 -
drivers/media/platform/qcom/venus/venc_ctrls.c | 2
7 files changed, 63 insertions(+), 18 deletions(-)
--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -189,7 +189,7 @@ int venus_helper_alloc_dpb_bufs(struct v
if (ret)
return ret;
- count = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
+ count = hfi_bufreq_get_count_min(&bufreq, ver);
for (i = 0; i < count; i++) {
buf = kzalloc(sizeof(*buf), GFP_KERNEL);
--- a/drivers/media/platform/qcom/venus/hfi_helper.h
+++ b/drivers/media/platform/qcom/venus/hfi_helper.h
@@ -1150,14 +1150,6 @@ struct hfi_buffer_display_hold_count_act
u32 hold_count;
};
-/* HFI 4XX reorder the fields, use these macros */
-#define HFI_BUFREQ_HOLD_COUNT(bufreq, ver) \
- ((ver) == HFI_VERSION_4XX ? 0 : (bufreq)->hold_count)
-#define HFI_BUFREQ_COUNT_MIN(bufreq, ver) \
- ((ver) == HFI_VERSION_4XX ? (bufreq)->hold_count : (bufreq)->count_min)
-#define HFI_BUFREQ_COUNT_MIN_HOST(bufreq, ver) \
- ((ver) == HFI_VERSION_4XX ? (bufreq)->count_min : 0)
-
struct hfi_buffer_requirements {
u32 type;
u32 size;
@@ -1169,6 +1161,59 @@ struct hfi_buffer_requirements {
u32 alignment;
};
+/* On HFI 4XX, some of the struct members have been swapped. */
+static inline u32 hfi_bufreq_get_hold_count(struct hfi_buffer_requirements *req,
+ u32 ver)
+{
+ if (ver == HFI_VERSION_4XX)
+ return 0;
+
+ return req->hold_count;
+};
+
+static inline u32 hfi_bufreq_get_count_min(struct hfi_buffer_requirements *req,
+ u32 ver)
+{
+ if (ver == HFI_VERSION_4XX)
+ return req->hold_count;
+
+ return req->count_min;
+};
+
+static inline u32 hfi_bufreq_get_count_min_host(struct hfi_buffer_requirements *req,
+ u32 ver)
+{
+ if (ver == HFI_VERSION_4XX)
+ return req->count_min;
+
+ return 0;
+};
+
+static inline void hfi_bufreq_set_hold_count(struct hfi_buffer_requirements *req,
+ u32 ver, u32 val)
+{
+ if (ver == HFI_VERSION_4XX)
+ return;
+
+ req->hold_count = val;
+};
+
+static inline void hfi_bufreq_set_count_min(struct hfi_buffer_requirements *req,
+ u32 ver, u32 val)
+{
+ if (ver == HFI_VERSION_4XX)
+ req->hold_count = val;
+
+ req->count_min = val;
+};
+
+static inline void hfi_bufreq_set_count_min_host(struct hfi_buffer_requirements *req,
+ u32 ver, u32 val)
+{
+ if (ver == HFI_VERSION_4XX)
+ req->count_min = val;
+};
+
struct hfi_data_payload {
u32 size;
u8 data[1];
--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
+++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
@@ -99,7 +99,7 @@ static void event_seq_changed(struct ven
case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:
data_ptr += sizeof(u32);
bufreq = (struct hfi_buffer_requirements *)data_ptr;
- event.buf_count = HFI_BUFREQ_COUNT_MIN(bufreq, ver);
+ event.buf_count = hfi_bufreq_get_count_min(bufreq, ver);
data_ptr += sizeof(*bufreq);
break;
case HFI_INDEX_EXTRADATA_INPUT_CROP:
--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -864,13 +864,13 @@ static int vdec_num_buffers(struct venus
if (ret)
return ret;
- *in_num = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
+ *in_num = hfi_bufreq_get_count_min(&bufreq, ver);
ret = venus_helper_get_bufreq(inst, HFI_BUFFER_OUTPUT, &bufreq);
if (ret)
return ret;
- *out_num = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
+ *out_num = hfi_bufreq_get_count_min(&bufreq, ver);
return 0;
}
@@ -984,14 +984,14 @@ static int vdec_verify_conf(struct venus
return ret;
if (inst->num_output_bufs < bufreq.count_actual ||
- inst->num_output_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
+ inst->num_output_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
return -EINVAL;
ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
if (ret)
return ret;
- if (inst->num_input_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
+ if (inst->num_input_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
return -EINVAL;
return 0;
--- a/drivers/media/platform/qcom/venus/vdec_ctrls.c
+++ b/drivers/media/platform/qcom/venus/vdec_ctrls.c
@@ -79,7 +79,7 @@ static int vdec_op_g_volatile_ctrl(struc
case V4L2_CID_MIN_BUFFERS_FOR_CAPTURE:
ret = venus_helper_get_bufreq(inst, HFI_BUFFER_OUTPUT, &bufreq);
if (!ret)
- ctrl->val = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
+ ctrl->val = hfi_bufreq_get_count_min(&bufreq, ver);
break;
default:
return -EINVAL;
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -1176,7 +1176,7 @@ static int venc_verify_conf(struct venus
return ret;
if (inst->num_output_bufs < bufreq.count_actual ||
- inst->num_output_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
+ inst->num_output_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
return -EINVAL;
ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
@@ -1184,7 +1184,7 @@ static int venc_verify_conf(struct venus
return ret;
if (inst->num_input_bufs < bufreq.count_actual ||
- inst->num_input_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
+ inst->num_input_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
return -EINVAL;
return 0;
--- a/drivers/media/platform/qcom/venus/venc_ctrls.c
+++ b/drivers/media/platform/qcom/venus/venc_ctrls.c
@@ -358,7 +358,7 @@ static int venc_op_g_volatile_ctrl(struc
case V4L2_CID_MIN_BUFFERS_FOR_OUTPUT:
ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
if (!ret)
- ctrl->val = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
+ ctrl->val = hfi_bufreq_get_count_min(&bufreq, ver);
break;
default:
return -EINVAL;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 368/482] media: venus: Fix OOB read due to missing payload bound check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 367/482] media: venus: Introduce accessors for remapped hfi_buffer_reqs members Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 369/482] usb: musb: omap2430: Convert to platform remove callback returning void Greg Kroah-Hartman
` (122 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vedang Nagar, Vikash Garodia,
Bryan ODonoghue, Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vedang Nagar <quic_vnagar@quicinc.com>
[ Upstream commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 ]
Currently, The event_seq_changed() handler processes a variable number
of properties sent by the firmware. The number of properties is indicated
by the firmware and used to iterate over the payload. However, the
payload size is not being validated against the actual message length.
This can lead to out-of-bounds memory access if the firmware provides a
property count that exceeds the data available in the payload. Such a
condition can result in kernel crashes or potential information leaks if
memory beyond the buffer is accessed.
Fix this by properly validating the remaining size of the payload before
each property access and updating bounds accordingly as properties are
parsed.
This ensures that property parsing is safely bounded within the received
message buffer and protects against malformed or malicious firmware
behavior.
Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Cc: stable@vger.kernel.org
Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_msgs.c | 83 ++++++++++++++++++---------
1 file changed, 58 insertions(+), 25 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
+++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven
struct hfi_buffer_requirements *bufreq;
struct hfi_extradata_input_crop *crop;
struct hfi_dpb_counts *dpb_count;
+ u32 ptype, rem_bytes;
+ u32 size_read = 0;
u8 *data_ptr;
- u32 ptype;
inst->error = HFI_ERR_NONE;
@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven
break;
default:
inst->error = HFI_ERR_SESSION_INVALID_PARAMETER;
- goto done;
+ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
+ return;
}
event.event_type = pkt->event_data1;
num_properties_changed = pkt->event_data2;
- if (!num_properties_changed) {
- inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
- goto done;
- }
+ if (!num_properties_changed)
+ goto error;
data_ptr = (u8 *)&pkt->ext_event_data[0];
+ rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt);
+
do {
+ if (rem_bytes < sizeof(u32))
+ goto error;
ptype = *((u32 *)data_ptr);
+
+ data_ptr += sizeof(u32);
+ rem_bytes -= sizeof(u32);
+
switch (ptype) {
case HFI_PROPERTY_PARAM_FRAME_SIZE:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_framesize))
+ goto error;
+
frame_sz = (struct hfi_framesize *)data_ptr;
event.width = frame_sz->width;
event.height = frame_sz->height;
- data_ptr += sizeof(*frame_sz);
+ size_read = sizeof(struct hfi_framesize);
break;
case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_profile_level))
+ goto error;
+
profile_level = (struct hfi_profile_level *)data_ptr;
event.profile = profile_level->profile;
event.level = profile_level->level;
- data_ptr += sizeof(*profile_level);
+ size_read = sizeof(struct hfi_profile_level);
break;
case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_bit_depth))
+ goto error;
+
pixel_depth = (struct hfi_bit_depth *)data_ptr;
event.bit_depth = pixel_depth->bit_depth;
- data_ptr += sizeof(*pixel_depth);
+ size_read = sizeof(struct hfi_bit_depth);
break;
case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_pic_struct))
+ goto error;
+
pic_struct = (struct hfi_pic_struct *)data_ptr;
event.pic_struct = pic_struct->progressive_only;
- data_ptr += sizeof(*pic_struct);
+ size_read = sizeof(struct hfi_pic_struct);
break;
case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_colour_space))
+ goto error;
+
colour_info = (struct hfi_colour_space *)data_ptr;
event.colour_space = colour_info->colour_space;
- data_ptr += sizeof(*colour_info);
+ size_read = sizeof(struct hfi_colour_space);
break;
case HFI_PROPERTY_CONFIG_VDEC_ENTROPY:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(u32))
+ goto error;
+
event.entropy_mode = *(u32 *)data_ptr;
- data_ptr += sizeof(u32);
+ size_read = sizeof(u32);
break;
case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_buffer_requirements))
+ goto error;
+
bufreq = (struct hfi_buffer_requirements *)data_ptr;
event.buf_count = hfi_bufreq_get_count_min(bufreq, ver);
- data_ptr += sizeof(*bufreq);
+ size_read = sizeof(struct hfi_buffer_requirements);
break;
case HFI_INDEX_EXTRADATA_INPUT_CROP:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_extradata_input_crop))
+ goto error;
+
crop = (struct hfi_extradata_input_crop *)data_ptr;
event.input_crop.left = crop->left;
event.input_crop.top = crop->top;
event.input_crop.width = crop->width;
event.input_crop.height = crop->height;
- data_ptr += sizeof(*crop);
+ size_read = sizeof(struct hfi_extradata_input_crop);
break;
case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS:
- data_ptr += sizeof(u32);
+ if (rem_bytes < sizeof(struct hfi_dpb_counts))
+ goto error;
+
dpb_count = (struct hfi_dpb_counts *)data_ptr;
event.buf_count = dpb_count->fw_min_cnt;
- data_ptr += sizeof(*dpb_count);
+ size_read = sizeof(struct hfi_dpb_counts);
break;
default:
+ size_read = 0;
break;
}
+ data_ptr += size_read;
+ rem_bytes -= size_read;
num_properties_changed--;
} while (num_properties_changed > 0);
-done:
+ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
+ return;
+
+error:
+ inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 369/482] usb: musb: omap2430: Convert to platform remove callback returning void
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 368/482] media: venus: Fix OOB read due to missing payload bound check Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 370/482] usb: musb: omap2430: fix device leak at unbind Greg Kroah-Hartman
` (121 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/omap2430.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -471,14 +471,12 @@ err0:
return ret;
}
-static int omap2430_remove(struct platform_device *pdev)
+static void omap2430_remove(struct platform_device *pdev)
{
struct omap2430_glue *glue = platform_get_drvdata(pdev);
platform_device_unregister(glue->musb);
pm_runtime_disable(glue->dev);
-
- return 0;
}
#ifdef CONFIG_PM
@@ -610,7 +608,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
static struct platform_driver omap2430_driver = {
.probe = omap2430_probe,
- .remove = omap2430_remove,
+ .remove_new = omap2430_remove,
.driver = {
.name = "musb-omap2430",
.pm = DEV_PM_OPS,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 370/482] usb: musb: omap2430: fix device leak at unbind
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 369/482] usb: musb: omap2430: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 371/482] platform/chrome: cros_ec: Use per-device lockdep key Greg Kroah-Hartman
` (120 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roger Quadros, Johan Hovold,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
Make sure to drop the reference to the control device taken by
of_find_device_by_node() during probe when the driver is unbound.
Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
Cc: stable@vger.kernel.org # 3.13
Cc: Roger Quadros <rogerq@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/omap2430.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -400,7 +400,7 @@ static int omap2430_probe(struct platfor
ret = platform_device_add_resources(musb, pdev->resource, pdev->num_resources);
if (ret) {
dev_err(&pdev->dev, "failed to add resources\n");
- goto err2;
+ goto err_put_control_otghs;
}
if (populate_irqs) {
@@ -413,7 +413,7 @@ static int omap2430_probe(struct platfor
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
if (!res) {
ret = -EINVAL;
- goto err2;
+ goto err_put_control_otghs;
}
musb_res[i].start = res->start;
@@ -441,14 +441,14 @@ static int omap2430_probe(struct platfor
ret = platform_device_add_resources(musb, musb_res, i);
if (ret) {
dev_err(&pdev->dev, "failed to add IRQ resources\n");
- goto err2;
+ goto err_put_control_otghs;
}
}
ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
if (ret) {
dev_err(&pdev->dev, "failed to add platform_data\n");
- goto err2;
+ goto err_put_control_otghs;
}
pm_runtime_enable(glue->dev);
@@ -463,7 +463,9 @@ static int omap2430_probe(struct platfor
err3:
pm_runtime_disable(glue->dev);
-
+err_put_control_otghs:
+ if (!IS_ERR(glue->control_otghs))
+ put_device(glue->control_otghs);
err2:
platform_device_put(musb);
@@ -477,6 +479,8 @@ static void omap2430_remove(struct platf
platform_device_unregister(glue->musb);
pm_runtime_disable(glue->dev);
+ if (!IS_ERR(glue->control_otghs))
+ put_device(glue->control_otghs);
}
#ifdef CONFIG_PM
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 371/482] platform/chrome: cros_ec: Use per-device lockdep key
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 370/482] usb: musb: omap2430: fix device leak at unbind Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 372/482] platform/chrome: cros_ec: remove unneeded label and if-condition Greg Kroah-Hartman
` (119 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, Tzung-Bi Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ]
Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to
the following lock sequences:
1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock)
2. lock(&ec_dev->lock); lock(prepare_lock);
The actual dependency chains are much longer. The shortened version
looks somewhat like:
1. cros-ec-rpmsg on mtk-scp
ec_dev->lock -> prepare_lock
2. In rt5682_i2c_probe() on native I2C bus:
prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock
3. In rt5682_i2c_probe() on native I2C bus:
regmap->lock -> i2c_adapter->bus_lock
4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec:
i2c_adapter->bus_lock -> ec_dev->lock
While lockdep is correct that the shared lockdep classes have a circular
dependency, it is bogus because
a) 2+3 happen on a native I2C bus
b) 4 happens on the actual EC on ChromeOS devices
c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just
happens to expose a cros-ec interface, but does not have an
i2c-cros-ec-tunnel I2C bus
In short, the "dependencies" are actually on different devices.
Setup a per-device lockdep key for cros_ec devices so lockdep can tell
the two instances apart. This helps with getting rid of the bogus
lockdep warning. For ChromeOS devices that only have one cros-ec
instance this doesn't change anything.
Also add a missing mutex_destroy, just to make the teardown complete.
[1] This is likely the per I2C bus lock with shared lockdep class
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org
Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 14 +++++++++++---
include/linux/platform_data/cros_ec_proto.h | 4 ++++
2 files changed, 15 insertions(+), 3 deletions(-)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -198,12 +198,14 @@ int cros_ec_register(struct cros_ec_devi
if (!ec_dev->dout)
return -ENOMEM;
+ lockdep_register_key(&ec_dev->lockdep_key);
mutex_init(&ec_dev->lock);
+ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key);
err = cros_ec_query_all(ec_dev);
if (err) {
dev_err(dev, "Cannot identify the EC: error %d\n", err);
- return err;
+ goto destroy_mutex;
}
if (ec_dev->irq > 0) {
@@ -215,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi
if (err) {
dev_err(dev, "Failed to request IRQ %d: %d\n",
ec_dev->irq, err);
- return err;
+ goto destroy_mutex;
}
}
@@ -226,7 +228,8 @@ int cros_ec_register(struct cros_ec_devi
if (IS_ERR(ec_dev->ec)) {
dev_err(ec_dev->dev,
"Failed to create CrOS EC platform device\n");
- return PTR_ERR(ec_dev->ec);
+ err = PTR_ERR(ec_dev->ec);
+ goto destroy_mutex;
}
if (ec_dev->max_passthru) {
@@ -292,6 +295,9 @@ int cros_ec_register(struct cros_ec_devi
exit:
platform_device_unregister(ec_dev->ec);
platform_device_unregister(ec_dev->pd);
+destroy_mutex:
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
return err;
}
EXPORT_SYMBOL(cros_ec_register);
@@ -309,6 +315,8 @@ void cros_ec_unregister(struct cros_ec_d
if (ec_dev->pd)
platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
}
EXPORT_SYMBOL(cros_ec_unregister);
--- a/include/linux/platform_data/cros_ec_proto.h
+++ b/include/linux/platform_data/cros_ec_proto.h
@@ -9,6 +9,7 @@
#define __LINUX_CROS_EC_PROTO_H
#include <linux/device.h>
+#include <linux/lockdep_types.h>
#include <linux/mutex.h>
#include <linux/notifier.h>
@@ -116,6 +117,8 @@ struct cros_ec_command {
* command. The caller should check msg.result for the EC's result
* code.
* @pkt_xfer: Send packet to EC and get response.
+ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is
+ * not enabled.
* @lock: One transaction at a time.
* @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is
* the maximum supported version of the MKBP host event
@@ -160,6 +163,7 @@ struct cros_ec_device {
struct cros_ec_command *msg);
int (*pkt_xfer)(struct cros_ec_device *ec,
struct cros_ec_command *msg);
+ struct lock_class_key lockdep_key;
struct mutex lock;
u8 mkbp_event_supported;
bool host_sleep_v1;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 372/482] platform/chrome: cros_ec: remove unneeded label and if-condition
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 371/482] platform/chrome: cros_ec: Use per-device lockdep key Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 373/482] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Greg Kroah-Hartman
` (118 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih, Guenter Roeck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ]
Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the
beginning of cros_ec_register(). Also, platform_device_unregister()
takes care if the given platform_device is NULL.
Remove the unneeded goto-label and if-condition.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org
Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -205,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi
err = cros_ec_query_all(ec_dev);
if (err) {
dev_err(dev, "Cannot identify the EC: error %d\n", err);
- goto destroy_mutex;
+ goto exit;
}
if (ec_dev->irq > 0) {
@@ -217,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi
if (err) {
dev_err(dev, "Failed to request IRQ %d: %d\n",
ec_dev->irq, err);
- goto destroy_mutex;
+ goto exit;
}
}
@@ -229,7 +229,7 @@ int cros_ec_register(struct cros_ec_devi
dev_err(ec_dev->dev,
"Failed to create CrOS EC platform device\n");
err = PTR_ERR(ec_dev->ec);
- goto destroy_mutex;
+ goto exit;
}
if (ec_dev->max_passthru) {
@@ -295,7 +295,6 @@ int cros_ec_register(struct cros_ec_devi
exit:
platform_device_unregister(ec_dev->ec);
platform_device_unregister(ec_dev->pd);
-destroy_mutex:
mutex_destroy(&ec_dev->lock);
lockdep_unregister_key(&ec_dev->lockdep_key);
return err;
@@ -312,8 +311,7 @@ EXPORT_SYMBOL(cros_ec_register);
*/
void cros_ec_unregister(struct cros_ec_device *ec_dev)
{
- if (ec_dev->pd)
- platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
mutex_destroy(&ec_dev->lock);
lockdep_unregister_key(&ec_dev->lockdep_key);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 373/482] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 372/482] platform/chrome: cros_ec: remove unneeded label and if-condition Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 374/482] usb: dwc3: imx8mp: fix device leak at unbind Greg Kroah-Hartman
` (117 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benson Leung, Tzung-Bi Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ]
The blocking notifier is registered in cros_ec_register(); however, it
isn't unregistered in cros_ec_unregister().
Fix it.
Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW")
Cc: stable@vger.kernel.org
Reviewed-by: Benson Leung <bleung@chromium.org>
Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -311,6 +311,9 @@ EXPORT_SYMBOL(cros_ec_register);
*/
void cros_ec_unregister(struct cros_ec_device *ec_dev)
{
+ if (ec_dev->mkbp_event_supported)
+ blocking_notifier_chain_unregister(&ec_dev->event_notifier,
+ &ec_dev->notifier_ready);
platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
mutex_destroy(&ec_dev->lock);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 374/482] usb: dwc3: imx8mp: fix device leak at unbind
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 373/482] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 375/482] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Greg Kroah-Hartman
` (116 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Jun, Johan Hovold, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ]
Make sure to drop the reference to the dwc3 device taken by
of_find_device_by_node() on probe errors and on driver unbind.
Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver")
Cc: stable@vger.kernel.org # 5.12
Cc: Li Jun <jun.li@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/dwc3-imx8mp.c
+++ b/drivers/usb/dwc3/dwc3-imx8mp.c
@@ -243,7 +243,7 @@ static int dwc3_imx8mp_probe(struct plat
IRQF_ONESHOT, dev_name(dev), dwc3_imx);
if (err) {
dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
- goto depopulate;
+ goto put_dwc3;
}
device_set_wakeup_capable(dev, true);
@@ -251,6 +251,8 @@ static int dwc3_imx8mp_probe(struct plat
return 0;
+put_dwc3:
+ put_device(&dwc3_imx->dwc3->dev);
depopulate:
of_platform_depopulate(dev);
err_node_put:
@@ -271,6 +273,8 @@ static int dwc3_imx8mp_remove(struct pla
struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev);
struct device *dev = &pdev->dev;
+ put_device(&dwc3_imx->dwc3->dev);
+
pm_runtime_get_sync(dev);
of_platform_depopulate(dev);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 375/482] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 374/482] usb: dwc3: imx8mp: fix device leak at unbind Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 376/482] btrfs: populate otime when logging an inode item Greg Kroah-Hartman
` (115 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Hannes Reinecke,
Niklas Cassel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
Improve the description of the possible default SATA link power
management policies and add the missing description for policy 5.
No functional changes.
Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/Kconfig | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
--- a/drivers/ata/Kconfig
+++ b/drivers/ata/Kconfig
@@ -117,7 +117,7 @@ config SATA_AHCI
config SATA_MOBILE_LPM_POLICY
int "Default SATA Link Power Management policy for low power chipsets"
- range 0 4
+ range 0 5
default 0
depends on SATA_AHCI
help
@@ -126,15 +126,32 @@ config SATA_MOBILE_LPM_POLICY
chipsets are typically found on most laptops but desktops and
servers now also widely use chipsets supporting low power modes.
- The value set has the following meanings:
+ Each policy combines power saving states and features:
+ - Partial: The Phy logic is powered but is in a reduced power
+ state. The exit latency from this state is no longer than
+ 10us).
+ - Slumber: The Phy logic is powered but is in an even lower power
+ state. The exit latency from this state is potentially
+ longer, but no longer than 10ms.
+ - DevSleep: The Phy logic may be powered down. The exit latency from
+ this state is no longer than 20 ms, unless otherwise
+ specified by DETO in the device Identify Device Data log.
+ - HIPM: Host Initiated Power Management (host automatically
+ transitions to partial and slumber).
+ - DIPM: Device Initiated Power Management (device automatically
+ transitions to partial and slumber).
+
+ The possible values for the default SATA link power management
+ policies are:
0 => Keep firmware settings
- 1 => Maximum performance
- 2 => Medium power
- 3 => Medium power with Device Initiated PM enabled
- 4 => Minimum power
+ 1 => No power savings (maximum performance)
+ 2 => HIPM (Partial)
+ 3 => HIPM (Partial) and DIPM (Partial and Slumber)
+ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
+ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
- Note "Minimum power" is known to cause issues, including disk
- corruption, with some disks and should not be used.
+ Excluding the value 0, higher values represent policies with higher
+ power savings.
config SATA_AHCI_PLATFORM
tristate "Platform AHCI SATA support"
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 376/482] btrfs: populate otime when logging an inode item
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 375/482] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 377/482] tls: separate no-async decryption request handling from async Greg Kroah-Hartman
` (114 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ]
[TEST FAILURE WITH EXPERIMENTAL FEATURES]
When running test case generic/508, the test case will fail with the new
btrfs shutdown support:
generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad)
# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930
# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930
# @@ -1,2 +1,6 @@
# QA output created by 508
# Silence is golden
# +Before:
# +After : stat.btime = Thu Jan 1 09:30:00 1970
# +Before:
# +After : stat.btime = Wed Jul 2 14:53:22 2025
# ...
# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff)
Ran: generic/508
Failures: generic/508
Failed 1 of 1 tests
Please note that the test case requires shutdown support, thus the test
case will be skipped using the current upstream kernel, as it doesn't
have shutdown ioctl support.
[CAUSE]
The direct cause the 0 time stamp in the log tree:
leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG
leaf 30507008 flags 0x1(WRITTEN) backref revision 1
checksum stored e522548d
checksum calced e522548d
fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 9 transid 9 size 0 nbytes 0
block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
sequence 1 flags 0x0(none)
atime 1751432947.492000000 (2025-07-02 14:39:07)
ctime 1751432947.492000000 (2025-07-02 14:39:07)
mtime 1751432947.492000000 (2025-07-02 14:39:07)
otime 0.0 (1970-01-01 09:30:00) <<<
But the old fs tree has all the correct time stamp:
btrfs-progs v6.12
fs tree key (FS_TREE ROOT_ITEM 0)
leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE
leaf 30425088 flags 0x1(WRITTEN) backref revision 1
checksum stored 48f6c57e
checksum calced 48f6c57e
fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 3 transid 0 size 0 nbytes 16384
block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
sequence 0 flags 0x0(none)
atime 1751432947.0 (2025-07-02 14:39:07)
ctime 1751432947.0 (2025-07-02 14:39:07)
mtime 1751432947.0 (2025-07-02 14:39:07)
otime 1751432947.0 (2025-07-02 14:39:07) <<<
The root cause is that fill_inode_item() in tree-log.c is only
populating a/c/m time, not the otime (or btime in statx output).
Part of the reason is that, the vfs inode only has a/c/m time, no native
btime support yet.
[FIX]
Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and
btrfs_inode::i_otime_nsec.
So what we really need is just fill the otime time stamp in
fill_inode_item() of tree-log.c
There is another fill_inode_item() in inode.c, which is doing the proper
otime population.
Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing")
CC: stable@vger.kernel.org
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ timespec changes in older tree ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4210,6 +4210,11 @@ static void fill_inode_item(struct btrfs
btrfs_set_token_timespec_nsec(&token, &item->ctime,
inode->i_ctime.tv_nsec);
+ btrfs_set_token_timespec_sec(&token, &item->otime,
+ BTRFS_I(inode)->i_otime.tv_sec);
+ btrfs_set_token_timespec_nsec(&token, &item->otime,
+ BTRFS_I(inode)->i_otime.tv_nsec);
+
/*
* We do not need to set the nbytes field, in fact during a fast fsync
* its value may not even be correct, since a fast fsync does not wait
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 377/482] tls: separate no-async decryption request handling from async
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 376/482] btrfs: populate otime when logging an inode item Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 378/482] crypto: qat - fix ring to service map for QAT GEN4 Greg Kroah-Hartman
` (113 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Jakub Kicinski,
William Liu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
commit 41532b785e9d79636b3815a64ddf6a096647d011 upstream.
If we're not doing async, the handling is much simpler. There's no
reference counting, we just need to wait for the completion to wake us
up and return its result.
We should preferably also use a separate crypto_wait. I'm not seeing a
UAF as I did in the past, I think aec7961916f3 ("tls: fix race between
async notify and socket close") took care of it.
This will make the next fix easier.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://lore.kernel.org/r/47bde5f649707610eaef9f0d679519966fc31061.1709132643.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ William: The original patch did not apply cleanly due to deletions of
non-existent lines in 6.1.y. The UAF the author stopped seeing can still
be reproduced on systems without AVX in conjunction with cryptd.
Also removed an extraneous statement after a return statement that is
adjacent to diff. ]
Link: https://lore.kernel.org/netdev/he2K1yz_u7bZ-CnYcTSQ4OxuLuHZXN6xZRgp6_ICSWnq8J5FpI_uD1i_1lTSf7WMrYb5ThiX1OR2GTOB2IltgT49Koy7Hhutr4du4KtLvyk=@willsroot.io/
Signed-off-by: William Liu <will@willsroot.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tls/tls_sw.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -274,9 +274,15 @@ static int tls_do_decryption(struct sock
DEBUG_NET_WARN_ON_ONCE(atomic_read(&ctx->decrypt_pending) < 1);
atomic_inc(&ctx->decrypt_pending);
} else {
+ DECLARE_CRYPTO_WAIT(wait);
+
aead_request_set_callback(aead_req,
CRYPTO_TFM_REQ_MAY_BACKLOG,
- crypto_req_done, &ctx->async_wait);
+ crypto_req_done, &wait);
+ ret = crypto_aead_decrypt(aead_req);
+ if (ret == -EINPROGRESS || ret == -EBUSY)
+ ret = crypto_wait_req(ret, &wait);
+ return ret;
}
ret = crypto_aead_decrypt(aead_req);
@@ -289,7 +295,6 @@ static int tls_do_decryption(struct sock
/* all completions have run, we're not doing async anymore */
darg->async = false;
return ret;
- ret = ret ?: -EINPROGRESS;
}
atomic_dec(&ctx->decrypt_pending);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 378/482] crypto: qat - fix ring to service map for QAT GEN4
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 377/482] tls: separate no-async decryption request handling from async Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 379/482] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register Greg Kroah-Hartman
` (112 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu, Damian Muszynski,
Tero Kristo, Herbert Xu, Ahsan Atta
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
commit a238487f7965d102794ed9f8aff0b667cd2ae886 upstream.
The 4xxx drivers hardcode the ring to service mapping. However, when
additional configurations where added to the driver, the mappings were
not updated. This implies that an incorrect mapping might be reported
through pfvf for certain configurations.
Add an algorithm that computes the correct ring to service mapping based
on the firmware loaded on the device.
Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
Reviewed-by: Tero Kristo <tero.kristo@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[Giovanni: backport to 6.1.y, conflict resolved simplifying the logic
in the function get_ring_to_svc_map() as the QAT driver in v6.1 supports
only limited configurations (crypto only and compression). Differs from
upstream as the ring to service mapping is hardcoded rather than being
dynamically computed.]
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Tested-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 +++++++++++++
drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 +
drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 ++++++
drivers/crypto/qat/qat_common/adf_init.c | 3 +++
4 files changed, 23 insertions(+)
--- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c
+++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c
@@ -297,6 +297,18 @@ static char *uof_get_name(struct adf_acc
return NULL;
}
+static u16 get_ring_to_svc_map(struct adf_accel_dev *accel_dev)
+{
+ switch (get_service_enabled(accel_dev)) {
+ case SVC_CY:
+ return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP;
+ case SVC_DC:
+ return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC;
+ }
+
+ return 0;
+}
+
static u32 uof_get_ae_mask(struct adf_accel_dev *accel_dev, u32 obj_num)
{
switch (get_service_enabled(accel_dev)) {
@@ -353,6 +365,7 @@ void adf_init_hw_data_4xxx(struct adf_hw
hw_data->uof_get_ae_mask = uof_get_ae_mask;
hw_data->set_msix_rttable = set_msix_default_rttable;
hw_data->set_ssm_wdtimer = adf_gen4_set_ssm_wdtimer;
+ hw_data->get_ring_to_svc_map = get_ring_to_svc_map;
hw_data->disable_iov = adf_disable_sriov;
hw_data->ring_pair_reset = adf_gen4_ring_pair_reset;
hw_data->enable_pm = adf_gen4_enable_pm;
--- a/drivers/crypto/qat/qat_common/adf_accel_devices.h
+++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h
@@ -176,6 +176,7 @@ struct adf_hw_device_data {
void (*get_arb_info)(struct arb_info *arb_csrs_info);
void (*get_admin_info)(struct admin_info *admin_csrs_info);
enum dev_sku_info (*get_sku)(struct adf_hw_device_data *self);
+ u16 (*get_ring_to_svc_map)(struct adf_accel_dev *accel_dev);
int (*alloc_irq)(struct adf_accel_dev *accel_dev);
void (*free_irq)(struct adf_accel_dev *accel_dev);
void (*enable_error_correction)(struct adf_accel_dev *accel_dev);
--- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h
+++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h
@@ -95,6 +95,12 @@ do { \
ADF_RING_BUNDLE_SIZE * (bank) + \
ADF_RING_CSR_RING_SRV_ARB_EN, (value))
+#define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC \
+ (COMP << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \
+ COMP << ADF_CFG_SERV_RING_PAIR_1_SHIFT | \
+ COMP << ADF_CFG_SERV_RING_PAIR_2_SHIFT | \
+ COMP << ADF_CFG_SERV_RING_PAIR_3_SHIFT)
+
/* Default ring mapping */
#define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP \
(ASYM << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \
--- a/drivers/crypto/qat/qat_common/adf_init.c
+++ b/drivers/crypto/qat/qat_common/adf_init.c
@@ -95,6 +95,9 @@ int adf_dev_init(struct adf_accel_dev *a
return -EFAULT;
}
+ if (hw_data->get_ring_to_svc_map)
+ hw_data->ring_to_svc_map = hw_data->get_ring_to_svc_map(accel_dev);
+
if (adf_ae_init(accel_dev)) {
dev_err(&GET_DEV(accel_dev),
"Failed to initialise Acceleration Engine\n");
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 379/482] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 378/482] crypto: qat - fix ring to service map for QAT GEN4 Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 380/482] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Greg Kroah-Hartman
` (111 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nianyao Tang, Catalin Marinas,
Patrick Roy
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nianyao Tang <tangnianyao@huawei.com>
commit e8cde32f111f7f5681a7bad3ec747e9e697569a9 upstream.
Enable ECBHB bits in ID_AA64MMFR1 register as per ARM DDI 0487K.a
specification.
When guest OS read ID_AA64MMFR1_EL1, kvm emulate this reg using
ftr_id_aa64mmfr1 and always return ID_AA64MMFR1_EL1.ECBHB=0 to guest.
It results in guest syscall jump to tramp ventry, which is not needed
in implementation with ID_AA64MMFR1_EL1.ECBHB=1.
Let's make the guest syscall process the same as the host.
Signed-off-by: Nianyao Tang <tangnianyao@huawei.com>
Link: https://lore.kernel.org/r/20240611122049.2758600-1-tangnianyao@huawei.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Patrick Roy <roypat@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/cpufeature.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -343,6 +343,7 @@ static const struct arm64_ftr_bits ftr_i
};
static const struct arm64_ftr_bits ftr_id_aa64mmfr1[] = {
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_ECBHB_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_TIDCP1_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_AFP_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_ETS_SHIFT, 4, 0),
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 380/482] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 379/482] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 381/482] mptcp: make fallback action and fallback decision atomic Greg Kroah-Hartman
` (110 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f1fb088d9cecde5c3066d8ff8846789667519b7d upstream.
Take irqfds.lock when adding/deleting an IRQ bypass producer to ensure
irqfd->producer isn't modified while kvm_irq_routing_update() is running.
The only lock held when a producer is added/removed is irqbypass's mutex.
Fixes: 872768800652 ("KVM: x86: select IRQ_BYPASS_MANAGER")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250404193923.1413163-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[sean: account for lack of kvm_x86_call()]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -13387,16 +13387,22 @@ int kvm_arch_irq_bypass_add_producer(str
{
struct kvm_kernel_irqfd *irqfd =
container_of(cons, struct kvm_kernel_irqfd, consumer);
+ struct kvm *kvm = irqfd->kvm;
int ret;
- irqfd->producer = prod;
kvm_arch_start_assignment(irqfd->kvm);
+
+ spin_lock_irq(&kvm->irqfds.lock);
+ irqfd->producer = prod;
+
ret = static_call(kvm_x86_pi_update_irte)(irqfd->kvm,
prod->irq, irqfd->gsi, 1);
-
if (ret)
kvm_arch_end_assignment(irqfd->kvm);
+ spin_unlock_irq(&kvm->irqfds.lock);
+
+
return ret;
}
@@ -13406,9 +13412,9 @@ void kvm_arch_irq_bypass_del_producer(st
int ret;
struct kvm_kernel_irqfd *irqfd =
container_of(cons, struct kvm_kernel_irqfd, consumer);
+ struct kvm *kvm = irqfd->kvm;
WARN_ON(irqfd->producer != prod);
- irqfd->producer = NULL;
/*
* When producer of consumer is unregistered, we change back to
@@ -13416,11 +13422,18 @@ void kvm_arch_irq_bypass_del_producer(st
* when the irq is masked/disabled or the consumer side (KVM
* int this case doesn't want to receive the interrupts.
*/
+ spin_lock_irq(&kvm->irqfds.lock);
+ irqfd->producer = NULL;
+
+
ret = static_call(kvm_x86_pi_update_irte)(irqfd->kvm, prod->irq, irqfd->gsi, 0);
if (ret)
printk(KERN_INFO "irq bypass consumer (token %p) unregistration"
" fails: %d\n", irqfd->consumer.token, ret);
+ spin_unlock_irq(&kvm->irqfds.lock);
+
+
kvm_arch_end_assignment(irqfd->kvm);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 381/482] mptcp: make fallback action and fallback decision atomic
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 380/482] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 382/482] mptcp: plug races between subflow fail and subflow creation Greg Kroah-Hartman
` (109 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts,
syzbot+5cf807c20386d699b524, Paolo Abeni, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit f8a1d9b18c5efc76784f5a326e905f641f839894 upstream.
Syzkaller reported the following splat:
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Modules linked in:
CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00
RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45
RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001
RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000
FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:469 [inline]
ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
__netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
__netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
process_backlog+0x301/0x1360 net/core/dev.c:6440
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
napi_poll net/core/dev.c:7517 [inline]
net_rx_action+0xb44/0x1010 net/core/dev.c:7644
handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
do_softirq+0x3f/0x90 kernel/softirq.c:480
</IRQ>
<TASK>
__local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
__mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
inet_release+0xed/0x200 net/ipv4/af_inet.c:435
inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xd4/0xe0 kernel/entry/common.c:114
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x245/0x360 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc92f8a36ad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf52802d8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffcf52803a8 RCX: 00007fc92f8a36ad
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fc92fae7ba0 R08: 0000000000000001 R09: 0000002800000000
R10: 00007fc92f700000 R11: 0000000000000246 R12: 00007fc92fae5fac
R13: 00007fc92fae5fa0 R14: 0000000000026d00 R15: 0000000000026c51
</TASK>
irq event stamp: 4068
hardirqs last enabled at (4076): [<ffffffff81544816>] __up_console_sem+0x76/0x80 kernel/printk/printk.c:344
hardirqs last disabled at (4085): [<ffffffff815447fb>] __up_console_sem+0x5b/0x80 kernel/printk/printk.c:342
softirqs last enabled at (3096): [<ffffffff840e1be0>] local_bh_enable include/linux/bottom_half.h:33 [inline]
softirqs last enabled at (3096): [<ffffffff840e1be0>] inet_csk_listen_stop+0x2c0/0x1070 net/ipv4/inet_connection_sock.c:1524
softirqs last disabled at (3097): [<ffffffff813b6b9f>] do_softirq+0x3f/0x90 kernel/softirq.c:480
Since we need to track the 'fallback is possible' condition and the
fallback status separately, there are a few possible races open between
the check and the actual fallback action.
Add a spinlock to protect the fallback related information and use it
close all the possible related races. While at it also remove the
too-early clearing of allow_infinite_fallback in __mptcp_subflow_connect():
the field will be correctly cleared by subflow_finish_connect() if/when
the connection will complete successfully.
If fallback is not possible, as per RFC, reset the current subflow.
Since the fallback operation can now fail and return value should be
checked, rename the helper accordingly.
Fixes: 0530020a7c8f ("mptcp: track and update contiguous data status")
Cc: stable@vger.kernel.org
Reported-by: Matthieu Baerts <matttbe@kernel.org>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/570
Reported-by: syzbot+5cf807c20386d699b524@syzkaller.appspotmail.com
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/555
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-1-391aff963322@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in protocol.h, because commit 6ebf6f90ab4a ("mptcp: add
mptcpi_subflows_total counter") is not in this version, and this
causes conflicts in the context. Commit 65b02260a0e0 ("mptcp: export
mptcp_subflow_early_fallback()") is also not in this version, and
moves code from protocol.c to protocol.h, but the modification can
still apply there. Conflicts in protocol.c because commit ee2708aedad0
("mptcp: use get_retrans wrapper") is not in this version and refactor
the code in __mptcp_retrans(), but the modification can still be
applied, just not at the same indentation level. There were other
conflicts in the context due to commit 8005184fd1ca ("mptcp: refactor
sndbuf auto-tuning"), commit b3ea6b272d79 ("mptcp: consolidate initial
ack seq generation"), and commit 013e3179dbd2 ("mptcp: fix rcv space
initialization") that are not in this version. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 3 ++-
net/mptcp/protocol.c | 39 +++++++++++++++++++++++++++++++++------
net/mptcp/protocol.h | 24 ++++++++++++++++++------
net/mptcp/subflow.c | 11 +++++------
4 files changed, 58 insertions(+), 19 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -973,8 +973,9 @@ static bool check_fully_established(stru
if (subflow->mp_join)
goto reset;
subflow->mp_capable = 0;
+ if (!mptcp_try_fallback(ssk))
+ goto reset;
pr_fallback(msk);
- mptcp_do_fallback(ssk);
return false;
}
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -633,10 +633,9 @@ static bool mptcp_check_data_fin(struct
static void mptcp_dss_corruption(struct mptcp_sock *msk, struct sock *ssk)
{
- if (READ_ONCE(msk->allow_infinite_fallback)) {
+ if (mptcp_try_fallback(ssk)) {
MPTCP_INC_STATS(sock_net(ssk),
MPTCP_MIB_DSSCORRUPTIONFALLBACK);
- mptcp_do_fallback(ssk);
} else {
MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSCORRUPTIONRESET);
mptcp_subflow_reset(ssk);
@@ -897,6 +896,14 @@ static bool __mptcp_finish_join(struct m
if (sk->sk_state != TCP_ESTABLISHED)
return false;
+ spin_lock_bh(&msk->fallback_lock);
+ if (__mptcp_check_fallback(msk)) {
+ spin_unlock_bh(&msk->fallback_lock);
+ return false;
+ }
+ mptcp_subflow_joined(msk, ssk);
+ spin_unlock_bh(&msk->fallback_lock);
+
/* attach to msk socket only after we are sure we will deal with it
* at close time
*/
@@ -904,7 +911,6 @@ static bool __mptcp_finish_join(struct m
mptcp_sock_graft(ssk, sk->sk_socket);
mptcp_sockopt_sync_locked(msk, ssk);
- mptcp_subflow_joined(msk, ssk);
mptcp_stop_tout_timer(sk);
return true;
}
@@ -1288,10 +1294,14 @@ static void mptcp_update_infinite_map(st
mpext->infinite_map = 1;
mpext->data_len = 0;
+ if (!mptcp_try_fallback(ssk)) {
+ mptcp_subflow_reset(ssk);
+ return;
+ }
+
MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_INFINITEMAPTX);
mptcp_subflow_ctx(ssk)->send_infinite_map = 0;
pr_fallback(msk);
- mptcp_do_fallback(ssk);
}
#define MPTCP_MAX_GSO_SIZE (GSO_LEGACY_MAX_SIZE - (MAX_TCP_HEADER + 1))
@@ -2638,8 +2648,8 @@ static void mptcp_check_fastclose(struct
static void __mptcp_retrans(struct sock *sk)
{
+ struct mptcp_sendmsg_info info = { .data_lock_held = true, };
struct mptcp_sock *msk = mptcp_sk(sk);
- struct mptcp_sendmsg_info info = {};
struct mptcp_data_frag *dfrag;
size_t copied = 0;
struct sock *ssk;
@@ -2675,6 +2685,15 @@ static void __mptcp_retrans(struct sock
/* limit retransmission to the bytes already sent on some subflows */
info.sent = 0;
info.limit = READ_ONCE(msk->csum_enabled) ? dfrag->data_len : dfrag->already_sent;
+
+ /* make the whole retrans decision, xmit, disallow fallback atomic */
+ spin_lock_bh(&msk->fallback_lock);
+ if (__mptcp_check_fallback(msk)) {
+ spin_unlock_bh(&msk->fallback_lock);
+ release_sock(ssk);
+ return;
+ }
+
while (info.sent < info.limit) {
ret = mptcp_sendmsg_frag(sk, ssk, dfrag, &info);
if (ret <= 0)
@@ -2690,6 +2709,7 @@ static void __mptcp_retrans(struct sock
info.size_goal);
WRITE_ONCE(msk->allow_infinite_fallback, false);
}
+ spin_unlock_bh(&msk->fallback_lock);
release_sock(ssk);
@@ -2819,6 +2839,7 @@ static int __mptcp_init_sock(struct sock
msk->recovery = false;
mptcp_pm_data_init(msk);
+ spin_lock_init(&msk->fallback_lock);
/* re-use the csk retrans timer for MPTCP-level retrans */
timer_setup(&msk->sk.icsk_retransmit_timer, mptcp_retransmit_timer, 0);
@@ -3651,7 +3672,13 @@ bool mptcp_finish_join(struct sock *ssk)
/* active subflow, already present inside the conn_list */
if (!list_empty(&subflow->node)) {
+ spin_lock_bh(&msk->fallback_lock);
+ if (__mptcp_check_fallback(msk)) {
+ spin_unlock_bh(&msk->fallback_lock);
+ return false;
+ }
mptcp_subflow_joined(msk, ssk);
+ spin_unlock_bh(&msk->fallback_lock);
return true;
}
@@ -3764,7 +3791,7 @@ static void mptcp_subflow_early_fallback
struct mptcp_subflow_context *subflow)
{
subflow->request_mptcp = 0;
- __mptcp_do_fallback(msk);
+ WARN_ON_ONCE(!__mptcp_try_fallback(msk));
}
static int mptcp_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -317,6 +317,10 @@ struct mptcp_sock {
u32 setsockopt_seq;
char ca_name[TCP_CA_NAME_MAX];
+
+ spinlock_t fallback_lock; /* protects fallback and
+ * allow_infinite_fallback
+ */
};
#define mptcp_data_lock(sk) spin_lock_bh(&(sk)->sk_lock.slock)
@@ -975,25 +979,32 @@ static inline bool mptcp_check_fallback(
return __mptcp_check_fallback(msk);
}
-static inline void __mptcp_do_fallback(struct mptcp_sock *msk)
+static inline bool __mptcp_try_fallback(struct mptcp_sock *msk)
{
if (test_bit(MPTCP_FALLBACK_DONE, &msk->flags)) {
pr_debug("TCP fallback already done (msk=%p)\n", msk);
- return;
+ return true;
}
- if (WARN_ON_ONCE(!READ_ONCE(msk->allow_infinite_fallback)))
- return;
+ spin_lock_bh(&msk->fallback_lock);
+ if (!msk->allow_infinite_fallback) {
+ spin_unlock_bh(&msk->fallback_lock);
+ return false;
+ }
+
set_bit(MPTCP_FALLBACK_DONE, &msk->flags);
+ spin_unlock_bh(&msk->fallback_lock);
+ return true;
}
-static inline void mptcp_do_fallback(struct sock *ssk)
+static inline bool mptcp_try_fallback(struct sock *ssk)
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
struct sock *sk = subflow->conn;
struct mptcp_sock *msk;
msk = mptcp_sk(sk);
- __mptcp_do_fallback(msk);
+ if (!__mptcp_try_fallback(msk))
+ return false;
if (READ_ONCE(msk->snd_data_fin_enable) && !(ssk->sk_shutdown & SEND_SHUTDOWN)) {
gfp_t saved_allocation = ssk->sk_allocation;
@@ -1005,6 +1016,7 @@ static inline void mptcp_do_fallback(str
tcp_shutdown(ssk, SEND_SHUTDOWN);
ssk->sk_allocation = saved_allocation;
}
+ return true;
}
#define pr_fallback(a) pr_debug("%s:fallback to TCP (msk=%p)\n", __func__, a)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -431,9 +431,11 @@ static void subflow_finish_connect(struc
mptcp_get_options(skb, &mp_opt);
if (subflow->request_mptcp) {
if (!(mp_opt.suboptions & OPTION_MPTCP_MPC_SYNACK)) {
+ if (!mptcp_try_fallback(sk))
+ goto do_reset;
+
MPTCP_INC_STATS(sock_net(sk),
MPTCP_MIB_MPCAPABLEACTIVEFALLBACK);
- mptcp_do_fallback(sk);
pr_fallback(mptcp_sk(subflow->conn));
goto fallback;
}
@@ -1269,7 +1271,7 @@ fallback:
return true;
}
- if (!READ_ONCE(msk->allow_infinite_fallback)) {
+ if (!mptcp_try_fallback(ssk)) {
/* fatal protocol error, close the socket.
* subflow_error_report() will introduce the appropriate barriers
*/
@@ -1285,8 +1287,6 @@ reset:
WRITE_ONCE(subflow->data_avail, MPTCP_SUBFLOW_NODATA);
return false;
}
-
- mptcp_do_fallback(ssk);
}
skb = skb_peek(&ssk->sk_receive_queue);
@@ -1519,7 +1519,6 @@ int __mptcp_subflow_connect(struct sock
/* discard the subflow socket */
mptcp_sock_graft(ssk, sk->sk_socket);
iput(SOCK_INODE(sf));
- WRITE_ONCE(msk->allow_infinite_fallback, false);
mptcp_stop_tout_timer(sk);
return 0;
@@ -1690,7 +1689,7 @@ static void subflow_state_change(struct
msk = mptcp_sk(parent);
if (subflow_simultaneous_connect(sk)) {
mptcp_propagate_sndbuf(parent, sk);
- mptcp_do_fallback(sk);
+ WARN_ON_ONCE(!mptcp_try_fallback(sk));
mptcp_rcv_space_init(msk, sk);
pr_fallback(msk);
subflow->conn_finished = 1;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 382/482] mptcp: plug races between subflow fail and subflow creation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 381/482] mptcp: make fallback action and fallback decision atomic Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 383/482] mptcp: reset fallback status gracefully at disconnect() time Greg Kroah-Hartman
` (108 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit def5b7b2643ebba696fc60ddf675dca13f073486 upstream.
We have races similar to the one addressed by the previous patch between
subflow failing and additional subflow creation. They are just harder to
trigger.
The solution is similar. Use a separate flag to track the condition
'socket state prevent any additional subflow creation' protected by the
fallback lock.
The socket fallback makes such flag true, and also receiving or sending
an MP_FAIL option.
The field 'allow_infinite_fallback' is now always touched under the
relevant lock, we can drop the ONCE annotation on write.
Fixes: 478d770008b0 ("mptcp: send out MP_FAIL when data checksum fails")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-2-391aff963322@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in subflow.c, because commit f1f26512a9bf ("mptcp: use plain
bool instead of custom binary enum") and commit 46a5d3abedbe
("mptcp: fix typos in comments") are not in this version. Both are
causing conflicts in the context, and the same modifications can still
be applied. Same in protocol.h with commit b8dc6d6ce931 ("mptcp: fix
rcv buffer auto-tuning"). Conflicts in protocol.c because commit
ee2708aedad0 ("mptcp: use get_retrans wrapper") is not in this version
and refactor the code in __mptcp_retrans(), but the modification can
still be applied, just not at the same indentation level. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 8 +++++++-
net/mptcp/protocol.c | 11 ++++++-----
net/mptcp/protocol.h | 7 +++++--
net/mptcp/subflow.c | 19 ++++++++++++++-----
4 files changed, 32 insertions(+), 13 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -309,8 +309,14 @@ void mptcp_pm_mp_fail_received(struct so
pr_debug("fail_seq=%llu\n", fail_seq);
- if (!READ_ONCE(msk->allow_infinite_fallback))
+ /* After accepting the fail, we can't create any other subflows */
+ spin_lock_bh(&msk->fallback_lock);
+ if (!msk->allow_infinite_fallback) {
+ spin_unlock_bh(&msk->fallback_lock);
return;
+ }
+ msk->allow_subflows = false;
+ spin_unlock_bh(&msk->fallback_lock);
if (!subflow->fail_tout) {
pr_debug("send MP_FAIL response and infinite map\n");
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -885,7 +885,7 @@ void mptcp_data_ready(struct sock *sk, s
static void mptcp_subflow_joined(struct mptcp_sock *msk, struct sock *ssk)
{
mptcp_subflow_ctx(ssk)->map_seq = READ_ONCE(msk->ack_seq);
- WRITE_ONCE(msk->allow_infinite_fallback, false);
+ msk->allow_infinite_fallback = false;
mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC);
}
@@ -897,7 +897,7 @@ static bool __mptcp_finish_join(struct m
return false;
spin_lock_bh(&msk->fallback_lock);
- if (__mptcp_check_fallback(msk)) {
+ if (!msk->allow_subflows) {
spin_unlock_bh(&msk->fallback_lock);
return false;
}
@@ -2707,7 +2707,7 @@ static void __mptcp_retrans(struct sock
dfrag->already_sent = max(dfrag->already_sent, info.sent);
tcp_push(ssk, 0, info.mss_now, tcp_sk(ssk)->nonagle,
info.size_goal);
- WRITE_ONCE(msk->allow_infinite_fallback, false);
+ msk->allow_infinite_fallback = false;
}
spin_unlock_bh(&msk->fallback_lock);
@@ -2835,7 +2835,8 @@ static int __mptcp_init_sock(struct sock
WRITE_ONCE(msk->first, NULL);
inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss;
WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk)));
- WRITE_ONCE(msk->allow_infinite_fallback, true);
+ msk->allow_infinite_fallback = true;
+ msk->allow_subflows = true;
msk->recovery = false;
mptcp_pm_data_init(msk);
@@ -3673,7 +3674,7 @@ bool mptcp_finish_join(struct sock *ssk)
/* active subflow, already present inside the conn_list */
if (!list_empty(&subflow->node)) {
spin_lock_bh(&msk->fallback_lock);
- if (__mptcp_check_fallback(msk)) {
+ if (!msk->allow_subflows) {
spin_unlock_bh(&msk->fallback_lock);
return false;
}
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -314,12 +314,14 @@ struct mptcp_sock {
u64 time; /* start time of measurement window */
u64 rtt_us; /* last maximum rtt of subflows */
} rcvq_space;
+ bool allow_subflows;
u32 setsockopt_seq;
char ca_name[TCP_CA_NAME_MAX];
- spinlock_t fallback_lock; /* protects fallback and
- * allow_infinite_fallback
+ spinlock_t fallback_lock; /* protects fallback,
+ * allow_infinite_fallback and
+ * allow_join
*/
};
@@ -991,6 +993,7 @@ static inline bool __mptcp_try_fallback(
return false;
}
+ msk->allow_subflows = false;
set_bit(MPTCP_FALLBACK_DONE, &msk->flags);
spin_unlock_bh(&msk->fallback_lock);
return true;
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1168,20 +1168,29 @@ static void subflow_sched_work_if_closed
mptcp_schedule_work(sk);
}
-static void mptcp_subflow_fail(struct mptcp_sock *msk, struct sock *ssk)
+static bool mptcp_subflow_fail(struct mptcp_sock *msk, struct sock *ssk)
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
unsigned long fail_tout;
+ /* we are really failing, prevent any later subflow join */
+ spin_lock_bh(&msk->fallback_lock);
+ if (!msk->allow_infinite_fallback) {
+ spin_unlock_bh(&msk->fallback_lock);
+ return false;
+ }
+ msk->allow_subflows = false;
+ spin_unlock_bh(&msk->fallback_lock);
+
/* greceful failure can happen only on the MPC subflow */
if (WARN_ON_ONCE(ssk != READ_ONCE(msk->first)))
- return;
+ return false;
/* since the close timeout take precedence on the fail one,
* no need to start the latter when the first is already set
*/
if (sock_flag((struct sock *)msk, SOCK_DEAD))
- return;
+ return true;
/* we don't need extreme accuracy here, use a zero fail_tout as special
* value meaning no fail timeout at all;
@@ -1193,6 +1202,7 @@ static void mptcp_subflow_fail(struct mp
tcp_send_ack(ssk);
mptcp_reset_tout_timer(msk, subflow->fail_tout);
+ return true;
}
static bool subflow_check_data_avail(struct sock *ssk)
@@ -1261,12 +1271,11 @@ fallback:
(subflow->mp_join || subflow->valid_csum_seen)) {
subflow->send_mp_fail = 1;
- if (!READ_ONCE(msk->allow_infinite_fallback)) {
+ if (!mptcp_subflow_fail(msk, ssk)) {
subflow->reset_transient = 0;
subflow->reset_reason = MPTCP_RST_EMIDDLEBOX;
goto reset;
}
- mptcp_subflow_fail(msk, ssk);
WRITE_ONCE(subflow->data_avail, MPTCP_SUBFLOW_DATA_AVAIL);
return true;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 383/482] mptcp: reset fallback status gracefully at disconnect() time
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 382/482] mptcp: plug races between subflow fail and subflow creation Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 384/482] mm: drop the assumption that VM_SHARED always implies writable Greg Kroah-Hartman
` (107 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit da9b2fc7b73d147d88abe1922de5ab72d72d7756 upstream.
mptcp_disconnect() clears the fallback bit unconditionally, without
touching the associated flags.
The bit clear is safe, as no fallback operation can race with that --
all subflow are already in TCP_CLOSE status thanks to the previous
FASTCLOSE -- but we need to consistently reset all the fallback related
status.
Also acquire the relevant lock, to avoid fouling static analyzers.
Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-3-391aff963322@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in protocol.c, because commit ebc1e08f01eb ("mptcp: drop
last_snd and MPTCP_RESET_SCHEDULER") is not in this version and
changed the context. The same modification can still be applied at the
same place. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3204,7 +3204,16 @@ static int mptcp_disconnect(struct sock
*/
mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE);
msk->last_snd = NULL;
+
+ /* The first subflow is already in TCP_CLOSE status, the following
+ * can't overlap with a fallback anymore
+ */
+ spin_lock_bh(&msk->fallback_lock);
+ msk->allow_subflows = true;
+ msk->allow_infinite_fallback = true;
WRITE_ONCE(msk->flags, 0);
+ spin_unlock_bh(&msk->fallback_lock);
+
msk->cb_flags = 0;
msk->recovery = false;
msk->can_ack = false;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 384/482] mm: drop the assumption that VM_SHARED always implies writable
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 383/482] mptcp: reset fallback status gracefully at disconnect() time Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 385/482] mm: update memfd seal write check to include F_SEAL_WRITE Greg Kroah-Hartman
` (106 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Andy Lutomirski,
Jan Kara, Alexander Viro, Christian Brauner, Hugh Dickins,
Matthew Wilcox (Oracle), Mike Kravetz, Muchun Song, Andrew Morton,
Isaac J. Manjarres
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lstoakes@gmail.com>
[ Upstream commit e8e17ee90eaf650c855adb0a3e5e965fd6692ff1 ]
Patch series "permit write-sealed memfd read-only shared mappings", v4.
The man page for fcntl() describing memfd file seals states the following
about F_SEAL_WRITE:-
Furthermore, trying to create new shared, writable memory-mappings via
mmap(2) will also fail with EPERM.
With emphasis on 'writable'. In turns out in fact that currently the
kernel simply disallows all new shared memory mappings for a memfd with
F_SEAL_WRITE applied, rendering this documentation inaccurate.
This matters because users are therefore unable to obtain a shared mapping
to a memfd after write sealing altogether, which limits their usefulness.
This was reported in the discussion thread [1] originating from a bug
report [2].
This is a product of both using the struct address_space->i_mmap_writable
atomic counter to determine whether writing may be permitted, and the
kernel adjusting this counter when any VM_SHARED mapping is performed and
more generally implicitly assuming VM_SHARED implies writable.
It seems sensible that we should only update this mapping if VM_MAYWRITE
is specified, i.e. whether it is possible that this mapping could at any
point be written to.
If we do so then all we need to do to permit write seals to function as
documented is to clear VM_MAYWRITE when mapping read-only. It turns out
this functionality already exists for F_SEAL_FUTURE_WRITE - we can
therefore simply adapt this logic to do the same for F_SEAL_WRITE.
We then hit a chicken and egg situation in mmap_region() where the check
for VM_MAYWRITE occurs before we are able to clear this flag. To work
around this, perform this check after we invoke call_mmap(), with careful
consideration of error paths.
Thanks to Andy Lutomirski for the suggestion!
[1]:https://lore.kernel.org/all/20230324133646.16101dfa666f253c4715d965@linux-foundation.org/
[2]:https://bugzilla.kernel.org/show_bug.cgi?id=217238
This patch (of 3):
There is a general assumption that VMAs with the VM_SHARED flag set are
writable. If the VM_MAYWRITE flag is not set, then this is simply not the
case.
Update those checks which affect the struct address_space->i_mmap_writable
field to explicitly test for this by introducing
[vma_]is_shared_maywrite() helper functions.
This remains entirely conservative, as the lack of VM_MAYWRITE guarantees
that the VMA cannot be written to.
Link: https://lkml.kernel.org/r/cover.1697116581.git.lstoakes@gmail.com
Link: https://lkml.kernel.org/r/d978aefefa83ec42d18dfa964ad180dbcde34795.1697116581.git.lstoakes@gmail.com
Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
Suggested-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
[isaacmanjarres: resolved merge conflicts due to
due to refactoring that happened in upstream commit
5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")]
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/fs.h | 4 ++--
include/linux/mm.h | 11 +++++++++++
kernel/fork.c | 2 +-
mm/filemap.c | 2 +-
mm/madvise.c | 2 +-
mm/mmap.c | 8 ++++----
6 files changed, 20 insertions(+), 9 deletions(-)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -410,7 +410,7 @@ extern const struct address_space_operat
* It is also used to block modification of page cache contents through
* memory mappings.
* @gfp_mask: Memory allocation flags to use for allocating pages.
- * @i_mmap_writable: Number of VM_SHARED mappings.
+ * @i_mmap_writable: Number of VM_SHARED, VM_MAYWRITE mappings.
* @nr_thps: Number of THPs in the pagecache (non-shmem only).
* @i_mmap: Tree of private and shared mappings.
* @i_mmap_rwsem: Protects @i_mmap and @i_mmap_writable.
@@ -513,7 +513,7 @@ static inline int mapping_mapped(struct
/*
* Might pages of this file have been modified in userspace?
- * Note that i_mmap_writable counts all VM_SHARED vmas: do_mmap
+ * Note that i_mmap_writable counts all VM_SHARED, VM_MAYWRITE vmas: do_mmap
* marks vma as VM_SHARED if it is shared, and the file was opened for
* writing i.e. vma may be mprotected writable even if now readonly.
*
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -673,6 +673,17 @@ static inline bool vma_is_accessible(str
return vma->vm_flags & VM_ACCESS_FLAGS;
}
+static inline bool is_shared_maywrite(vm_flags_t vm_flags)
+{
+ return (vm_flags & (VM_SHARED | VM_MAYWRITE)) ==
+ (VM_SHARED | VM_MAYWRITE);
+}
+
+static inline bool vma_is_shared_maywrite(struct vm_area_struct *vma)
+{
+ return is_shared_maywrite(vma->vm_flags);
+}
+
static inline
struct vm_area_struct *vma_find(struct vma_iterator *vmi, unsigned long max)
{
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -669,7 +669,7 @@ static __latent_entropy int dup_mmap(str
get_file(file);
i_mmap_lock_write(mapping);
- if (tmp->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(tmp))
mapping_allow_writable(mapping);
flush_dcache_mmap_lock(mapping);
/* insert tmp into the share list, just after mpnt */
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3554,7 +3554,7 @@ int generic_file_mmap(struct file *file,
*/
int generic_file_readonly_mmap(struct file *file, struct vm_area_struct *vma)
{
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE))
+ if (vma_is_shared_maywrite(vma))
return -EINVAL;
return generic_file_mmap(file, vma);
}
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -980,7 +980,7 @@ static long madvise_remove(struct vm_are
return -EINVAL;
}
- if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE))
+ if (!vma_is_shared_maywrite(vma))
return -EACCES;
offset = (loff_t)(start - vma->vm_start)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -106,7 +106,7 @@ void vma_set_page_prot(struct vm_area_st
static void __remove_shared_vm_struct(struct vm_area_struct *vma,
struct file *file, struct address_space *mapping)
{
- if (vma->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(vma))
mapping_unmap_writable(mapping);
flush_dcache_mmap_lock(mapping);
@@ -408,7 +408,7 @@ static unsigned long count_vma_pages_ran
static void __vma_link_file(struct vm_area_struct *vma,
struct address_space *mapping)
{
- if (vma->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(vma))
mapping_allow_writable(mapping);
flush_dcache_mmap_lock(mapping);
@@ -2827,7 +2827,7 @@ cannot_expand:
vma_mas_store(vma, &mas);
mm->map_count++;
if (vma->vm_file) {
- if (vma->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(vma))
mapping_allow_writable(vma->vm_file->f_mapping);
flush_dcache_mmap_lock(vma->vm_file->f_mapping);
@@ -2901,7 +2901,7 @@ unsigned long mmap_region(struct file *f
return -EINVAL;
/* Map writable and ensure this isn't a sealed memfd. */
- if (file && (vm_flags & VM_SHARED)) {
+ if (file && is_shared_maywrite(vm_flags)) {
int error = mapping_map_writable(file->f_mapping);
if (error)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 385/482] mm: update memfd seal write check to include F_SEAL_WRITE
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 384/482] mm: drop the assumption that VM_SHARED always implies writable Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 386/482] mm: reinstate ability to map write-sealed memfd mappings read-only Greg Kroah-Hartman
` (105 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Jan Kara,
Alexander Viro, Andy Lutomirski, Christian Brauner, Hugh Dickins,
Matthew Wilcox (Oracle), Mike Kravetz, Muchun Song, Andrew Morton,
Isaac J. Manjarres
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lstoakes@gmail.com>
[ Upstream commit 28464bbb2ddc199433383994bcb9600c8034afa1 ]
The seal_check_future_write() function is called by shmem_mmap() or
hugetlbfs_file_mmap() to disallow any future writable mappings of an memfd
sealed this way.
The F_SEAL_WRITE flag is not checked here, as that is handled via the
mapping->i_mmap_writable mechanism and so any attempt at a mapping would
fail before this could be run.
However we intend to change this, meaning this check can be performed for
F_SEAL_WRITE mappings also.
The logic here is equally applicable to both flags, so update this
function to accommodate both and rename it accordingly.
Link: https://lkml.kernel.org/r/913628168ce6cce77df7d13a63970bae06a526e0.1697116581.git.lstoakes@gmail.com
Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hugetlbfs/inode.c | 2 +-
include/linux/mm.h | 15 ++++++++-------
mm/shmem.c | 2 +-
3 files changed, 10 insertions(+), 9 deletions(-)
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -136,7 +136,7 @@ static int hugetlbfs_file_mmap(struct fi
vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
vma->vm_ops = &hugetlb_vm_ops;
- ret = seal_check_future_write(info->seals, vma);
+ ret = seal_check_write(info->seals, vma);
if (ret)
return ret;
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3526,25 +3526,26 @@ static inline void mem_dump_obj(void *ob
#endif
/**
- * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it
+ * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
+ * handle them.
* @seals: the seals to check
* @vma: the vma to operate on
*
- * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on
- * the vma flags. Return 0 if check pass, or <0 for errors.
+ * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper
+ * check/handling on the vma flags. Return 0 if check pass, or <0 for errors.
*/
-static inline int seal_check_future_write(int seals, struct vm_area_struct *vma)
+static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & F_SEAL_FUTURE_WRITE) {
+ if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
/*
* New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * "future write" seal active.
+ * write seals are active.
*/
if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
return -EPERM;
/*
- * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
* MAP_SHARED and read-only, take care to not allow mprotect to
* revert protections on such mappings. Do this only for shared
* mappings. For private mappings, don't need to mask
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2302,7 +2302,7 @@ static int shmem_mmap(struct file *file,
struct shmem_inode_info *info = SHMEM_I(file_inode(file));
int ret;
- ret = seal_check_future_write(info->seals, vma);
+ ret = seal_check_write(info->seals, vma);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 386/482] mm: reinstate ability to map write-sealed memfd mappings read-only
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 385/482] mm: update memfd seal write check to include F_SEAL_WRITE Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 387/482] selftests/memfd: add test for mapping write-sealed memfd read-only Greg Kroah-Hartman
` (104 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Julian Orth,
Jann Horn, Liam R. Howlett, Linus Torvalds, Shuah Khan,
Vlastimil Babka, Andrew Morton, Isaac J. Manjarres
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
[ Upstream commit 8ec396d05d1b737c87311fb7311f753b02c2a6b1 ]
Patch series "mm: reinstate ability to map write-sealed memfd mappings
read-only".
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
This series reworks how we both permit write-sealed mappings being mapped
read-only and disallow mprotect() from undoing the write-seal, fixing this
regression.
We also add a regression test to ensure that we do not accidentally
regress this in future.
Thanks to Julian Orth for reporting this regression.
This patch (of 2):
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
This was previously unnecessarily disallowed, despite the man page
documentation indicating that it would be, thereby limiting the usefulness
of F_SEAL_WRITE logic.
We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
seal (one which disallows future writes to the memfd) to also be used for
F_SEAL_WRITE.
For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
read-only mapping to disallow mprotect() from overriding the seal - an
operation performed by seal_check_write(), invoked from shmem_mmap(), the
f_op->mmap() hook used by shmem mappings.
By extending this to F_SEAL_WRITE and critically - checking
mapping_map_writable() to determine if we may map the memfd AFTER we
invoke shmem_mmap() - the desired logic becomes possible. This is because
mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
have cleared.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
We reinstate this functionality by moving the check out of shmem_mmap()
and instead performing it in do_mmap() at the point at which VMA flags are
being determined, which seems in any case to be a more appropriate place
in which to make this determination.
In order to achieve this we rework memfd seal logic to allow us access to
this information using existing logic and eliminate the clearing of
VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
instead.
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.1732804776.git.lorenzo.stoakes@oracle.com
Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reported-by: Julian Orth <ju.orth@gmail.com>
Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZxrYpQ@mail.gmail.com/
Cc: Jann Horn <jannh@google.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/memfd.h | 14 ++++++++++++
include/linux/mm.h | 58 ++++++++++++++++++++++++++++++++++----------------
mm/memfd.c | 2 -
mm/mmap.c | 4 +++
4 files changed, 59 insertions(+), 19 deletions(-)
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -6,11 +6,25 @@
#ifdef CONFIG_MEMFD_CREATE
extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
+unsigned int *memfd_file_seals_ptr(struct file *file);
#else
static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned long a)
{
return -EINVAL;
}
+
+static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+{
+ return NULL;
+}
#endif
+/* Retrieve memfd seals associated with the file, if any. */
+static inline unsigned int memfd_file_seals(struct file *file)
+{
+ unsigned int *sealsp = memfd_file_seals_ptr(file);
+
+ return sealsp ? *sealsp : 0;
+}
+
#endif /* __LINUX_MEMFD_H */
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3525,6 +3525,37 @@ void mem_dump_obj(void *object);
static inline void mem_dump_obj(void *object) {}
#endif
+static inline bool is_write_sealed(int seals)
+{
+ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+/**
+ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
+ * in which case writes should be disallowing moving
+ * forwards.
+ * @seals: the seals to check
+ * @vm_flags: the VMA flags to check
+ *
+ * Returns whether readonly sealed, in which case writess should be disallowed
+ * going forward.
+ */
+static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
+{
+ /*
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+ * VM_MAYWRITE as we still want them to be COW-writable.
+ */
+ if (is_write_sealed(seals) &&
+ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
+ return true;
+
+ return false;
+}
+
/**
* seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
* handle them.
@@ -3536,24 +3567,15 @@ static inline void mem_dump_obj(void *ob
*/
static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
- /*
- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * write seals are active.
- */
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
- return -EPERM;
-
- /*
- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
- * MAP_SHARED and read-only, take care to not allow mprotect to
- * revert protections on such mappings. Do this only for shared
- * mappings. For private mappings, don't need to mask
- * VM_MAYWRITE as we still want them to be COW-writable.
- */
- if (vma->vm_flags & VM_SHARED)
- vma->vm_flags &= ~(VM_MAYWRITE);
- }
+ if (!is_write_sealed(seals))
+ return 0;
+
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
return 0;
}
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -133,7 +133,7 @@ static int memfd_wait_for_pins(struct ad
return error;
}
-static unsigned int *memfd_file_seals_ptr(struct file *file)
+unsigned int *memfd_file_seals_ptr(struct file *file)
{
if (shmem_file(file))
return &SHMEM_I(file_inode(file))->seals;
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -46,6 +46,7 @@
#include <linux/pkeys.h>
#include <linux/oom.h>
#include <linux/sched/mm.h>
+#include <linux/memfd.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -1336,6 +1337,7 @@ unsigned long do_mmap(struct file *file,
if (file) {
struct inode *inode = file_inode(file);
+ unsigned int seals = memfd_file_seals(file);
unsigned long flags_mask;
if (!file_mmap_ok(file, inode, pgoff, len))
@@ -1374,6 +1376,8 @@ unsigned long do_mmap(struct file *file,
vm_flags |= VM_SHARED | VM_MAYSHARE;
if (!(file->f_mode & FMODE_WRITE))
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
+ else if (is_readonly_sealed(seals, vm_flags))
+ vm_flags &= ~VM_MAYWRITE;
fallthrough;
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 387/482] selftests/memfd: add test for mapping write-sealed memfd read-only
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 386/482] mm: reinstate ability to map write-sealed memfd mappings read-only Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 388/482] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Greg Kroah-Hartman
` (103 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Jann Horn,
Julian Orth, Liam R. Howlett, Linus Torvalds, Shuah Khan,
Vlastimil Babka, Andrew Morton, Isaac J. Manjarres
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
[ Upstream commit ea0916e01d0b0f2cce1369ac1494239a79827270 ]
Now we have reinstated the ability to map F_SEAL_WRITE mappings read-only,
assert that we are able to do this in a test to ensure that we do not
regress this again.
Link: https://lkml.kernel.org/r/a6377ec470b14c0539b4600cf8fa24bf2e4858ae.1732804776.git.lorenzo.stoakes@oracle.com
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Jann Horn <jannh@google.com>
Cc: Julian Orth <ju.orth@gmail.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/memfd/memfd_test.c | 43 +++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
--- a/tools/testing/selftests/memfd/memfd_test.c
+++ b/tools/testing/selftests/memfd/memfd_test.c
@@ -186,6 +186,24 @@ static void *mfd_assert_mmap_shared(int
return p;
}
+static void *mfd_assert_mmap_read_shared(int fd)
+{
+ void *p;
+
+ p = mmap(NULL,
+ mfd_def_size,
+ PROT_READ,
+ MAP_SHARED,
+ fd,
+ 0);
+ if (p == MAP_FAILED) {
+ printf("mmap() failed: %m\n");
+ abort();
+ }
+
+ return p;
+}
+
static void *mfd_assert_mmap_private(int fd)
{
void *p;
@@ -802,6 +820,30 @@ static void test_seal_future_write(void)
close(fd);
}
+static void test_seal_write_map_read_shared(void)
+{
+ int fd;
+ void *p;
+
+ printf("%s SEAL-WRITE-MAP-READ\n", memfd_str);
+
+ fd = mfd_assert_new("kern_memfd_seal_write_map_read",
+ mfd_def_size,
+ MFD_CLOEXEC | MFD_ALLOW_SEALING);
+
+ mfd_assert_add_seals(fd, F_SEAL_WRITE);
+ mfd_assert_has_seals(fd, F_SEAL_WRITE);
+
+ p = mfd_assert_mmap_read_shared(fd);
+
+ mfd_assert_read(fd);
+ mfd_assert_read_shared(fd);
+ mfd_fail_write(fd);
+
+ munmap(p, mfd_def_size);
+ close(fd);
+}
+
/*
* Test SEAL_SHRINK
* Test whether SEAL_SHRINK actually prevents shrinking
@@ -1056,6 +1098,7 @@ int main(int argc, char **argv)
test_seal_write();
test_seal_future_write();
+ test_seal_write_map_read_shared();
test_seal_shrink();
test_seal_grow();
test_seal_resize();
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 388/482] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 387/482] selftests/memfd: add test for mapping write-sealed memfd read-only Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 389/482] kbuild: userprogs: use correct linker when mixing clang and GNU ld Greg Kroah-Hartman
` (102 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
Sumanth Gavini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumanth Gavini <sumanth.gavini@yahoo.com>
commit 5af1f84ed13a416297ab9ced7537f4d5ae7f329a upstream.
Connections may be cleanup while waiting for the commands to complete so
this attempts to check if the connection handle remains valid in case of
errors that would lead to call hci_conn_failed:
BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52
CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted
6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x1d/0x70
print_report+0xce/0x620
? __virt_addr_valid+0xd4/0x150
? hci_conn_failed+0x1f/0x160
kasan_report+0xd1/0x100
? hci_conn_failed+0x1f/0x160
hci_conn_failed+0x1f/0x160
hci_abort_conn_sync+0x237/0x360
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_sync.c | 43 +++++++++++++++++++++++++++++--------------
1 file changed, 29 insertions(+), 14 deletions(-)
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5525,31 +5525,46 @@ static int hci_reject_conn_sync(struct h
int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
{
- int err;
+ int err = 0;
+ u16 handle = conn->handle;
switch (conn->state) {
case BT_CONNECTED:
case BT_CONFIG:
- return hci_disconnect_sync(hdev, conn, reason);
+ err = hci_disconnect_sync(hdev, conn, reason);
+ break;
case BT_CONNECT:
err = hci_connect_cancel_sync(hdev, conn);
- /* Cleanup hci_conn object if it cannot be cancelled as it
- * likelly means the controller and host stack are out of sync.
- */
- if (err) {
- hci_dev_lock(hdev);
- hci_conn_failed(conn, err);
- hci_dev_unlock(hdev);
- }
- return err;
+ break;
case BT_CONNECT2:
- return hci_reject_conn_sync(hdev, conn, reason);
+ err = hci_reject_conn_sync(hdev, conn, reason);
+ break;
default:
conn->state = BT_CLOSED;
- break;
+ return 0;
+ }
+
+ /* Cleanup hci_conn object if it cannot be cancelled as it
+ * likelly means the controller and host stack are out of sync
+ * or in case of LE it was still scanning so it can be cleanup
+ * safely.
+ */
+ if (err) {
+ struct hci_conn *c;
+
+ /* Check if the connection hasn't been cleanup while waiting
+ * commands to complete.
+ */
+ c = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!c || c != conn)
+ return 0;
+
+ hci_dev_lock(hdev);
+ hci_conn_failed(conn, err);
+ hci_dev_unlock(hdev);
}
- return 0;
+ return err;
}
static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 389/482] kbuild: userprogs: use correct linker when mixing clang and GNU ld
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 388/482] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 390/482] x86/reboot: Harden virtualization hooks for emergency reboot Greg Kroah-Hartman
` (101 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Nathan Chancellor, Masahiro Yamada
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 936599ca514973d44a766b7376c6bbdc96b6a8cc upstream.
The userprogs infrastructure does not expect clang being used with GNU ld
and in that case uses /usr/bin/ld for linking, not the configured $(LD).
This fallback is problematic as it will break when cross-compiling.
Mixing clang and GNU ld is used for example when building for SPARC64,
as ld.lld is not sufficient; see Documentation/kbuild/llvm.rst.
Relax the check around --ld-path so it gets used for all linkers.
Fixes: dfc1b168a8c4 ("kbuild: userprogs: use correct lld when linking through clang")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
[nathan: Work around wrapping '--ld-path' in cc-option in older stable
branches due to older minimum LLVM version]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Makefile
+++ b/Makefile
@@ -1143,7 +1143,7 @@ KBUILD_USERCFLAGS += $(filter -m32 -m64
KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
# userspace programs are linked via the compiler, use the correct linker
-ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy)
+ifdef CONFIG_CC_IS_CLANG
KBUILD_USERLDFLAGS += $(call cc-option, --ld-path=$(LD))
endif
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 390/482] x86/reboot: Harden virtualization hooks for emergency reboot
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 389/482] kbuild: userprogs: use correct linker when mixing clang and GNU ld Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 391/482] x86/reboot: KVM: Handle VMXOFF in KVMs reboot callback Greg Kroah-Hartman
` (100 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai Huang, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 5e408396c60cd0f0b53a43713016b6d6af8d69e0 ]
Provide dedicated helpers to (un)register virt hooks used during an
emergency crash/reboot, and WARN if there is an attempt to overwrite
the registered callback, or an attempt to do an unpaired unregister.
Opportunsitically use rcu_assign_pointer() instead of RCU_INIT_POINTER(),
mainly so that the set/unset paths are more symmetrical, but also because
any performance gains from using RCU_INIT_POINTER() are meaningless for
this code.
Reviewed-by: Kai Huang <kai.huang@intel.com>
Link: https://lore.kernel.org/r/20230721201859.2307736-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: a0ee1d5faff1 ("KVM: VMX: Flush shadow VMCS on emergency reboot")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/reboot.h | 5 +++--
arch/x86/kernel/reboot.c | 30 ++++++++++++++++++++++++------
arch/x86/kvm/vmx/vmx.c | 6 ++----
3 files changed, 29 insertions(+), 12 deletions(-)
--- a/arch/x86/include/asm/reboot.h
+++ b/arch/x86/include/asm/reboot.h
@@ -25,8 +25,9 @@ void __noreturn machine_real_restart(uns
#define MRR_BIOS 0
#define MRR_APM 1
-typedef void crash_vmclear_fn(void);
-extern crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss;
+typedef void (cpu_emergency_virt_cb)(void);
+void cpu_emergency_register_virt_callback(cpu_emergency_virt_cb *callback);
+void cpu_emergency_unregister_virt_callback(cpu_emergency_virt_cb *callback);
void cpu_emergency_disable_virtualization(void);
typedef void (*nmi_shootdown_cb)(int, struct pt_regs*);
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -794,17 +794,35 @@ void machine_crash_shutdown(struct pt_re
*
* protected by rcu.
*/
-crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss;
-EXPORT_SYMBOL_GPL(crash_vmclear_loaded_vmcss);
+static cpu_emergency_virt_cb __rcu *cpu_emergency_virt_callback;
+
+void cpu_emergency_register_virt_callback(cpu_emergency_virt_cb *callback)
+{
+ if (WARN_ON_ONCE(rcu_access_pointer(cpu_emergency_virt_callback)))
+ return;
+
+ rcu_assign_pointer(cpu_emergency_virt_callback, callback);
+}
+EXPORT_SYMBOL_GPL(cpu_emergency_register_virt_callback);
+
+void cpu_emergency_unregister_virt_callback(cpu_emergency_virt_cb *callback)
+{
+ if (WARN_ON_ONCE(rcu_access_pointer(cpu_emergency_virt_callback) != callback))
+ return;
+
+ rcu_assign_pointer(cpu_emergency_virt_callback, NULL);
+ synchronize_rcu();
+}
+EXPORT_SYMBOL_GPL(cpu_emergency_unregister_virt_callback);
static inline void cpu_crash_vmclear_loaded_vmcss(void)
{
- crash_vmclear_fn *do_vmclear_operation = NULL;
+ cpu_emergency_virt_cb *callback;
rcu_read_lock();
- do_vmclear_operation = rcu_dereference(crash_vmclear_loaded_vmcss);
- if (do_vmclear_operation)
- do_vmclear_operation();
+ callback = rcu_dereference(cpu_emergency_virt_callback);
+ if (callback)
+ callback();
rcu_read_unlock();
}
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -8602,8 +8602,7 @@ static void __vmx_exit(void)
{
allow_smaller_maxphyaddr = false;
- RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL);
- synchronize_rcu();
+ cpu_emergency_unregister_virt_callback(crash_vmclear_local_loaded_vmcss);
vmx_cleanup_l1d_flush();
}
@@ -8677,8 +8676,7 @@ static int __init vmx_init(void)
pi_init_cpu(cpu);
}
- rcu_assign_pointer(crash_vmclear_loaded_vmcss,
- crash_vmclear_local_loaded_vmcss);
+ cpu_emergency_register_virt_callback(crash_vmclear_local_loaded_vmcss);
vmx_check_vmcs12_offsets();
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 391/482] x86/reboot: KVM: Handle VMXOFF in KVMs reboot callback
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 390/482] x86/reboot: Harden virtualization hooks for emergency reboot Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 392/482] KVM: VMX: Flush shadow VMCS on emergency reboot Greg Kroah-Hartman
` (99 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai Huang, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 119b5cb4ffd0166f3e98e9ee042f5046f7744f28 ]
Use KVM VMX's reboot/crash callback to do VMXOFF in an emergency instead
of manually and blindly doing VMXOFF. There's no need to attempt VMXOFF
if a hypervisor, i.e. KVM, isn't loaded/active, i.e. if the CPU can't
possibly be post-VMXON.
Reviewed-by: Kai Huang <kai.huang@intel.com>
Link: https://lore.kernel.org/r/20230721201859.2307736-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: a0ee1d5faff1 ("KVM: VMX: Flush shadow VMCS on emergency reboot")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/virtext.h | 10 ----------
arch/x86/kernel/reboot.c | 29 +++++++++--------------------
arch/x86/kvm/vmx/vmx.c | 8 +++++---
3 files changed, 14 insertions(+), 33 deletions(-)
--- a/arch/x86/include/asm/virtext.h
+++ b/arch/x86/include/asm/virtext.h
@@ -70,16 +70,6 @@ static inline void __cpu_emergency_vmxof
cpu_vmxoff();
}
-/** Disable VMX if it is supported and enabled on the current CPU
- */
-static inline void cpu_emergency_vmxoff(void)
-{
- if (cpu_has_vmx())
- __cpu_emergency_vmxoff();
-}
-
-
-
/*
* SVM functions:
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -787,13 +787,7 @@ void machine_crash_shutdown(struct pt_re
}
#endif
-/*
- * This is used to VMCLEAR all VMCSs loaded on the
- * processor. And when loading kvm_intel module, the
- * callback function pointer will be assigned.
- *
- * protected by rcu.
- */
+/* RCU-protected callback to disable virtualization prior to reboot. */
static cpu_emergency_virt_cb __rcu *cpu_emergency_virt_callback;
void cpu_emergency_register_virt_callback(cpu_emergency_virt_cb *callback)
@@ -815,17 +809,6 @@ void cpu_emergency_unregister_virt_callb
}
EXPORT_SYMBOL_GPL(cpu_emergency_unregister_virt_callback);
-static inline void cpu_crash_vmclear_loaded_vmcss(void)
-{
- cpu_emergency_virt_cb *callback;
-
- rcu_read_lock();
- callback = rcu_dereference(cpu_emergency_virt_callback);
- if (callback)
- callback();
- rcu_read_unlock();
-}
-
/* This is the CPU performing the emergency shutdown work. */
int crashing_cpu = -1;
@@ -836,9 +819,15 @@ int crashing_cpu = -1;
*/
void cpu_emergency_disable_virtualization(void)
{
- cpu_crash_vmclear_loaded_vmcss();
+ cpu_emergency_virt_cb *callback;
+
+ rcu_read_lock();
+ callback = rcu_dereference(cpu_emergency_virt_callback);
+ if (callback)
+ callback();
+ rcu_read_unlock();
- cpu_emergency_vmxoff();
+ /* KVM_AMD doesn't yet utilize the common callback. */
cpu_emergency_svm_disable();
}
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -707,7 +707,7 @@ static int vmx_set_guest_uret_msr(struct
return ret;
}
-static void crash_vmclear_local_loaded_vmcss(void)
+static void vmx_emergency_disable(void)
{
int cpu = raw_smp_processor_id();
struct loaded_vmcs *v;
@@ -715,6 +715,8 @@ static void crash_vmclear_local_loaded_v
list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu),
loaded_vmcss_on_cpu_link)
vmcs_clear(v->vmcs);
+
+ __cpu_emergency_vmxoff();
}
static void __loaded_vmcs_clear(void *arg)
@@ -8602,7 +8604,7 @@ static void __vmx_exit(void)
{
allow_smaller_maxphyaddr = false;
- cpu_emergency_unregister_virt_callback(crash_vmclear_local_loaded_vmcss);
+ cpu_emergency_unregister_virt_callback(vmx_emergency_disable);
vmx_cleanup_l1d_flush();
}
@@ -8676,7 +8678,7 @@ static int __init vmx_init(void)
pi_init_cpu(cpu);
}
- cpu_emergency_register_virt_callback(crash_vmclear_local_loaded_vmcss);
+ cpu_emergency_register_virt_callback(vmx_emergency_disable);
vmx_check_vmcs12_offsets();
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 392/482] KVM: VMX: Flush shadow VMCS on emergency reboot
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 391/482] x86/reboot: KVM: Handle VMXOFF in KVMs reboot callback Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 393/482] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Greg Kroah-Hartman
` (98 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Gao, Kai Huang,
Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Gao <chao.gao@intel.com>
[ Upstream commit a0ee1d5faff135e28810f29e0f06328c66f89852 ]
Ensure the shadow VMCS cache is evicted during an emergency reboot to
prevent potential memory corruption if the cache is evicted after reboot.
This issue was identified through code inspection, as __loaded_vmcs_clear()
flushes both the normal VMCS and the shadow VMCS.
Avoid checking the "launched" state during an emergency reboot, unlike the
behavior in __loaded_vmcs_clear(). This is important because reboot NMIs
can interfere with operations like copy_shadow_to_vmcs12(), where shadow
VMCSes are loaded directly using VMPTRLD. In such cases, if NMIs occur
right after the VMCS load, the shadow VMCSes will be active but the
"launched" state may not be set.
Fixes: 16f5b9034b69 ("KVM: nVMX: Copy processor-specific shadow-vmcs to VMCS12")
Cc: stable@vger.kernel.org
Signed-off-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Link: https://lore.kernel.org/r/20250324140849.2099723-1-chao.gao@intel.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/vmx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -713,8 +713,11 @@ static void vmx_emergency_disable(void)
struct loaded_vmcs *v;
list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu),
- loaded_vmcss_on_cpu_link)
+ loaded_vmcss_on_cpu_link) {
vmcs_clear(v->vmcs);
+ if (v->shadow_vmcs)
+ vmcs_clear(v->shadow_vmcs);
+ }
__cpu_emergency_vmxoff();
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 393/482] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 392/482] KVM: VMX: Flush shadow VMCS on emergency reboot Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 394/482] memstick: Fix deadlock by moving removing flag earlier Greg Kroah-Hartman
` (97 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Lee Jones,
Sasha Levin, Mark Rutland, Fuad Tabba, Marc Zyngier, Will Deacon
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
Upstream commit fbc7e61195e2 ("KVM: arm64: Unconditionally save+flush
host FPSIMD/SVE/SME state") relies on interrupts being disabled during
fpsimd_save_and_flush_cpu_state() so that a softirq cannot be taken
while the host floating point context is being saved and potentially try
to use kernel-mode NEON.
Unfortunately, stable kernels without 9b19700e623f ("arm64: fpsimd: Drop
unneeded 'busy' flag") leave interrupts enabled in
fpsimd_save_and_flush_cpu_state() and so the BUG_ON(!may_use_simd()) in
kernel_neon_begin() has been observed to trigger in real-world usage:
| kernel BUG at arch/arm64/kernel/fpsimd.c:1904!
| Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
|
| Call trace:
| kernel_neon_begin+0xdc/0x12c
| ...
| crypto_aead_decrypt+0x5c/0x6c
| seqiv_aead_decrypt+0x88/0x9c
| crypto_aead_decrypt+0x5c/0x6c
| esp_input+0x280/0x364
| xfrm_input+0x6ac/0x16f8
| ...
| net_rx_action+0x13c/0x31c
| handle_softirqs+0x124/0x3d0
| __do_softirq+0x14/0x20
| ____do_softirq+0x10/0x20
| call_on_irq_stack+0x3c/0x74
| do_softirq_own_stack+0x1c/0x2c
| __irq_exit_rcu+0x54/0xb4
| irq_exit_rcu+0x10/0x1c
| el1_interrupt+0x38/0x58
| el1h_64_irq_handler+0x18/0x24
| el1h_64_irq+0x68/0x6c
| fpsimd_save+0xe4/0x130
| kvm_arch_vcpu_load_fp+0x2c/0x58
| kvm_arch_vcpu_load+0x88/0x26c
| kvm_sched_in+0x2c/0x3c
Given that 9b19700e623f ("arm64: fpsimd: Drop unneeded 'busy' flag") is
not a fix in its own right, has non-trivial dependencies and is a
reasonably invasive change to the in-kernel use of fpsimd, opt instead
for a simple fix to use the softirq-safe {get,put}_cpu_fpsimd_context()
helpers in fpsimd_save_and_flush_cpu_state().
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Lee Jones <lee@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: <stable@vger.kernel.org> # 5.15.y, 6.1.y and 6.6.y
Fixes: 806d5c1e1d2e ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") # 6.6.y
Fixes: 04c50cc23a49 ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") # 6.1.y
Fixes: 5289ac43b69c ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") # 5.15.y
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/fpsimd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1851,10 +1851,10 @@ void fpsimd_save_and_flush_cpu_state(voi
if (!system_supports_fpsimd())
return;
WARN_ON(preemptible());
- __get_cpu_fpsimd_context();
+ get_cpu_fpsimd_context();
fpsimd_save();
fpsimd_flush_cpu_state();
- __put_cpu_fpsimd_context();
+ put_cpu_fpsimd_context();
}
#ifdef CONFIG_KERNEL_MODE_NEON
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 394/482] memstick: Fix deadlock by moving removing flag earlier
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 393/482] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 395/482] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Greg Kroah-Hartman
` (96 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiayi Li, Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayi Li <lijiayi@kylinos.cn>
commit 99d7ab8db9d8230b243f5ed20ba0229e54cc0dfa upstream.
The existing memstick core patch: commit 62c59a8786e6 ("memstick: Skip
allocating card when removing host") sets host->removing in
memstick_remove_host(),but still exists a critical time window where
memstick_check can run after host->eject is set but before removing is set.
In the rtsx_usb_ms driver, the problematic sequence is:
rtsx_usb_ms_drv_remove: memstick_check:
host->eject = true
cancel_work_sync(handle_req) if(!host->removing)
... memstick_alloc_card()
memstick_set_rw_addr()
memstick_new_req()
rtsx_usb_ms_request()
if(!host->eject)
skip schedule_work
wait_for_completion()
memstick_remove_host: [blocks indefinitely]
host->removing = true
flush_workqueue()
[block]
1. rtsx_usb_ms_drv_remove sets host->eject = true
2. cancel_work_sync(&host->handle_req) runs
3. memstick_check work may be executed here <-- danger window
4. memstick_remove_host sets removing = 1
During this window (step 3), memstick_check calls memstick_alloc_card,
which may indefinitely waiting for mrq_complete completion that will
never occur because rtsx_usb_ms_request sees eject=true and skips
scheduling work, memstick_set_rw_addr waits forever for completion.
This causes a deadlock when memstick_remove_host tries to flush_workqueue,
waiting for memstick_check to complete, while memstick_check is blocked
waiting for mrq_complete completion.
Fix this by setting removing=true at the start of rtsx_usb_ms_drv_remove,
before any work cancellation. This ensures memstick_check will see the
removing flag immediately and exit early, avoiding the deadlock.
Fixes: 62c59a8786e6 ("memstick: Skip allocating card when removing host")
Signed-off-by: Jiayi Li <lijiayi@kylinos.cn>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250804013604.1311218-1-lijiayi@kylinos.cn
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memstick/core/memstick.c | 1 -
drivers/memstick/host/rtsx_usb_ms.c | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/memstick/core/memstick.c
+++ b/drivers/memstick/core/memstick.c
@@ -548,7 +548,6 @@ EXPORT_SYMBOL(memstick_add_host);
*/
void memstick_remove_host(struct memstick_host *host)
{
- host->removing = 1;
flush_workqueue(workqueue);
mutex_lock(&host->lock);
if (host->card)
--- a/drivers/memstick/host/rtsx_usb_ms.c
+++ b/drivers/memstick/host/rtsx_usb_ms.c
@@ -812,6 +812,7 @@ static int rtsx_usb_ms_drv_remove(struct
int err;
host->eject = true;
+ msh->removing = true;
cancel_work_sync(&host->handle_req);
cancel_delayed_work_sync(&host->poll_card);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 395/482] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 394/482] memstick: Fix deadlock by moving removing flag earlier Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 396/482] squashfs: fix memory leak in squashfs_fill_super Greg Kroah-Hartman
` (95 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Victor Shih, Adrian Hunter,
Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Shih <victor.shih@genesyslogic.com.tw>
commit 293ed0f5f34e1e9df888456af4b0a021f57b5f54 upstream.
In preparation to fix replay timer timeout, rename the
gli_set_gl9763e() to gl9763e_hw_setting() for consistency.
Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
Cc: stable@vger.kernel.org
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250731065752.450231-3-victorshihgli@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -953,7 +953,7 @@ static void sdhci_gl9763e_reset(struct s
sdhci_reset(host, mask);
}
-static void gli_set_gl9763e(struct sdhci_pci_slot *slot)
+static void gl9763e_hw_setting(struct sdhci_pci_slot *slot)
{
struct pci_dev *pdev = slot->chip->pdev;
u32 value;
@@ -1125,7 +1125,7 @@ static int gli_probe_slot_gl9763e(struct
gli_pcie_enable_msi(slot);
host->mmc_host_ops.hs400_enhanced_strobe =
gl9763e_hs400_enhanced_strobe;
- gli_set_gl9763e(slot);
+ gl9763e_hw_setting(slot);
sdhci_enable_v4_mode(host);
return 0;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 396/482] squashfs: fix memory leak in squashfs_fill_super
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 395/482] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 397/482] mm/debug_vm_pgtable: clear page table entries at destroy_args() Greg Kroah-Hartman
` (94 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phillip Lougher, Scott GUO,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
commit b64700d41bdc4e9f82f1346c15a3678ebb91a89c upstream.
If sb_min_blocksize returns 0, squashfs_fill_super exits without freeing
allocated memory (sb->s_fs_info).
Fix this by moving the call to sb_min_blocksize to before memory is
allocated.
Link: https://lkml.kernel.org/r/20250811223740.110392-1-phillip@squashfs.org.uk
Fixes: 734aa85390ea ("Squashfs: check return result of sb_min_blocksize")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: Scott GUO <scottzhguo@tencent.com>
Closes: https://lore.kernel.org/all/20250811061921.3807353-1-scott_gzh@163.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/squashfs/super.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -123,10 +123,15 @@ static int squashfs_fill_super(struct su
unsigned short flags;
unsigned int fragments;
u64 lookup_table_start, xattr_id_table_start, next_table;
- int err;
+ int err, devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
TRACE("Entered squashfs_fill_superblock\n");
+ if (!devblksize) {
+ errorf(fc, "squashfs: unable to set blocksize\n");
+ return -EINVAL;
+ }
+
sb->s_fs_info = kzalloc(sizeof(*msblk), GFP_KERNEL);
if (sb->s_fs_info == NULL) {
ERROR("Failed to allocate squashfs_sb_info\n");
@@ -136,12 +141,7 @@ static int squashfs_fill_super(struct su
msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
- if (!msblk->devblksize) {
- errorf(fc, "squashfs: unable to set blocksize\n");
- return -EINVAL;
- }
-
+ msblk->devblksize = devblksize;
msblk->devblksize_log2 = ffz(~msblk->devblksize);
mutex_init(&msblk->meta_index_mutex);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 397/482] mm/debug_vm_pgtable: clear page table entries at destroy_args()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 396/482] squashfs: fix memory leak in squashfs_fill_super Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 398/482] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Greg Kroah-Hartman
` (93 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herton R. Krzesinski,
Anshuman Khandual, Christophe Leroy, Gavin Shan, Gerald Schaefer,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herton R. Krzesinski <herton@redhat.com>
commit dde30854bddfb5d69f30022b53c5955a41088b33 upstream.
The mm/debug_vm_pagetable test allocates manually page table entries for
the tests it runs, using also its manually allocated mm_struct. That in
itself is ok, but when it exits, at destroy_args() it fails to clear those
entries with the *_clear functions.
The problem is that leaves stale entries. If another process allocates an
mm_struct with a pgd at the same address, it may end up running into the
stale entry. This is happening in practice on a debug kernel with
CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra
debugging I added (it prints a warning trace if pgtables_bytes goes
negative, in addition to the warning at check_mm() function):
[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000
[ 2.539366] kmem_cache info
[ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508
[ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e
(...)
[ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0
[ 2.552816] Modules linked in:
[ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY
[ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries
[ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90
[ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)
[ 2.552899] MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24002822 XER: 0000000a
[ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0
[ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001
[ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff
[ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000
[ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb
[ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0
[ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000
[ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001
[ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760
[ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0
[ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0
[ 2.553199] Call Trace:
[ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)
[ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0
[ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570
[ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650
[ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290
[ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0
[ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870
[ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150
[ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50
[ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0
[ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
(...)
[ 2.558892] ---[ end trace 0000000000000000 ]---
[ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1
[ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144
Here the modprobe process ended up with an allocated mm_struct from the
mm_struct slab that was used before by the debug_vm_pgtable test. That is
not a problem, since the mm_struct is initialized again etc., however, if
it ends up using the same pgd table, it bumps into the old stale entry
when clearing/freeing the page table entries, so it tries to free an entry
already gone (that one which was allocated by the debug_vm_pgtable test),
which also explains the negative pgtables_bytes since it's accounting for
not allocated entries in the current process.
As far as I looked pgd_{alloc,free} etc. does not clear entries, and
clearing of the entries is explicitly done in the free_pgtables->
free_pgd_range->free_p4d_range->free_pud_range->free_pmd_range->
free_pte_range path. However, the debug_vm_pgtable test does not call
free_pgtables, since it allocates mm_struct and entries manually for its
test and eg. not goes through page faults. So it also should clear
manually the entries before exit at destroy_args().
This problem was noticed on a reboot X number of times test being done on
a powerpc host, with a debug kernel with CONFIG_DEBUG_VM_PGTABLE enabled.
Depends on the system, but on a 100 times reboot loop the problem could
manifest once or twice, if a process ends up getting the right mm->pgd
entry with the stale entries used by mm/debug_vm_pagetable. After using
this patch, I couldn't reproduce/experience the problems anymore. I was
able to reproduce the problem as well on latest upstream kernel (6.16).
I also modified destroy_args() to use mmput() instead of mmdrop(), there
is no reason to hold mm_users reference and not release the mm_struct
entirely, and in the output above with my debugging prints I already had
patched it to use mmput, it did not fix the problem, but helped in the
debugging as well.
Link: https://lkml.kernel.org/r/20250731214051.4115182-1-herton@redhat.com
Fixes: 3c9b84f044a9 ("mm/debug_vm_pgtable: introduce struct pgtable_debug_args")
Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Gavin Shan <gshan@redhat.com>
Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/debug_vm_pgtable.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/mm/debug_vm_pgtable.c
+++ b/mm/debug_vm_pgtable.c
@@ -1063,29 +1063,34 @@ static void __init destroy_args(struct p
/* Free page table entries */
if (args->start_ptep) {
+ pmd_clear(args->pmdp);
pte_free(args->mm, args->start_ptep);
mm_dec_nr_ptes(args->mm);
}
if (args->start_pmdp) {
+ pud_clear(args->pudp);
pmd_free(args->mm, args->start_pmdp);
mm_dec_nr_pmds(args->mm);
}
if (args->start_pudp) {
+ p4d_clear(args->p4dp);
pud_free(args->mm, args->start_pudp);
mm_dec_nr_puds(args->mm);
}
- if (args->start_p4dp)
+ if (args->start_p4dp) {
+ pgd_clear(args->pgdp);
p4d_free(args->mm, args->start_p4dp);
+ }
/* Free vma and mm struct */
if (args->vma)
vm_area_free(args->vma);
if (args->mm)
- mmdrop(args->mm);
+ mmput(args->mm);
}
static struct page * __init
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 398/482] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 397/482] mm/debug_vm_pgtable: clear page table entries at destroy_args() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 399/482] s390/sclp: Fix SCCB present check Greg Kroah-Hartman
` (92 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Evgeniy Harchenko, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Evgeniy Harchenko <evgeniyharchenko.dev@gmail.com>
commit eafae0fdd115a71b3a200ef1a31f86da04bac77f upstream.
The HP EliteBook x360 830 G6 and HP EliteBook 830 G6 have
Realtek HDA codec ALC215. It needs the ALC285_FIXUP_HP_GPIO_LED
quirk to enable the mute LED.
Cc: <stable@vger.kernel.org>
Signed-off-by: Evgeniy Harchenko <evgeniyharchenko.dev@gmail.com>
Link: https://patch.msgid.link/20250815095814.75845-1-evgeniyharchenko.dev@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9915,6 +9915,8 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8548, "HP EliteBook x360 830 G6", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x854a, "HP EliteBook 830 G6", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11),
SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360),
SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 399/482] s390/sclp: Fix SCCB present check
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 398/482] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 400/482] drm/amd/display: Avoid a NULL pointer dereference Greg Kroah-Hartman
` (91 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Gordeev,
Peter Oberparleiter
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
commit 430fa71027b6ac9bb0ce5532b8d0676777d4219a upstream.
Tracing code called by the SCLP interrupt handler contains early exits
if the SCCB address associated with an interrupt is NULL. This check is
performed after physical to virtual address translation.
If the kernel identity mapping does not start at address zero, the
resulting virtual address is never zero, so that the NULL checks won't
work. Subsequently this may result in incorrect accesses to the first
page of the identity mapping.
Fix this by introducing a function that handles the NULL case before
address translation.
Fixes: ada1da31ce34 ("s390/sclp: sort out physical vs virtual pointers usage")
Cc: stable@vger.kernel.org
Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/char/sclp.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/s390/char/sclp.c
+++ b/drivers/s390/char/sclp.c
@@ -76,6 +76,13 @@ unsigned long sclp_console_full;
/* The currently active SCLP command word. */
static sclp_cmdw_t active_cmd;
+static inline struct sccb_header *sclpint_to_sccb(u32 sccb_int)
+{
+ if (sccb_int)
+ return __va(sccb_int);
+ return NULL;
+}
+
static inline void sclp_trace(int prio, char *id, u32 a, u64 b, bool err)
{
struct sclp_trace_entry e;
@@ -625,7 +632,7 @@ __sclp_find_req(u32 sccb)
static bool ok_response(u32 sccb_int, sclp_cmdw_t cmd)
{
- struct sccb_header *sccb = (struct sccb_header *)__va(sccb_int);
+ struct sccb_header *sccb = sclpint_to_sccb(sccb_int);
struct evbuf_header *evbuf;
u16 response;
@@ -664,7 +671,7 @@ static void sclp_interrupt_handler(struc
/* INT: Interrupt received (a=intparm, b=cmd) */
sclp_trace_sccb(0, "INT", param32, active_cmd, active_cmd,
- (struct sccb_header *)__va(finished_sccb),
+ sclpint_to_sccb(finished_sccb),
!ok_response(finished_sccb, active_cmd));
if (finished_sccb) {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 400/482] drm/amd/display: Avoid a NULL pointer dereference
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 399/482] s390/sclp: Fix SCCB present check Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 401/482] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Greg Kroah-Hartman
` (90 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Harry Wentland, Alex Hung, Dan Wheeler
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 07b93a5704b0b72002f0c4bd1076214af67dc661 upstream.
[WHY]
Although unlikely drm_atomic_get_new_connector_state() or
drm_atomic_get_old_connector_state() can return NULL.
[HOW]
Check returns before dereference.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -6620,6 +6620,9 @@ amdgpu_dm_connector_atomic_check(struct
struct amdgpu_dm_connector *aconn = to_amdgpu_dm_connector(conn);
int ret;
+ if (WARN_ON(unlikely(!old_con_state || !new_con_state)))
+ return -EINVAL;
+
trace_amdgpu_dm_connector_atomic_check(new_con_state);
if (conn->connector_type == DRM_MODE_CONNECTOR_DisplayPort) {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 401/482] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 400/482] drm/amd/display: Avoid a NULL pointer dereference Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 402/482] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 Greg Kroah-Hartman
` (89 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 10507478468f165ea681605d133991ed05cdff62 upstream.
For later VBIOS versions, the fractional feedback divider is
calculated as the remainder of dividing the feedback divider by
a factor, which is set to 1000000. For reference, see:
- calculate_fb_and_fractional_fb_divider
- calc_pll_max_vco_construct
However, in case of old VBIOS versions that have
set_pixel_clock_v3, they only have 1 byte available for the
fractional feedback divider, and it's expected to be set to the
remainder from dividing the feedback divider by 10.
For reference see the legacy display code:
- amdgpu_pll_compute
- amdgpu_atombios_crtc_program_pll
This commit fixes set_pixel_clock_v3 by dividing the fractional
feedback divider passed to the function by 100000.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 027e7acc7e17802ebf28e1edb88a404836ad50d6)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/command_table.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/bios/command_table.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/command_table.c
@@ -993,7 +993,7 @@ static enum bp_result set_pixel_clock_v3
allocation.sPCLKInput.usFbDiv =
cpu_to_le16((uint16_t)bp_params->feedback_divider);
allocation.sPCLKInput.ucFracFbDiv =
- (uint8_t)bp_params->fractional_feedback_divider;
+ (uint8_t)(bp_params->fractional_feedback_divider / 100000);
allocation.sPCLKInput.ucPostDiv =
(uint8_t)bp_params->pixel_clock_post_divider;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 402/482] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 401/482] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 403/482] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Greg Kroah-Hartman
` (88 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Rodrigo Siqueira,
Timur Kristóf
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 297a4833a68aac3316eb808b4123eb016ef242d7 upstream.
On DCE 6, DP audio was not working. However, it worked when an
HDMI monitor was also plugged in.
Looking at dce_aud_wall_dto_setup it seems that the main
difference is that we use DTO1 when only DP is plugged in.
When programming DTO1, it uses audio_dto_source_clock_in_khz
which is set from get_dp_ref_freq_khz
The dce60_get_dp_ref_freq_khz implementation looks incorrect,
because DENTIST_DISPCLK_CNTL seems to be always zero on DCE 6,
so it isn't usable.
I compared dce60_get_dp_ref_freq_khz to the legacy display code,
specifically dce_v6_0_audio_set_dto, and it turns out that in
case of DCE 6, it needs to use the display clock. With that,
DP audio started working on Pitcairn, Oland and Cape Verde.
However, it still didn't work on Tahiti. Despite having the
same DCE version, Tahiti seems to have a different audio device.
After some trial and error I realized that it works with the
default display clock as reported by the VBIOS, not the current
display clock.
The patch was tested on all four SI GPUs:
* Pitcairn (DCE 6.0)
* Oland (DCE 6.4)
* Cape Verde (DCE 6.0)
* Tahiti (DCE 6.0 but different)
The testing was done on Samsung Odyssey G7 LS28BG700EPXEN on
each of the above GPUs, at the following settings:
* 4K 60 Hz
* 1080p 60 Hz
* 1080p 144 Hz
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 645cc7863da5de700547d236697dffd6760cf051)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 21 +++--------
1 file changed, 6 insertions(+), 15 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
@@ -83,22 +83,13 @@ static const struct state_dependent_cloc
static int dce60_get_dp_ref_freq_khz(struct clk_mgr *clk_mgr_base)
{
struct clk_mgr_internal *clk_mgr = TO_CLK_MGR_INTERNAL(clk_mgr_base);
- int dprefclk_wdivider;
- int dp_ref_clk_khz;
- int target_div;
+ struct dc_context *ctx = clk_mgr_base->ctx;
+ int dp_ref_clk_khz = 0;
- /* DCE6 has no DPREFCLK_CNTL to read DP Reference Clock source */
-
- /* Read the mmDENTIST_DISPCLK_CNTL to get the currently
- * programmed DID DENTIST_DPREFCLK_WDIVIDER*/
- REG_GET(DENTIST_DISPCLK_CNTL, DENTIST_DPREFCLK_WDIVIDER, &dprefclk_wdivider);
-
- /* Convert DENTIST_DPREFCLK_WDIVIDERto actual divider*/
- target_div = dentist_get_divider_from_did(dprefclk_wdivider);
-
- /* Calculate the current DFS clock, in kHz.*/
- dp_ref_clk_khz = (DENTIST_DIVIDER_RANGE_SCALE_FACTOR
- * clk_mgr->base.dentist_vco_freq_khz) / target_div;
+ if (ASIC_REV_IS_TAHITI_P(ctx->asic_id.hw_internal_rev))
+ dp_ref_clk_khz = ctx->dc_bios->fw_info.default_display_engine_pll_frequency;
+ else
+ dp_ref_clk_khz = clk_mgr_base->clks.dispclk_khz;
return dce_adjust_dp_ref_freq_for_ss(clk_mgr, dp_ref_clk_khz);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 403/482] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 402/482] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 404/482] drm/amd/display: Fill display clock and vblank " Greg Kroah-Hartman
` (87 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 669f73a26f6112eedbadac53a2f2707ac6d0b9c8 upstream.
dce110_fill_display_configs is shared between DCE 6-11, and
finding the first CRTC and its line time is relevant to DCE 6 too.
Move the code to find it from DCE 11 specific code.
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4ab09785f8d5d03df052827af073d5c508ff5f63)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 30 ++++++----
1 file changed, 20 insertions(+), 10 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
@@ -120,9 +120,12 @@ void dce110_fill_display_configs(
const struct dc_state *context,
struct dm_pp_display_configuration *pp_display_cfg)
{
+ struct dc *dc = context->clk_mgr->ctx->dc;
int j;
int num_cfgs = 0;
+ pp_display_cfg->crtc_index = dc->res_pool->res_cap->num_timing_generator;
+
for (j = 0; j < context->stream_count; j++) {
int k;
@@ -164,6 +167,23 @@ void dce110_fill_display_configs(
cfg->v_refresh /= stream->timing.h_total;
cfg->v_refresh = (cfg->v_refresh + stream->timing.v_total / 2)
/ stream->timing.v_total;
+
+ /* Find first CRTC index and calculate its line time.
+ * This is necessary for DPM on SI GPUs.
+ */
+ if (cfg->pipe_idx < pp_display_cfg->crtc_index) {
+ const struct dc_crtc_timing *timing =
+ &context->streams[0]->timing;
+
+ pp_display_cfg->crtc_index = cfg->pipe_idx;
+ pp_display_cfg->line_time_in_us =
+ timing->h_total * 10000 / timing->pix_clk_100hz;
+ }
+ }
+
+ if (!num_cfgs) {
+ pp_display_cfg->crtc_index = 0;
+ pp_display_cfg->line_time_in_us = 0;
}
pp_display_cfg->display_count = num_cfgs;
@@ -232,16 +252,6 @@ void dce11_pplib_apply_display_requireme
dce110_fill_display_configs(context, pp_display_cfg);
- /* TODO: is this still applicable?*/
- if (pp_display_cfg->display_count == 1) {
- const struct dc_crtc_timing *timing =
- &context->streams[0]->timing;
-
- pp_display_cfg->crtc_index =
- pp_display_cfg->disp_configs[0].pipe_idx;
- pp_display_cfg->line_time_in_us = timing->h_total * 10000 / timing->pix_clk_100hz;
- }
-
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
dm_pp_apply_display_requirements(dc->ctx, pp_display_cfg);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 404/482] drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 403/482] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 405/482] smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() Greg Kroah-Hartman
` (86 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 7d07140d37f792f01cfdb8ca9a6a792ab1d29126 upstream.
Also needed by DCE 6.
This way the code that gathers this info can be shared between
different DCE versions and doesn't have to be repeated.
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8107432dff37db26fcb641b6cebeae8981cd73a0)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 2 --
drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 10 +++-------
drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 2 --
3 files changed, 3 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c
@@ -386,8 +386,6 @@ static void dce_pplib_apply_display_requ
{
struct dm_pp_display_configuration *pp_display_cfg = &context->pp_display_cfg;
- pp_display_cfg->avail_mclk_switch_time_us = dce110_get_min_vblank_time_us(context);
-
dce110_fill_display_configs(context, pp_display_cfg);
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
@@ -124,6 +124,9 @@ void dce110_fill_display_configs(
int j;
int num_cfgs = 0;
+ pp_display_cfg->avail_mclk_switch_time_us = dce110_get_min_vblank_time_us(context);
+ pp_display_cfg->disp_clk_khz = dc->clk_mgr->clks.dispclk_khz;
+ pp_display_cfg->avail_mclk_switch_time_in_disp_active_us = 0;
pp_display_cfg->crtc_index = dc->res_pool->res_cap->num_timing_generator;
for (j = 0; j < context->stream_count; j++) {
@@ -243,13 +246,6 @@ void dce11_pplib_apply_display_requireme
pp_display_cfg->min_engine_clock_deep_sleep_khz
= context->bw_ctx.bw.dce.sclk_deep_sleep_khz;
- pp_display_cfg->avail_mclk_switch_time_us =
- dce110_get_min_vblank_time_us(context);
- /* TODO: dce11.2*/
- pp_display_cfg->avail_mclk_switch_time_in_disp_active_us = 0;
-
- pp_display_cfg->disp_clk_khz = dc->clk_mgr->clks.dispclk_khz;
-
dce110_fill_display_configs(context, pp_display_cfg);
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
@@ -100,8 +100,6 @@ static void dce60_pplib_apply_display_re
{
struct dm_pp_display_configuration *pp_display_cfg = &context->pp_display_cfg;
- pp_display_cfg->avail_mclk_switch_time_us = dce110_get_min_vblank_time_us(context);
-
dce110_fill_display_configs(context, pp_display_cfg);
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 405/482] smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 404/482] drm/amd/display: Fill display clock and vblank " Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 406/482] fs/buffer: fix use-after-free when call bh_read() helper Greg Kroah-Hartman
` (85 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Tom Talpey, linux-cifs, samba-technical, Stefan Metzmacher,
Steve French, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit bac7b996d42e458a94578f4227795a0d4deef6fa ]
We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()!
Otherwise already existing connections try to use smb_direct_wq as
a NULL pointer.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/connection.c | 3 ++-
fs/smb/server/transport_rdma.c | 5 ++++-
fs/smb/server/transport_rdma.h | 4 +++-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index 09e1e7771592..92d8a0d898eb 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -436,7 +436,8 @@ void ksmbd_conn_transport_destroy(void)
{
mutex_lock(&init_lock);
ksmbd_tcp_destroy();
- ksmbd_rdma_destroy();
+ ksmbd_rdma_stop_listening();
stop_sessions();
+ ksmbd_rdma_destroy();
mutex_unlock(&init_lock);
}
diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
index 7d59ed6e1383..3006d76d8059 100644
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -2188,7 +2188,7 @@ int ksmbd_rdma_init(void)
return 0;
}
-void ksmbd_rdma_destroy(void)
+void ksmbd_rdma_stop_listening(void)
{
if (!smb_direct_listener.cm_id)
return;
@@ -2197,7 +2197,10 @@ void ksmbd_rdma_destroy(void)
rdma_destroy_id(smb_direct_listener.cm_id);
smb_direct_listener.cm_id = NULL;
+}
+void ksmbd_rdma_destroy(void)
+{
if (smb_direct_wq) {
destroy_workqueue(smb_direct_wq);
smb_direct_wq = NULL;
diff --git a/fs/smb/server/transport_rdma.h b/fs/smb/server/transport_rdma.h
index 77aee4e5c9dc..a2291b77488a 100644
--- a/fs/smb/server/transport_rdma.h
+++ b/fs/smb/server/transport_rdma.h
@@ -54,13 +54,15 @@ struct smb_direct_data_transfer {
#ifdef CONFIG_SMB_SERVER_SMBDIRECT
int ksmbd_rdma_init(void);
+void ksmbd_rdma_stop_listening(void);
void ksmbd_rdma_destroy(void);
bool ksmbd_rdma_capable_netdev(struct net_device *netdev);
void init_smbd_max_io_size(unsigned int sz);
unsigned int get_smbd_max_read_write_size(void);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
-static inline int ksmbd_rdma_destroy(void) { return 0; }
+static inline void ksmbd_rdma_stop_listening(void) { }
+static inline void ksmbd_rdma_destroy(void) { }
static inline bool ksmbd_rdma_capable_netdev(struct net_device *netdev) { return false; }
static inline void init_smbd_max_io_size(unsigned int sz) { }
static inline unsigned int get_smbd_max_read_write_size(void) { return 0; }
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 406/482] fs/buffer: fix use-after-free when call bh_read() helper
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 405/482] smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 407/482] use uniform permission checks for all mount propagation changes Greg Kroah-Hartman
` (84 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Matthew Wilcox (Oracle),
Christian Brauner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49 ]
There's issue as follows:
BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_address_description.constprop.0+0x2c/0x390
print_report+0xb4/0x270
kasan_report+0xb8/0xf0
end_buffer_read_sync+0xe3/0x110
end_bio_bh_io_sync+0x56/0x80
blk_update_request+0x30a/0x720
scsi_end_request+0x51/0x2b0
scsi_io_completion+0xe3/0x480
? scsi_device_unbusy+0x11e/0x160
blk_complete_reqs+0x7b/0x90
handle_softirqs+0xef/0x370
irq_exit_rcu+0xa5/0xd0
sysvec_apic_timer_interrupt+0x6e/0x90
</IRQ>
Above issue happens when do ntfs3 filesystem mount, issue may happens
as follows:
mount IRQ
ntfs_fill_super
read_cache_page
do_read_cache_folio
filemap_read_folio
mpage_read_folio
do_mpage_readpage
ntfs_get_block_vbo
bh_read
submit_bh
wait_on_buffer(bh);
blk_complete_reqs
scsi_io_completion
scsi_end_request
blk_update_request
end_bio_bh_io_sync
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
wait_on_buffer(bh);--> return will return to caller
put_bh
--> trigger stack-out-of-bounds
In the mpage_read_folio() function, the stack variable 'map_bh' is
passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and
wait_on_buffer() returns to continue processing, the stack variable
is likely to be reclaimed. Consequently, during the end_buffer_read_sync()
process, calling put_bh() may result in stack overrun.
If the bh is not allocated on the stack, it belongs to a folio. Freeing
a buffer head which belongs to a folio is done by drop_buffers() which
will fail to free buffers which are still locked. So it is safe to call
put_bh() before __end_buffer_read_notouch().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/20250811141830.343774-1-yebin@huaweicloud.com
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/buffer.c b/fs/buffer.c
index d9c6d1fbb6dd..3033a937e3a5 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -156,8 +156,8 @@ static void __end_buffer_read_notouch(struct buffer_head *bh, int uptodate)
*/
void end_buffer_read_sync(struct buffer_head *bh, int uptodate)
{
- __end_buffer_read_notouch(bh, uptodate);
put_bh(bh);
+ __end_buffer_read_notouch(bh, uptodate);
}
EXPORT_SYMBOL(end_buffer_read_sync);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 407/482] use uniform permission checks for all mount propagation changes
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 6.1 406/482] fs/buffer: fix use-after-free when call bh_read() helper Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 408/482] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Greg Kroah-Hartman
` (83 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrei Vagin, Pavel Tikhomirov,
Christian Brauner, Al Viro, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit cffd0441872e7f6b1fce5e78fb1c99187a291330 ]
do_change_type() and do_set_group() are operating on different
aspects of the same thing - propagation graph. The latter
asks for mounts involved to be mounted in namespace(s) the caller
has CAP_SYS_ADMIN for. The former is a mess - originally it
didn't even check that mount *is* mounted. That got fixed,
but the resulting check turns out to be too strict for userland -
in effect, we check that mount is in our namespace, having already
checked that we have CAP_SYS_ADMIN there.
What we really need (in both cases) is
* only touch mounts that are mounted. That's a must-have
constraint - data corruption happens if it get violated.
* don't allow to mess with a namespace unless you already
have enough permissions to do so (i.e. CAP_SYS_ADMIN in its userns).
That's an equivalent of what do_set_group() does; let's extract that
into a helper (may_change_propagation()) and use it in both
do_set_group() and do_change_type().
Fixes: 12f147ddd6de "do_change_type(): refuse to operate on unmounted/not ours mounts"
Acked-by: Andrei Vagin <avagin@gmail.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 34 ++++++++++++++++++++--------------
1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index f0fa2a1a6b05..2a76269f2a4e 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2340,6 +2340,19 @@ static int graft_tree(struct mount *mnt, struct mount *p, struct mountpoint *mp)
return attach_recursive_mnt(mnt, p, mp, false);
}
+static int may_change_propagation(const struct mount *m)
+{
+ struct mnt_namespace *ns = m->mnt_ns;
+
+ // it must be mounted in some namespace
+ if (IS_ERR_OR_NULL(ns)) // is_mounted()
+ return -EINVAL;
+ // and the caller must be admin in userns of that namespace
+ if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+ return -EPERM;
+ return 0;
+}
+
/*
* Sanity check the flags to change_mnt_propagation.
*/
@@ -2376,10 +2389,10 @@ static int do_change_type(struct path *path, int ms_flags)
return -EINVAL;
namespace_lock();
- if (!check_mnt(mnt)) {
- err = -EINVAL;
+ err = may_change_propagation(mnt);
+ if (err)
goto out_unlock;
- }
+
if (type == MS_SHARED) {
err = invent_group_ids(mnt, recurse);
if (err)
@@ -2774,18 +2787,11 @@ static int do_set_group(struct path *from_path, struct path *to_path)
namespace_lock();
- err = -EINVAL;
- /* To and From must be mounted */
- if (!is_mounted(&from->mnt))
- goto out;
- if (!is_mounted(&to->mnt))
- goto out;
-
- err = -EPERM;
- /* We should be allowed to modify mount namespaces of both mounts */
- if (!ns_capable(from->mnt_ns->user_ns, CAP_SYS_ADMIN))
+ err = may_change_propagation(from);
+ if (err)
goto out;
- if (!ns_capable(to->mnt_ns->user_ns, CAP_SYS_ADMIN))
+ err = may_change_propagation(to);
+ if (err)
goto out;
err = -EINVAL;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 408/482] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 407/482] use uniform permission checks for all mount propagation changes Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 409/482] ftrace: Also allocate and copy hash for reading of filter files Greg Kroah-Hartman
` (82 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavel Pisa, Jason Gunthorpe,
Marek Szyprowski, Xu Yilun
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yilun <yilun.xu@linux.intel.com>
commit 1ca61060de92a4320d73adfe5dc8d335653907ac upstream.
dma_map_sgtable() returns only 0 or the error code. Read sgt->nents to
get the number of mapped segments.
Fixes: 37e00703228a ("zynq_fpga: use sgtable-based scatterlist wrappers")
Reported-by: Pavel Pisa <pisa@fel.cvut.cz>
Closes: https://lore.kernel.org/linux-fpga/202508041548.22955.pisa@fel.cvut.cz/
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Tested-by: Pavel Pisa <pisa@fel.cvut.cz>
Link: https://lore.kernel.org/r/20250806070605.1920909-2-yilun.xu@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/zynq-fpga.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/fpga/zynq-fpga.c
+++ b/drivers/fpga/zynq-fpga.c
@@ -405,12 +405,12 @@ static int zynq_fpga_ops_write(struct fp
}
}
- priv->dma_nelms =
- dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
- if (priv->dma_nelms == 0) {
+ err = dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
+ if (err) {
dev_err(&mgr->dev, "Unable to DMA map (TO_DEVICE)\n");
- return -ENOMEM;
+ return err;
}
+ priv->dma_nelms = sgt->nents;
/* enable clock */
err = clk_enable(priv->clk);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 409/482] ftrace: Also allocate and copy hash for reading of filter files
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 408/482] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 410/482] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Greg Kroah-Hartman
` (81 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Nathan Chancellor, Linus Torvalds, Tengda Wu,
Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit bfb336cf97df7b37b2b2edec0f69773e06d11955 upstream.
Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds
the pointer to the global tracer hash to its iterator. Unlike the writer
that allocates a copy of the hash, the reader keeps the pointer to the
filter hashes. This is problematic because this pointer is static across
function calls that release the locks that can update the global tracer
hashes. This can cause UAF and similar bugs.
Allocate and copy the hash for reading the filter files like it is done
for the writers. This not only fixes UAF bugs, but also makes the code a
bit simpler as it doesn't have to differentiate when to free the
iterator's hash between writers and readers.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/20250822183606.12962cc3@batman.local.home
Fixes: c20489dad156 ("ftrace: Assign iter->hash to filter or notrace hashes on seq read")
Closes: https://lore.kernel.org/all/20250813023044.2121943-1-wutengda@huaweicloud.com/
Closes: https://lore.kernel.org/all/20250822192437.GA458494@ax162/
Reported-by: Tengda Wu <wutengda@huaweicloud.com>
Tested-by: Tengda Wu <wutengda@huaweicloud.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3934,13 +3934,17 @@ ftrace_regex_open(struct ftrace_ops *ops
} else {
iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
}
+ } else {
+ if (hash)
+ iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+ else
+ iter->hash = EMPTY_HASH;
+ }
- if (!iter->hash) {
- trace_parser_put(&iter->parser);
- goto out_unlock;
- }
- } else
- iter->hash = hash;
+ if (!iter->hash) {
+ trace_parser_put(&iter->parser);
+ goto out_unlock;
+ }
ret = 0;
@@ -6132,9 +6136,6 @@ int ftrace_regex_release(struct inode *i
ftrace_hash_move_and_update_ops(iter->ops, orig_hash,
iter->hash, filter_hash);
mutex_unlock(&ftrace_lock);
- } else {
- /* For read only, the hash is the ops hash */
- iter->hash = NULL;
}
mutex_unlock(&iter->ops->func_hash->regex_lock);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 410/482] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 409/482] ftrace: Also allocate and copy hash for reading of filter files Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 411/482] iio: proximity: isl29501: fix buffered read on big-endian systems Greg Kroah-Hartman
` (80 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salah Triki, David Lechner, Stable,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salah Triki <salah.triki@gmail.com>
commit 43c0f6456f801181a80b73d95def0e0fd134e1cc upstream.
`devm_gpiod_get_optional()` may return non-NULL error pointer on failure.
Check its return value using `IS_ERR()` and propagate the error if
necessary.
Fixes: df6e71256c84 ("iio: pressure: bmp280: Explicitly mark GPIO optional")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250818092740.545379-2-salah.triki@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/bmp280-core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -1740,11 +1740,12 @@ int bmp280_common_probe(struct device *d
/* Bring chip out of reset if there is an assigned GPIO line */
gpiod = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(gpiod))
+ return dev_err_probe(dev, PTR_ERR(gpiod), "failed to get reset GPIO\n");
+
/* Deassert the signal */
- if (gpiod) {
- dev_info(dev, "release reset\n");
- gpiod_set_value(gpiod, 0);
- }
+ dev_info(dev, "release reset\n");
+ gpiod_set_value(gpiod, 0);
data->regmap = regmap;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 411/482] iio: proximity: isl29501: fix buffered read on big-endian systems
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 410/482] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 412/482] most: core: Drop device reference after usage in get_channel() Greg Kroah-Hartman
` (79 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Lechner, Stable,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit de18e978d0cda23e4c102e18092b63a5b0b3a800 upstream.
Fix passing a u32 value as a u16 buffer scan item. This works on little-
endian systems, but not on big-endian systems.
A new local variable is introduced for getting the register value and
the array is changed to a struct to make the data layout more explicit
rather than just changing the type and having to recalculate the proper
length needed for the timestamp.
Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250722-iio-use-more-iio_declare_buffer_with_ts-7-v2-1-d3ebeb001ed3@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/proximity/isl29501.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/iio/proximity/isl29501.c
+++ b/drivers/iio/proximity/isl29501.c
@@ -938,12 +938,18 @@ static irqreturn_t isl29501_trigger_hand
struct iio_dev *indio_dev = pf->indio_dev;
struct isl29501_private *isl29501 = iio_priv(indio_dev);
const unsigned long *active_mask = indio_dev->active_scan_mask;
- u32 buffer[4] __aligned(8) = {}; /* 1x16-bit + naturally aligned ts */
+ u32 value;
+ struct {
+ u16 data;
+ aligned_s64 ts;
+ } scan = { };
- if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask))
- isl29501_register_read(isl29501, REG_DISTANCE, buffer);
+ if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) {
+ isl29501_register_read(isl29501, REG_DISTANCE, &value);
+ scan.data = value;
+ }
- iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp);
+ iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp);
iio_trigger_notify_done(indio_dev->trig);
return IRQ_HANDLED;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 412/482] most: core: Drop device reference after usage in get_channel()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 411/482] iio: proximity: isl29501: fix buffered read on big-endian systems Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 413/482] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Greg Kroah-Hartman
` (78 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit b47b493d6387ae437098112936f32be27f73516c upstream.
In get_channel(), the reference obtained by bus_find_device_by_name()
was dropped via put_device() before accessing the device's driver data
Move put_device() after usage to avoid potential issues.
Fixes: 2485055394be ("staging: most: core: drop device reference")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20250804082955.3621026-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/most/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/most/core.c
+++ b/drivers/most/core.c
@@ -538,8 +538,8 @@ static struct most_channel *get_channel(
dev = bus_find_device_by_name(&mostbus, NULL, mdev);
if (!dev)
return NULL;
- put_device(dev);
iface = dev_get_drvdata(dev);
+ put_device(dev);
list_for_each_entry_safe(c, tmp, &iface->p->channel_list, list) {
if (!strcmp(dev_name(&c->dev), mdev_ch))
return c;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 413/482] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 412/482] most: core: Drop device reference after usage in get_channel() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 414/482] comedi: Make insn_rw_emulate_bits() do insn->n samples Greg Kroah-Hartman
` (77 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miao Li, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miao Li <limiao@kylinos.cn>
commit e664036cf36480414936cd91f4cfa2179a3d8367 upstream.
Another SanDisk 3.2Gen1 Flash Drive also need DELAY_INIT quick,
or it will randomly work incorrectly on Huawei hisi platforms
when doing reboot test.
Signed-off-by: Miao Li <limiao@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250801082728.469406-1-limiao870622@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -371,6 +371,7 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM },
/* SanDisk Corp. SanDisk 3.2Gen1 */
+ { USB_DEVICE(0x0781, 0x5596), .driver_info = USB_QUIRK_DELAY_INIT },
{ USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT },
/* SanDisk Extreme 55AE */
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 414/482] comedi: Make insn_rw_emulate_bits() do insn->n samples
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 413/482] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 415/482] comedi: pcl726: Prevent invalid irq number Greg Kroah-Hartman
` (76 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 7afba9221f70d4cbce0f417c558879cba0eb5e66 upstream.
The `insn_rw_emulate_bits()` function is used as a default handler for
`INSN_READ` instructions for subdevices that have a handler for
`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default
handler for `INSN_WRITE` instructions for subdevices that have a handler
for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the
`INSN_READ` or `INSN_WRITE` instruction handling with a constructed
`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE`
instructions are supposed to be able read or write multiple samples,
indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently
only handles a single sample. For `INSN_READ`, the comedi core will
copy `insn->n` samples back to user-space. (That triggered KASAN
kernel-infoleak errors when `insn->n` was greater than 1, but that is
being fixed more generally elsewhere in the comedi core.)
Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return
an error, to conform to the general expectation for `INSN_READ` and
`INSN_WRITE` handlers.
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Cc: stable <stable@kernel.org> # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250725141034.87297-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
--- a/drivers/comedi/drivers.c
+++ b/drivers/comedi/drivers.c
@@ -619,11 +619,9 @@ static int insn_rw_emulate_bits(struct c
unsigned int chan = CR_CHAN(insn->chanspec);
unsigned int base_chan = (chan < 32) ? 0 : chan;
unsigned int _data[2];
+ unsigned int i;
int ret;
- if (insn->n == 0)
- return 0;
-
memset(_data, 0, sizeof(_data));
memset(&_insn, 0, sizeof(_insn));
_insn.insn = INSN_BITS;
@@ -634,18 +632,21 @@ static int insn_rw_emulate_bits(struct c
if (insn->insn == INSN_WRITE) {
if (!(s->subdev_flags & SDF_WRITABLE))
return -EINVAL;
- _data[0] = 1U << (chan - base_chan); /* mask */
- _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */
+ _data[0] = 1U << (chan - base_chan); /* mask */
}
+ for (i = 0; i < insn->n; i++) {
+ if (insn->insn == INSN_WRITE)
+ _data[1] = data[i] ? _data[0] : 0; /* bits */
+
+ ret = s->insn_bits(dev, s, &_insn, _data);
+ if (ret < 0)
+ return ret;
- ret = s->insn_bits(dev, s, &_insn, _data);
- if (ret < 0)
- return ret;
-
- if (insn->insn == INSN_READ)
- data[0] = (_data[1] >> (chan - base_chan)) & 1;
+ if (insn->insn == INSN_READ)
+ data[i] = (_data[1] >> (chan - base_chan)) & 1;
+ }
- return 1;
+ return insn->n;
}
static int __comedi_device_postconfig_async(struct comedi_device *dev,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 415/482] comedi: pcl726: Prevent invalid irq number
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 414/482] comedi: Make insn_rw_emulate_bits() do insn->n samples Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 416/482] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Greg Kroah-Hartman
` (75 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5cd373521edd68bebcb3,
Edward Adam Davis, Ian Abbott, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 96cb948408b3adb69df7e451ba7da9d21f814d00 upstream.
The reproducer passed in an irq number(0x80008000) that was too large,
which triggered the oob.
Added an interrupt number check to prevent users from passing in an irq
number that was too large.
If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid
because it shifts a 1-bit into the sign bit (which is UB in C).
Possible solutions include reducing the upper bound on the
`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.
The old code would just not attempt to request the IRQ if the
`options[1]` value were invalid. And it would still configure the
device without interrupts even if the call to `request_irq` returned an
error. So it would be better to combine this test with the test below.
Fixes: fff46207245c ("staging: comedi: pcl726: enable the interrupt support code")
Cc: stable <stable@kernel.org> # 5.13+
Reported-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5cd373521edd68bebcb3
Tested-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/tencent_3C66983CC1369E962436264A50759176BF09@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/pcl726.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/comedi/drivers/pcl726.c
+++ b/drivers/comedi/drivers/pcl726.c
@@ -328,7 +328,8 @@ static int pcl726_attach(struct comedi_d
* Hook up the external trigger source interrupt only if the
* user config option is valid and the board supports interrupts.
*/
- if (it->options[1] && (board->irq_mask & (1 << it->options[1]))) {
+ if (it->options[1] > 0 && it->options[1] < 16 &&
+ (board->irq_mask & (1U << it->options[1]))) {
ret = request_irq(it->options[1], pcl726_interrupt, 0,
dev->board_name, dev);
if (ret == 0) {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 416/482] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 415/482] comedi: pcl726: Prevent invalid irq number Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 417/482] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Greg Kroah-Hartman
` (74 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a5e45f768aab5892da5d,
syzbot+fb4362a104d45ab09cf9, Arnaud Lecomte, Ian Abbott, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 3cd212e895ca2d58963fdc6422502b10dd3966bb upstream.
syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel
buffer is allocated to hold `insn->n` samples (each of which is an
`unsigned int`). For some instruction types, `insn->n` samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole `insn->n` samples, so that there is
an information leak. There is a similar syzbot report for
`do_insnlist_ioctl()`, although it does not have a reproducer for it at
the time of writing.
One culprit is `insn_rw_emulate_bits()` which is used as the handler for
`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have
a specific handler for that instruction, but do have an `INSN_BITS`
handler. For `INSN_READ` it only fills in at most 1 sample, so if
`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied
to userspace will be uninitialized kernel data.
Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix
replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not
always necessary to clear the whole buffer.
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Reported-by: syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d
Reported-by: syzbot+fb4362a104d45ab09cf9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fb4362a104d45ab09cf9
Cc: stable <stable@kernel.org> # 5.13+
Cc: Arnaud Lecomte <contact@arnaud-lcm.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250725125324.80276-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1582,6 +1582,9 @@ static int do_insnlist_ioctl(struct come
memset(&data[n], 0, (MIN_SAMPLES - n) *
sizeof(unsigned int));
}
+ } else {
+ memset(data, 0, max_t(unsigned int, n, MIN_SAMPLES) *
+ sizeof(unsigned int));
}
ret = parse_insn(dev, insns + i, data, file);
if (ret < 0)
@@ -1665,6 +1668,8 @@ static int do_insn_ioctl(struct comedi_d
memset(&data[insn->n], 0,
(MIN_SAMPLES - insn->n) * sizeof(unsigned int));
}
+ } else {
+ memset(data, 0, n_data * sizeof(unsigned int));
}
ret = parse_insn(dev, insn, data, file);
if (ret < 0)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 417/482] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 416/482] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 418/482] usb: renesas-xhci: Fix External ROM access timeouts Greg Kroah-Hartman
` (73 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jun Li, Xu Yang, Alan Stern
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 8fe06185e11ae753414aa6117f0e798aa77567ff upstream.
The USB core will unmap urb->transfer_dma after SETUP stage completes.
Then the USB controller will access unmapped memory when it received
device descriptor. If iommu is equipped, the entire test can't be
completed due to the memory accessing is blocked.
Fix it by calling map_urb_for_dma() again for IN stage. To reduce
redundant map for urb->transfer_buffer, this will also set
URB_NO_TRANSFER_DMA_MAP flag before first map_urb_for_dma() to skip
dma map for urb->transfer_buffer and clear URB_NO_TRANSFER_DMA_MAP
flag before second map_urb_for_dma().
Fixes: 216e0e563d81 ("usb: core: hcd: use map_urb_for_dma for single step set feature urb")
Cc: stable <stable@kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250806083955.3325299-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hcd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -2177,7 +2177,7 @@ static struct urb *request_single_step_s
urb->complete = usb_ehset_completion;
urb->status = -EINPROGRESS;
urb->actual_length = 0;
- urb->transfer_flags = URB_DIR_IN;
+ urb->transfer_flags = URB_DIR_IN | URB_NO_TRANSFER_DMA_MAP;
usb_get_urb(urb);
atomic_inc(&urb->use_count);
atomic_inc(&urb->dev->urbnum);
@@ -2241,9 +2241,15 @@ int ehset_single_step_set_feature(struct
/* Complete remaining DATA and STATUS stages using the same URB */
urb->status = -EINPROGRESS;
+ urb->transfer_flags &= ~URB_NO_TRANSFER_DMA_MAP;
usb_get_urb(urb);
atomic_inc(&urb->use_count);
atomic_inc(&urb->dev->urbnum);
+ if (map_urb_for_dma(hcd, urb, GFP_KERNEL)) {
+ usb_put_urb(urb);
+ goto out1;
+ }
+
retval = hcd->driver->submit_single_step_set_feature(hcd, urb, 0);
if (!retval && !wait_for_completion_timeout(&done,
msecs_to_jiffies(2000))) {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 418/482] usb: renesas-xhci: Fix External ROM access timeouts
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 417/482] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 419/482] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Greg Kroah-Hartman
` (72 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Marek Vasut
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit f9420f4757752f056144896024d5ea89e5a611f1 upstream.
Increase the External ROM access timeouts to prevent failures during
programming of External SPI EEPROM chips. The current timeouts are
too short for some SPI EEPROMs used with uPD720201 controllers.
The current timeout for Chip Erase in renesas_rom_erase() is 100 ms ,
the current timeout for Sector Erase issued by the controller before
Page Program in renesas_fw_download_image() is also 100 ms. Neither
timeout is sufficient for e.g. the Macronix MX25L5121E or MX25V5126F.
MX25L5121E reference manual [1] page 35 section "ERASE AND PROGRAMMING
PERFORMANCE" and page 23 section "Table 8. AC CHARACTERISTICS (Temperature
= 0°C to 70°C for Commercial grade, VCC = 2.7V ~ 3.6V)" row "tCE" indicate
that the maximum time required for Chip Erase opcode to complete is 2 s,
and for Sector Erase it is 300 ms .
MX25V5126F reference manual [2] page 47 section "13. ERASE AND PROGRAMMING
PERFORMANCE (2.3V - 3.6V)" and page 42 section "Table 8. AC CHARACTERISTICS
(Temperature = -40°C to 85°C for Industrial grade, VCC = 2.3V - 3.6V)" row
"tCE" indicate that the maximum time required for Chip Erase opcode to
complete is 3.2 s, and for Sector Erase it is 400 ms .
Update the timeouts such, that Chip Erase timeout is set to 5 seconds,
and Sector Erase timeout is set to 500 ms. Such lengthy timeouts ought
to be sufficient for majority of SPI EEPROM chips.
[1] https://www.macronix.com/Lists/Datasheet/Attachments/8634/MX25L5121E,%203V,%20512Kb,%20v1.3.pdf
[2] https://www.macronix.com/Lists/Datasheet/Attachments/8750/MX25V5126F,%202.5V,%20512Kb,%20v1.1.pdf
Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201")
Cc: stable <stable@kernel.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Link: https://lore.kernel.org/r/20250802225526.25431-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci-renesas.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/host/xhci-pci-renesas.c
+++ b/drivers/usb/host/xhci-pci-renesas.c
@@ -47,8 +47,9 @@
#define RENESAS_ROM_ERASE_MAGIC 0x5A65726F
#define RENESAS_ROM_WRITE_MAGIC 0x53524F4D
-#define RENESAS_RETRY 10000
-#define RENESAS_DELAY 10
+#define RENESAS_RETRY 50000 /* 50000 * RENESAS_DELAY ~= 500ms */
+#define RENESAS_CHIP_ERASE_RETRY 500000 /* 500000 * RENESAS_DELAY ~= 5s */
+#define RENESAS_DELAY 10
static int renesas_fw_download_image(struct pci_dev *dev,
const u32 *fw, size_t step, bool rom)
@@ -405,7 +406,7 @@ static void renesas_rom_erase(struct pci
/* sleep a bit while ROM is erased */
msleep(20);
- for (i = 0; i < RENESAS_RETRY; i++) {
+ for (i = 0; i < RENESAS_CHIP_ERASE_RETRY; i++) {
retval = pci_read_config_byte(pdev, RENESAS_ROM_STATUS,
&status);
status &= RENESAS_ROM_STATUS_ERASE;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 419/482] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 418/482] usb: renesas-xhci: Fix External ROM access timeouts Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 420/482] usb: storage: realtek_cr: Use correct byte order for bcs->Residue Greg Kroah-Hartman
` (71 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mael GUERIN, stable, Alan Stern
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mael GUERIN <mael.guerin@murena.io>
commit 6ca8af3c8fb584f3424a827f554ff74f898c27cd upstream.
Add the US_FL_BULK_IGNORE_TAG quirk for Novatek NTK96550-based camera
to fix USB resets after sending SCSI vendor commands due to CBW and
CSW tags difference, leading to undesired slowness while communicating
with the device.
Please find below the copy of /sys/kernel/debug/usb/devices with my
device plugged in (listed as TechSys USB mass storage here, the
underlying chipset being the Novatek NTK96550-based camera):
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0603 ProdID=8611 Rev= 0.01
S: Manufacturer=TechSys
S: Product=USB Mass Storage
S: SerialNumber=966110000000100
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Mael GUERIN <mael.guerin@murena.io>
Cc: stable <stable@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250806164406.43450-1-mael.guerin@murena.io
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -934,6 +934,13 @@ UNUSUAL_DEV( 0x05e3, 0x0723, 0x9451, 0x
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_SANE_SENSE ),
+/* Added by Maël GUERIN <mael.guerin@murena.io> */
+UNUSUAL_DEV( 0x0603, 0x8611, 0x0000, 0xffff,
+ "Novatek",
+ "NTK96550-based camera",
+ USB_SC_SCSI, USB_PR_BULK, NULL,
+ US_FL_BULK_IGNORE_TAG ),
+
/*
* Reported by Hanno Boeck <hanno@gmx.de>
* Taken from the Lycoris Kernel
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 420/482] usb: storage: realtek_cr: Use correct byte order for bcs->Residue
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 419/482] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 421/482] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Greg Kroah-Hartman
` (70 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Thorsten Blum
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 98da66a70ad2396e5a508c4245367797ebc052ce upstream.
Since 'bcs->Residue' has the data type '__le32', convert it to the
correct byte order of the CPU using this driver when assigning it to
the local variable 'residue'.
Cc: stable <stable@kernel.org>
Fixes: 50a6cb932d5c ("USB: usb_storage: add ums-realtek driver")
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://lore.kernel.org/r/20250813145247.184717-3-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/realtek_cr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -252,7 +252,7 @@ static int rts51x_bulk_transport(struct
return USB_STOR_TRANSPORT_ERROR;
}
- residue = bcs->Residue;
+ residue = le32_to_cpu(bcs->Residue);
if (bcs->Tag != us->tag)
return USB_STOR_TRANSPORT_ERROR;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 421/482] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 420/482] usb: storage: realtek_cr: Use correct byte order for bcs->Residue Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 422/482] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Greg Kroah-Hartman
` (69 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zenm Chen, Alan Stern
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
commit a3dc32c635bae0ae569f489e00de0e8f015bfc25 upstream.
Many Realtek USB Wi-Fi dongles released in recent years have two modes:
one is driver CD mode which has Windows driver onboard, another one is
Wi-Fi mode. Add the US_FL_IGNORE_DEVICE quirk for these multi-mode devices.
Otherwise, usb_modeswitch may fail to switch them to Wi-Fi mode.
Currently there are only two USB IDs known to be used by these multi-mode
Wi-Fi dongles: 0bda:1a2b and 0bda:a192.
Information about Mercury MW310UH in /sys/kernel/debug/usb/devices.
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 12 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0bda ProdID=a192 Rev= 2.00
S: Manufacturer=Realtek
S: Product=DISK
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Information about D-Link AX9U rev. A1 in /sys/kernel/debug/usb/devices.
T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 55 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0bda ProdID=1a2b Rev= 0.00
S: Manufacturer=Realtek
S: Product=DISK
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable <stable@kernel.org>
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250813162415.2630-1-zenmchen@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_devs.h | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1501,6 +1501,28 @@ UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_WP_DETECT ),
+/*
+ * Reported by Zenm Chen <zenmchen@gmail.com>
+ * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch
+ * the device into Wi-Fi mode.
+ */
+UNUSUAL_DEV( 0x0bda, 0x1a2b, 0x0000, 0xffff,
+ "Realtek",
+ "DISK",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_DEVICE ),
+
+/*
+ * Reported by Zenm Chen <zenmchen@gmail.com>
+ * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch
+ * the device into Wi-Fi mode.
+ */
+UNUSUAL_DEV( 0x0bda, 0xa192, 0x0000, 0xffff,
+ "Realtek",
+ "DISK",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_DEVICE ),
+
UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999,
"Maxtor",
"USB to SATA",
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 422/482] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 421/482] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 423/482] usb: dwc3: Remove WARN_ON for device endpoint command timeouts Greg Kroah-Hartman
` (68 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai, Thinh Nguyen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 58577118cc7cec9eb7c1836bf88f865ff2c5e3a3 upstream.
During a device-initiated disconnect, the End Transfer command resets
the event filter, allowing a new xferNotReady event to be generated
before the controller is fully halted. Processing this late event
incorrectly triggers a Start Transfer, which prevents the controller
from halting and results in a DSTS.DEVCTLHLT bit polling timeout.
Ignore the late xferNotReady event if the controller is already in a
disconnected state.
Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20250807090700.2397190-1-khtsai@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3590,6 +3590,15 @@ static void dwc3_gadget_endpoint_transfe
static void dwc3_gadget_endpoint_transfer_not_ready(struct dwc3_ep *dep,
const struct dwc3_event_depevt *event)
{
+ /*
+ * During a device-initiated disconnect, a late xferNotReady event can
+ * be generated after the End Transfer command resets the event filter,
+ * but before the controller is halted. Ignore it to prevent a new
+ * transfer from starting.
+ */
+ if (!dep->dwc->connected)
+ return;
+
dwc3_gadget_endpoint_frame_from_event(dep, event);
/*
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 423/482] usb: dwc3: Remove WARN_ON for device endpoint command timeouts
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 422/482] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 424/482] arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support Greg Kroah-Hartman
` (67 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Akash M, Selvarasu Ganesan,
Thinh Nguyen, Sebastian Andrzej Siewior
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Selvarasu Ganesan <selvarasu.g@samsung.com>
commit 45eae113dccaf8e502090ecf5b3d9e9b805add6f upstream.
This commit addresses a rarely observed endpoint command timeout
which causes kernel panic due to warn when 'panic_on_warn' is enabled
and unnecessary call trace prints when 'panic_on_warn' is disabled.
It is seen during fast software-controlled connect/disconnect testcases.
The following is one such endpoint command timeout that we observed:
1. Connect
=======
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd
2. Disconnect
==========
->dwc3_thread_interrupt
->dwc3_gadget_disconnect_interrupt
->dwc3_ep0_reset_state
->dwc3_ep0_end_control_data
->dwc3_send_gadget_ep_cmd
In the issue scenario, in Exynos platforms, we observed that control
transfers for the previous connect have not yet been completed and end
transfer command sent as a part of the disconnect sequence and
processing of USB_ENDPOINT_HALT feature request from the host timeout.
This maybe an expected scenario since the controller is processing EP
commands sent as a part of the previous connect. It maybe better to
remove WARN_ON in all places where device endpoint commands are sent to
avoid unnecessary kernel panic due to warn.
Cc: stable <stable@kernel.org>
Co-developed-by: Akash M <akash.m5@samsung.com>
Signed-off-by: Akash M <akash.m5@samsung.com>
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/20250808125315.1607-1-selvarasu.g@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/ep0.c | 20 ++++++++++++++++----
drivers/usb/dwc3/gadget.c | 10 ++++++++--
2 files changed, 24 insertions(+), 6 deletions(-)
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -286,7 +286,9 @@ void dwc3_ep0_out_start(struct dwc3 *dwc
dwc3_ep0_prepare_one_trb(dep, dwc->ep0_trb_addr, 8,
DWC3_TRBCTL_CONTROL_SETUP, false);
ret = dwc3_ep0_start_trans(dep);
- WARN_ON(ret < 0);
+ if (ret < 0)
+ dev_err(dwc->dev, "ep0 out start transfer failed: %d\n", ret);
+
for (i = 2; i < DWC3_ENDPOINTS_NUM; i++) {
struct dwc3_ep *dwc3_ep;
@@ -1058,7 +1060,9 @@ static void __dwc3_ep0_do_control_data(s
ret = dwc3_ep0_start_trans(dep);
}
- WARN_ON(ret < 0);
+ if (ret < 0)
+ dev_err(dwc->dev,
+ "ep0 data phase start transfer failed: %d\n", ret);
}
static int dwc3_ep0_start_control_status(struct dwc3_ep *dep)
@@ -1075,7 +1079,12 @@ static int dwc3_ep0_start_control_status
static void __dwc3_ep0_do_control_status(struct dwc3 *dwc, struct dwc3_ep *dep)
{
- WARN_ON(dwc3_ep0_start_control_status(dep));
+ int ret;
+
+ ret = dwc3_ep0_start_control_status(dep);
+ if (ret)
+ dev_err(dwc->dev,
+ "ep0 status phase start transfer failed: %d\n", ret);
}
static void dwc3_ep0_do_control_status(struct dwc3 *dwc,
@@ -1118,7 +1127,10 @@ void dwc3_ep0_end_control_data(struct dw
cmd |= DWC3_DEPCMD_PARAM(dep->resource_index);
memset(¶ms, 0, sizeof(params));
ret = dwc3_send_gadget_ep_cmd(dep, cmd, ¶ms);
- WARN_ON_ONCE(ret);
+ if (ret)
+ dev_err_ratelimited(dwc->dev,
+ "ep0 data phase end transfer failed: %d\n", ret);
+
dep->resource_index = 0;
}
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1724,7 +1724,11 @@ static int __dwc3_stop_active_transfer(s
dep->flags |= DWC3_EP_DELAY_STOP;
return 0;
}
- WARN_ON_ONCE(ret);
+
+ if (ret)
+ dev_err_ratelimited(dep->dwc->dev,
+ "end transfer failed: %d\n", ret);
+
dep->resource_index = 0;
if (!interrupt)
@@ -3897,7 +3901,9 @@ static void dwc3_clear_stall_all_ep(stru
dep->flags &= ~DWC3_EP_STALL;
ret = dwc3_send_clear_stall_ep_cmd(dep);
- WARN_ON_ONCE(ret);
+ if (ret)
+ dev_err_ratelimited(dwc->dev,
+ "failed to clear STALL on %s\n", dep->name);
}
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 424/482] arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 423/482] usb: dwc3: Remove WARN_ON for device endpoint command timeouts Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 425/482] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Greg Kroah-Hartman
` (66 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Vignesh Raghavendra,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit 265f70af805f33a0dfc90f50cc0f116f702c3811 ]
For eMMC, High Speed DDR mode is not supported [0], so remove
mmc-ddr-1_8v flag which adds the capability.
[0] https://www.ti.com/lit/gpn/am625
Fixes: c37c58fdeb8a ("arm64: dts: ti: k3-am62: Add more peripheral nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Judith Mendez <jm@ti.com>
Link: https://lore.kernel.org/r/20250707191250.3953990-1-jm@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
[ adapted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 1 -
1 file changed, 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-am62-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am62-main.dtsi
@@ -386,7 +386,6 @@
clock-names = "clk_ahb", "clk_xin";
assigned-clocks = <&k3_clks 57 6>;
assigned-clock-parents = <&k3_clks 57 8>;
- mmc-ddr-1_8v;
mmc-hs200-1_8v;
ti,trm-icp = <0x2>;
bus-width = <8>;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 425/482] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 424/482] arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 426/482] ext4: preserve SB_I_VERSION on remount Greg Kroah-Hartman
` (65 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, André Draszik, Bart Van Assche,
Peter Griffin, Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: André Draszik <andre.draszik@linaro.org>
[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ]
On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
and in this case the driver ends up programming the UTRL_NEXUS_TYPE
incorrectly as 0.
This is because the left hand side of the shift is 1, which is of type
int, i.e. 31 bits wide. Shifting by more than that width results in
undefined behaviour.
Fix this by switching to the BIT() macro, which applies correct type
casting as required. This ensures the correct value is written to
UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
warning:
UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
shift exponent 32 is too large for 32-bit type 'int'
For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
write.
Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
Cc: stable@vger.kernel.org
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ Adapted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/host/ufs-exynos.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/ufs/host/ufs-exynos.c
+++ b/drivers/ufs/host/ufs-exynos.c
@@ -1028,8 +1028,8 @@ static int exynos_ufs_post_link(struct u
hci_writel(ufs, 0xa, HCI_DATA_REORDER);
hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE);
hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE);
- hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
- hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
+ hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
+ hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN);
if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 426/482] ext4: preserve SB_I_VERSION on remount
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 425/482] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 427/482] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Greg Kroah-Hartman
` (64 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit f2326fd14a224e4cccbab89e14c52279ff79b7ec ]
IMA testing revealed that after an ext4 remount, file accesses triggered
full measurements even without modifications, instead of skipping as
expected when i_version is unchanged.
Debugging showed `SB_I_VERSION` was cleared in reconfigure_super() during
remount due to commit 1ff20307393e ("ext4: unconditionally enable the
i_version counter") removing the fix from commit 960e0ab63b2e ("ext4: fix
i_version handling on remount").
To rectify this, `SB_I_VERSION` is always set for `fc->sb_flags` in
ext4_init_fs_context(), instead of `sb->s_flags` in __ext4_fill_super(),
ensuring it persists across all mounts.
Cc: stable@kernel.org
Fixes: 1ff20307393e ("ext4: unconditionally enable the i_version counter")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250703073903.6952-2-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1937,6 +1937,9 @@ int ext4_init_fs_context(struct fs_conte
fc->fs_private = ctx;
fc->ops = &ext4_context_ops;
+ /* i_version is always enabled now */
+ fc->sb_flags |= SB_I_VERSION;
+
return 0;
}
@@ -5113,9 +5116,6 @@ static int __ext4_fill_super(struct fs_c
sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
(test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0);
- /* i_version is always enabled now */
- sb->s_flags |= SB_I_VERSION;
-
if (ext4_check_feature_compatibility(sb, es, silent))
goto failed_mount;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 427/482] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 426/482] ext4: preserve SB_I_VERSION on remount Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 428/482] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Greg Kroah-Hartman
` (63 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit 6853885b21cb1d7157cc14c9d30cc17141565bae ]
The volatile qualifier is redundant for __iomem pointers.
Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per
Upstream compliance.
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: c91e140c82eb ("scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 2 +-
drivers/scsi/mpi3mr/mpi3mr_fw.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -1035,7 +1035,7 @@ struct mpi3mr_ioc {
char name[MPI3MR_NAME_LENGTH];
char driver_name[MPI3MR_NAME_LENGTH];
- volatile struct mpi3_sysif_registers __iomem *sysif_regs;
+ struct mpi3_sysif_registers __iomem *sysif_regs;
resource_size_t sysif_regs_phys;
int bars;
u64 dma_mask;
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -23,12 +23,12 @@ module_param(poll_queues, int, 0444);
MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
#if defined(writeq) && defined(CONFIG_64BIT)
-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
{
writeq(b, addr);
}
#else
-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
{
__u64 data_out = b;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 428/482] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 427/482] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 429/482] PCI: rockchip: Use standard PCIe definitions Greg Kroah-Hartman
` (62 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit c91e140c82eb58724c435f623702e51cc7896646 ]
On 32-bit systems, 64-bit BAR writes to admin queue registers are
performed as two 32-bit writes. Without locking, this can cause partial
writes when accessed concurrently.
Updated per-queue spinlocks is used to serialize these writes and prevent
race conditions.
Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
Cc: stable@vger.kernel.org
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 4 ++++
drivers/scsi/mpi3mr/mpi3mr_fw.c | 15 +++++++++++----
drivers/scsi/mpi3mr/mpi3mr_os.c | 2 ++
3 files changed, 17 insertions(+), 4 deletions(-)
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -1005,6 +1005,8 @@ struct scmd_priv {
* @logdata_buf: Circular buffer to store log data entries
* @logdata_buf_idx: Index of entry in buffer to store
* @logdata_entry_sz: log data entry size
+ * @adm_req_q_bar_writeq_lock: Admin request queue lock
+ * @adm_reply_q_bar_writeq_lock: Admin reply queue lock
* @pend_large_data_sz: Counter to track pending large data
* @io_throttle_data_length: I/O size to track in 512b blocks
* @io_throttle_high: I/O size to start throttle in 512b blocks
@@ -1186,6 +1188,8 @@ struct mpi3mr_ioc {
u8 *logdata_buf;
u16 logdata_buf_idx;
u16 logdata_entry_sz;
+ spinlock_t adm_req_q_bar_writeq_lock;
+ spinlock_t adm_reply_q_bar_writeq_lock;
atomic_t pend_large_data_sz;
u32 io_throttle_data_length;
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -23,17 +23,22 @@ module_param(poll_queues, int, 0444);
MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
#if defined(writeq) && defined(CONFIG_64BIT)
-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
+ spinlock_t *write_queue_lock)
{
writeq(b, addr);
}
#else
-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
+ spinlock_t *write_queue_lock)
{
__u64 data_out = b;
+ unsigned long flags;
+ spin_lock_irqsave(write_queue_lock, flags);
writel((u32)(data_out), addr);
writel((u32)(data_out >> 32), (addr + 4));
+ spin_unlock_irqrestore(write_queue_lock, flags);
}
#endif
@@ -2662,9 +2667,11 @@ static int mpi3mr_setup_admin_qpair(stru
(mrioc->num_admin_req);
writel(num_admin_entries, &mrioc->sysif_regs->admin_queue_num_entries);
mpi3mr_writeq(mrioc->admin_req_dma,
- &mrioc->sysif_regs->admin_request_queue_address);
+ &mrioc->sysif_regs->admin_request_queue_address,
+ &mrioc->adm_req_q_bar_writeq_lock);
mpi3mr_writeq(mrioc->admin_reply_dma,
- &mrioc->sysif_regs->admin_reply_queue_address);
+ &mrioc->sysif_regs->admin_reply_queue_address,
+ &mrioc->adm_reply_q_bar_writeq_lock);
writel(mrioc->admin_req_pi, &mrioc->sysif_regs->admin_request_queue_pi);
writel(mrioc->admin_reply_ci, &mrioc->sysif_regs->admin_reply_queue_ci);
return retval;
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -4966,6 +4966,8 @@ mpi3mr_probe(struct pci_dev *pdev, const
spin_lock_init(&mrioc->tgtdev_lock);
spin_lock_init(&mrioc->watchdog_lock);
spin_lock_init(&mrioc->chain_buf_lock);
+ spin_lock_init(&mrioc->adm_req_q_bar_writeq_lock);
+ spin_lock_init(&mrioc->adm_reply_q_bar_writeq_lock);
spin_lock_init(&mrioc->sas_node_lock);
INIT_LIST_HEAD(&mrioc->fwevt_list);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 429/482] PCI: rockchip: Use standard PCIe definitions
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 428/482] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 430/482] PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining Greg Kroah-Hartman
` (61 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Geraldo Nascimento,
Manivannan Sadhasivam, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geraldo Nascimento <geraldogabriel@gmail.com>
[ Upstream commit cbbfe9f683f0f9b6a1da2eaa53b995a4b5961086 ]
Current code uses custom-defined register offsets and bitfields for the
standard PCIe registers. This creates duplication as the PCI header already
defines them. So, switch to using the standard PCIe definitions and drop
the custom ones.
Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
[mani: commit message rewording]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: include bitfield.h]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/e81700ef4b49f584bc8834bfb07b6d8995fc1f42.1751322015.git.geraldogabriel@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-rockchip-host.c | 45 ++++++++++++++--------------
drivers/pci/controller/pcie-rockchip.h | 11 ------
2 files changed, 24 insertions(+), 32 deletions(-)
--- a/drivers/pci/controller/pcie-rockchip-host.c
+++ b/drivers/pci/controller/pcie-rockchip-host.c
@@ -11,6 +11,7 @@
* ARM PCI Host generic driver.
*/
+#include <linux/bitfield.h>
#include <linux/bitrev.h>
#include <linux/clk.h>
#include <linux/delay.h>
@@ -43,18 +44,18 @@ static void rockchip_pcie_enable_bw_int(
{
u32 status;
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
status |= (PCI_EXP_LNKCTL_LBMIE | PCI_EXP_LNKCTL_LABIE);
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
}
static void rockchip_pcie_clr_bw_int(struct rockchip_pcie *rockchip)
{
u32 status;
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
status |= (PCI_EXP_LNKSTA_LBMS | PCI_EXP_LNKSTA_LABS) << 16;
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
}
static void rockchip_pcie_update_txcredit_mui(struct rockchip_pcie *rockchip)
@@ -272,7 +273,7 @@ static void rockchip_pcie_set_power_limi
scale = 3; /* 0.001x */
curr = curr / 1000; /* convert to mA */
power = (curr * 3300) / 1000; /* milliwatt */
- while (power > PCIE_RC_CONFIG_DCR_CSPL_LIMIT) {
+ while (power > FIELD_MAX(PCI_EXP_DEVCAP_PWR_VAL)) {
if (!scale) {
dev_warn(rockchip->dev, "invalid power supply\n");
return;
@@ -281,10 +282,10 @@ static void rockchip_pcie_set_power_limi
power = power / 10;
}
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_DCR);
- status |= (power << PCIE_RC_CONFIG_DCR_CSPL_SHIFT) |
- (scale << PCIE_RC_CONFIG_DCR_CPLS_SHIFT);
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_DCR);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCAP);
+ status |= FIELD_PREP(PCI_EXP_DEVCAP_PWR_VAL, power);
+ status |= FIELD_PREP(PCI_EXP_DEVCAP_PWR_SCL, scale);
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCAP);
}
/**
@@ -312,14 +313,14 @@ static int rockchip_pcie_host_init_port(
rockchip_pcie_set_power_limit(rockchip);
/* Set RC's clock architecture as common clock */
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
status |= PCI_EXP_LNKSTA_SLC << 16;
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
/* Set RC's RCB to 128 */
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
status |= PCI_EXP_LNKCTL_RCB;
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
/* Enable Gen1 training */
rockchip_pcie_write(rockchip, PCIE_CLIENT_LINK_TRAIN_ENABLE,
@@ -341,9 +342,9 @@ static int rockchip_pcie_host_init_port(
* Enable retrain for gen2. This should be configured only after
* gen1 finished.
*/
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
status |= PCI_EXP_LNKCTL_RL;
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
err = readl_poll_timeout(rockchip->apb_base + PCIE_CORE_CTRL,
status, PCIE_LINK_IS_GEN2(status), 20,
@@ -380,15 +381,15 @@ static int rockchip_pcie_host_init_port(
/* Clear L0s from RC's link cap */
if (of_property_read_bool(dev->of_node, "aspm-no-l0s")) {
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LINK_CAP);
- status &= ~PCIE_RC_CONFIG_LINK_CAP_L0S;
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LINK_CAP);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCAP);
+ status &= ~PCI_EXP_LNKCAP_ASPM_L0S;
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCAP);
}
- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_DCSR);
- status &= ~PCIE_RC_CONFIG_DCSR_MPS_MASK;
- status |= PCIE_RC_CONFIG_DCSR_MPS_256;
- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_DCSR);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCTL);
+ status &= ~PCI_EXP_DEVCTL_PAYLOAD;
+ status |= PCI_EXP_DEVCTL_PAYLOAD_256B;
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCTL);
return 0;
err_power_off_phy:
--- a/drivers/pci/controller/pcie-rockchip.h
+++ b/drivers/pci/controller/pcie-rockchip.h
@@ -144,16 +144,7 @@
#define PCIE_EP_CONFIG_BASE 0xa00000
#define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00)
#define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08)
-#define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4)
-#define PCIE_RC_CONFIG_DCR_CSPL_SHIFT 18
-#define PCIE_RC_CONFIG_DCR_CSPL_LIMIT 0xff
-#define PCIE_RC_CONFIG_DCR_CPLS_SHIFT 26
-#define PCIE_RC_CONFIG_DCSR (PCIE_RC_CONFIG_BASE + 0xc8)
-#define PCIE_RC_CONFIG_DCSR_MPS_MASK GENMASK(7, 5)
-#define PCIE_RC_CONFIG_DCSR_MPS_256 (0x1 << 5)
-#define PCIE_RC_CONFIG_LINK_CAP (PCIE_RC_CONFIG_BASE + 0xcc)
-#define PCIE_RC_CONFIG_LINK_CAP_L0S BIT(10)
-#define PCIE_RC_CONFIG_LCS (PCIE_RC_CONFIG_BASE + 0xd0)
+#define PCIE_RC_CONFIG_CR (PCIE_RC_CONFIG_BASE + 0xc0)
#define PCIE_RC_CONFIG_L1_SUBSTATE_CTRL2 (PCIE_RC_CONFIG_BASE + 0x90c)
#define PCIE_RC_CONFIG_THP_CAP (PCIE_RC_CONFIG_BASE + 0x274)
#define PCIE_RC_CONFIG_THP_CAP_NEXT_MASK GENMASK(31, 20)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 430/482] PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 429/482] PCI: rockchip: Use standard PCIe definitions Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 431/482] soc: qcom: mdt_loader: Enhance split binary detection Greg Kroah-Hartman
` (60 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geraldo Nascimento,
Manivannan Sadhasivam, Bjorn Helgaas, Robin Murphy, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geraldo Nascimento <geraldogabriel@gmail.com>
[ Upstream commit 114b06ee108cabc82b995fbac6672230a9776936 ]
Rockchip controllers can support up to 5.0 GT/s link speed. But the driver
doesn't set the Target Link Speed currently. This may cause failure in
retraining the link to 5.0 GT/s if supported by the endpoint. So set the
Target Link Speed to 5.0 GT/s in the Link Control and Status Register 2.
Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
[mani: fixed whitespace warning, commit message rewording, added fixes tag]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Robin Murphy <robin.murphy@arm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/0afa6bc47b7f50e2e81b0b47d51c66feb0fb565f.1751322015.git.geraldogabriel@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-rockchip-host.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/pci/controller/pcie-rockchip-host.c
+++ b/drivers/pci/controller/pcie-rockchip-host.c
@@ -342,6 +342,10 @@ static int rockchip_pcie_host_init_port(
* Enable retrain for gen2. This should be configured only after
* gen1 finished.
*/
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL2);
+ status &= ~PCI_EXP_LNKCTL2_TLS;
+ status |= PCI_EXP_LNKCTL2_TLS_5_0GT;
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL2);
status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
status |= PCI_EXP_LNKCTL_RL;
rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 431/482] soc: qcom: mdt_loader: Enhance split binary detection
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 430/482] PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 432/482] soc: qcom: mdt_loader: Ensure we dont read past the ELF header Greg Kroah-Hartman
` (59 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Melody Olvera,
Gokul krishna Krishnakumar, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
[ Upstream commit 210d12c8197a551caa2979be421aa42381156aec ]
It may be that the offset of the first program header lies inside the mdt's
filesize, in this case the loader would incorrectly assume that the bins
were not split and in this scenario the firmware authentication fails.
This change updates the logic used by the mdt loader to understand whether
the firmware images are split or not. It figures this out by checking if
each programs header's segment lies within the file or not.
Co-developed-by: Melody Olvera <quic_molvera@quicinc.com>
Signed-off-by: Melody Olvera <quic_molvera@quicinc.com>
Signed-off-by: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20230509001821.24010-1-quic_gokukris@quicinc.com
Stable-dep-of: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/mdt_loader.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -264,6 +264,26 @@ out:
}
EXPORT_SYMBOL_GPL(qcom_mdt_pas_init);
+static bool qcom_mdt_bins_are_split(const struct firmware *fw, const char *fw_name)
+{
+ const struct elf32_phdr *phdrs;
+ const struct elf32_hdr *ehdr;
+ uint64_t seg_start, seg_end;
+ int i;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+ for (i = 0; i < ehdr->e_phnum; i++) {
+ seg_start = phdrs[i].p_offset;
+ seg_end = phdrs[i].p_offset + phdrs[i].p_filesz;
+ if (seg_start > fw->size || seg_end > fw->size)
+ return true;
+ }
+
+ return false;
+}
+
static int __qcom_mdt_load(struct device *dev, const struct firmware *fw,
const char *fw_name, int pas_id, void *mem_region,
phys_addr_t mem_phys, size_t mem_size,
@@ -276,6 +296,7 @@ static int __qcom_mdt_load(struct device
phys_addr_t min_addr = PHYS_ADDR_MAX;
ssize_t offset;
bool relocate = false;
+ bool is_split;
void *ptr;
int ret = 0;
int i;
@@ -283,6 +304,7 @@ static int __qcom_mdt_load(struct device
if (!fw || !mem_region || !mem_phys || !mem_size)
return -EINVAL;
+ is_split = qcom_mdt_bins_are_split(fw, fw_name);
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
@@ -336,8 +358,7 @@ static int __qcom_mdt_load(struct device
ptr = mem_region + offset;
- if (phdr->p_filesz && phdr->p_offset < fw->size &&
- phdr->p_offset + phdr->p_filesz <= fw->size) {
+ if (phdr->p_filesz && !is_split) {
/* Firmware is large enough to be non-split */
if (phdr->p_offset + phdr->p_filesz > fw->size) {
dev_err(dev, "file %s segment %d would be truncated\n",
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 432/482] soc: qcom: mdt_loader: Ensure we dont read past the ELF header
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 431/482] soc: qcom: mdt_loader: Enhance split binary detection Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 433/482] f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio Greg Kroah-Hartman
` (58 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Anderson, Bjorn Andersson,
Dmitry Baryshkov, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
When the MDT loader is used in remoteproc, the ELF header is sanitized
beforehand, but that's not necessary the case for other clients.
Validate the size of the firmware buffer to ensure that we don't read
past the end as we iterate over the header. e_phentsize and e_shentsize
are validated as well, to ensure that the assumptions about step size in
the traversal are valid.
Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
Cc: stable@vger.kernel.org
Reported-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/mdt_loader.c | 43 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -17,6 +17,37 @@
#include <linux/slab.h>
#include <linux/soc/qcom/mdt_loader.h>
+static bool mdt_header_valid(const struct firmware *fw)
+{
+ const struct elf32_hdr *ehdr;
+ size_t phend;
+ size_t shend;
+
+ if (fw->size < sizeof(*ehdr))
+ return false;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+
+ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
+ return false;
+
+ if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
+ return -EINVAL;
+
+ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
+ if (phend > fw->size)
+ return false;
+
+ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+ return -EINVAL;
+
+ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+ if (shend > fw->size)
+ return false;
+
+ return true;
+}
+
static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
{
if (phdr->p_type != PT_LOAD)
@@ -84,6 +115,9 @@ ssize_t qcom_mdt_get_size(const struct f
phys_addr_t max_addr = 0;
int i;
+ if (!mdt_header_valid(fw))
+ return -EINVAL;
+
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
@@ -136,6 +170,9 @@ void *qcom_mdt_read_metadata(const struc
ssize_t ret;
void *data;
+ if (!mdt_header_valid(fw))
+ return ERR_PTR(-EINVAL);
+
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
@@ -216,6 +253,9 @@ int qcom_mdt_pas_init(struct device *dev
int ret;
int i;
+ if (!mdt_header_valid(fw))
+ return -EINVAL;
+
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
@@ -304,6 +344,9 @@ static int __qcom_mdt_load(struct device
if (!fw || !mem_region || !mem_phys || !mem_size)
return -EINVAL;
+ if (!mdt_header_valid(fw))
+ return -EINVAL;
+
is_split = qcom_mdt_bins_are_split(fw, fw_name);
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 433/482] f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 432/482] soc: qcom: mdt_loader: Ensure we dont read past the ELF header Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 434/482] f2fs: fix to avoid out-of-boundary access in dnode page Greg Kroah-Hartman
` (57 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 6779b5db90c5b925293f7ccc5ed5336c5b24ed50 ]
b763f3bedc2d ("f2fs: restructure f2fs page.private layout") missed
to call clear_page_private_reference() in .{release,invalid}_folio,
fix it, though it's not a big deal since folio_detach_private() was
called to clear all privae info and reference count in the page.
BTW, remove page_private_reference() definition as it never be used.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 77de19b6867f ("f2fs: fix to avoid out-of-boundary access in dnode page")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 2 ++
fs/f2fs/f2fs.h | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3729,6 +3729,7 @@ void f2fs_invalidate_folio(struct folio
}
}
+ clear_page_private_reference(&folio->page);
clear_page_private_gcing(&folio->page);
if (test_opt(sbi, COMPRESS_CACHE) &&
@@ -3754,6 +3755,7 @@ bool f2fs_release_folio(struct folio *fo
clear_page_private_data(&folio->page);
}
+ clear_page_private_reference(&folio->page);
clear_page_private_gcing(&folio->page);
folio_detach_private(folio);
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1428,7 +1428,6 @@ static inline void clear_page_private_##
}
PAGE_PRIVATE_GET_FUNC(nonpointer, NOT_POINTER);
-PAGE_PRIVATE_GET_FUNC(reference, REF_RESOURCE);
PAGE_PRIVATE_GET_FUNC(inline, INLINE_INODE);
PAGE_PRIVATE_GET_FUNC(gcing, ONGOING_MIGRATION);
PAGE_PRIVATE_GET_FUNC(atomic, ATOMIC_WRITE);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 434/482] f2fs: fix to avoid out-of-boundary access in dnode page
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 433/482] f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 435/482] mptcp: disable add_addr retransmission when timeout is 0 Greg Kroah-Hartman
` (56 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiaming Zhang, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
As Jiaming Zhang reported:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x17e/0x800 mm/kasan/report.c:480
kasan_report+0x147/0x180 mm/kasan/report.c:593
data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
prepare_write_begin fs/f2fs/data.c:3395 [inline]
f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x546/0xa90 fs/read_write.c:686
ksys_write+0x149/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is in the corrupted image, there is a dnode has the same
node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
access block address in dnode at offset 934, however it parses the dnode
as inode node, so that get_dnode_addr() returns 360, then it tries to
access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
To fix this issue, let's add sanity check for node id of all direct nodes
during f2fs_get_dnode_of_data().
Cc: stable@kernel.org
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/node.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -797,6 +797,16 @@ int f2fs_get_dnode_of_data(struct dnode_
for (i = 1; i <= level; i++) {
bool done = false;
+ if (nids[i] && nids[i] == dn->inode->i_ino) {
+ err = -EFSCORRUPTED;
+ f2fs_err(sbi,
+ "inode mapping table is corrupted, run fsck to fix it, "
+ "ino:%lu, nid:%u, level:%d, offset:%d",
+ dn->inode->i_ino, nids[i], level, offset[level]);
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ goto release_pages;
+ }
+
if (!nids[i] && mode == ALLOC_NODE) {
/* alloc new node */
if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 435/482] mptcp: disable add_addr retransmission when timeout is 0
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 434/482] f2fs: fix to avoid out-of-boundary access in dnode page Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 436/482] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Greg Kroah-Hartman
` (55 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts, Geliang Tang,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <tanggeliang@kylinos.cn>
[ Upstream commit f5ce0714623cffd00bf2a83e890d09c609b7f50a ]
When add_addr_timeout was set to 0, this caused the ADD_ADDR to be
retransmitted immediately, which looks like a buggy behaviour. Instead,
interpret 0 as "no retransmissions needed".
The documentation is updated to explicitly state that setting the timeout
to 0 disables retransmission.
Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
Cc: stable@vger.kernel.org
Suggested-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-5-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Apply to net/mptcp/pm_netlink.c , structural changes in mptcp_pm_alloc_anno_list ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/networking/mptcp-sysctl.rst | 2 ++
net/mptcp/pm_netlink.c | 18 ++++++++++++------
2 files changed, 14 insertions(+), 6 deletions(-)
--- a/Documentation/networking/mptcp-sysctl.rst
+++ b/Documentation/networking/mptcp-sysctl.rst
@@ -20,6 +20,8 @@ add_addr_timeout - INTEGER (seconds)
resent to an MPTCP peer that has not acknowledged a previous
ADD_ADDR message.
+ Do not retransmit if set to 0.
+
The default value matches TCP_RTO_MAX. This is a per-namespace
sysctl.
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -304,6 +304,7 @@ static void mptcp_pm_add_timer(struct ti
struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer);
struct mptcp_sock *msk = entry->sock;
struct sock *sk = (struct sock *)msk;
+ unsigned int timeout;
pr_debug("msk=%p\n", msk);
@@ -321,6 +322,10 @@ static void mptcp_pm_add_timer(struct ti
goto out;
}
+ timeout = mptcp_get_add_addr_timeout(sock_net(sk));
+ if (!timeout)
+ goto out;
+
spin_lock_bh(&msk->pm.lock);
if (!mptcp_pm_should_add_signal_addr(msk)) {
@@ -332,7 +337,7 @@ static void mptcp_pm_add_timer(struct ti
if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
sk_reset_timer(sk, timer,
- jiffies + mptcp_get_add_addr_timeout(sock_net(sk)));
+ jiffies + timeout);
spin_unlock_bh(&msk->pm.lock);
@@ -374,6 +379,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
struct mptcp_pm_add_entry *add_entry = NULL;
struct sock *sk = (struct sock *)msk;
struct net *net = sock_net(sk);
+ unsigned int timeout;
lockdep_assert_held(&msk->pm.lock);
@@ -383,9 +389,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
if (WARN_ON_ONCE(mptcp_pm_is_kernel(msk)))
return false;
- sk_reset_timer(sk, &add_entry->add_timer,
- jiffies + mptcp_get_add_addr_timeout(net));
- return true;
+ goto reset_timer;
}
add_entry = kmalloc(sizeof(*add_entry), GFP_ATOMIC);
@@ -399,8 +403,10 @@ bool mptcp_pm_alloc_anno_list(struct mpt
add_entry->retrans_times = 0;
timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
- sk_reset_timer(sk, &add_entry->add_timer,
- jiffies + mptcp_get_add_addr_timeout(net));
+reset_timer:
+ timeout = mptcp_get_add_addr_timeout(net);
+ if (timeout)
+ sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
return true;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 436/482] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 435/482] mptcp: disable add_addr retransmission when timeout is 0 Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 437/482] mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values Greg Kroah-Hartman
` (54 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä, Jani Nikula,
Jani Nikula, Imre Deak, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Imre Deak <imre.deak@intel.com>
[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
Reading DPCD registers has side-effects in general. In particular
accessing registers outside of the link training register range
(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
forbidden by the DP v2.1 Standard, see
3.6.5.1 DPTX AUX Transaction Handling Mandates
3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
Based on my tests, accessing the DPCD_REV register during the link
training of an UHBR TBT DP tunnel sink leads to link training failures.
Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
DPCD register access quirk.
Cc: <stable@vger.kernel.org>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Acked-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/display/drm_dp_helper.c
+++ b/drivers/gpu/drm/display/drm_dp_helper.c
@@ -663,7 +663,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
* monitor doesn't power down exactly after the throw away read.
*/
if (!aux->is_remote) {
- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
+ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
if (ret < 0)
return ret;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 437/482] mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 436/482] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 438/482] mmc: sdhci-pci-gli: Add a new function to simplify the code Greg Kroah-Hartman
` (53 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Ulf Hansson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 951b7ccc54591ba48755b5e0c7fc8b9623a64640 ]
015c9cbcf0ad ("mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of
AER") added PCI_GLI_9750_CORRERR_MASK, the offset of the AER Capability in
config space, and PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT, the
Replay Timer Timeout bit in the AER Correctable Error Status register.
Use pci_find_ext_capability() to locate the AER Capability and use the
existing PCI_ERR_COR_REP_TIMER definition to mask the bit.
This removes a little bit of unnecessarily device-specific code and makes
AER-related things more greppable.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://lore.kernel.org/r/20240327214831.1544595-2-helgaas@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -27,8 +27,6 @@
#define PCI_GLI_9750_PM_CTRL 0xFC
#define PCI_GLI_9750_PM_STATE GENMASK(1, 0)
-#define PCI_GLI_9750_CORRERR_MASK 0x214
-#define PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT BIT(12)
#define SDHCI_GLI_9750_CFG2 0x848
#define SDHCI_GLI_9750_CFG2_L1DLY GENMASK(28, 24)
@@ -154,8 +152,6 @@
#define PCI_GLI_9755_PM_CTRL 0xFC
#define PCI_GLI_9755_PM_STATE GENMASK(1, 0)
-#define PCI_GLI_9755_CORRERR_MASK 0x214
-#define PCI_GLI_9755_CORRERR_MASK_REPLAY_TIMER_TIMEOUT BIT(12)
#define GLI_MAX_TUNING_LOOP 40
@@ -501,9 +497,7 @@ static void gl9750_hw_setting(struct sdh
pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
/* mask the replay timer timeout of AER */
- pci_read_config_dword(pdev, PCI_GLI_9750_CORRERR_MASK, &value);
- value |= PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT;
- pci_write_config_dword(pdev, PCI_GLI_9750_CORRERR_MASK, value);
+ sdhci_gli_mask_replay_timer_timeout(pdev);
gl9750_wt_off(host);
}
@@ -715,9 +709,7 @@ static void gl9755_hw_setting(struct sdh
pci_write_config_dword(pdev, PCI_GLI_9755_PM_CTRL, value);
/* mask the replay timer timeout of AER */
- pci_read_config_dword(pdev, PCI_GLI_9755_CORRERR_MASK, &value);
- value |= PCI_GLI_9755_CORRERR_MASK_REPLAY_TIMER_TIMEOUT;
- pci_write_config_dword(pdev, PCI_GLI_9755_CORRERR_MASK, value);
+ sdhci_gli_mask_replay_timer_timeout(pdev);
gl9755_wt_off(pdev);
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 438/482] mmc: sdhci-pci-gli: Add a new function to simplify the code
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 437/482] mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 439/482] mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER Greg Kroah-Hartman
` (52 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Shih, Adrian Hunter,
Ulf Hansson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Shih <victor.shih@genesyslogic.com.tw>
[ Upstream commit dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 ]
In preparation to fix replay timer timeout, add
sdhci_gli_mask_replay_timer_timeout() function
to simplify some of the code, allowing it to be re-used.
Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
Cc: stable@vger.kernel.org
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250731065752.450231-2-victorshihgli@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 340be332e420 ("mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -156,6 +156,20 @@
#define GLI_MAX_TUNING_LOOP 40
/* Genesys Logic chipset */
+static void sdhci_gli_mask_replay_timer_timeout(struct pci_dev *pdev)
+{
+ int aer;
+ u32 value;
+
+ /* mask the replay timer timeout of AER */
+ aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+ if (aer) {
+ pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+ value |= PCI_ERR_COR_REP_TIMER;
+ pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+ }
+}
+
static inline void gl9750_wt_on(struct sdhci_host *host)
{
u32 wt_value;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 439/482] mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 438/482] mmc: sdhci-pci-gli: Add a new function to simplify the code Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 440/482] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Greg Kroah-Hartman
` (51 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Shih, Adrian Hunter,
Ulf Hansson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Shih <victor.shih@genesyslogic.com.tw>
[ Upstream commit 340be332e420ed37d15d4169a1b4174e912ad6cb ]
Due to a flaw in the hardware design, the GL9763e replay timer frequently
times out when ASPM is enabled. As a result, the warning messages will
often appear in the system log when the system accesses the GL9763e
PCI config. Therefore, the replay timer timeout must be masked.
Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
Cc: stable@vger.kernel.org
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250731065752.450231-4-victorshihgli@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -988,6 +988,9 @@ static void gl9763e_hw_setting(struct sd
value |= FIELD_PREP(GLI_9763E_HS400_RXDLY, GLI_9763E_HS400_RXDLY_5);
pci_write_config_dword(pdev, PCIE_GLI_9763E_CLKRXDLY, value);
+ /* mask the replay timer timeout of AER */
+ sdhci_gli_mask_replay_timer_timeout(pdev);
+
pci_read_config_dword(pdev, PCIE_GLI_9763E_VHS, &value);
value &= ~GLI_9763E_VHS_REV;
value |= FIELD_PREP(GLI_9763E_VHS_REV, GLI_9763E_VHS_REV_R);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 440/482] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 439/482] mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 441/482] drm/amd/display: Dont overclock DCE 6 by 15% Greg Kroah-Hartman
` (50 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjiang Tu, David Hildenbrand,
Miaohe Lin, Jane Chu, Kefeng Wang, Naoya Horiguchi,
Oscar Salvador, Shuai Xue, Zi Yan, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjiang Tu <tujinjiang@huawei.com>
[ Upstream commit 2e6053fea379806269c4f7f5e36b523c9c0fb35c ]
When memory_failure() is called for a already hwpoisoned pfn,
kill_accessing_process() will be called to kill current task. However, if
the vma of the accessing vaddr is VM_PFNMAP, walk_page_range() will skip
the vma in walk_page_test() and return 0.
Before commit aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes
with recovered clean pages"), kill_accessing_process() will return EFAULT.
For x86, the current task will be killed in kill_me_maybe().
However, after this commit, kill_accessing_process() simplies return 0,
that means UCE is handled properly, but it doesn't actually. In such
case, the user task will trigger UCE infinitely.
To fix it, add .test_walk callback for hwpoison_walk_ops to scan all vmas.
Link: https://lkml.kernel.org/r/20250815073209.1984582-1-tujinjiang@huawei.com
Fixes: aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes with recovered clean pages")
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Jane Chu <jane.chu@oracle.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuai Xue <xueshuai@linux.alibaba.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -731,9 +731,17 @@ static int hwpoison_hugetlb_range(pte_t
#define hwpoison_hugetlb_range NULL
#endif
+static int hwpoison_test_walk(unsigned long start, unsigned long end,
+ struct mm_walk *walk)
+{
+ /* We also want to consider pages mapped into VM_PFNMAP. */
+ return 0;
+}
+
static const struct mm_walk_ops hwp_walk_ops = {
.pmd_entry = hwpoison_pte_range,
.hugetlb_entry = hwpoison_hugetlb_range,
+ .test_walk = hwpoison_test_walk,
};
/*
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 441/482] drm/amd/display: Dont overclock DCE 6 by 15%
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 440/482] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 442/482] selftests: mptcp: pm: check flush doesnt reset limits Greg Kroah-Hartman
` (49 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ]
The extra 15% clock was added as a workaround for a Polaris issue
which uses DCE 11, and should not have been used on DCE 6 which
is already hardcoded to the highest possible display clock.
Unfortunately, the extra 15% was mistakenly copied and kept
even on code paths which don't affect Polaris.
This commit fixes that and also adds a check to make sure
not to exceed the maximum DCE 6 display clock.
Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris")
Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific")
Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408)
Cc: stable@vger.kernel.org
[ `MIN` => `min` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c
{
struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base);
struct dm_pp_power_level_change_request level_change_req;
- int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz;
-
- /*TODO: W/A for dal3 linux, investigate why this works */
- if (!clk_mgr_dce->dfs_bypass_active)
- patched_disp_clk = patched_disp_clk * 115 / 100;
+ const int max_disp_clk =
+ clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz;
+ int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz);
level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context);
/* get max clock state from PPLIB */
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 442/482] selftests: mptcp: pm: check flush doesnt reset limits
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 441/482] drm/amd/display: Dont overclock DCE 6 by 15% Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 443/482] wifi: mac80211: avoid lockdep checking when removing deflink Greg Kroah-Hartman
` (48 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit 452690be7de2f91cc0de68cb9e95252875b33503 upstream.
This modification is linked to the parent commit where the received
ADD_ADDR limit was accidentally reset when the endpoints were flushed.
To validate that, the test is now flushing endpoints after having set
new limits, and before checking them.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-3-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in pm_netlink.sh, because some refactoring have been done
later on: commit 3188309c8ceb ("selftests: mptcp: netlink:
add 'limits' helpers") and commit c99d57d0007a ("selftests: mptcp: use
pm_nl endpoint ops") are not in this version. The same operation can
still be done at the same place, without using the new helper. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 +
1 file changed, 1 insertion(+)
--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
+++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
@@ -131,6 +131,7 @@ ip netns exec $ns1 ./pm_nl_ctl limits 1
check "ip netns exec $ns1 ./pm_nl_ctl limits" "$default_limits" "subflows above hard limit"
ip netns exec $ns1 ./pm_nl_ctl limits 8 8
+ip netns exec $ns1 ./pm_nl_ctl flush
check "ip netns exec $ns1 ./pm_nl_ctl limits" "accept 8
subflows 8" "set limits"
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 443/482] wifi: mac80211: avoid lockdep checking when removing deflink
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 442/482] selftests: mptcp: pm: check flush doesnt reset limits Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 444/482] wifi: mac80211: check basic rates validity in sta_link_apply_parameters Greg Kroah-Hartman
` (47 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Gregory Greenman,
Johannes Berg, Hanne-Lotta Mäenpää
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
commit b8b80770b26c4591f20f1cde3328e5f1489c4488 upstream.
struct sta_info may be removed without holding sta_mtx if it has not
yet been inserted. To support this, only assert that the lock is held
for links other than the deflink.
This fixes lockdep issues that may be triggered in error cases.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230619161906.cdd81377dea0.If5a6734b4b85608a2275a09b4f99b5564d82997f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/sta_info.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -357,8 +357,9 @@ static void sta_remove_link(struct sta_i
struct sta_link_alloc *alloc = NULL;
struct link_sta_info *link_sta;
- link_sta = rcu_dereference_protected(sta->link[link_id],
- lockdep_is_held(&sta->local->sta_mtx));
+ link_sta = rcu_access_pointer(sta->link[link_id]);
+ if (link_sta != &sta->deflink)
+ lockdep_assert_held(&sta->local->sta_mtx);
if (WARN_ON(!link_sta))
return;
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 444/482] wifi: mac80211: check basic rates validity in sta_link_apply_parameters
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 443/482] wifi: mac80211: avoid lockdep checking when removing deflink Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 445/482] tls: fix handling of zero-length records on the rx_list Greg Kroah-Hartman
` (46 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Lobanov, Johannes Berg,
Hanne-Lotta Mäenpää
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Lobanov <m.lobanov@rosa.ru>
commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream.
When userspace sets supported rates for a new station via
NL80211_CMD_NEW_STATION, it might send a list that's empty
or contains only invalid values. Currently, we process these
values in sta_link_apply_parameters() without checking the result of
ieee80211_parse_bitrates(), which can lead to an empty rates bitmap.
A similar issue was addressed for NL80211_CMD_SET_BSS in commit
ce04abc3fcc6 ("wifi: mac80211: check basic rates validity").
This patch applies the same approach in sta_link_apply_parameters()
for NL80211_CMD_NEW_STATION, ensuring there is at least one valid
rate by inspecting the result of ieee80211_parse_bitrates().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params")
Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ Summary of conflict resolutions:
- The function ieee80211_parse_bitrates() takes channel width as
its first parameter, and the chandef struct has been refactored
in kernel version 6.9, in commit
6092077ad09ce880c61735c314060f0bd79ae4aa so that the width is
contained in chanreq.oper.width. In kernel version 6.1 the
width parameter is defined directly in the chandef struct. ]
Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/cfg.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1735,12 +1735,12 @@ static int sta_link_apply_parameters(str
}
if (params->supported_rates &&
- params->supported_rates_len) {
- ieee80211_parse_bitrates(link->conf->chandef.width,
- sband, params->supported_rates,
- params->supported_rates_len,
- &link_sta->pub->supp_rates[sband->band]);
- }
+ params->supported_rates_len &&
+ !ieee80211_parse_bitrates(link->conf->chandef.width,
+ sband, params->supported_rates,
+ params->supported_rates_len,
+ &link_sta->pub->supp_rates[sband->band]))
+ return -EINVAL;
if (params->ht_capa)
ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 445/482] tls: fix handling of zero-length records on the rx_list
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 444/482] wifi: mac80211: check basic rates validity in sta_link_apply_parameters Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 446/482] iio: imu: inv_icm42600: change invalid data error to -EBUSY Greg Kroah-Hartman
` (45 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Alifa Ramdhan,
Billy Jheng Bing-Jhong, Sabrina Dubroca, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 62708b9452f8eb77513115b17c4f8d1a22ebf843 upstream.
Each recvmsg() call must process either
- only contiguous DATA records (any number of them)
- one non-DATA record
If the next record has different type than what has already been
processed we break out of the main processing loop. If the record
has already been decrypted (which may be the case for TLS 1.3 where
we don't know type until decryption) we queue the pending record
to the rx_list. Next recvmsg() will pick it up from there.
Queuing the skb to rx_list after zero-copy decrypt is not possible,
since in that case we decrypted directly to the user space buffer,
and we don't have an skb to queue (darg.skb points to the ciphertext
skb for access to metadata like length).
Only data records are allowed zero-copy, and we break the processing
loop after each non-data record. So we should never zero-copy and
then find out that the record type has changed. The corner case
we missed is when the initial record comes from rx_list, and it's
zero length.
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Reported-by: Billy Jheng Bing-Jhong <billy@starlabs.sg>
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20250820021952.143068-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tls/tls_sw.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1864,6 +1864,9 @@ int decrypt_skb(struct sock *sk, struct
return tls_decrypt_sg(sk, NULL, sgout, &darg);
}
+/* All records returned from a recvmsg() call must have the same type.
+ * 0 is not a valid content type. Use it as "no type reported, yet".
+ */
static int tls_record_content_type(struct msghdr *msg, struct tls_msg *tlm,
u8 *control)
{
@@ -2107,8 +2110,10 @@ int tls_sw_recvmsg(struct sock *sk,
if (err < 0)
goto end;
+ /* process_rx_list() will set @control if it processed any records */
copied = err;
- if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA) || rx_more)
+ if (len <= copied || rx_more ||
+ (control && control != TLS_RECORD_TYPE_DATA))
goto end;
target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 446/482] iio: imu: inv_icm42600: change invalid data error to -EBUSY
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 445/482] tls: fix handling of zero-length records on the rx_list Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 447/482] tracing: Remove unneeded goto out logic Greg Kroah-Hartman
` (44 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Andy Shevchenko, Sean Nyekjaer, Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
[ Upstream commit dfdc31e7ccf3ac1d5ec01d5120c71e14745e3dd8 ]
Temperature sensor returns the temperature of the mechanical parts
of the chip. If both accel and gyro are off, the temperature sensor is
also automatically turned off and returns invalid data.
In this case, returning -EBUSY error code is better then -EINVAL and
indicates userspace that it needs to retry reading temperature in
another context.
Fixes: bc3eb0207fb5 ("iio: imu: inv_icm42600: add temperature sensor support")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Reviewed-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250808-inv-icm42600-change-temperature-error-code-v1-1-986fbf63b77d@tdk.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
@@ -32,8 +32,12 @@ static int inv_icm42600_temp_read(struct
goto exit;
*temp = (int16_t)be16_to_cpup(raw);
+ /*
+ * Temperature data is invalid if both accel and gyro are off.
+ * Return -EBUSY in this case.
+ */
if (*temp == INV_ICM42600_DATA_INVALID)
- ret = -EINVAL;
+ ret = -EBUSY;
exit:
mutex_unlock(&st->lock);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 447/482] tracing: Remove unneeded goto out logic
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 446/482] iio: imu: inv_icm42600: change invalid data error to -EBUSY Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 448/482] tracing: Limit access to parser->buffer when trace_get_user failed Greg Kroah-Hartman
` (43 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mark Rutland,
Mathieu Desnoyers, Andrew Morton, Steven Rostedt (Google),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit c89504a703fb779052213add0e8ed642f4a4f1c8 ]
Several places in the trace.c file there's a goto out where the out is
simply a return. There's no reason to jump to the out label if it's not
doing any more logic but simply returning from the function.
Replace the goto outs with a return and remove the out labels.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: https://lore.kernel.org/20250801203857.538726745@kernel.org
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 37 ++++++++++++++-----------------------
1 file changed, 14 insertions(+), 23 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1618,7 +1618,7 @@ int trace_get_user(struct trace_parser *
ret = get_user(ch, ubuf++);
if (ret)
- goto out;
+ return ret;
read++;
cnt--;
@@ -1632,7 +1632,7 @@ int trace_get_user(struct trace_parser *
while (cnt && isspace(ch)) {
ret = get_user(ch, ubuf++);
if (ret)
- goto out;
+ return ret;
read++;
cnt--;
}
@@ -1642,8 +1642,7 @@ int trace_get_user(struct trace_parser *
/* only spaces were written */
if (isspace(ch) || !ch) {
*ppos += read;
- ret = read;
- goto out;
+ return read;
}
}
@@ -1651,13 +1650,12 @@ int trace_get_user(struct trace_parser *
while (cnt && !isspace(ch) && ch) {
if (parser->idx < parser->size - 1)
parser->buffer[parser->idx++] = ch;
- else {
- ret = -EINVAL;
- goto out;
- }
+ else
+ return -EINVAL;
+
ret = get_user(ch, ubuf++);
if (ret)
- goto out;
+ return ret;
read++;
cnt--;
}
@@ -1672,15 +1670,11 @@ int trace_get_user(struct trace_parser *
/* Make sure the parsed string always terminates with '\0'. */
parser->buffer[parser->idx] = 0;
} else {
- ret = -EINVAL;
- goto out;
+ return -EINVAL;
}
*ppos += read;
- ret = read;
-
-out:
- return ret;
+ return read;
}
/* TODO add a seq_buf_to_buffer() */
@@ -2149,10 +2143,10 @@ int __init register_tracer(struct tracer
mutex_unlock(&trace_types_lock);
if (ret || !default_bootup_tracer)
- goto out_unlock;
+ return ret;
if (strncmp(default_bootup_tracer, type->name, MAX_TRACER_SIZE))
- goto out_unlock;
+ return 0;
printk(KERN_INFO "Starting tracer '%s'\n", type->name);
/* Do we want this tracer to start on bootup? */
@@ -2164,8 +2158,7 @@ int __init register_tracer(struct tracer
/* disable other selftests, since this will break it. */
disable_tracing_selftest("running a tracer");
- out_unlock:
- return ret;
+ return 0;
}
static void tracing_reset_cpu(struct array_buffer *buf, int cpu)
@@ -8761,11 +8754,10 @@ ftrace_trace_snapshot_callback(struct tr
out_reg:
ret = tracing_alloc_snapshot_instance(tr);
if (ret < 0)
- goto out;
+ return ret;
ret = register_ftrace_function_probe(glob, tr, ops, count);
- out:
return ret < 0 ? ret : 0;
}
@@ -10292,7 +10284,7 @@ __init static int tracer_alloc_buffers(v
BUILD_BUG_ON(TRACE_ITER_LAST_BIT > TRACE_FLAGS_MAX_SIZE);
if (!alloc_cpumask_var(&tracing_buffer_mask, GFP_KERNEL))
- goto out;
+ return -ENOMEM;
if (!alloc_cpumask_var(&global_trace.tracing_cpumask, GFP_KERNEL))
goto out_free_buffer_mask;
@@ -10405,7 +10397,6 @@ out_free_cpumask:
free_cpumask_var(global_trace.tracing_cpumask);
out_free_buffer_mask:
free_cpumask_var(tracing_buffer_mask);
-out:
return ret;
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 448/482] tracing: Limit access to parser->buffer when trace_get_user failed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 447/482] tracing: Remove unneeded goto out logic Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 449/482] iio: light: as73211: Ensure buffer holes are zeroed Greg Kroah-Hartman
` (42 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pu Lehui, Steven Rostedt (Google),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pu Lehui <pulehui@huawei.com>
[ Upstream commit 6a909ea83f226803ea0e718f6e88613df9234d58 ]
When the length of the string written to set_ftrace_filter exceeds
FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:
BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
Read of size 1 at addr ffff0000d00bd5ba by task ash/165
CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x34/0x50 (C)
dump_stack_lvl+0xa0/0x158
print_address_description.constprop.0+0x88/0x398
print_report+0xb0/0x280
kasan_report+0xa4/0xf0
__asan_report_load1_noabort+0x20/0x30
strsep+0x18c/0x1b0
ftrace_process_regex.isra.0+0x100/0x2d8
ftrace_regex_release+0x484/0x618
__fput+0x364/0xa58
____fput+0x28/0x40
task_work_run+0x154/0x278
do_notify_resume+0x1f0/0x220
el0_svc+0xec/0xf0
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1ac/0x1b0
The reason is that trace_get_user will fail when processing a string
longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.
Then an OOB access will be triggered in ftrace_regex_release->
ftrace_process_regex->strsep->strpbrk. We can solve this problem by
limiting access to parser->buffer when trace_get_user failed.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250813040232.1344527-1-pulehui@huaweicloud.com
Fixes: 8c9af478c06b ("ftrace: Handle commands when closing set_ftrace_filter file")
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 18 ++++++++++++------
kernel/trace/trace.h | 8 +++++++-
2 files changed, 19 insertions(+), 7 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1618,7 +1618,7 @@ int trace_get_user(struct trace_parser *
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
@@ -1632,7 +1632,7 @@ int trace_get_user(struct trace_parser *
while (cnt && isspace(ch)) {
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
}
@@ -1650,12 +1650,14 @@ int trace_get_user(struct trace_parser *
while (cnt && !isspace(ch) && ch) {
if (parser->idx < parser->size - 1)
parser->buffer[parser->idx++] = ch;
- else
- return -EINVAL;
+ else {
+ ret = -EINVAL;
+ goto fail;
+ }
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
}
@@ -1670,11 +1672,15 @@ int trace_get_user(struct trace_parser *
/* Make sure the parsed string always terminates with '\0'. */
parser->buffer[parser->idx] = 0;
} else {
- return -EINVAL;
+ ret = -EINVAL;
+ goto fail;
}
*ppos += read;
return read;
+fail:
+ trace_parser_fail(parser);
+ return ret;
}
/* TODO add a seq_buf_to_buffer() */
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1131,6 +1131,7 @@ bool ftrace_event_is_function(struct tra
*/
struct trace_parser {
bool cont;
+ bool fail;
char *buffer;
unsigned idx;
unsigned size;
@@ -1138,7 +1139,7 @@ struct trace_parser {
static inline bool trace_parser_loaded(struct trace_parser *parser)
{
- return (parser->idx != 0);
+ return !parser->fail && parser->idx != 0;
}
static inline bool trace_parser_cont(struct trace_parser *parser)
@@ -1152,6 +1153,11 @@ static inline void trace_parser_clear(st
parser->idx = 0;
}
+static inline void trace_parser_fail(struct trace_parser *parser)
+{
+ parser->fail = true;
+}
+
extern int trace_parser_get_init(struct trace_parser *parser, int size);
extern void trace_parser_put(struct trace_parser *parser);
extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 449/482] iio: light: as73211: Ensure buffer holes are zeroed
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 448/482] tracing: Limit access to parser->buffer when trace_get_user failed Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 450/482] iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() Greg Kroah-Hartman
` (41 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matti Vaittinen, Andy Shevchenko,
Stable, Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 433b99e922943efdfd62b9a8e3ad1604838181f2 ]
Given that the buffer is copied to a kfifo that ultimately user space
can read, ensure we zero it.
Fixes: 403e5586b52e ("iio: light: as73211: New driver")
Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://patch.msgid.link/20250802164436.515988-2-jic23@kernel.org
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/as73211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/light/as73211.c
+++ b/drivers/iio/light/as73211.c
@@ -573,7 +573,7 @@ static irqreturn_t as73211_trigger_handl
struct {
__le16 chan[4];
s64 ts __aligned(8);
- } scan;
+ } scan = { };
int data_result, ret;
mutex_lock(&data->mutex);
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 450/482] iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 449/482] iio: light: as73211: Ensure buffer holes are zeroed Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 451/482] compiler: remove __ADDRESSABLE_ASM{_STR,}() again Greg Kroah-Hartman
` (40 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá, Stable,
Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
[ Upstream commit ae5bc07ec9f73a41734270ef3f800c5c8a7e0ad3 ]
Replace using stack-allocated buffers with a DMA-safe buffer for use
with spi_read(). This allows the driver to be safely used with
DMA-enabled SPI controllers.
The buffer array is also converted to a struct with a union to make the
usage of the memory in the buffer more clear and ensure proper alignment.
Fixes: 1f25ca11d84a ("iio: temperature: add support for Maxim thermocouple chips")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250721-iio-use-more-iio_declare_buffer_with_ts-3-v2-1-0c68d41ccf6c@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ iio_push_to_buffers_with_ts() => iio_push_to_buffers_with_timestamp() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/temperature/maxim_thermocouple.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/drivers/iio/temperature/maxim_thermocouple.c
+++ b/drivers/iio/temperature/maxim_thermocouple.c
@@ -12,6 +12,7 @@
#include <linux/mutex.h>
#include <linux/err.h>
#include <linux/spi/spi.h>
+#include <linux/types.h>
#include <linux/iio/iio.h>
#include <linux/iio/sysfs.h>
#include <linux/iio/trigger.h>
@@ -122,8 +123,15 @@ struct maxim_thermocouple_data {
struct spi_device *spi;
const struct maxim_thermocouple_chip *chip;
char tc_type;
-
- u8 buffer[16] __aligned(IIO_DMA_MINALIGN);
+ /* Buffer for reading up to 2 hardware channels. */
+ struct {
+ union {
+ __be16 raw16;
+ __be32 raw32;
+ __be16 raw[2];
+ };
+ aligned_s64 timestamp;
+ } buffer __aligned(IIO_DMA_MINALIGN);
};
static int maxim_thermocouple_read(struct maxim_thermocouple_data *data,
@@ -131,18 +139,16 @@ static int maxim_thermocouple_read(struc
{
unsigned int storage_bytes = data->chip->read_size;
unsigned int shift = chan->scan_type.shift + (chan->address * 8);
- __be16 buf16;
- __be32 buf32;
int ret;
switch (storage_bytes) {
case 2:
- ret = spi_read(data->spi, (void *)&buf16, storage_bytes);
- *val = be16_to_cpu(buf16);
+ ret = spi_read(data->spi, &data->buffer.raw16, storage_bytes);
+ *val = be16_to_cpu(data->buffer.raw16);
break;
case 4:
- ret = spi_read(data->spi, (void *)&buf32, storage_bytes);
- *val = be32_to_cpu(buf32);
+ ret = spi_read(data->spi, &data->buffer.raw32, storage_bytes);
+ *val = be32_to_cpu(data->buffer.raw32);
break;
default:
ret = -EINVAL;
@@ -167,9 +173,9 @@ static irqreturn_t maxim_thermocouple_tr
struct maxim_thermocouple_data *data = iio_priv(indio_dev);
int ret;
- ret = spi_read(data->spi, data->buffer, data->chip->read_size);
+ ret = spi_read(data->spi, data->buffer.raw, data->chip->read_size);
if (!ret) {
- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
+ iio_push_to_buffers_with_timestamp(indio_dev, &data->buffer,
iio_get_time_ns(indio_dev));
}
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 451/482] compiler: remove __ADDRESSABLE_ASM{_STR,}() again
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 450/482] iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 452/482] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Greg Kroah-Hartman
` (39 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Beulich, Josh Poimboeuf,
Juergen Gross, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
[ Upstream commit 8ea815399c3fcce1889bd951fec25b5b9a3979c1 ]
__ADDRESSABLE_ASM_STR() is where the necessary stringification happens.
As long as "sym" doesn't contain any odd characters, no quoting is
required for its use with .quad / .long. In fact the quotation gets in
the way with gas 2.25; it's only from 2.26 onwards that quoted symbols
are half-way properly supported.
However, assembly being different from C anyway, drop
__ADDRESSABLE_ASM_STR() and its helper macro altogether. A simple
.global directive will suffice to get the symbol "declared", i.e. into
the symbol table. While there also stop open-coding STATIC_CALL_TRAMP()
and STATIC_CALL_KEY().
Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <609d2c74-de13-4fae-ab1a-1ec44afb948d@suse.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/xen/hypercall.h | 5 +++--
include/linux/compiler.h | 8 --------
2 files changed, 3 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -94,12 +94,13 @@ DECLARE_STATIC_CALL(xen_hypercall, xen_h
#ifdef MODULE
#define __ADDRESSABLE_xen_hypercall
#else
-#define __ADDRESSABLE_xen_hypercall __ADDRESSABLE_ASM_STR(__SCK__xen_hypercall)
+#define __ADDRESSABLE_xen_hypercall \
+ __stringify(.global STATIC_CALL_KEY(xen_hypercall);)
#endif
#define __HYPERCALL \
__ADDRESSABLE_xen_hypercall \
- "call __SCT__xen_hypercall"
+ __stringify(call STATIC_CALL_TRAMP(xen_hypercall))
#define __HYPERCALL_ENTRY(x) "a" (x)
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -235,14 +235,6 @@ static inline void *offset_to_ptr(const
#define __ADDRESSABLE(sym) \
___ADDRESSABLE(sym, __section(".discard.addressable"))
-#define __ADDRESSABLE_ASM(sym) \
- .pushsection .discard.addressable,"aw"; \
- .align ARCH_SEL(8,4); \
- ARCH_SEL(.quad, .long) __stringify(sym); \
- .popsection;
-
-#define __ADDRESSABLE_ASM_STR(sym) __stringify(__ADDRESSABLE_ASM(sym))
-
/* &a[0] degrades to a pointer: a different type from an array */
#define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 452/482] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 451/482] compiler: remove __ADDRESSABLE_ASM{_STR,}() again Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 453/482] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Greg Kroah-Hartman
` (38 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianxiang Peng,
Borislav Petkov (AMD), Hui Li, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianxiang Peng <txpeng@tencent.com>
commit d8df126349dad855cdfedd6bbf315bad2e901c2f upstream.
Since
923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot")
resctrl_cpu_detect() has been moved from common CPU initialization code to
the vendor-specific BSP init helper, while Hygon didn't put that call in their
code.
This triggers a division by zero fault during early booting stage on our
machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries
to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.
Add the missing resctrl_cpu_detect() in the Hygon BSP init helper.
[ bp: Massage commit message. ]
Fixes: 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot")
Signed-off-by: Tianxiang Peng <txpeng@tencent.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Hui Li <caelli@tencent.com>
Cc: <stable@kernel.org>
Link: https://lore.kernel.org/20250623093153.3016937-1-txpeng@tencent.com
Signed-off-by: Tianxiang Peng <txpeng@tencent.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/hygon.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kernel/cpu/hygon.c
+++ b/arch/x86/kernel/cpu/hygon.c
@@ -14,6 +14,7 @@
#include <asm/cacheinfo.h>
#include <asm/spec-ctrl.h>
#include <asm/delay.h>
+#include <asm/resctrl.h>
#include "cpu.h"
@@ -239,6 +240,8 @@ static void bsp_init_hygon(struct cpuinf
x86_amd_ls_cfg_ssbd_mask = 1ULL << 10;
}
}
+
+ resctrl_cpu_detect(c);
}
static void early_init_hygon(struct cpuinfo_x86 *c)
^ permalink raw reply [flat|nested] 492+ messages in thread
* [PATCH 6.1 453/482] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 452/482] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 454/482] iosys-map: Fix undefined behavior in iosys_map_clear() Greg Kroah-Hartman
` (37 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Juri Lelli, Tejun Heo,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 65f97cc81b0adc5f49cf6cff5d874be0058e3f41 ]
The following lockdep splat was observed.
[ 812.359086] ============================================
[ 812.359089] WARNING: possible recursive locking detected
[ 812.359097] --------------------------------------------
[ 812.359100] runtest.sh/30042 is trying to acquire lock:
[ 812.359105] ffffffffa7f27420 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_enable+0xe/0x20
[ 812.359131]
[ 812.359131] but task is already holding lock:
[ 812.359134] ffffffffa7f27420 (cpu_hotplug_lock){++++}-{0:0}, at: cpuset_write_resmask+0x98/0xa70
:
[ 812.359267] Call Trace:
[ 812.359272] <TASK>
[ 812.359367] cpus_read_lock+0x3c/0xe0
[ 812.359382] static_key_enable+0xe/0x20
[ 812.359389] check_insane_mems_config.part.0+0x11/0x30
[ 812.359398] cpuset_write_resmask+0x9f2/0xa70
[ 812.359411] cgroup_file_write+0x1c7/0x660
[ 812.359467] kernfs_fop_write_iter+0x358/0x530
[ 812.359479] vfs_write+0xabe/0x1250
[ 812.359529] ksys_write+0xf9/0x1d0
[ 812.359558] do_syscall_64+0x5f/0xe0
Since commit d74b27d63a8b ("cgroup/cpuset: Change cpuset_rwsem
and hotplug lock order"), the ordering of cpu hotplug lock
and cpuset_mutex had been reversed. That patch correctly
used the cpuslocked version of the static branch API to enable
cpusets_pre_enable_key and cpusets_enabled_key, but it didn't do the
same for cpusets_insane_config_key.
The cpusets_insane_config_key can be enabled in the
check_insane_mems_config() which is called from update_nodemask()
or cpuset_hotplug_update_tasks() with both cpu hotplug lock and
cpuset_mutex held. Deadlock can happen with a pending hotplug event that
tries to acquire the cpu hotplug write lock which will block further
cpus_read_lock() attempt from check_insane_mems_config(). Fix that by
switching to use static_branch_enable_cpuslocked().
Fixes: d74b27d63a8b ("cgroup/cpuset: Change cpuset_rwsem and hotplug lock order")
Signed-off-by: Waiman Long <longman@redhat.com>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cpuset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 370a6bce20a8..216bdebd9426 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -455,7 +455,7 @@ static inline void check_insane_mems_config(nodemask_t *nodes)
{
if (!cpusets_insane_config() &&
movable_only_nodes(nodes)) {
- static_branch_enable(&cpusets_insane_config_key);
+ static_branch_enable_cpuslocked(&cpusets_insane_config_key);
pr_info("Unsupported (movable nodes only) cpuset configuration detected (nmask=%*pbl)!\n"
"Cpuset allocations might fail even with a lot of memory available.\n",
nodemask_pr_args(nodes));
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 454/482] iosys-map: Fix undefined behavior in iosys_map_clear()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 453/482] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 455/482] RDMA/erdma: Fix ignored return value of init_kernel_qp Greg Kroah-Hartman
` (36 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nitin Gote, Andi Shyti,
Thomas Zimmermann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nitin Gote <nitin.r.gote@intel.com>
[ Upstream commit 5634c8cb298a7146b4e38873473e280b50e27a2c ]
The current iosys_map_clear() implementation reads the potentially
uninitialized 'is_iomem' boolean field to decide which union member
to clear. This causes undefined behavior when called on uninitialized
structures, as 'is_iomem' may contain garbage values like 0xFF.
UBSAN detects this as:
UBSAN: invalid-load in include/linux/iosys-map.h:267
load of value 255 is not a valid value for type '_Bool'
Fix by unconditionally clearing the entire structure with memset(),
eliminating the need to read uninitialized data and ensuring all
fields are set to known good values.
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14639
Fixes: 01fd30da0474 ("dma-buf: Add struct dma-buf-map for storing struct dma_buf.vaddr_ptr")
Signed-off-by: Nitin Gote <nitin.r.gote@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250718105051.2709487-1-nitin.r.gote@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/iosys-map.h | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/include/linux/iosys-map.h b/include/linux/iosys-map.h
index cb71aa616bd3..631d58d0b838 100644
--- a/include/linux/iosys-map.h
+++ b/include/linux/iosys-map.h
@@ -264,12 +264,7 @@ static inline bool iosys_map_is_set(const struct iosys_map *map)
*/
static inline void iosys_map_clear(struct iosys_map *map)
{
- if (map->is_iomem) {
- map->vaddr_iomem = NULL;
- map->is_iomem = false;
- } else {
- map->vaddr = NULL;
- }
+ memset(map, 0, sizeof(*map));
}
/**
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 455/482] RDMA/erdma: Fix ignored return value of init_kernel_qp
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 454/482] iosys-map: Fix undefined behavior in iosys_map_clear() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 456/482] RDMA/bnxt_re: Fix to initialize the PBL array Greg Kroah-Hartman
` (35 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cheng Xu, Boshi Yu, Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boshi Yu <boshiyu@linux.alibaba.com>
[ Upstream commit d5c74713f0117d07f91eb48b10bc2ad44e23c9b9 ]
The init_kernel_qp interface may fail. Check its return value and free
related resources properly when it does.
Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation")
Reviewed-by: Cheng Xu <chengyou@linux.alibaba.com>
Signed-off-by: Boshi Yu <boshiyu@linux.alibaba.com>
Link: https://patch.msgid.link/20250725055410.67520-3-boshiyu@linux.alibaba.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/erdma/erdma_verbs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c
index 2edf0d882c6a..cc2b20c8b050 100644
--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
+++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
@@ -727,7 +727,9 @@ int erdma_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs,
if (ret)
goto err_out_cmd;
} else {
- init_kernel_qp(dev, qp, attrs);
+ ret = init_kernel_qp(dev, qp, attrs);
+ if (ret)
+ goto err_out_xa;
}
qp->attrs.max_send_sge = attrs->cap.max_send_sge;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 456/482] RDMA/bnxt_re: Fix to initialize the PBL array
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 455/482] RDMA/erdma: Fix ignored return value of init_kernel_qp Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 457/482] net: bridge: fix soft lockup in br_multicast_query_expired() Greg Kroah-Hartman
` (34 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anantha Prabhu, Saravanan Vajravel,
Selvin Xavier, Kalesh AP, Leon Romanovsky, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anantha Prabhu <anantha.prabhu@broadcom.com>
[ Upstream commit 806b9f494f62791ee6d68f515a8056c615a0e7b2 ]
memset the PBL page pointer and page map arrays before
populating the SGL addresses of the HWQ.
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Anantha Prabhu <anantha.prabhu@broadcom.com>
Reviewed-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Link: https://patch.msgid.link/20250805101000.233310-5-kalesh-anakkur.purayil@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 203350c6e00f..4962d68bf217 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -121,6 +121,7 @@ static int __alloc_pbl(struct bnxt_qplib_res *res,
pbl->pg_arr = vmalloc(pages * sizeof(void *));
if (!pbl->pg_arr)
return -ENOMEM;
+ memset(pbl->pg_arr, 0, pages * sizeof(void *));
pbl->pg_map_arr = vmalloc(pages * sizeof(dma_addr_t));
if (!pbl->pg_map_arr) {
@@ -128,6 +129,7 @@ static int __alloc_pbl(struct bnxt_qplib_res *res,
pbl->pg_arr = NULL;
return -ENOMEM;
}
+ memset(pbl->pg_map_arr, 0, pages * sizeof(dma_addr_t));
pbl->pg_count = 0;
pbl->pg_size = sginfo->pgsize;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 457/482] net: bridge: fix soft lockup in br_multicast_query_expired()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 456/482] RDMA/bnxt_re: Fix to initialize the PBL array Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 458/482] scsi: qla4xxx: Prevent a potential error pointer dereference Greg Kroah-Hartman
` (33 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Wang Liang,
Ido Schimmel, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit d1547bf460baec718b3398365f8de33d25c5f36f ]
When set multicast_query_interval to a large value, the local variable
'time' in br_multicast_send_query() may overflow. If the time is smaller
than jiffies, the timer will expire immediately, and then call mod_timer()
again, which creates a loop and may trigger the following soft lockup
issue.
watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]
CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)
Call Trace:
<IRQ>
__netdev_alloc_skb+0x2e/0x3a0
br_ip6_multicast_alloc_query+0x212/0x1b70
__br_multicast_send_query+0x376/0xac0
br_multicast_send_query+0x299/0x510
br_multicast_query_expired.constprop.0+0x16d/0x1b0
call_timer_fn+0x3b/0x2a0
__run_timers+0x619/0x950
run_timer_softirq+0x11c/0x220
handle_softirqs+0x18e/0x560
__irq_exit_rcu+0x158/0x1a0
sysvec_apic_timer_interrupt+0x76/0x90
</IRQ>
This issue can be reproduced with:
ip link add br0 type bridge
echo 1 > /sys/class/net/br0/bridge/multicast_querier
echo 0xffffffffffffffff >
/sys/class/net/br0/bridge/multicast_query_interval
ip link set dev br0 up
The multicast_startup_query_interval can also cause this issue. Similar to
the commit 99b40610956a ("net: bridge: mcast: add and enforce query
interval minimum"), add check for the query interval maximum to fix this
issue.
Link: https://lore.kernel.org/netdev/20250806094941.1285944-1-wangliang74@huawei.com/
Link: https://lore.kernel.org/netdev/20250812091818.542238-1-wangliang74@huawei.com/
Fixes: d902eee43f19 ("bridge: Add multicast count/interval sysfs entries")
Suggested-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20250813021054.1643649-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 16 ++++++++++++++++
net/bridge/br_private.h | 2 ++
2 files changed, 18 insertions(+)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index e28c9db0c4db..140dbcfc8b94 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -4634,6 +4634,14 @@ void br_multicast_set_query_intvl(struct net_bridge_mcast *brmctx,
intvl_jiffies = BR_MULTICAST_QUERY_INTVL_MIN;
}
+ if (intvl_jiffies > BR_MULTICAST_QUERY_INTVL_MAX) {
+ br_info(brmctx->br,
+ "trying to set multicast query interval above maximum, setting to %lu (%ums)\n",
+ jiffies_to_clock_t(BR_MULTICAST_QUERY_INTVL_MAX),
+ jiffies_to_msecs(BR_MULTICAST_QUERY_INTVL_MAX));
+ intvl_jiffies = BR_MULTICAST_QUERY_INTVL_MAX;
+ }
+
brmctx->multicast_query_interval = intvl_jiffies;
}
@@ -4650,6 +4658,14 @@ void br_multicast_set_startup_query_intvl(struct net_bridge_mcast *brmctx,
intvl_jiffies = BR_MULTICAST_STARTUP_QUERY_INTVL_MIN;
}
+ if (intvl_jiffies > BR_MULTICAST_STARTUP_QUERY_INTVL_MAX) {
+ br_info(brmctx->br,
+ "trying to set multicast startup query interval above maximum, setting to %lu (%ums)\n",
+ jiffies_to_clock_t(BR_MULTICAST_STARTUP_QUERY_INTVL_MAX),
+ jiffies_to_msecs(BR_MULTICAST_STARTUP_QUERY_INTVL_MAX));
+ intvl_jiffies = BR_MULTICAST_STARTUP_QUERY_INTVL_MAX;
+ }
+
brmctx->multicast_startup_query_interval = intvl_jiffies;
}
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 767f0e81dd26..20c96cb406d5 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -30,6 +30,8 @@
#define BR_MULTICAST_DEFAULT_HASH_MAX 4096
#define BR_MULTICAST_QUERY_INTVL_MIN msecs_to_jiffies(1000)
#define BR_MULTICAST_STARTUP_QUERY_INTVL_MIN BR_MULTICAST_QUERY_INTVL_MIN
+#define BR_MULTICAST_QUERY_INTVL_MAX msecs_to_jiffies(86400000) /* 24 hours */
+#define BR_MULTICAST_STARTUP_QUERY_INTVL_MAX BR_MULTICAST_QUERY_INTVL_MAX
#define BR_HWDOM_MAX BITS_PER_LONG
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 458/482] scsi: qla4xxx: Prevent a potential error pointer dereference
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 457/482] net: bridge: fix soft lockup in br_multicast_query_expired() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 459/482] iommu/amd: Avoid stack buffer overflow from kernel cmdline Greg Kroah-Hartman
` (32 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Chris Leech,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 9dcf111dd3e7ed5fce82bb108e3a3fc001c07225 ]
The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,
but qla4xxx_ep_connect() returns error pointers. Propagating the error
pointers will lead to an Oops in the caller, so change the error pointers
to NULL.
Fixes: 13483730a13b ("[SCSI] qla4xxx: fix flash/ddb support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/aJwnVKS9tHsw1tEu@stanley.mountain
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla4xxx/ql4_os.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
index 2925823a494a..837ea487cc82 100644
--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -6606,6 +6606,8 @@ static struct iscsi_endpoint *qla4xxx_get_ep_fwdb(struct scsi_qla_host *ha,
ep = qla4xxx_ep_connect(ha->host, (struct sockaddr *)dst_addr, 0);
vfree(dst_addr);
+ if (IS_ERR(ep))
+ return NULL;
return ep;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 459/482] iommu/amd: Avoid stack buffer overflow from kernel cmdline
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 458/482] scsi: qla4xxx: Prevent a potential error pointer dereference Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 460/482] Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() Greg Kroah-Hartman
` (31 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simcha Kosman, Kees Cook, Ankit Soni,
Joerg Roedel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec ]
While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.
Reported-by: Simcha Kosman <simcha.kosman@cyberark.com>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Ankit Soni <Ankit.Soni@amd.com>
Link: https://lore.kernel.org/r/20250804154023.work.970-kees@kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index bc78e8665551..23804270eda1 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3553,7 +3553,7 @@ static int __init parse_ivrs_acpihid(char *str)
{
u32 seg = 0, bus, dev, fn;
char *hid, *uid, *p, *addr;
- char acpiid[ACPIID_LEN] = {0};
+ char acpiid[ACPIID_LEN + 1] = { }; /* size with NULL terminator */
int i;
addr = strchr(str, '@');
@@ -3579,7 +3579,7 @@ static int __init parse_ivrs_acpihid(char *str)
/* We have the '@', make it the terminator to get just the acpiid */
*addr++ = 0;
- if (strlen(str) > ACPIID_LEN + 1)
+ if (strlen(str) > ACPIID_LEN)
goto not_found;
if (sscanf(str, "=%s", acpiid) != 1)
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 460/482] Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 459/482] iommu/amd: Avoid stack buffer overflow from kernel cmdline Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 461/482] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Greg Kroah-Hartman
` (30 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Shtylyov, Paul Menzel,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Shtylyov <s.shtylyov@omp.ru>
[ Upstream commit 0eaf7c7e85da7495c0e03a99375707fc954f5e7b ]
The commit e07a06b4eb41 ("Bluetooth: Convert SCO configure_datapath to
hci_sync") missed to update the *return* statement under the *case* of
BT_CODEC_TRANSPARENT in hci_enhanced_setup_sync(), which led to returning
success (0) instead of the negative error code (-EINVAL). However, the
result of hci_enhanced_setup_sync() seems to be ignored anyway, since NULL
gets passed to hci_cmd_sync_queue() as the last argument in that case and
the only function interested in that result is specified by that argument.
Fixes: e07a06b4eb41 ("Bluetooth: Convert SCO configure_datapath to hci_sync")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_conn.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 49b9dd21b73e..5f6785fd6af5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -439,7 +439,8 @@ static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
case BT_CODEC_TRANSPARENT:
if (!find_next_esco_param(conn, esco_param_msbc,
ARRAY_SIZE(esco_param_msbc)))
- return false;
+ return -EINVAL;
+
param = &esco_param_msbc[conn->attempt - 1];
cp.tx_coding_format.id = 0x03;
cp.rx_coding_format.id = 0x03;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 461/482] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 460/482] Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 462/482] drm/hisilicon/hibmc: fix the hibmc loaded failed bug Greg Kroah-Hartman
` (29 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zoey Mertes, Ido Schimmel,
Petr Machata, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit f604d3aaf64ff0d90cc875295474d3abf4155629 ]
By default, the device does not forward IPv4 packets with a link-local
source IP (i.e., 169.254.0.0/16). This behavior does not align with the
kernel which does forward them.
Fix by instructing the device to forward such packets instead of
dropping them.
Fixes: ca360db4b825 ("mlxsw: spectrum: Disable DIP_LINK_LOCAL check in hardware pipeline")
Reported-by: Zoey Mertes <zoey@cloudflare.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/6721e6b2c96feb80269e72ce8d0b426e2f32d99c.1755174341.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 ++
drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 +
2 files changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
index 67ecdb9e708f..2aec55dd07c6 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -2522,6 +2522,8 @@ static const struct mlxsw_listener mlxsw_sp_listener[] = {
ROUTER_EXP, false),
MLXSW_SP_RXL_NO_MARK(DISCARD_ING_ROUTER_DIP_LINK_LOCAL, FORWARD,
ROUTER_EXP, false),
+ MLXSW_SP_RXL_NO_MARK(DISCARD_ING_ROUTER_SIP_LINK_LOCAL, FORWARD,
+ ROUTER_EXP, false),
/* Multicast Router Traps */
MLXSW_SP_RXL_MARK(ACL1, TRAP_TO_CPU, MULTICAST, false),
MLXSW_SP_RXL_L3_MARK(ACL2, TRAP_TO_CPU, MULTICAST, false),
diff --git a/drivers/net/ethernet/mellanox/mlxsw/trap.h b/drivers/net/ethernet/mellanox/mlxsw/trap.h
index 8da169663bda..f44c8548c7e3 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/trap.h
+++ b/drivers/net/ethernet/mellanox/mlxsw/trap.h
@@ -93,6 +93,7 @@ enum {
MLXSW_TRAP_ID_DISCARD_ING_ROUTER_IPV4_SIP_BC = 0x16A,
MLXSW_TRAP_ID_DISCARD_ING_ROUTER_IPV4_DIP_LOCAL_NET = 0x16B,
MLXSW_TRAP_ID_DISCARD_ING_ROUTER_DIP_LINK_LOCAL = 0x16C,
+ MLXSW_TRAP_ID_DISCARD_ING_ROUTER_SIP_LINK_LOCAL = 0x16D,
MLXSW_TRAP_ID_DISCARD_ROUTER_IRIF_EN = 0x178,
MLXSW_TRAP_ID_DISCARD_ROUTER_ERIF_EN = 0x179,
MLXSW_TRAP_ID_DISCARD_ROUTER_LPM4 = 0x17B,
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 462/482] drm/hisilicon/hibmc: fix the hibmc loaded failed bug
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 461/482] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 463/482] ALSA: usb-audio: Fix size validation in convert_chmap_v3() Greg Kroah-Hartman
` (28 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baihan Li, Yongbang Shi,
Dmitry Baryshkov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baihan Li <libaihan@huawei.com>
[ Upstream commit 93a08f856fcc5aaeeecad01f71bef3088588216a ]
When hibmc loaded failed, the driver use hibmc_unload to free the
resource, but the mutexes in mode.config are not init, which will
access an NULL pointer. Just change goto statement to return, because
hibnc_hw_init() doesn't need to free anything.
Fixes: b3df5e65cc03 ("drm/hibmc: Drop drm_vblank_cleanup")
Signed-off-by: Baihan Li <libaihan@huawei.com>
Signed-off-by: Yongbang Shi <shiyongbang@huawei.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250813094238.3722345-5-shiyongbang@huawei.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
index fe4269c5aa0a..20c2af66ee53 100644
--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
@@ -269,12 +269,12 @@ static int hibmc_load(struct drm_device *dev)
ret = hibmc_hw_init(priv);
if (ret)
- goto err;
+ return ret;
ret = drmm_vram_helper_init(dev, pci_resource_start(pdev, 0), priv->fb_size);
if (ret) {
drm_err(dev, "Error initializing VRAM MM; %d\n", ret);
- goto err;
+ return ret;
}
ret = hibmc_kms_init(priv);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 463/482] ALSA: usb-audio: Fix size validation in convert_chmap_v3()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 462/482] drm/hisilicon/hibmc: fix the hibmc loaded failed bug Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 464/482] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Greg Kroah-Hartman
` (27 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 89f0addeee3cb2dc49837599330ed9c4612f05b0 ]
The "p" pointer is void so sizeof(*p) is 1. The intent was to check
sizeof(*cs_desc), which is 3, instead.
Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aKL5kftC1qGt6lpv@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index f5a6e990d07a..12a5e053ec54 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -349,7 +349,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
u16 cs_len;
u8 cs_type;
- if (len < sizeof(*p))
+ if (len < sizeof(*cs_desc))
break;
cs_len = le16_to_cpu(cs_desc->wLength);
if (len < cs_len)
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 464/482] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 463/482] ALSA: usb-audio: Fix size validation in convert_chmap_v3() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 465/482] net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM Greg Kroah-Hartman
` (26 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Alex Hung,
Dan Wheeler, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit 7a2ca2ea64b1b63c8baa94a8f5deb70b2248d119 ]
The function mod_hdcp_hdcp1_create_session() calls the function
get_first_active_display(), but does not check its return value.
The return value is a null pointer if the display list is empty.
This will lead to a null pointer dereference.
Add a null pointer check for get_first_active_display() and return
MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.
This is similar to the commit c3e9826a2202
("drm/amd/display: Add null pointer check for get_first_active_display()").
Fixes: 2deade5ede56 ("drm/amd/display: Remove hdcp display state with mst fix")
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
index 7f8f127e7722..ab6964ca1c2b 100644
--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
@@ -260,6 +260,9 @@ enum mod_hdcp_status mod_hdcp_hdcp1_create_session(struct mod_hdcp *hdcp)
return MOD_HDCP_STATUS_FAILURE;
}
+ if (!display)
+ return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND;
+
hdcp_cmd = (struct ta_hdcp_shared_memory *)psp->hdcp_context.context.mem_context.shared_buf;
mutex_lock(&psp->hdcp_context.mutex);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 465/482] net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 464/482] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 466/482] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Greg Kroah-Hartman
` (25 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianhao Zhao, Michal Schmidt,
Willem de Bruijn, Jakub Ramaseuski, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Ramaseuski <jramaseu@redhat.com>
[ Upstream commit 864e3396976ef41de6cc7bc366276bf4e084fff2 ]
When performing Generic Segmentation Offload (GSO) on an IPv6 packet that
contains extension headers, the kernel incorrectly requests checksum offload
if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has
a strict contract: it supports checksum offload only for plain TCP or UDP
over IPv6 and explicitly does not support packets with extension headers.
The current GSO logic violates this contract by failing to disable the feature
for packets with extension headers, such as those used in GREoIPv6 tunnels.
This violation results in the device being asked to perform an operation
it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse
of network throughput. While device TSO/USO is correctly bypassed in favor
of software GSO for these packets, the GSO stack must be explicitly told not
to request checksum offload.
Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4
in gso_features_check if the IPv6 header contains extension headers to compute
checksum in software.
The exception is a BIG TCP extension, which, as stated in commit
68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"):
"The feature is only enabled on devices that support BIG TCP TSO.
The header is only present for PF_PACKET taps like tcpdump,
and not transmitted by physical devices."
kernel log output (truncated):
WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140
...
Call Trace:
<TASK>
skb_checksum_help+0x12a/0x1f0
validate_xmit_skb+0x1a3/0x2d0
validate_xmit_skb_list+0x4f/0x80
sch_direct_xmit+0x1a2/0x380
__dev_xmit_skb+0x242/0x670
__dev_queue_xmit+0x3fc/0x7f0
ip6_finish_output2+0x25e/0x5d0
ip6_finish_output+0x1fc/0x3f0
ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]
ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]
dev_hard_start_xmit+0x63/0x1c0
__dev_queue_xmit+0x6d0/0x7f0
ip6_finish_output2+0x214/0x5d0
ip6_finish_output+0x1fc/0x3f0
ip6_xmit+0x2ca/0x6f0
ip6_finish_output+0x1fc/0x3f0
ip6_xmit+0x2ca/0x6f0
inet6_csk_xmit+0xeb/0x150
__tcp_transmit_skb+0x555/0xa80
tcp_write_xmit+0x32a/0xe90
tcp_sendmsg_locked+0x437/0x1110
tcp_sendmsg+0x2f/0x50
...
skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e
skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00
skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00
skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00
skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00
skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00
skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9
skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01
skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a
Fixes: 04c20a9356f283da ("net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension")
Reported-by: Tianhao Zhao <tizhao@redhat.com>
Suggested-by: Michal Schmidt <mschmidt@redhat.com>
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Jakub Ramaseuski <jramaseu@redhat.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250814105119.1525687-1-jramaseu@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/dev.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/net/core/dev.c b/net/core/dev.c
index 212a909b4840..114fc8bc37f8 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3610,6 +3610,18 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
features &= ~NETIF_F_TSO_MANGLEID;
}
+ /* NETIF_F_IPV6_CSUM does not support IPv6 extension headers,
+ * so neither does TSO that depends on it.
+ */
+ if (features & NETIF_F_IPV6_CSUM &&
+ (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6 ||
+ (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 &&
+ vlan_get_protocol(skb) == htons(ETH_P_IPV6))) &&
+ skb_transport_header_was_set(skb) &&
+ skb_network_header_len(skb) != sizeof(struct ipv6hdr) &&
+ !ipv6_has_hopopt_jumbo(skb))
+ features &= ~(NETIF_F_IPV6_CSUM | NETIF_F_TSO6 | NETIF_F_GSO_UDP_L4);
+
return features;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 466/482] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 465/482] net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 467/482] net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path Greg Kroah-Hartman
` (24 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minhong He, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minhong He <heminhong@kylinos.cn>
[ Upstream commit 84967deee9d9870b15bc4c3acb50f1d401807902 ]
The seg6_genl_sethmac() directly uses the algorithm ID provided by the
userspace without verifying whether it is an HMAC algorithm supported
by the system.
If an unsupported HMAC algorithm ID is configured, packets using SRv6 HMAC
will be dropped during encapsulation or decapsulation.
Fixes: 4f4853dc1c9c ("ipv6: sr: implement API to control SR HMAC structure")
Signed-off-by: Minhong He <heminhong@kylinos.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250815063845.85426-1-heminhong@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/seg6_hmac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
index dd7406a9380f..b90c286d77ed 100644
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -294,6 +294,9 @@ int seg6_hmac_info_add(struct net *net, u32 key, struct seg6_hmac_info *hinfo)
struct seg6_pernet_data *sdata = seg6_pernet(net);
int err;
+ if (!__hmac_get_algo(hinfo->alg_id))
+ return -EINVAL;
+
err = rhashtable_lookup_insert_fast(&sdata->hmac_infos, &hinfo->node,
rht_params);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 467/482] net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 6.1 466/482] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 468/482] ppp: fix race conditions in ppp_fill_forward_path Greg Kroah-Hartman
` (23 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <dqfext@gmail.com>
[ Upstream commit 62c30c544359aa18b8fb2734166467a07d435c2d ]
Ensure ndo_fill_forward_path() is called with RCU lock held.
Fixes: 2830e314778d ("net: ethernet: mtk-ppe: fix traffic offload with bridged wlan")
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Link: https://patch.msgid.link/20250814012559.3705-1-dqfext@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
index 8cb8d47227f5..cc8f4f5decaf 100644
--- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
+++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
@@ -101,7 +101,9 @@ mtk_flow_get_wdma_info(struct net_device *dev, const u8 *addr, struct mtk_wdma_i
if (!IS_ENABLED(CONFIG_NET_MEDIATEK_SOC_WED))
return -1;
+ rcu_read_lock();
err = dev_fill_forward_path(dev, addr, &stack);
+ rcu_read_unlock();
if (err)
return err;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 468/482] ppp: fix race conditions in ppp_fill_forward_path
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 467/482] net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 469/482] phy: mscc: Fix timestamping for vsc8584 Greg Kroah-Hartman
` (22 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <dqfext@gmail.com>
[ Upstream commit 0417adf367a0af11adf7ace849af4638cfb573f7 ]
ppp_fill_forward_path() has two race conditions:
1. The ppp->channels list can change between list_empty() and
list_first_entry(), as ppp_lock() is not held. If the only channel
is deleted in ppp_disconnect_channel(), list_first_entry() may
access an empty head or a freed entry, and trigger a panic.
2. pch->chan can be NULL. When ppp_unregister_channel() is called,
pch->chan is set to NULL before pch is removed from ppp->channels.
Fix these by using a lockless RCU approach:
- Use list_first_or_null_rcu() to safely test and access the first list
entry.
- Convert list modifications on ppp->channels to their RCU variants and
add synchronize_net() after removal.
- Check for a NULL pch->chan before dereferencing it.
Fixes: f6efc675c9dd ("net: ppp: resolve forwarding path for bridge pppoe devices")
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Link: https://patch.msgid.link/20250814012559.3705-2-dqfext@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 67d9efb05443..cbf1c1f23281 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -33,6 +33,7 @@
#include <linux/ppp_channel.h>
#include <linux/ppp-comp.h>
#include <linux/skbuff.h>
+#include <linux/rculist.h>
#include <linux/rtnetlink.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
@@ -1613,11 +1614,14 @@ static int ppp_fill_forward_path(struct net_device_path_ctx *ctx,
if (ppp->flags & SC_MULTILINK)
return -EOPNOTSUPP;
- if (list_empty(&ppp->channels))
+ pch = list_first_or_null_rcu(&ppp->channels, struct channel, clist);
+ if (!pch)
+ return -ENODEV;
+
+ chan = READ_ONCE(pch->chan);
+ if (!chan)
return -ENODEV;
- pch = list_first_entry(&ppp->channels, struct channel, clist);
- chan = pch->chan;
if (!chan->ops->fill_forward_path)
return -EOPNOTSUPP;
@@ -3000,7 +3004,7 @@ ppp_unregister_channel(struct ppp_channel *chan)
*/
down_write(&pch->chan_sem);
spin_lock_bh(&pch->downl);
- pch->chan = NULL;
+ WRITE_ONCE(pch->chan, NULL);
spin_unlock_bh(&pch->downl);
up_write(&pch->chan_sem);
ppp_disconnect_channel(pch);
@@ -3506,7 +3510,7 @@ ppp_connect_channel(struct channel *pch, int unit)
hdrlen = pch->file.hdrlen + 2; /* for protocol bytes */
if (hdrlen > ppp->dev->hard_header_len)
ppp->dev->hard_header_len = hdrlen;
- list_add_tail(&pch->clist, &ppp->channels);
+ list_add_tail_rcu(&pch->clist, &ppp->channels);
++ppp->n_channels;
pch->ppp = ppp;
refcount_inc(&ppp->file.refcnt);
@@ -3536,10 +3540,11 @@ ppp_disconnect_channel(struct channel *pch)
if (ppp) {
/* remove it from the ppp unit's list */
ppp_lock(ppp);
- list_del(&pch->clist);
+ list_del_rcu(&pch->clist);
if (--ppp->n_channels == 0)
wake_up_interruptible(&ppp->file.rwait);
ppp_unlock(ppp);
+ synchronize_net();
if (refcount_dec_and_test(&ppp->file.refcnt))
ppp_destroy_interface(ppp);
err = 0;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 469/482] phy: mscc: Fix timestamping for vsc8584
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 468/482] ppp: fix race conditions in ppp_fill_forward_path Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 470/482] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Greg Kroah-Hartman
` (21 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Vadim Fedorenko,
Vladimir Oltean, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit bc1a59cff9f797bfbf8f3104507584d89e9ecf2e ]
There was a problem when we received frames and the frames were
timestamped. The driver is configured to store the nanosecond part of
the timestmap in the ptp reserved bits and it would take the second part
by reading the LTC. The problem is that when reading the LTC we are in
atomic context and to read the second part will go over mdio bus which
might sleep, so we get an error.
The fix consists in actually put all the frames in a queue and start the
aux work and in that work to read the LTC and then calculate the full
received time.
Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250818081029.1300780-1-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc.h | 12 ++++++++
drivers/net/phy/mscc/mscc_main.c | 12 ++++++++
drivers/net/phy/mscc/mscc_ptp.c | 49 ++++++++++++++++++++++++--------
3 files changed, 61 insertions(+), 12 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index 055e4ca5b3b5..878298304430 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -360,6 +360,13 @@ struct vsc85xx_hw_stat {
u16 mask;
};
+struct vsc8531_skb_cb {
+ u32 ns;
+};
+
+#define VSC8531_SKB_CB(skb) \
+ ((struct vsc8531_skb_cb *)((skb)->cb))
+
struct vsc8531_private {
int rate_magic;
u16 supp_led_modes;
@@ -408,6 +415,11 @@ struct vsc8531_private {
*/
struct mutex ts_lock;
struct mutex phc_lock;
+
+ /* list of skbs that were received and need timestamp information but it
+ * didn't received it yet
+ */
+ struct sk_buff_head rx_skbs_list;
};
/* Shared structure between the PHYs of the same package.
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index 7bd940baec59..36734bb217e4 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2324,6 +2324,13 @@ static int vsc85xx_probe(struct phy_device *phydev)
return vsc85xx_dt_led_modes_get(phydev, default_mode);
}
+static void vsc85xx_remove(struct phy_device *phydev)
+{
+ struct vsc8531_private *priv = phydev->priv;
+
+ skb_queue_purge(&priv->rx_skbs_list);
+}
+
/* Microsemi VSC85xx PHYs */
static struct phy_driver vsc85xx_driver[] = {
{
@@ -2554,6 +2561,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8574_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
@@ -2579,6 +2587,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8574_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
@@ -2604,6 +2613,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8584_probe,
.get_tunable = &vsc85xx_get_tunable,
.set_tunable = &vsc85xx_set_tunable,
@@ -2627,6 +2637,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8584_probe,
.get_tunable = &vsc85xx_get_tunable,
.set_tunable = &vsc85xx_set_tunable,
@@ -2650,6 +2661,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8584_probe,
.get_tunable = &vsc85xx_get_tunable,
.set_tunable = &vsc85xx_set_tunable,
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index d0bd6ab45ebe..add1a9ee721a 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -1193,9 +1193,7 @@ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
{
struct vsc8531_private *vsc8531 =
container_of(mii_ts, struct vsc8531_private, mii_ts);
- struct skb_shared_hwtstamps *shhwtstamps = NULL;
struct vsc85xx_ptphdr *ptphdr;
- struct timespec64 ts;
unsigned long ns;
if (!vsc8531->ptp->configured)
@@ -1205,27 +1203,52 @@ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
type == PTP_CLASS_NONE)
return false;
- vsc85xx_gettime(&vsc8531->ptp->caps, &ts);
-
ptphdr = get_ptp_header_rx(skb, vsc8531->ptp->rx_filter);
if (!ptphdr)
return false;
- shhwtstamps = skb_hwtstamps(skb);
- memset(shhwtstamps, 0, sizeof(struct skb_shared_hwtstamps));
-
ns = ntohl(ptphdr->rsrvd2);
- /* nsec is in reserved field */
- if (ts.tv_nsec < ns)
- ts.tv_sec--;
+ VSC8531_SKB_CB(skb)->ns = ns;
+ skb_queue_tail(&vsc8531->rx_skbs_list, skb);
- shhwtstamps->hwtstamp = ktime_set(ts.tv_sec, ns);
- netif_rx(skb);
+ ptp_schedule_worker(vsc8531->ptp->ptp_clock, 0);
return true;
}
+static long vsc85xx_do_aux_work(struct ptp_clock_info *info)
+{
+ struct vsc85xx_ptp *ptp = container_of(info, struct vsc85xx_ptp, caps);
+ struct skb_shared_hwtstamps *shhwtstamps = NULL;
+ struct phy_device *phydev = ptp->phydev;
+ struct vsc8531_private *priv = phydev->priv;
+ struct sk_buff_head received;
+ struct sk_buff *rx_skb;
+ struct timespec64 ts;
+ unsigned long flags;
+
+ __skb_queue_head_init(&received);
+ spin_lock_irqsave(&priv->rx_skbs_list.lock, flags);
+ skb_queue_splice_tail_init(&priv->rx_skbs_list, &received);
+ spin_unlock_irqrestore(&priv->rx_skbs_list.lock, flags);
+
+ vsc85xx_gettime(info, &ts);
+ while ((rx_skb = __skb_dequeue(&received)) != NULL) {
+ shhwtstamps = skb_hwtstamps(rx_skb);
+ memset(shhwtstamps, 0, sizeof(struct skb_shared_hwtstamps));
+
+ if (ts.tv_nsec < VSC8531_SKB_CB(rx_skb)->ns)
+ ts.tv_sec--;
+
+ shhwtstamps->hwtstamp = ktime_set(ts.tv_sec,
+ VSC8531_SKB_CB(rx_skb)->ns);
+ netif_rx(rx_skb);
+ }
+
+ return -1;
+}
+
static const struct ptp_clock_info vsc85xx_clk_caps = {
.owner = THIS_MODULE,
.name = "VSC85xx timer",
@@ -1239,6 +1262,7 @@ static const struct ptp_clock_info vsc85xx_clk_caps = {
.adjfine = &vsc85xx_adjfine,
.gettime64 = &vsc85xx_gettime,
.settime64 = &vsc85xx_settime,
+ .do_aux_work = &vsc85xx_do_aux_work,
};
static struct vsc8531_private *vsc8584_base_priv(struct phy_device *phydev)
@@ -1566,6 +1590,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
mutex_init(&vsc8531->phc_lock);
mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
/* Retrieve the shared load/save GPIO. Request it as non exclusive as
* the same GPIO can be requested by all the PHYs of the same package.
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 470/482] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 469/482] phy: mscc: Fix timestamping for vsc8584 Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 471/482] gve: prevent ethtool ops after shutdown Greg Kroah-Hartman
` (20 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+20537064367a0f98d597,
Yuichiro Tsuji, Andrew Lunn, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuichiro Tsuji <yuichtsu@amazon.com>
[ Upstream commit 24ef2f53c07f273bad99173e27ee88d44d135b1c ]
Syzbot reported shift-out-of-bounds exception on MDIO bus initialization.
The PHY address should be masked to 5 bits (0-31). Without this
mask, invalid PHY addresses could be used, potentially causing issues
with MDIO bus operations.
Fix this by masking the PHY address with 0x1f (31 decimal) to ensure
it stays within the valid range.
Fixes: 4faff70959d5 ("net: usb: asix_devices: add phy_mask for ax88772 mdio bus")
Reported-by: syzbot+20537064367a0f98d597@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=20537064367a0f98d597
Tested-by: syzbot+20537064367a0f98d597@syzkaller.appspotmail.com
Signed-off-by: Yuichiro Tsuji <yuichtsu@amazon.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250818084541.1958-1-yuichtsu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/asix_devices.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index d1813a2495bc..021f38c25be8 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -676,7 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
priv->mdio->read = &asix_mdio_bus_read;
priv->mdio->write = &asix_mdio_bus_write;
priv->mdio->name = "Asix MDIO Bus";
- priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
+ priv->mdio->phy_mask = ~(BIT(priv->phy_addr & 0x1f) | BIT(AX_EMBD_PHY_ADDR));
/* mii bus name is usb-<usb bus number>-<usb device number> */
snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
dev->udev->bus->busnum, dev->udev->devnum);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 471/482] gve: prevent ethtool ops after shutdown
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 470/482] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 472/482] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Greg Kroah-Hartman
` (19 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jordan Rhee, Jeroen de Borst,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jordan Rhee <jordanrhee@google.com>
[ Upstream commit 75a9a46d67f46d608205888f9b34e315c1786345 ]
A crash can occur if an ethtool operation is invoked
after shutdown() is called.
shutdown() is invoked during system shutdown to stop DMA operations
without performing expensive deallocations. It is discouraged to
unregister the netdev in this path, so the device may still be visible
to userspace and kernel helpers.
In gve, shutdown() tears down most internal data structures. If an
ethtool operation is dispatched after shutdown(), it will dereference
freed or NULL pointers, leading to a kernel panic. While graceful
shutdown normally quiesces userspace before invoking the reboot
syscall, forced shutdowns (as observed on GCP VMs) can still trigger
this path.
Fix by calling netif_device_detach() in shutdown().
This marks the device as detached so the ethtool ioctl handler
will skip dispatching operations to the driver.
Fixes: 974365e51861 ("gve: Implement suspend/resume/shutdown")
Signed-off-by: Jordan Rhee <jordanrhee@google.com>
Signed-off-by: Jeroen de Borst <jeroendb@google.com>
Link: https://patch.msgid.link/20250818211245.1156919-1-jeroendb@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
index 4fee466a8e90..2e8b01b3ee44 100644
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -1683,6 +1683,8 @@ static void gve_shutdown(struct pci_dev *pdev)
struct gve_priv *priv = netdev_priv(netdev);
bool was_up = netif_carrier_ok(priv->dev);
+ netif_device_detach(netdev);
+
rtnl_lock();
if (was_up && gve_close(priv->dev)) {
/* If the dev was up, attempt to close, if close fails, reset */
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 472/482] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 471/482] gve: prevent ethtool ops after shutdown Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 473/482] igc: fix disabling L1.2 PCI-E link substate on I226 on init Greg Kroah-Hartman
` (18 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Larysa Zaremba,
Paul Menzel, Aleksandr Loktionov, Priya Singh, Tony Nguyen,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kernelxing@tencent.com>
[ Upstream commit 4d4d9ef9dfee877d494e5418f68a1016ef08cad6 ]
Resolve the budget negative overflow which leads to returning true in
ixgbe_xmit_zc even when the budget of descs are thoroughly consumed.
Before this patch, when the budget is decreased to zero and finishes
sending the last allowed desc in ixgbe_xmit_zc, it will always turn back
and enter into the while() statement to see if it should keep processing
packets, but in the meantime it unexpectedly decreases the value again to
'unsigned int (0--)', namely, UINT_MAX. Finally, the ixgbe_xmit_zc returns
true, showing 'we complete cleaning the budget'. That also means
'clean_complete = true' in ixgbe_poll.
The true theory behind this is if that budget number of descs are consumed,
it implies that we might have more descs to be done. So we should return
false in ixgbe_xmit_zc to tell napi poll to find another chance to start
polling to handle the rest of descs. On the contrary, returning true here
means job done and we know we finish all the possible descs this time and
we don't intend to start a new napi poll.
It is apparently against our expectations. Please also see how
ixgbe_clean_tx_irq() handles the problem: it uses do..while() statement
to make sure the budget can be decreased to zero at most and the negative
overflow never happens.
The patch adds 'likely' because we rarely would not hit the loop condition
since the standard budget is 256.
Fixes: 8221c5eba8c1 ("ixgbe: add AF_XDP zero-copy Tx support")
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Priya Singh <priyax.singh@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20250819222000.3504873-4-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
index 1703c640a434..7ef82c30e857 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
@@ -403,7 +403,7 @@ static bool ixgbe_xmit_zc(struct ixgbe_ring *xdp_ring, unsigned int budget)
dma_addr_t dma;
u32 cmd_type;
- while (budget-- > 0) {
+ while (likely(budget)) {
if (unlikely(!ixgbe_desc_unused(xdp_ring))) {
work_done = false;
break;
@@ -438,6 +438,8 @@ static bool ixgbe_xmit_zc(struct ixgbe_ring *xdp_ring, unsigned int budget)
xdp_ring->next_to_use++;
if (xdp_ring->next_to_use == xdp_ring->count)
xdp_ring->next_to_use = 0;
+
+ budget--;
}
if (tx_desc) {
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 473/482] igc: fix disabling L1.2 PCI-E link substate on I226 on init
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 472/482] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 474/482] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Greg Kroah-Hartman
` (17 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ValdikSS, Vitaly Lifshits,
Paul Menzel, Tony Nguyen, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ValdikSS <iam@valdikss.org.ru>
[ Upstream commit 1468c1f97cf32418e34dbb40b784ed9333b9e123 ]
Device ID comparison in igc_is_device_id_i226 is performed before
the ID is set, resulting in always failing check on init.
Before the patch:
* L1.2 is not disabled on init
* L1.2 is properly disabled after suspend-resume cycle
With the patch:
* L1.2 is properly disabled both on init and after suspend-resume
How to test:
Connect to the 1G link with 300+ mbit/s Internet speed, and run
the download speed test, such as:
curl -o /dev/null http://speedtest.selectel.ru/1GB
Without L1.2 disabled, the speed would be no more than ~200 mbit/s.
With L1.2 disabled, the speed would reach 1 gbit/s.
Note: it's required that the latency between your host and the remote
be around 3-5 ms, the test inside LAN (<1 ms latency) won't trigger the
issue.
Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com
Fixes: 0325143b59c6 ("igc: disable L1.2 PCI-E link substate to avoid performance issue")
Signed-off-by: ValdikSS <iam@valdikss.org.ru>
Reviewed-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20250819222000.3504873-6-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index ca3fd0270810..5bcdb1b7da29 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -6553,6 +6553,13 @@ static int igc_probe(struct pci_dev *pdev,
adapter->port_num = hw->bus.func;
adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE);
+ /* PCI config space info */
+ hw->vendor_id = pdev->vendor;
+ hw->device_id = pdev->device;
+ hw->revision_id = pdev->revision;
+ hw->subsystem_vendor_id = pdev->subsystem_vendor;
+ hw->subsystem_device_id = pdev->subsystem_device;
+
/* Disable ASPM L1.2 on I226 devices to avoid packet loss */
if (igc_is_device_id_i226(hw))
pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
@@ -6577,13 +6584,6 @@ static int igc_probe(struct pci_dev *pdev,
netdev->mem_start = pci_resource_start(pdev, 0);
netdev->mem_end = pci_resource_end(pdev, 0);
- /* PCI config space info */
- hw->vendor_id = pdev->vendor;
- hw->device_id = pdev->device;
- hw->revision_id = pdev->revision;
- hw->subsystem_vendor_id = pdev->subsystem_vendor;
- hw->subsystem_device_id = pdev->subsystem_device;
-
/* Copy the default MAC and PHY function pointers */
memcpy(&hw->mac.ops, ei->mac_ops, sizeof(hw->mac.ops));
memcpy(&hw->phy.ops, ei->phy_ops, sizeof(hw->phy.ops));
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 474/482] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 473/482] igc: fix disabling L1.2 PCI-E link substate on I226 on init Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 475/482] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate Greg Kroah-Hartman
` (16 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
Toke Høiland-Jørgensen, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Liu <will@willsroot.io>
[ Upstream commit 15de71d06a400f7fdc15bf377a2552b0ec437cf5 ]
The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.
I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: William Liu <will@willsroot.io>
Reviewed-by: Savino Dicanosa <savy@syst3mfailure.io>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250819033601.579821-1-will@willsroot.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 12dd4d41605c..d99e1603c32a 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1761,7 +1761,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
ktime_t now = ktime_get();
struct cake_tin_data *b;
struct cake_flow *flow;
- u32 idx;
+ u32 idx, tin;
/* choose flow to insert into */
idx = cake_classify(sch, &b, skb, q->flow_mode, &ret);
@@ -1771,6 +1771,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
__qdisc_drop(skb, to_free);
return ret;
}
+ tin = (u32)(b - q->tins);
idx--;
flow = &b->flows[idx];
@@ -1938,13 +1939,22 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
q->buffer_max_used = q->buffer_used;
if (q->buffer_used > q->buffer_limit) {
+ bool same_flow = false;
u32 dropped = 0;
+ u32 drop_id;
while (q->buffer_used > q->buffer_limit) {
dropped++;
- cake_drop(sch, to_free);
+ drop_id = cake_drop(sch, to_free);
+
+ if ((drop_id >> 16) == tin &&
+ (drop_id & 0xFFFF) == idx)
+ same_flow = true;
}
b->drop_overlimit += dropped;
+
+ if (same_flow)
+ return NET_XMIT_CN;
}
return NET_XMIT_SUCCESS;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 475/482] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 474/482] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 476/482] bonding: update LACP activity flag after setting lacp_active Greg Kroah-Hartman
` (15 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Liu <will@willsroot.io>
[ Upstream commit 2c2192e5f9c7c2892fe2363244d1387f62710d83 ]
The WARN_ON trigger based on !cl->leaf.q->q.qlen is unnecessary in
htb_activate. htb_dequeue_tree already accounts for that scenario.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: William Liu <will@willsroot.io>
Reviewed-by: Savino Dicanosa <savy@syst3mfailure.io>
Link: https://patch.msgid.link/20250819033632.579854-1-will@willsroot.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_htb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 1e19d3ffbf21..7aac0916205b 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -589,7 +589,7 @@ htb_change_class_mode(struct htb_sched *q, struct htb_class *cl, s64 *diff)
*/
static inline void htb_activate(struct htb_sched *q, struct htb_class *cl)
{
- WARN_ON(cl->level || !cl->leaf.q || !cl->leaf.q->q.qlen);
+ WARN_ON(cl->level || !cl->leaf.q);
if (!cl->prio_activity) {
cl->prio_activity = 1 << cl->prio;
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 476/482] bonding: update LACP activity flag after setting lacp_active
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 475/482] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 477/482] bonding: Add independent control state machine Greg Kroah-Hartman
` (14 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit b64d035f77b1f02ab449393342264b44950a75ae ]
The port's actor_oper_port_state activity flag should be updated immediately
after changing the lacp_active option to reflect the current mode correctly.
Fixes: 3a755cd8b7c6 ("bonding: add new option lacp_active")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20250815062000.22220-2-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 25 +++++++++++++++++++++++++
drivers/net/bonding/bond_options.c | 1 +
include/net/bond_3ad.h | 1 +
3 files changed, 27 insertions(+)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index 9270977e6c7f..7557c525615e 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -2725,6 +2725,31 @@ void bond_3ad_update_lacp_rate(struct bonding *bond)
spin_unlock_bh(&bond->mode_lock);
}
+/**
+ * bond_3ad_update_lacp_active - change the lacp active
+ * @bond: bonding struct
+ *
+ * Update actor_oper_port_state when lacp_active is modified.
+ */
+void bond_3ad_update_lacp_active(struct bonding *bond)
+{
+ struct port *port = NULL;
+ struct list_head *iter;
+ struct slave *slave;
+ int lacp_active;
+
+ lacp_active = bond->params.lacp_active;
+ spin_lock_bh(&bond->mode_lock);
+ bond_for_each_slave(bond, slave, iter) {
+ port = &(SLAVE_AD_INFO(slave)->port);
+ if (lacp_active)
+ port->actor_oper_port_state |= LACP_STATE_LACP_ACTIVITY;
+ else
+ port->actor_oper_port_state &= ~LACP_STATE_LACP_ACTIVITY;
+ }
+ spin_unlock_bh(&bond->mode_lock);
+}
+
size_t bond_3ad_stats_size(void)
{
return nla_total_size_64bit(sizeof(u64)) + /* BOND_3AD_STAT_LACPDU_RX */
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 21ca95cdef42..8a24c016f667 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1634,6 +1634,7 @@ static int bond_option_lacp_active_set(struct bonding *bond,
netdev_dbg(bond->dev, "Setting LACP active to %s (%llu)\n",
newval->string, newval->value);
bond->params.lacp_active = newval->value;
+ bond_3ad_update_lacp_active(bond);
return 0;
}
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index a016f275cb01..2d9596dba84d 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -303,6 +303,7 @@ int bond_3ad_lacpdu_recv(const struct sk_buff *skb, struct bonding *bond,
int bond_3ad_set_carrier(struct bonding *bond);
void bond_3ad_update_lacp_active(struct bonding *bond);
void bond_3ad_update_lacp_rate(struct bonding *bond);
+void bond_3ad_update_lacp_active(struct bonding *bond);
void bond_3ad_update_ad_actor_settings(struct bonding *bond);
int bond_3ad_stats_fill(struct sk_buff *skb, struct bond_3ad_stats *stats);
size_t bond_3ad_stats_size(void);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 477/482] bonding: Add independent control state machine
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 476/482] bonding: update LACP activity flag after setting lacp_active Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 478/482] bonding: send LACPDUs periodically in passive mode after receiving partners LACPDU Greg Kroah-Hartman
` (13 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aahil Awatramani, Hangbin Liu,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aahil Awatramani <aahila@google.com>
[ Upstream commit 240fd405528bbf7fafa0559202ca7aa524c9cd96 ]
Add support for the independent control state machine per IEEE
802.1AX-2008 5.4.15 in addition to the existing implementation of the
coupled control state machine.
Introduces two new states, AD_MUX_COLLECTING and AD_MUX_DISTRIBUTING in
the LACP MUX state machine for separated handling of an initial
Collecting state before the Collecting and Distributing state. This
enables a port to be in a state where it can receive incoming packets
while not still distributing. This is useful for reducing packet loss when
a port begins distributing before its partner is able to collect.
Added new functions such as bond_set_slave_tx_disabled_flags and
bond_set_slave_rx_enabled_flags to precisely manage the port's collecting
and distributing states. Previously, there was no dedicated method to
disable TX while keeping RX enabled, which this patch addresses.
Note that the regular flow process in the kernel's bonding driver remains
unaffected by this patch. The extension requires explicit opt-in by the
user (in order to ensure no disruptions for existing setups) via netlink
support using the new bonding parameter coupled_control. The default value
for coupled_control is set to 1 so as to preserve existing behaviour.
Signed-off-by: Aahil Awatramani <aahila@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://lore.kernel.org/r/20240202175858.1573852-1-aahila@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 0599640a21e9 ("bonding: send LACPDUs periodically in passive mode after receiving partner's LACPDU")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/networking/bonding.rst | 12 ++
drivers/net/bonding/bond_3ad.c | 157 +++++++++++++++++++++++++--
drivers/net/bonding/bond_main.c | 1 +
drivers/net/bonding/bond_netlink.c | 16 +++
drivers/net/bonding/bond_options.c | 28 ++++-
include/net/bond_3ad.h | 2 +
include/net/bond_options.h | 1 +
include/net/bonding.h | 23 ++++
include/uapi/linux/if_link.h | 1 +
tools/include/uapi/linux/if_link.h | 1 +
10 files changed, 234 insertions(+), 8 deletions(-)
diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
index 96cd7a26f3d9..870b4e134318 100644
--- a/Documentation/networking/bonding.rst
+++ b/Documentation/networking/bonding.rst
@@ -444,6 +444,18 @@ arp_missed_max
The default value is 2, and the allowable range is 1 - 255.
+coupled_control
+
+ Specifies whether the LACP state machine's MUX in the 802.3ad mode
+ should have separate Collecting and Distributing states.
+
+ This is by implementing the independent control state machine per
+ IEEE 802.1AX-2008 5.4.15 in addition to the existing coupled control
+ state machine.
+
+ The default value is 1. This setting does not separate the Collecting
+ and Distributing states, maintaining the bond in coupled control.
+
downdelay
Specifies the time, in milliseconds, to wait before disabling
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index 7557c525615e..c64b87ca067b 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -105,6 +105,9 @@ static void ad_agg_selection_logic(struct aggregator *aggregator,
static void ad_clear_agg(struct aggregator *aggregator);
static void ad_initialize_agg(struct aggregator *aggregator);
static void ad_initialize_port(struct port *port, int lacp_fast);
+static void ad_enable_collecting(struct port *port);
+static void ad_disable_distributing(struct port *port,
+ bool *update_slave_arr);
static void ad_enable_collecting_distributing(struct port *port,
bool *update_slave_arr);
static void ad_disable_collecting_distributing(struct port *port,
@@ -170,9 +173,38 @@ static inline int __agg_has_partner(struct aggregator *agg)
return !is_zero_ether_addr(agg->partner_system.mac_addr_value);
}
+/**
+ * __disable_distributing_port - disable the port's slave for distributing.
+ * Port will still be able to collect.
+ * @port: the port we're looking at
+ *
+ * This will disable only distributing on the port's slave.
+ */
+static void __disable_distributing_port(struct port *port)
+{
+ bond_set_slave_tx_disabled_flags(port->slave, BOND_SLAVE_NOTIFY_LATER);
+}
+
+/**
+ * __enable_collecting_port - enable the port's slave for collecting,
+ * if it's up
+ * @port: the port we're looking at
+ *
+ * This will enable only collecting on the port's slave.
+ */
+static void __enable_collecting_port(struct port *port)
+{
+ struct slave *slave = port->slave;
+
+ if (slave->link == BOND_LINK_UP && bond_slave_is_up(slave))
+ bond_set_slave_rx_enabled_flags(slave, BOND_SLAVE_NOTIFY_LATER);
+}
+
/**
* __disable_port - disable the port's slave
* @port: the port we're looking at
+ *
+ * This will disable both collecting and distributing on the port's slave.
*/
static inline void __disable_port(struct port *port)
{
@@ -182,6 +214,8 @@ static inline void __disable_port(struct port *port)
/**
* __enable_port - enable the port's slave, if it's up
* @port: the port we're looking at
+ *
+ * This will enable both collecting and distributing on the port's slave.
*/
static inline void __enable_port(struct port *port)
{
@@ -192,10 +226,27 @@ static inline void __enable_port(struct port *port)
}
/**
- * __port_is_enabled - check if the port's slave is in active state
+ * __port_move_to_attached_state - check if port should transition back to attached
+ * state.
+ * @port: the port we're looking at
+ */
+static bool __port_move_to_attached_state(struct port *port)
+{
+ if (!(port->sm_vars & AD_PORT_SELECTED) ||
+ (port->sm_vars & AD_PORT_STANDBY) ||
+ !(port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) ||
+ !(port->actor_oper_port_state & LACP_STATE_SYNCHRONIZATION))
+ port->sm_mux_state = AD_MUX_ATTACHED;
+
+ return port->sm_mux_state == AD_MUX_ATTACHED;
+}
+
+/**
+ * __port_is_collecting_distributing - check if the port's slave is in the
+ * combined collecting/distributing state
* @port: the port we're looking at
*/
-static inline int __port_is_enabled(struct port *port)
+static int __port_is_collecting_distributing(struct port *port)
{
return bond_is_active_slave(port->slave);
}
@@ -933,6 +984,7 @@ static int ad_marker_send(struct port *port, struct bond_marker *marker)
*/
static void ad_mux_machine(struct port *port, bool *update_slave_arr)
{
+ struct bonding *bond = __get_bond_by_port(port);
mux_states_t last_state;
/* keep current State Machine state to compare later if it was
@@ -990,9 +1042,13 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
if ((port->sm_vars & AD_PORT_SELECTED) &&
(port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) &&
!__check_agg_selection_timer(port)) {
- if (port->aggregator->is_active)
- port->sm_mux_state =
- AD_MUX_COLLECTING_DISTRIBUTING;
+ if (port->aggregator->is_active) {
+ int state = AD_MUX_COLLECTING_DISTRIBUTING;
+
+ if (!bond->params.coupled_control)
+ state = AD_MUX_COLLECTING;
+ port->sm_mux_state = state;
+ }
} else if (!(port->sm_vars & AD_PORT_SELECTED) ||
(port->sm_vars & AD_PORT_STANDBY)) {
/* if UNSELECTED or STANDBY */
@@ -1010,11 +1066,45 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
}
break;
case AD_MUX_COLLECTING_DISTRIBUTING:
+ if (!__port_move_to_attached_state(port)) {
+ /* if port state hasn't changed make
+ * sure that a collecting distributing
+ * port in an active aggregator is enabled
+ */
+ if (port->aggregator->is_active &&
+ !__port_is_collecting_distributing(port)) {
+ __enable_port(port);
+ *update_slave_arr = true;
+ }
+ }
+ break;
+ case AD_MUX_COLLECTING:
+ if (!__port_move_to_attached_state(port)) {
+ if ((port->sm_vars & AD_PORT_SELECTED) &&
+ (port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) &&
+ (port->partner_oper.port_state & LACP_STATE_COLLECTING)) {
+ port->sm_mux_state = AD_MUX_DISTRIBUTING;
+ } else {
+ /* If port state hasn't changed, make sure that a collecting
+ * port is enabled for an active aggregator.
+ */
+ struct slave *slave = port->slave;
+
+ if (port->aggregator->is_active &&
+ bond_is_slave_rx_disabled(slave)) {
+ ad_enable_collecting(port);
+ *update_slave_arr = true;
+ }
+ }
+ }
+ break;
+ case AD_MUX_DISTRIBUTING:
if (!(port->sm_vars & AD_PORT_SELECTED) ||
(port->sm_vars & AD_PORT_STANDBY) ||
+ !(port->partner_oper.port_state & LACP_STATE_COLLECTING) ||
!(port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) ||
!(port->actor_oper_port_state & LACP_STATE_SYNCHRONIZATION)) {
- port->sm_mux_state = AD_MUX_ATTACHED;
+ port->sm_mux_state = AD_MUX_COLLECTING;
} else {
/* if port state hasn't changed make
* sure that a collecting distributing
@@ -1022,7 +1112,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
if (port->aggregator &&
port->aggregator->is_active &&
- !__port_is_enabled(port)) {
+ !__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
}
@@ -1073,6 +1163,20 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
update_slave_arr);
port->ntt = true;
break;
+ case AD_MUX_COLLECTING:
+ port->actor_oper_port_state |= LACP_STATE_COLLECTING;
+ port->actor_oper_port_state &= ~LACP_STATE_DISTRIBUTING;
+ port->actor_oper_port_state |= LACP_STATE_SYNCHRONIZATION;
+ ad_enable_collecting(port);
+ ad_disable_distributing(port, update_slave_arr);
+ port->ntt = true;
+ break;
+ case AD_MUX_DISTRIBUTING:
+ port->actor_oper_port_state |= LACP_STATE_DISTRIBUTING;
+ port->actor_oper_port_state |= LACP_STATE_SYNCHRONIZATION;
+ ad_enable_collecting_distributing(port,
+ update_slave_arr);
+ break;
default:
break;
}
@@ -1897,6 +2001,45 @@ static void ad_initialize_port(struct port *port, int lacp_fast)
}
}
+/**
+ * ad_enable_collecting - enable a port's receive
+ * @port: the port we're looking at
+ *
+ * Enable @port if it's in an active aggregator
+ */
+static void ad_enable_collecting(struct port *port)
+{
+ if (port->aggregator->is_active) {
+ struct slave *slave = port->slave;
+
+ slave_dbg(slave->bond->dev, slave->dev,
+ "Enabling collecting on port %d (LAG %d)\n",
+ port->actor_port_number,
+ port->aggregator->aggregator_identifier);
+ __enable_collecting_port(port);
+ }
+}
+
+/**
+ * ad_disable_distributing - disable a port's transmit
+ * @port: the port we're looking at
+ * @update_slave_arr: Does slave array need update?
+ */
+static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
+{
+ if (port->aggregator &&
+ !MAC_ADDRESS_EQUAL(&port->aggregator->partner_system,
+ &(null_mac_addr))) {
+ slave_dbg(port->slave->bond->dev, port->slave->dev,
+ "Disabling distributing on port %d (LAG %d)\n",
+ port->actor_port_number,
+ port->aggregator->aggregator_identifier);
+ __disable_distributing_port(port);
+ /* Slave array needs an update */
+ *update_slave_arr = true;
+ }
+}
+
/**
* ad_enable_collecting_distributing - enable a port's transmit/receive
* @port: the port we're looking at
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 3cedadef9c8a..11c58b88f9ce 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -6310,6 +6310,7 @@ static int bond_check_params(struct bond_params *params)
params->ad_actor_sys_prio = ad_actor_sys_prio;
eth_zero_addr(params->ad_actor_system);
params->ad_user_port_key = ad_user_port_key;
+ params->coupled_control = 1;
if (packets_per_slave > 0) {
params->reciprocal_packets_per_slave =
reciprocal_value(packets_per_slave);
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 27cbe148f0db..aebc814ad495 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -122,6 +122,7 @@ static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = {
[IFLA_BOND_PEER_NOTIF_DELAY] = NLA_POLICY_FULL_RANGE(NLA_U32, &delay_range),
[IFLA_BOND_MISSED_MAX] = { .type = NLA_U8 },
[IFLA_BOND_NS_IP6_TARGET] = { .type = NLA_NESTED },
+ [IFLA_BOND_COUPLED_CONTROL] = { .type = NLA_U8 },
};
static const struct nla_policy bond_slave_policy[IFLA_BOND_SLAVE_MAX + 1] = {
@@ -549,6 +550,16 @@ static int bond_changelink(struct net_device *bond_dev, struct nlattr *tb[],
return err;
}
+ if (data[IFLA_BOND_COUPLED_CONTROL]) {
+ int coupled_control = nla_get_u8(data[IFLA_BOND_COUPLED_CONTROL]);
+
+ bond_opt_initval(&newval, coupled_control);
+ err = __bond_opt_set(bond, BOND_OPT_COUPLED_CONTROL, &newval,
+ data[IFLA_BOND_COUPLED_CONTROL], extack);
+ if (err)
+ return err;
+ }
+
return 0;
}
@@ -615,6 +626,7 @@ static size_t bond_get_size(const struct net_device *bond_dev)
/* IFLA_BOND_NS_IP6_TARGET */
nla_total_size(sizeof(struct nlattr)) +
nla_total_size(sizeof(struct in6_addr)) * BOND_MAX_NS_TARGETS +
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_COUPLED_CONTROL */
0;
}
@@ -774,6 +786,10 @@ static int bond_fill_info(struct sk_buff *skb,
bond->params.missed_max))
goto nla_put_failure;
+ if (nla_put_u8(skb, IFLA_BOND_COUPLED_CONTROL,
+ bond->params.coupled_control))
+ goto nla_put_failure;
+
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
struct ad_info info;
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 8a24c016f667..1235878d8715 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -85,7 +85,8 @@ static int bond_option_ad_user_port_key_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_missed_max_set(struct bonding *bond,
const struct bond_opt_value *newval);
-
+static int bond_option_coupled_control_set(struct bonding *bond,
+ const struct bond_opt_value *newval);
static const struct bond_opt_value bond_mode_tbl[] = {
{ "balance-rr", BOND_MODE_ROUNDROBIN, BOND_VALFLAG_DEFAULT},
@@ -233,6 +234,12 @@ static const struct bond_opt_value bond_missed_max_tbl[] = {
{ NULL, -1, 0},
};
+static const struct bond_opt_value bond_coupled_control_tbl[] = {
+ { "on", 1, BOND_VALFLAG_DEFAULT},
+ { "off", 0, 0},
+ { NULL, -1, 0},
+};
+
static const struct bond_option bond_opts[BOND_OPT_LAST] = {
[BOND_OPT_MODE] = {
.id = BOND_OPT_MODE,
@@ -497,6 +504,15 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.desc = "Delay between each peer notification on failover event, in milliseconds",
.values = bond_peer_notif_delay_tbl,
.set = bond_option_peer_notif_delay_set
+ },
+ [BOND_OPT_COUPLED_CONTROL] = {
+ .id = BOND_OPT_COUPLED_CONTROL,
+ .name = "coupled_control",
+ .desc = "Opt into using coupled control MUX for LACP states",
+ .unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
+ .flags = BOND_OPTFLAG_IFDOWN,
+ .values = bond_coupled_control_tbl,
+ .set = bond_option_coupled_control_set,
}
};
@@ -1828,3 +1844,13 @@ static int bond_option_ad_user_port_key_set(struct bonding *bond,
bond->params.ad_user_port_key = newval->value;
return 0;
}
+
+static int bond_option_coupled_control_set(struct bonding *bond,
+ const struct bond_opt_value *newval)
+{
+ netdev_info(bond->dev, "Setting coupled_control to %s (%llu)\n",
+ newval->string, newval->value);
+
+ bond->params.coupled_control = newval->value;
+ return 0;
+}
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index 2d9596dba84d..5047711944df 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -54,6 +54,8 @@ typedef enum {
AD_MUX_DETACHED, /* mux machine */
AD_MUX_WAITING, /* mux machine */
AD_MUX_ATTACHED, /* mux machine */
+ AD_MUX_COLLECTING, /* mux machine */
+ AD_MUX_DISTRIBUTING, /* mux machine */
AD_MUX_COLLECTING_DISTRIBUTING /* mux machine */
} mux_states_t;
diff --git a/include/net/bond_options.h b/include/net/bond_options.h
index f631d9f09941..18687ccf0638 100644
--- a/include/net/bond_options.h
+++ b/include/net/bond_options.h
@@ -76,6 +76,7 @@ enum {
BOND_OPT_MISSED_MAX,
BOND_OPT_NS_TARGETS,
BOND_OPT_PRIO,
+ BOND_OPT_COUPLED_CONTROL,
BOND_OPT_LAST
};
diff --git a/include/net/bonding.h b/include/net/bonding.h
index 9a3ac960dfe1..bfd3e4e58f86 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -152,6 +152,7 @@ struct bond_params {
#if IS_ENABLED(CONFIG_IPV6)
struct in6_addr ns_targets[BOND_MAX_NS_TARGETS];
#endif
+ int coupled_control;
/* 2 bytes of padding : see ether_addr_equal_64bits() */
u8 ad_actor_system[ETH_ALEN + 2];
@@ -171,6 +172,7 @@ struct slave {
u8 backup:1, /* indicates backup slave. Value corresponds with
BOND_STATE_ACTIVE and BOND_STATE_BACKUP */
inactive:1, /* indicates inactive slave */
+ rx_disabled:1, /* indicates whether slave's Rx is disabled */
should_notify:1, /* indicates whether the state changed */
should_notify_link:1; /* indicates whether the link changed */
u8 duplex;
@@ -574,6 +576,14 @@ static inline void bond_set_slave_inactive_flags(struct slave *slave,
bond_set_slave_state(slave, BOND_STATE_BACKUP, notify);
if (!slave->bond->params.all_slaves_active)
slave->inactive = 1;
+ if (BOND_MODE(slave->bond) == BOND_MODE_8023AD)
+ slave->rx_disabled = 1;
+}
+
+static inline void bond_set_slave_tx_disabled_flags(struct slave *slave,
+ bool notify)
+{
+ bond_set_slave_state(slave, BOND_STATE_BACKUP, notify);
}
static inline void bond_set_slave_active_flags(struct slave *slave,
@@ -581,6 +591,14 @@ static inline void bond_set_slave_active_flags(struct slave *slave,
{
bond_set_slave_state(slave, BOND_STATE_ACTIVE, notify);
slave->inactive = 0;
+ if (BOND_MODE(slave->bond) == BOND_MODE_8023AD)
+ slave->rx_disabled = 0;
+}
+
+static inline void bond_set_slave_rx_enabled_flags(struct slave *slave,
+ bool notify)
+{
+ slave->rx_disabled = 0;
}
static inline bool bond_is_slave_inactive(struct slave *slave)
@@ -588,6 +606,11 @@ static inline bool bond_is_slave_inactive(struct slave *slave)
return slave->inactive;
}
+static inline bool bond_is_slave_rx_disabled(struct slave *slave)
+{
+ return slave->rx_disabled;
+}
+
static inline void bond_propose_link_state(struct slave *slave, int state)
{
slave->link_new_state = state;
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 5e7a1041df3a..feebb4509abd 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -938,6 +938,7 @@ enum {
IFLA_BOND_AD_LACP_ACTIVE,
IFLA_BOND_MISSED_MAX,
IFLA_BOND_NS_IP6_TARGET,
+ IFLA_BOND_COUPLED_CONTROL,
__IFLA_BOND_MAX,
};
diff --git a/tools/include/uapi/linux/if_link.h b/tools/include/uapi/linux/if_link.h
index 0242f31e339c..0d2eabfac956 100644
--- a/tools/include/uapi/linux/if_link.h
+++ b/tools/include/uapi/linux/if_link.h
@@ -863,6 +863,7 @@ enum {
IFLA_BOND_AD_LACP_ACTIVE,
IFLA_BOND_MISSED_MAX,
IFLA_BOND_NS_IP6_TARGET,
+ IFLA_BOND_COUPLED_CONTROL,
__IFLA_BOND_MAX,
};
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 478/482] bonding: send LACPDUs periodically in passive mode after receiving partners LACPDU
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 477/482] bonding: Add independent control state machine Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 479/482] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Greg Kroah-Hartman
` (12 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 0599640a21e98f0d6a3e9ff85c0a687c90a8103b ]
When `lacp_active` is set to `off`, the bond operates in passive mode, meaning
it only "speaks when spoken to." However, the current kernel implementation
only sends an LACPDU in response when the partner's state changes.
As a result, once LACP negotiation succeeds, the actor stops sending LACPDUs
until the partner times out and sends an "expired" LACPDU. This causes
continuous LACP state flapping.
According to IEEE 802.1AX-2014, 6.4.13 Periodic Transmission machine. The
values of Partner_Oper_Port_State.LACP_Activity and
Actor_Oper_Port_State.LACP_Activity determine whether periodic transmissions
take place. If either or both parameters are set to Active LACP, then periodic
transmissions occur; if both are set to Passive LACP, then periodic
transmissions do not occur.
To comply with this, we remove the `!bond->params.lacp_active` check in
`ad_periodic_machine()`. Instead, we initialize the actor's port's
`LACP_STATE_LACP_ACTIVITY` state based on `lacp_active` setting.
Additionally, we avoid setting the partner's state to
`LACP_STATE_LACP_ACTIVITY` in the EXPIRED state, since we should not assume
the partner is active by default.
This ensures that in passive mode, the bond starts sending periodic LACPDUs
after receiving one from the partner, and avoids flapping due to inactivity.
Fixes: 3a755cd8b7c6 ("bonding: add new option lacp_active")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20250815062000.22220-3-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 42 +++++++++++++++++++---------------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index c64b87ca067b..37364bbfdbdc 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -98,13 +98,13 @@ static int ad_marker_send(struct port *port, struct bond_marker *marker);
static void ad_mux_machine(struct port *port, bool *update_slave_arr);
static void ad_rx_machine(struct lacpdu *lacpdu, struct port *port);
static void ad_tx_machine(struct port *port);
-static void ad_periodic_machine(struct port *port, struct bond_params *bond_params);
+static void ad_periodic_machine(struct port *port);
static void ad_port_selection_logic(struct port *port, bool *update_slave_arr);
static void ad_agg_selection_logic(struct aggregator *aggregator,
bool *update_slave_arr);
static void ad_clear_agg(struct aggregator *aggregator);
static void ad_initialize_agg(struct aggregator *aggregator);
-static void ad_initialize_port(struct port *port, int lacp_fast);
+static void ad_initialize_port(struct port *port, const struct bond_params *bond_params);
static void ad_enable_collecting(struct port *port);
static void ad_disable_distributing(struct port *port,
bool *update_slave_arr);
@@ -1291,10 +1291,16 @@ static void ad_rx_machine(struct lacpdu *lacpdu, struct port *port)
* case of EXPIRED even if LINK_DOWN didn't arrive for
* the port.
*/
- port->partner_oper.port_state &= ~LACP_STATE_SYNCHRONIZATION;
port->sm_vars &= ~AD_PORT_MATCHED;
+ /* Based on IEEE 8021AX-2014, Figure 6-18 - Receive
+ * machine state diagram, the statue should be
+ * Partner_Oper_Port_State.Synchronization = FALSE;
+ * Partner_Oper_Port_State.LACP_Timeout = Short Timeout;
+ * start current_while_timer(Short Timeout);
+ * Actor_Oper_Port_State.Expired = TRUE;
+ */
+ port->partner_oper.port_state &= ~LACP_STATE_SYNCHRONIZATION;
port->partner_oper.port_state |= LACP_STATE_LACP_TIMEOUT;
- port->partner_oper.port_state |= LACP_STATE_LACP_ACTIVITY;
port->sm_rx_timer_counter = __ad_timer_to_ticks(AD_CURRENT_WHILE_TIMER, (u16)(AD_SHORT_TIMEOUT));
port->actor_oper_port_state |= LACP_STATE_EXPIRED;
port->sm_vars |= AD_PORT_CHURNED;
@@ -1400,11 +1406,10 @@ static void ad_tx_machine(struct port *port)
/**
* ad_periodic_machine - handle a port's periodic state machine
* @port: the port we're looking at
- * @bond_params: bond parameters we will use
*
* Turn ntt flag on priodically to perform periodic transmission of lacpdu's.
*/
-static void ad_periodic_machine(struct port *port, struct bond_params *bond_params)
+static void ad_periodic_machine(struct port *port)
{
periodic_states_t last_state;
@@ -1413,8 +1418,7 @@ static void ad_periodic_machine(struct port *port, struct bond_params *bond_para
/* check if port was reinitialized */
if (((port->sm_vars & AD_PORT_BEGIN) || !(port->sm_vars & AD_PORT_LACP_ENABLED) || !port->is_enabled) ||
- (!(port->actor_oper_port_state & LACP_STATE_LACP_ACTIVITY) && !(port->partner_oper.port_state & LACP_STATE_LACP_ACTIVITY)) ||
- !bond_params->lacp_active) {
+ (!(port->actor_oper_port_state & LACP_STATE_LACP_ACTIVITY) && !(port->partner_oper.port_state & LACP_STATE_LACP_ACTIVITY))) {
port->sm_periodic_state = AD_NO_PERIODIC;
}
/* check if state machine should change state */
@@ -1938,16 +1942,16 @@ static void ad_initialize_agg(struct aggregator *aggregator)
/**
* ad_initialize_port - initialize a given port's parameters
* @port: the port we're looking at
- * @lacp_fast: boolean. whether fast periodic should be used
+ * @bond_params: bond parameters we will use
*/
-static void ad_initialize_port(struct port *port, int lacp_fast)
+static void ad_initialize_port(struct port *port, const struct bond_params *bond_params)
{
static const struct port_params tmpl = {
.system_priority = 0xffff,
.key = 1,
.port_number = 1,
.port_priority = 0xff,
- .port_state = 1,
+ .port_state = 0,
};
static const struct lacpdu lacpdu = {
.subtype = 0x01,
@@ -1965,12 +1969,14 @@ static void ad_initialize_port(struct port *port, int lacp_fast)
port->actor_port_priority = 0xff;
port->actor_port_aggregator_identifier = 0;
port->ntt = false;
- port->actor_admin_port_state = LACP_STATE_AGGREGATION |
- LACP_STATE_LACP_ACTIVITY;
- port->actor_oper_port_state = LACP_STATE_AGGREGATION |
- LACP_STATE_LACP_ACTIVITY;
+ port->actor_admin_port_state = LACP_STATE_AGGREGATION;
+ port->actor_oper_port_state = LACP_STATE_AGGREGATION;
+ if (bond_params->lacp_active) {
+ port->actor_admin_port_state |= LACP_STATE_LACP_ACTIVITY;
+ port->actor_oper_port_state |= LACP_STATE_LACP_ACTIVITY;
+ }
- if (lacp_fast)
+ if (bond_params->lacp_fast)
port->actor_oper_port_state |= LACP_STATE_LACP_TIMEOUT;
memcpy(&port->partner_admin, &tmpl, sizeof(tmpl));
@@ -2186,7 +2192,7 @@ void bond_3ad_bind_slave(struct slave *slave)
/* port initialization */
port = &(SLAVE_AD_INFO(slave)->port);
- ad_initialize_port(port, bond->params.lacp_fast);
+ ad_initialize_port(port, &bond->params);
port->slave = slave;
port->actor_port_number = SLAVE_AD_INFO(slave)->id;
@@ -2498,7 +2504,7 @@ void bond_3ad_state_machine_handler(struct work_struct *work)
}
ad_rx_machine(NULL, port);
- ad_periodic_machine(port, &bond->params);
+ ad_periodic_machine(port);
ad_port_selection_logic(port, &update_slave_arr);
ad_mux_machine(port, &update_slave_arr);
ad_tx_machine(port);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 479/482] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 478/482] bonding: send LACPDUs periodically in passive mode after receiving partners LACPDU Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 480/482] s390/hypfs: Avoid unnecessary ioctl registration in debugfs Greg Kroah-Hartman
` (11 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 8410fe81093ff231e964891e215b624dabb734b0 ]
The entry of the validators table for UAC3 feature unit is defined
with a wrong sub-type UAC_FEATURE (= 0x06) while it should have been
UAC3_FEATURE (= 0x07). This patch corrects the entry value.
Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
Link: https://patch.msgid.link/20250821150835.8894-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/validate.c b/sound/usb/validate.c
index 4f4e8e87a14c..a0d55b77c994 100644
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -285,7 +285,7 @@ static const struct usb_desc_validator audio_validators[] = {
/* UAC_VERSION_3, UAC3_EXTENDED_TERMINAL: not implemented yet */
FUNC(UAC_VERSION_3, UAC3_MIXER_UNIT, validate_mixer_unit),
FUNC(UAC_VERSION_3, UAC3_SELECTOR_UNIT, validate_selector_unit),
- FUNC(UAC_VERSION_3, UAC_FEATURE_UNIT, validate_uac3_feature_unit),
+ FUNC(UAC_VERSION_3, UAC3_FEATURE_UNIT, validate_uac3_feature_unit),
/* UAC_VERSION_3, UAC3_EFFECT_UNIT: not implemented yet */
FUNC(UAC_VERSION_3, UAC3_PROCESSING_UNIT, validate_processing_unit),
FUNC(UAC_VERSION_3, UAC3_EXTENSION_UNIT, validate_processing_unit),
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 480/482] s390/hypfs: Avoid unnecessary ioctl registration in debugfs
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 479/482] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 481/482] s390/hypfs: Enable limited access during lockdown Greg Kroah-Hartman
` (10 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mete Durlu, Vasily Gorbik,
Peter Oberparleiter, Alexander Gordeev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
[ Upstream commit fec7bdfe7f8694a0c39e6c3ec026ff61ca1058b9 ]
Currently, hypfs registers ioctl callbacks for all debugfs files,
despite only one file requiring them. This leads to unintended exposure
of unused interfaces to user space and can trigger side effects such as
restricted access when kernel lockdown is enabled.
Restrict ioctl registration to only those files that implement ioctl
functionality to avoid interface clutter and unnecessary access
restrictions.
Tested-by: Mete Durlu <meted@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/hypfs/hypfs_dbfs.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c
index f4c7dbfaf8ee..c5f53dc3dbbc 100644
--- a/arch/s390/hypfs/hypfs_dbfs.c
+++ b/arch/s390/hypfs/hypfs_dbfs.c
@@ -64,24 +64,28 @@ static long dbfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
long rc;
mutex_lock(&df->lock);
- if (df->unlocked_ioctl)
- rc = df->unlocked_ioctl(file, cmd, arg);
- else
- rc = -ENOTTY;
+ rc = df->unlocked_ioctl(file, cmd, arg);
mutex_unlock(&df->lock);
return rc;
}
-static const struct file_operations dbfs_ops = {
+static const struct file_operations dbfs_ops_ioctl = {
.read = dbfs_read,
.llseek = no_llseek,
.unlocked_ioctl = dbfs_ioctl,
};
+static const struct file_operations dbfs_ops = {
+ .read = dbfs_read,
+};
+
void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df)
{
- df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df,
- &dbfs_ops);
+ const struct file_operations *fops = &dbfs_ops;
+
+ if (df->unlocked_ioctl)
+ fops = &dbfs_ops_ioctl;
+ df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops);
mutex_init(&df->lock);
}
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 481/482] s390/hypfs: Enable limited access during lockdown
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 480/482] s390/hypfs: Avoid unnecessary ioctl registration in debugfs Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 482/482] netfilter: nf_reject: dont leak dst refcount for loopback packets Greg Kroah-Hartman
` (9 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mete Durlu, Vasily Gorbik,
Peter Oberparleiter, Alexander Gordeev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
[ Upstream commit 3868f910440c47cd5d158776be4ba4e2186beda7 ]
When kernel lockdown is active, debugfs_locked_down() blocks access to
hypfs files that register ioctl callbacks, even if the ioctl interface
is not required for a function. This unnecessarily breaks userspace
tools that only rely on read operations.
Resolve this by registering a minimal set of file operations during
lockdown, avoiding ioctl registration and preserving access for affected
tooling.
Note that this change restores hypfs functionality when lockdown is
active from early boot (e.g. via lockdown=integrity kernel parameter),
but does not apply to scenarios where lockdown is enabled dynamically
while Linux is running.
Tested-by: Mete Durlu <meted@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/hypfs/hypfs_dbfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c
index c5f53dc3dbbc..5848f2e374a6 100644
--- a/arch/s390/hypfs/hypfs_dbfs.c
+++ b/arch/s390/hypfs/hypfs_dbfs.c
@@ -6,6 +6,7 @@
* Author(s): Michael Holzheu <holzheu@linux.vnet.ibm.com>
*/
+#include <linux/security.h>
#include <linux/slab.h>
#include "hypfs.h"
@@ -83,7 +84,7 @@ void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df)
{
const struct file_operations *fops = &dbfs_ops;
- if (df->unlocked_ioctl)
+ if (df->unlocked_ioctl && !security_locked_down(LOCKDOWN_DEBUGFS))
fops = &dbfs_ops_ioctl;
df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops);
mutex_init(&df->lock);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* [PATCH 6.1 482/482] netfilter: nf_reject: dont leak dst refcount for loopback packets
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 481/482] s390/hypfs: Enable limited access during lockdown Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 14:26 ` [PATCH 6.1 000/482] 6.1.149-rc1 review Miguel Ojeda
` (8 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 91a79b792204313153e1bdbbe5acbfc28903b3a5 ]
recent patches to add a WARN() when replacing skb dst entry found an
old bug:
WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]
WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
[..]
Call Trace:
nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
..
This is because blamed commit forgot about loopback packets.
Such packets already have a dst_entry attached, even at PRE_ROUTING stage.
Instead of checking hook just check if the skb already has a route
attached to it.
Fixes: f53b9b0bdc59 ("netfilter: introduce support for reject at prerouting stage")
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20250820123707.10671-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/nf_reject_ipv4.c | 6 ++----
net/ipv6/netfilter/nf_reject_ipv6.c | 5 ++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 675b5bbed638..2d663fe50f87 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -247,8 +247,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
if (!oth)
return;
- if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) &&
- nf_reject_fill_skb_dst(oldskb) < 0)
+ if (!skb_dst(oldskb) && nf_reject_fill_skb_dst(oldskb) < 0)
return;
if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
@@ -321,8 +320,7 @@ void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
if (iph->frag_off & htons(IP_OFFSET))
return;
- if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) &&
- nf_reject_fill_skb_dst(skb_in) < 0)
+ if (!skb_dst(skb_in) && nf_reject_fill_skb_dst(skb_in) < 0)
return;
if (skb_csum_unnecessary(skb_in) ||
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index e4776bd2ed89..f3579bccf0a5 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -293,7 +293,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
fl6.fl6_sport = otcph->dest;
fl6.fl6_dport = otcph->source;
- if (hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) {
+ if (!skb_dst(oldskb)) {
nf_ip6_route(net, &dst, flowi6_to_flowi(&fl6), false);
if (!dst)
return;
@@ -397,8 +397,7 @@ void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
skb_in->dev = net->loopback_dev;
- if ((hooknum == NF_INET_PRE_ROUTING || hooknum == NF_INET_INGRESS) &&
- nf_reject6_fill_skb_dst(skb_in) < 0)
+ if (!skb_dst(skb_in) && nf_reject6_fill_skb_dst(skb_in) < 0)
return;
icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0);
--
2.50.1
^ permalink raw reply related [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 6.1 482/482] netfilter: nf_reject: dont leak dst refcount for loopback packets Greg Kroah-Hartman
@ 2025-08-26 14:26 ` Miguel Ojeda
2025-08-26 17:38 ` Peter Schneider
` (7 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Miguel Ojeda @ 2025-08-26 14:26 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, srw, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Tue, 26 Aug 2025 13:04:13 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2025-08-26 14:26 ` [PATCH 6.1 000/482] 6.1.149-rc1 review Miguel Ojeda
@ 2025-08-26 17:38 ` Peter Schneider
2025-08-26 17:43 ` Jon Hunter
` (6 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Peter Schneider @ 2025-08-26 17:38 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, achill
Am 26.08.2025 um 13:04 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2025-08-26 17:38 ` Peter Schneider
@ 2025-08-26 17:43 ` Jon Hunter
2025-08-26 17:45 ` Florian Fainelli
` (5 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Jon Hunter @ 2025-08-26 17:43 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill,
linux-tegra, stable
On Tue, 26 Aug 2025 13:04:13 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.1:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
119 tests: 119 pass, 0 fail
Linux version: 6.1.149-rc1-g3c70876950c1
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2025-08-26 17:43 ` Jon Hunter
@ 2025-08-26 17:45 ` Florian Fainelli
2025-08-26 17:54 ` Brett A C Sheffield
` (4 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Florian Fainelli @ 2025-08-26 17:45 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie, achill
On 8/26/25 04:04, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2025-08-26 17:45 ` Florian Fainelli
@ 2025-08-26 17:54 ` Brett A C Sheffield
2025-08-27 9:21 ` [PATCH 6.1 000/482] " Ron Economos
` (3 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Brett A C Sheffield @ 2025-08-26 17:54 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill,
Brett A C Sheffield
Upstream commit:
9e30ecf23b1b ("net: ipv4: fix incorrect MTU in broadcast routes")
introduces a regression which breaks IPv4 broadcast, which stops WOL working
(breaking my CI system), among other things:
https://lore.kernel.org/regressions/20250822165231.4353-4-bacs@librecast.net
Mainline fix pending.
# Librecast Test Results
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.1.149-rc1-00483-g3c70876950c1 #51 SMP PREEMPT_DYNAMIC Tue Aug 26 17:19:50 -00 2025 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2025-08-26 17:54 ` Brett A C Sheffield
@ 2025-08-27 9:21 ` Ron Economos
2025-08-27 9:26 ` Anders Roxell
` (2 subsequent siblings)
490 siblings, 0 replies; 492+ messages in thread
From: Ron Economos @ 2025-08-27 9:21 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, achill
On 8/26/25 04:04, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2025-08-27 9:21 ` [PATCH 6.1 000/482] " Ron Economos
@ 2025-08-27 9:26 ` Anders Roxell
2025-08-27 11:18 ` Mark Brown
2025-08-29 6:20 ` Pavel Machek
490 siblings, 0 replies; 492+ messages in thread
From: Anders Roxell @ 2025-08-27 9:26 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill
On Tue, 26 Aug 2025 at 13:12, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro's test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 6.1.149-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 3c70876950c1fcf1008baf5be67b598127de7679
* git describe: v6.1.148-483-g3c70876950c1
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.148-483-g3c70876950c1
## Test Regressions (compared to v6.1.147-254-g7bc1f1e9d73f)
## Metric Regressions (compared to v6.1.147-254-g7bc1f1e9d73f)
## Test Fixes (compared to v6.1.147-254-g7bc1f1e9d73f)
## Metric Fixes (compared to v6.1.147-254-g7bc1f1e9d73f)
## Test result summary
total: 226713, pass: 211004, fail: 4615, skip: 10850, xfail: 244
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 133 total, 133 passed, 0 failed
* arm64: 41 total, 41 passed, 0 failed
* i386: 21 total, 21 passed, 0 failed
* mips: 26 total, 25 passed, 1 failed
* parisc: 4 total, 4 passed, 0 failed
* powerpc: 32 total, 31 passed, 1 failed
* riscv: 11 total, 11 passed, 0 failed
* s390: 14 total, 14 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 7 total, 7 passed, 0 failed
* x86_64: 33 total, 33 passed, 0 failed
## Test suites summary
* boot
* commands
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-exec
* kselftest-fpu
* kselftest-futex
* kselftest-intel_pstate
* kselftest-kcmp
* kselftest-kvm
* kselftest-livepatch
* kselftest-membarrier
* kselftest-mincore
* kselftest-mqueue
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-sigaltstack
* kselftest-size
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* lava
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* modules
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2025-08-27 9:26 ` Anders Roxell
@ 2025-08-27 11:18 ` Mark Brown
2025-08-29 6:20 ` Pavel Machek
490 siblings, 0 replies; 492+ messages in thread
From: Mark Brown @ 2025-08-27 11:18 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, achill
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Tue, Aug 26, 2025 at 01:04:13PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 492+ messages in thread
* Re: [PATCH 6.1 000/482] 6.1.149-rc1 review
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2025-08-27 11:18 ` Mark Brown
@ 2025-08-29 6:20 ` Pavel Machek
490 siblings, 0 replies; 492+ messages in thread
From: Pavel Machek @ 2025-08-29 6:20 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, hargar, broonie, achill
[-- Attachment #1: Type: text/plain, Size: 642 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.1.149 release.
> There are 482 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.1.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
In cooperation with DENX Software Engineering GmbH, HRB 165235 Munich,
Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 492+ messages in thread
end of thread, other threads:[~2025-08-29 6:20 UTC | newest]
Thread overview: 492+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-26 11:04 [PATCH 6.1 000/482] 6.1.149-rc1 review Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 001/482] io_uring: dont use int for ABI Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 002/482] ALSA: usb-audio: Validate UAC3 power domain descriptors, too Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 003/482] ALSA: usb-audio: Validate UAC3 cluster segment descriptors Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 004/482] ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 005/482] ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 006/482] smb3: fix for slab out of bounds on mount to ksmbd Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 007/482] smb: client: remove redundant lstrp update in negotiate protocol Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 008/482] gpio: virtio: Fix config space reading Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 009/482] gpio: mlxbf2: use platform_get_irq_optional() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 010/482] netlink: avoid infinite retry looping in netlink_unicast() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 011/482] net: phy: micrel: fix KSZ8081/KSZ8091 cable test Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 012/482] net: gianfar: fix device leak when querying time stamp info Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 013/482] net: mtk_eth_soc: fix device leak at probe Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 014/482] net: dpaa: fix device leak when querying time stamp info Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 015/482] net: usb: asix_devices: add phy_mask for ax88772 mdio bus Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 016/482] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 017/482] NFSD: detect mismatch of file handle and delegation stateid in OPEN op Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 018/482] NFS: Fix the setting of capabilities when automounting a new filesystem Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 019/482] PCI: Extend isolated function probing to LoongArch Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 020/482] LoongArch: BPF: Fix jump offset calculation in tailcall Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 021/482] sunvdc: Balance device refcount in vdc_port_mpgroup_check Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 022/482] fs: Prevent file descriptor table allocations exceeding INT_MAX Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 023/482] eventpoll: Fix semi-unbounded recursion Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 024/482] Documentation: ACPI: Fix parent device references Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 025/482] ACPI: processor: perflib: Fix initial _PPC limit application Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 026/482] ACPI: processor: perflib: Move problematic pr->performance check Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 027/482] KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 028/482] KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC) Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 029/482] KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 030/482] KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 031/482] KVM: x86: Snapshot the hosts DEBUGCTL in common x86 Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 032/482] KVM: x86: Snapshot the hosts DEBUGCTL after disabling IRQs Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 033/482] KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 034/482] KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 035/482] KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 036/482] KVM: VMX: Handle forced exit due to preemption timer in fastpath Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 037/482] KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 038/482] KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2 Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 039/482] KVM: x86: Fully defer to vendor code to decide how to force immediate exit Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 040/482] KVM: x86: Convert vcpu_run()s immediate exit param into a generic bitmap Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 041/482] KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 042/482] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 043/482] KVM: VMX: Extract checking of guests DEBUGCTL into helper Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 044/482] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 045/482] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 6.1 046/482] KVM: VMX: Preserve hosts DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 047/482] udp: also consider secpath when evaluating ipsec use for checksumming Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 048/482] netfilter: ctnetlink: fix refcount leak on table dump Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 049/482] hfs: fix slab-out-of-bounds in hfs_bnode_read() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 050/482] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 051/482] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 052/482] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 053/482] arm64: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 054/482] smb/server: avoid deadlock when linking with ReplaceIfExists Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 055/482] udf: Verify partition map count Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 056/482] drbd: add missing kref_get in handle_write_conflicts Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 057/482] hfs: fix not erasing deleted b-tree node issue Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 058/482] better lockdep annotations for simple_recursive_removal() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 059/482] ata: libata-sata: Disallow changing LPM state if not supported Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 060/482] fs/ntfs3: Add sanity check for file name Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 061/482] fs/ntfs3: correctly create symlink for relative path Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 062/482] ext2: Handle fiemap on empty files to prevent EINVAL Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 063/482] fix locking in efi_secret_unlink() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 064/482] securityfs: dont pin dentries twice, once is enough Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 065/482] usb: xhci: print xhci->xhc_state when queue_command failed Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 066/482] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 067/482] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 068/482] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 069/482] usb: xhci: Avoid showing warnings for dying controller Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 070/482] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 071/482] usb: xhci: Avoid showing errors during surprise removal Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 072/482] remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 073/482] gpio: wcd934x: check the return value of regmap_update_bits() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 074/482] cpufreq: Exit governor when failed to start old governor Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 075/482] ARM: rockchip: fix kernel hang during smp initialization Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 076/482] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 077/482] EDAC/synopsys: Clear the ECC counters on init Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 078/482] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 079/482] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 080/482] tools/nolibc: define time_t in terms of __kernel_old_time_t Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 081/482] iio: adc: ad_sigma_delta: dont overallocate scan buffer Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 082/482] gpio: tps65912: check the return value of regmap_update_bits() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 083/482] ARM: tegra: Use I/O memcpy to write to IRAM Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 084/482] tools/build: Fix s390(x) cross-compilation with clang Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 085/482] selftests: tracing: Use mutex_unlock for testing glob filter Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 086/482] ACPI: PRM: Reduce unnecessary printing to avoid user confusion Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 087/482] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 088/482] thermal: sysfs: Return ENODATA instead of EAGAIN for reads Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 089/482] PM: sleep: console: Fix the black screen issue Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 090/482] ACPI: processor: fix acpi_object initialization Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 091/482] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 092/482] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 093/482] pps: clients: gpio: fix interrupt handling order in remove path Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 094/482] reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 095/482] mei: bus: Check for still connected devices in mei_cl_bus_dev_release() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 096/482] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 097/482] ALSA: hda: Handle the jack polling always via a work Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 098/482] ALSA: hda: Disable jack polling at shutdown Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 099/482] x86/bugs: Avoid warning when overriding return thunk Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 100/482] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 101/482] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 102/482] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 103/482] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 104/482] usb: core: usb_submit_urb: downgrade type check Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 105/482] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 6.1 106/482] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 107/482] platform/chrome: cros_ec_typec: Defer probe on missing EC parent Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 108/482] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 109/482] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 110/482] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 111/482] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 112/482] ASoC: codecs: rt5640: Retry DEVICE_ID verification Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 113/482] xen/netfront: Fix TX response spurious interrupts Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 114/482] net: usb: cdc-ncm: check for filtering capability Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 115/482] ktest.pl: Prevent recursion of default variable options Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 116/482] wifi: cfg80211: reject HTC bit for management frames Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 117/482] s390/time: Use monotonic clock in get_cycles() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 118/482] be2net: Use correct byte order and format string for TCP seq and ack_seq Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 119/482] wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 120/482] et131x: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 121/482] net: ag71xx: " Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 122/482] net/mlx5e: Properly access RCU protected qdisc_sleeping variable Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 123/482] arm64: Mark kernel as tainted on SAE and SError panic Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 124/482] rcu: Protect ->defer_qs_iw_pending from data race Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 125/482] net: mctp: Prevent duplicate binds Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 126/482] wifi: cfg80211: Fix interface type validation Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 127/482] net: ipv4: fix incorrect MTU in broadcast routes Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 128/482] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 129/482] um: Re-evaluate thread flags repeatedly Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 130/482] wifi: iwlwifi: mvm: fix scan request validation Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 131/482] s390/stp: Remove udelay from stp_sync_clock() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 132/482] sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 133/482] wifi: mac80211: dont complete management TX on SAE commit Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 134/482] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 135/482] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 136/482] drm/msm: use trylock for debugfs Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 137/482] wifi: rtw89: Fix rtw89_mac_power_switch() for USB Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 138/482] wifi: rtw89: Disable deep power saving for USB/SDIO Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 139/482] kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 140/482] net: thunderbolt: Enable end-to-end flow control also in transmit Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 141/482] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 142/482] net: atlantic: add set_power to fw_ops for atl2 to fix wol Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 143/482] net: fec: allow disable coalescing Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 144/482] drm/amd/display: Separate set_gsl from set_gsl_source_select Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 145/482] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 146/482] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 147/482] drm/amd/display: Fix failed to blank crtc! Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 148/482] wifi: mac80211: update radar_required in channel context after channel switch Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 149/482] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 150/482] powerpc: floppy: Add missing checks after DMA map Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 151/482] netmem: fix skb_frag_address_safe with unreadable skbs Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 152/482] wifi: iwlegacy: Check rate_idx range after addition Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 153/482] neighbour: add support for NUD_PERMANENT proxy entries Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 154/482] dpaa_eth: dont use fixed_phy_change_carrier Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 155/482] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 156/482] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 157/482] gve: Return error for unknown admin queue command Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 158/482] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 159/482] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 160/482] net: dsa: b53: prevent DIS_LEARNING " Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 161/482] net: dsa: b53: prevent SWITCH_CTRL " Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 162/482] ptp: Use ratelimite for freerun error message Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 163/482] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 164/482] ionic: clean dbpage in de-init Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 165/482] net: ncsi: Fix buffer overflow in fetching version id Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 6.1 166/482] drm/ttm: Should to return the evict error Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 167/482] uapi: in6: restore visibility of most IPv6 socket options Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 168/482] selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 169/482] drm/ttm: Respect the shrinker core free target Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 170/482] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 171/482] vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 172/482] vhost: fail early when __vhost_add_used() fails Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 173/482] drm/amd/display: Only finalize atomic_obj if it was initialized Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 174/482] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 175/482] cifs: Fix calling CIFSFindFirst() for root path without msearch Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 176/482] fbdev: fix potential buffer overflow in do_register_framebuffer() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 177/482] crypto: hisilicon/hpre - fix dma unmap sequence Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 178/482] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 179/482] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 180/482] fs/orangefs: use snprintf() instead of sprintf() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 181/482] watchdog: dw_wdt: Fix default timeout Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 182/482] hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 183/482] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 184/482] watchdog: iTCO_wdt: Report error if timeout configuration fails Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 185/482] scsi: bfa: Double-free fix Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 186/482] jfs: truncate good inode pages when hard link is 0 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 187/482] jfs: Regular file corruption check Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 188/482] jfs: upper bound check of tree index in dbAllocAG Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 189/482] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 190/482] MIPS: lantiq: falcon: sysctrl: fix request memory check logic Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 191/482] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 192/482] leds: leds-lp50xx: Handle reg to get correct multi_index Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 193/482] dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 194/482] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 195/482] RDMA/core: reduce stack using in nldev_stat_get_doit() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 196/482] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 197/482] scsi: mpt3sas: Correctly handle ATA device errors Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 198/482] scsi: mpi3mr: " Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 199/482] pinctrl: stm32: Manage irq affinity settings Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 200/482] media: tc358743: Check I2C succeeded during probe Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 201/482] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 202/482] media: tc358743: Increase FIFO trigger level to 374 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 203/482] media: usb: hdpvr: disable zero-length read messages Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 204/482] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 205/482] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 206/482] media: uvcvideo: Fix bandwidth issue for Alcor camera Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 207/482] crypto: octeontx2 - add timeout for load_fvc completion poll Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 208/482] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 209/482] module: Prevent silent truncation of module name in delete_module(2) Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 210/482] i3c: add missing include to internal header Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 211/482] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 212/482] i3c: dont fail if GETHDRCAP is unsupported Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 213/482] i3c: master: Initialize ret in i3c_i2c_notifier_call() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 214/482] dm-mpath: dont print the "loaded" message if registering fails Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 215/482] dm-table: fix checking for rq stackable devices Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 216/482] apparmor: use the condition in AA_BUG_FMT even with debug disabled Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 217/482] i2c: Force DLL0945 touchpad i2c freq to 100khz Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 218/482] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 219/482] vfio/type1: conditional rescheduling while pinning Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 220/482] kconfig: nconf: Ensure null termination where strncpy is used Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 221/482] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 222/482] scsi: target: core: Generate correct identifiers for PR OUT transport IDs Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 223/482] scsi: aacraid: Stop using PCI_IRQ_AFFINITY Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 224/482] vfio/mlx5: fix possible overflow in tracking max message size Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 225/482] ipmi: Use dev_warn_ratelimited() for incorrect message warnings Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 6.1 226/482] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 227/482] kconfig: gconf: fix potential memory leak in renderer_edited() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 228/482] kconfig: lxdialog: fix space to (de)select options Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 229/482] ipmi: Fix strcpy source and destination the same Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 230/482] net: phy: smsc: add proper reset flags for LAN8710A Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 231/482] ASoC: Intel: avs: Fix uninitialized pointer error in probe() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 232/482] block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 233/482] pNFS: Fix stripe mapping in block/scsi layout Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 234/482] pNFS: Fix disk addr range check " Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 235/482] pNFS: Handle RPC size limit for layoutcommits Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 236/482] pNFS: Fix uninited ptr deref in block/scsi layout Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 237/482] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 238/482] scsi: lpfc: Remove redundant assignment to avoid memory leak Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 239/482] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 240/482] ASoC: soc-dai.h: merge DAI call back functions into ops Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 241/482] ASoC: fsl: " Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 242/482] ASoC: fsl_sai: replace regmap_write with regmap_update_bits Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 243/482] drm/amdgpu: fix incorrect vm flags to map bo Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 244/482] ext4: fix zombie groups in average fragment size lists Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 245/482] ext4: fix largest free orders lists corruption on mb_optimize_scan switch Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 246/482] usb: core: config: Prevent OOB read in SS endpoint companion parsing Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 247/482] misc: rtsx: usb: Ensure mmc child device is active when card is present Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 248/482] usb: typec: ucsi: Update power_supply on power role change Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 249/482] comedi: fix race between polling and detaching Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 250/482] thunderbolt: Fix copy+paste error in match_service_id() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 251/482] cdc-acm: fix race between initial clearing halt and open Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 252/482] btrfs: zoned: use filesystem size not disk size for reclaim decision Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 253/482] btrfs: abort transaction during log replay if walk_log_tree() failed Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 254/482] btrfs: zoned: do not remove unwritten non-data block group Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 255/482] btrfs: fix log tree replay failure due to file with 0 links and extents Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 256/482] btrfs: do not allow relocation of partially dropped subvolumes Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 257/482] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 258/482] hv_netvsc: Fix panic during namespace deletion with VF Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 259/482] parisc: Makefile: fix a typo in palo.conf Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 260/482] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 261/482] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 262/482] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 263/482] media: uvcvideo: Do not mark valid metadata as invalid Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 264/482] tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 265/482] HID: magicmouse: avoid setting up battery timer when not needed Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 266/482] HID: apple: avoid setting up battery timer for devices without battery Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 267/482] serial: 8250: fix panic due to PSLVERR Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 268/482] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 269/482] m68k: Fix lost column on framebuffer debug console Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 270/482] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 271/482] usb: gadget: udc: renesas_usb3: fix device leak at unbind Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 272/482] usb: dwc3: meson-g12a: fix device leaks " Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 273/482] bus: mhi: host: Fix endianness of BHI vector table Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 274/482] bus: mhi: host: Detect events pointing to unexpected TREs Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 275/482] vt: keyboard: Dont process Unicode characters in K_OFF mode Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 276/482] vt: defkeymap: Map keycodes above 127 to K_HOLE Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 277/482] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 278/482] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 279/482] ksmbd: extend the connection limiting mechanism to support IPv6 Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 280/482] ext4: check fast symlink for ea_inode correctly Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 281/482] ext4: fix fsmap end of range reporting with bigalloc Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 282/482] ext4: fix reserved gdt blocks handling in fsmap Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 283/482] ext4: dont try to clear the orphan_present feature block device is r/o Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 284/482] ext4: use kmalloc_array() for array space allocation Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 285/482] ext4: fix hole length calculation overflow in non-extent inodes Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 6.1 286/482] dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 287/482] dt-bindings: display: sprd,sharkl3-dsi-host: " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 288/482] scsi: mpi3mr: Fix race between config read submit and interrupt completion Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 289/482] ata: libata-scsi: Fix ata_to_sense_error() status handling Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 290/482] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 291/482] scsi: ufs: ufs-pci: Fix default runtime and system PM levels Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 292/482] zynq_fpga: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 293/482] iio: imu: bno055: fix OOB access of hw_xlate array Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 294/482] iio: adc: ad_sigma_delta: change to buffer predisable Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 295/482] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 296/482] wifi: ath11k: fix dest ring-buffer corruption Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 297/482] wifi: ath11k: fix source " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 298/482] wifi: ath11k: fix dest ring-buffer corruption when ring is full Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 299/482] pwm: imx-tpm: Reset counter if CMOD is 0 Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 300/482] pwm: mediatek: Handle hardware enable and clock enable separately Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 301/482] pwm: mediatek: Fix duty and period setting Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 302/482] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 303/482] mtd: spi-nor: Fix spi_nor_try_unlock_all() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 304/482] mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 305/482] mtd: rawnand: fsmc: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 306/482] mtd: rawnand: renesas: " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 307/482] PCI: endpoint: Fix configfs group list head handling Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 308/482] PCI: endpoint: Fix configfs group removal on driver teardown Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 309/482] vsock/virtio: Validate length in packet header before skb_put() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 310/482] vhost/vsock: Avoid allocating arbitrarily-sized SKBs Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 311/482] jbd2: prevent softlockup in jbd2_log_do_checkpoint() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 312/482] soc/tegra: pmc: Ensure power-domains are in a known state Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 313/482] parisc: Check region is readable by user in raw_copy_from_user() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 314/482] parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 315/482] parisc: Revise __get_user() to probe user read access Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 316/482] parisc: Revise gateway LWS calls " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 317/482] parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 318/482] parisc: Update comments in make_insert_tlb Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 319/482] media: gspca: Add bounds checking to firmware parser Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 320/482] media: hi556: correct the test pattern configuration Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 321/482] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 322/482] media: vivid: fix wrong pixel_array control size Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 323/482] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 324/482] media: usbtv: Lock resolution while streaming Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 325/482] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 326/482] media: ov2659: Fix memory leaks in ov2659_probe() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 327/482] media: qcom: camss: cleanup media device allocated resource on error path Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 328/482] media: venus: Add a check for packet size after reading from shared memory Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 329/482] media: venus: hfi: explicitly release IRQ during teardown Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 330/482] media: venus: protect against spurious interrupts during probe Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 331/482] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 332/482] media: venus: venc: " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 333/482] drm/amd: Restore cached power limit during resume Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 334/482] drm/amdgpu: Avoid extra evict-restore process Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 335/482] drm/amdgpu: update mmhub 3.0.1 client id mappings Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 336/482] drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 337/482] drm/amd/display: Dont overwrite dce60_clk_mgr Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 338/482] net, hsr: reject HSR frame if skb cant hold tag Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 339/482] ipv6: sr: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 340/482] ACPI: pfr_update: Fix the driver update version check Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 341/482] mptcp: drop skb if MPTCP skb extension allocation fails Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 342/482] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 343/482] f2fs: fix to do sanity check on ino and xnid Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 344/482] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 345/482] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 6.1 346/482] perf/x86/intel: Fix crash in icl_update_topdown_event() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 347/482] x86/mce/amd: Add default names for MCA banks and blocks Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 348/482] net: add netdev_lockdep_set_classes() to virtual drivers Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 349/482] btrfs: fix qgroup reservation leak on failure to allocate ordered extent Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 350/482] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 351/482] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 352/482] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 353/482] net: enetc: fix device and OF node leak at probe Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 354/482] fscrypt: Dont use problematic non-inline crypto engines Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 355/482] block: reject invalid operation in submit_bio_noacct Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 356/482] block: Make REQ_OP_ZONE_FINISH a write operation Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 357/482] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 358/482] cifs: reset iface weights when we cannot find a candidate Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 359/482] usb: typec: fusb302: cache PD RX state Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 360/482] btrfs: qgroup: fix race between quota disable and quota rescan ioctl Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 361/482] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 362/482] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 363/482] btrfs: send: use fallocate for hole punching with send stream v2 Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 364/482] net_sched: sch_ets: implement lockless ets_dump() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 365/482] net/sched: ets: use old nbands while purging unused classes Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 366/482] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 367/482] media: venus: Introduce accessors for remapped hfi_buffer_reqs members Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 368/482] media: venus: Fix OOB read due to missing payload bound check Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 369/482] usb: musb: omap2430: Convert to platform remove callback returning void Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 370/482] usb: musb: omap2430: fix device leak at unbind Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 371/482] platform/chrome: cros_ec: Use per-device lockdep key Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 372/482] platform/chrome: cros_ec: remove unneeded label and if-condition Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 373/482] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 374/482] usb: dwc3: imx8mp: fix device leak at unbind Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 375/482] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 376/482] btrfs: populate otime when logging an inode item Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 377/482] tls: separate no-async decryption request handling from async Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 378/482] crypto: qat - fix ring to service map for QAT GEN4 Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 379/482] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 380/482] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 381/482] mptcp: make fallback action and fallback decision atomic Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 382/482] mptcp: plug races between subflow fail and subflow creation Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 383/482] mptcp: reset fallback status gracefully at disconnect() time Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 384/482] mm: drop the assumption that VM_SHARED always implies writable Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 385/482] mm: update memfd seal write check to include F_SEAL_WRITE Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 386/482] mm: reinstate ability to map write-sealed memfd mappings read-only Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 387/482] selftests/memfd: add test for mapping write-sealed memfd read-only Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 388/482] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 389/482] kbuild: userprogs: use correct linker when mixing clang and GNU ld Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 390/482] x86/reboot: Harden virtualization hooks for emergency reboot Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 391/482] x86/reboot: KVM: Handle VMXOFF in KVMs reboot callback Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 392/482] KVM: VMX: Flush shadow VMCS on emergency reboot Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 393/482] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 394/482] memstick: Fix deadlock by moving removing flag earlier Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 395/482] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 396/482] squashfs: fix memory leak in squashfs_fill_super Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 397/482] mm/debug_vm_pgtable: clear page table entries at destroy_args() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 398/482] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 399/482] s390/sclp: Fix SCCB present check Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 400/482] drm/amd/display: Avoid a NULL pointer dereference Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 401/482] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 402/482] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 403/482] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 404/482] drm/amd/display: Fill display clock and vblank " Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 405/482] smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 6.1 406/482] fs/buffer: fix use-after-free when call bh_read() helper Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 407/482] use uniform permission checks for all mount propagation changes Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 408/482] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 409/482] ftrace: Also allocate and copy hash for reading of filter files Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 410/482] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 411/482] iio: proximity: isl29501: fix buffered read on big-endian systems Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 412/482] most: core: Drop device reference after usage in get_channel() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 413/482] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 414/482] comedi: Make insn_rw_emulate_bits() do insn->n samples Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 415/482] comedi: pcl726: Prevent invalid irq number Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 416/482] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 417/482] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 418/482] usb: renesas-xhci: Fix External ROM access timeouts Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 419/482] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 420/482] usb: storage: realtek_cr: Use correct byte order for bcs->Residue Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 421/482] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 422/482] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 423/482] usb: dwc3: Remove WARN_ON for device endpoint command timeouts Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 424/482] arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 425/482] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 426/482] ext4: preserve SB_I_VERSION on remount Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 427/482] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 428/482] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 429/482] PCI: rockchip: Use standard PCIe definitions Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 430/482] PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 431/482] soc: qcom: mdt_loader: Enhance split binary detection Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 432/482] soc: qcom: mdt_loader: Ensure we dont read past the ELF header Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 433/482] f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 434/482] f2fs: fix to avoid out-of-boundary access in dnode page Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 435/482] mptcp: disable add_addr retransmission when timeout is 0 Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 436/482] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 437/482] mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 438/482] mmc: sdhci-pci-gli: Add a new function to simplify the code Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 439/482] mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 440/482] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 441/482] drm/amd/display: Dont overclock DCE 6 by 15% Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 442/482] selftests: mptcp: pm: check flush doesnt reset limits Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 443/482] wifi: mac80211: avoid lockdep checking when removing deflink Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 444/482] wifi: mac80211: check basic rates validity in sta_link_apply_parameters Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 445/482] tls: fix handling of zero-length records on the rx_list Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 446/482] iio: imu: inv_icm42600: change invalid data error to -EBUSY Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 447/482] tracing: Remove unneeded goto out logic Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 448/482] tracing: Limit access to parser->buffer when trace_get_user failed Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 449/482] iio: light: as73211: Ensure buffer holes are zeroed Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 450/482] iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 451/482] compiler: remove __ADDRESSABLE_ASM{_STR,}() again Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 452/482] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 453/482] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 454/482] iosys-map: Fix undefined behavior in iosys_map_clear() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 455/482] RDMA/erdma: Fix ignored return value of init_kernel_qp Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 456/482] RDMA/bnxt_re: Fix to initialize the PBL array Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 457/482] net: bridge: fix soft lockup in br_multicast_query_expired() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 458/482] scsi: qla4xxx: Prevent a potential error pointer dereference Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 459/482] iommu/amd: Avoid stack buffer overflow from kernel cmdline Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 460/482] Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 461/482] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 462/482] drm/hisilicon/hibmc: fix the hibmc loaded failed bug Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 463/482] ALSA: usb-audio: Fix size validation in convert_chmap_v3() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 464/482] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 465/482] net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 6.1 466/482] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 467/482] net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 468/482] ppp: fix race conditions in ppp_fill_forward_path Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 469/482] phy: mscc: Fix timestamping for vsc8584 Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 470/482] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 471/482] gve: prevent ethtool ops after shutdown Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 472/482] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 473/482] igc: fix disabling L1.2 PCI-E link substate on I226 on init Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 474/482] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 475/482] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 476/482] bonding: update LACP activity flag after setting lacp_active Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 477/482] bonding: Add independent control state machine Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 478/482] bonding: send LACPDUs periodically in passive mode after receiving partners LACPDU Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 479/482] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 480/482] s390/hypfs: Avoid unnecessary ioctl registration in debugfs Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 481/482] s390/hypfs: Enable limited access during lockdown Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 6.1 482/482] netfilter: nf_reject: dont leak dst refcount for loopback packets Greg Kroah-Hartman
2025-08-26 14:26 ` [PATCH 6.1 000/482] 6.1.149-rc1 review Miguel Ojeda
2025-08-26 17:38 ` Peter Schneider
2025-08-26 17:43 ` Jon Hunter
2025-08-26 17:45 ` Florian Fainelli
2025-08-26 17:54 ` Brett A C Sheffield
2025-08-27 9:21 ` [PATCH 6.1 000/482] " Ron Economos
2025-08-27 9:26 ` Anders Roxell
2025-08-27 11:18 ` Mark Brown
2025-08-29 6:20 ` Pavel Machek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).