* [PATCH 5.15 000/279] 5.15.180-rc1 review
@ 2025-04-08 10:46 Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 001/279] vlan: fix memory leak in vlan_newlink() Greg Kroah-Hartman
` (285 more replies)
0 siblings, 286 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
This is the start of the stable review cycle for the 5.15.180 release.
There are 279 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.180-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.180-rc1
Vlastimil Babka <vbabka@suse.cz>
mm, slab: remove duplicate kernel-doc comment for ksize()
Kamal Dasu <kdasu.kdev@gmail.com>
mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume
Chuck Lever <chuck.lever@oracle.com>
NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
Li Lingfeng <lilingfeng3@huawei.com>
nfsd: put dl_stid if fail to queue dl_recall
Roman Smirnov <r.smirnov@omp.ru>
jfs: add index corruption check to DT_GETPAGE()
Qasim Ijaz <qasdev00@gmail.com>
jfs: fix slab-out-of-bounds read in ea_get()
Acs, Jakub <acsjakub@amazon.de>
ext4: fix OOB read when checking dotdot dir
Theodore Ts'o <tytso@mit.edu>
ext4: don't over-report free space or inodes in statvfs
Ran Xiaokai <ran.xiaokai@zte.com.cn>
tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
Douglas Raillard <douglas.raillard@arm.com>
tracing: Fix synth event printk format for str fields
Douglas Raillard <douglas.raillard@arm.com>
tracing: Ensure module defining synth event cannot be unloaded while tracing
Tengda Wu <wutengda@huaweicloud.com>
tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Karel Balej <balejk@matfyz.cz>
mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
Paul Menzel <pmenzel@molgen.mpg.de>
ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
Murad Masimov <m.masimov@mt-integration.ru>
acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
Jann Horn <jannh@google.com>
x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
Guilherme G. Piccoli <gpiccoli@igalia.com>
x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
Josef Bacik <josef@toxicpanda.com>
btrfs: handle errors from btrfs_dec_ref() properly
Markus Elfring <elfring@users.sourceforge.net>
ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
platform/x86: ISST: Correct command storage data length
Ying Lu <luying1@xiaomi.com>
usbnet:fix NPE during rx_complete
Hersen Wu <hersenxs.wu@amd.com>
drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration
Jesse Zhang <jesse.zhang@amd.com>
drm/amd/pm: Fix negative array index read
Sherry Sun <sherry.sun@nxp.com>
tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers
Sherry Sun <sherry.sun@nxp.com>
tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform
Kamal Dasu <kamal.dasu@broadcom.com>
mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
Kamal Dasu <kdasu.kdev@gmail.com>
mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
Haibo Chen <haibo.chen@nxp.com>
can: flexcan: disable transceiver during system PM
Haibo Chen <haibo.chen@nxp.com>
can: flexcan: only change CAN state when link up in system PM
Henry Martin <bsdhenrymartin@gmail.com>
arcnet: Add NULL check in com20020pci_probe()
Lin Ma <linma@zju.edu.cn>
net: fix geneve_opt length integer overflow
Fernando Fernandez Mancera <ffmancera@riseup.net>
ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
Lin Ma <linma@zju.edu.cn>
netfilter: nft_tunnel: fix geneve_opt type confusion addition
Guillaume Nault <gnault@redhat.com>
tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
Stefano Garzarella <sgarzare@redhat.com>
vsock: avoid timeout during connect() if the socket is closing
Tobias Waldekranz <tobias@waldekranz.com>
net: mvpp2: Prevent parser TCAM memory corruption
Cong Wang <xiyou.wangcong@gmail.com>
net_sched: skbprio: Remove overly strict queue assertions
Debin Zhu <mowenroot@163.com>
netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
Henry Martin <bsdhenrymartin@gmail.com>
ASoC: imx-card: Add NULL check in imx_card_probe()
Nikita Shubin <n.shubin@yadro.com>
ntb: intel: Fix using link status DB's
Yajun Deng <yajun.deng@linux.dev>
ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
Juhan Jin <juhan.jin@foxmail.com>
riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra
Al Viro <viro@zeniv.linux.org.uk>
spufs: fix a leak in spufs_create_context()
Al Viro <viro@zeniv.linux.org.uk>
spufs: fix a leak on spufs_new_file() failure
Tasos Sahanidis <tasos@tasossah.com>
hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
Oliver Hartkopp <socketcan@hartkopp.net>
can: statistics: use atomic access in hot path
Navon John Lukose <navonjohnlukose@gmail.com>
ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Keep display off while going into S4
Vladis Dronov <vdronov@redhat.com>
x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
Waiman Long <longman@redhat.com>
locking/semaphore: Use wake_q to wake up processes outside lock critical section
Shrikanth Hegde <sshegde@linux.ibm.com>
sched/deadline: Use online cpus for validating runtime
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix incorrect validation for num_aces field of smb_acl
Simon Tatham <anakin@pobox.com>
affs: don't write overlarge OFS data block size fields
Simon Tatham <anakin@pobox.com>
affs: generate OFS sequence numbers starting at 1
Icenowy Zheng <uwu@icenowy.me>
nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
Icenowy Zheng <uwu@icenowy.me>
nvme-pci: clean up CMBMSC when registering CMB fails
Sagi Grimberg <sagi@grimberg.me>
nvme-tcp: fix possible UAF in nvme_tcp_poll
Johannes Berg <johannes.berg@intel.com>
wifi: iwlwifi: fw: allocate chained SG tables for dump
Josh Poimboeuf <jpoimboe@kernel.org>
sched/smt: Always inline sched_smt_active()
Geetha sowjanya <gakula@marvell.com>
octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
Geetha sowjanya <gakula@marvell.com>
octeontx2-af: Fix mbox INTR handler when num VFs > 64
Giovanni Gherdovich <ggherdovich@suse.cz>
ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid
Feng Yang <yangfeng@kylinos.cn>
ring-buffer: Fix bytes_dropped calculation issue
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix multichannel connection failure
Miaoqian Lin <linmq006@gmail.com>
ksmbd: use aead_request_free to match aead_request_alloc
Mark Zhang <markzhang@nvidia.com>
rtnetlink: Allocate vfinfo size for VF GUIDs when supported
Yuezhang Mo <Yuezhang.Mo@sony.com>
exfat: fix the infinite loop in exfat_find_last_cluster()
Josh Poimboeuf <jpoimboe@kernel.org>
objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
Bart Van Assche <bvanassche@acm.org>
fs/procfs: fix the comment above proc_pid_wchan()
Arnaldo Carvalho de Melo <acme@redhat.com>
perf python: Check if there is space to copy all the event
Arnaldo Carvalho de Melo <acme@redhat.com>
perf python: Don't keep a raw_data pointer to consumed ring buffer space
Arnaldo Carvalho de Melo <acme@redhat.com>
perf python: Decrement the refcount of just created event on failure
Arnaldo Carvalho de Melo <acme@redhat.com>
perf python: Fixup description of sample.id event member
Stanley Chu <yschu@nuvoton.com>
i3c: master: svc: Fix missing the IBI rules
Alistair Popple <apopple@nvidia.com>
fuse: fix dax truncate/punch_hole fault path
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4: Don't trigger uneccessary scans for return-on-close delegations
Vasiliy Kovalev <kovalev@altlinux.org>
ocfs2: validate l_tree_depth to avoid out-of-bounds access
Sourabh Jain <sourabhjain@linux.ibm.com>
kexec: initialize ELF lowest address to ULONG_MAX
Arnaldo Carvalho de Melo <acme@redhat.com>
perf units: Fix insufficient array space
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
iio: adc: ad7124: Fix comparison of channel configs
Dan Carpenter <dan.carpenter@linaro.org>
fs/ntfs3: Fix a couple integer overflows on 32bit systems
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio
Ilkka Koskinen <ilkka@os.amperecomputing.com>
coresight: catu: Fix number of pages while using 64k pages
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
soundwire: slave: fix an OF node reference leak in soundwire slave device
Qasim Ijaz <qasdev00@gmail.com>
isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
Barnabás Czémán <barnabas.czeman@mainlining.org>
clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
Wenkai Lin <linwenkai6@hisilicon.com>
crypto: hisilicon/sec2 - fix for aead auth key length
Jann Horn <jannh@google.com>
x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
mfd: sm501: Switch to BIT() to mitigate integer overflows
Patrisious Haddad <phaddad@nvidia.com>
RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
Herbert Xu <herbert@gondor.apana.org.au>
crypto: nx - Fix uninitialised hv_nxc on error
Artur Weber <aweber.kernel@gmail.com>
power: supply: max77693: Fix wrong conversion of charge input threshold value
Jann Horn <jannh@google.com>
x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
Jerome Brunet <jbrunet@baylibre.com>
clk: amlogic: g12a: fix mmc A peripheral clock
Jerome Brunet <jbrunet@baylibre.com>
clk: amlogic: gxbb: drop non existing 32k clock parent
Jerome Brunet <jbrunet@baylibre.com>
clk: amlogic: g12b: fix cluster A parent data
Prathamesh Shete <pshete@nvidia.com>
pinctrl: tegra: Set SFIO mode to Mux Register
Maher Sanalla <msanalla@nvidia.com>
IB/mad: Check available slots before posting receive WRs
Luca Weiss <luca@lucaweiss.eu>
remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
Roman Gushchin <roman.gushchin@linux.dev>
RDMA/core: Don't expose hw_counters outside of init net namespace
Peter Geis <pgwipeout@gmail.com>
clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
Fabrizio Castro <fabrizio.castro.jz@renesas.com>
pinctrl: renesas: rzg2l: Fix missing of_node_put() call
Fabrizio Castro <fabrizio.castro.jz@renesas.com>
pinctrl: renesas: rza2: Fix missing of_node_put() call
Tanya Agarwal <tanyaagarwal25699@gmail.com>
lib: 842: Improve error handling in sw842_compress()
Hou Tao <houtao1@huawei.com>
bpf: Use preempt_count() directly in bpf_send_signal_common()
Vladimir Lypak <vladimir.lypak@gmail.com>
clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
Will McVicker <willmcvicker@google.com>
clk: samsung: Fix UBSAN panic in samsung_clk_init()
Andrii Nakryiko <andrii@kernel.org>
libbpf: Fix hypothetical STT_SECTION extern NULL deref case
Luca Weiss <luca@lucaweiss.eu>
remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
Zijun Hu <quic_zijuhu@quicinc.com>
of: property: Increase NR_FWNODE_REFERENCE_ARGS
Peng Fan <peng.fan@nxp.com>
remoteproc: core: Clear table_sz when rproc_shutdown
Wenkai Lin <linwenkai6@hisilicon.com>
crypto: hisilicon/sec2 - fix for aead authsize alignment
Jerome Brunet <jbrunet@baylibre.com>
clk: amlogic: gxbb: drop incorrect flag on 32k clock
Danila Chernetsov <listdansp@mail.ru>
fbdev: sm501fb: Add some geometry checks.
Arnd Bergmann <arnd@arndb.de>
mdacon: rework dependency list
Markus Elfring <elfring@users.sourceforge.net>
fbdev: au1100fb: Move a variable assignment behind a null pointer check
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: pciehp: Don't enable HPIE when resuming in poll mode
Dan Carpenter <dan.carpenter@linaro.org>
drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
Thippeswamy Havalige <thippeswamy.havalige@amd.com>
PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
Dan Carpenter <dan.carpenter@linaro.org>
PCI: Remove stray put_device() in pci_register_host_bridge()
Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
Nishanth Aravamudan <naravamudan@nvidia.com>
PCI: Avoid reset when disabled via sysfs
Feng Tang <feng.tang@linux.alibaba.com>
PCI/portdrv: Only disable pciehp interrupts early when needed
Jim Quinlan <james.quinlan@broadcom.com>
PCI: brcmstb: Use internal register to change link capability
Hans Zhang <18255117159@163.com>
PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload
Daniel Stodden <daniel.stodden@gmail.com>
PCI/ASPM: Fix link state exit during switch upstream function removal
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
José Expósito <jose.exposito89@gmail.com>
drm/vkms: Fix use after free and double free on init error
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
drm: xlnx: zynqmp: Fix max dma segment size
Wayne Lin <Wayne.Lin@amd.com>
drm/dp_mst: Fix drm RAD print
Geert Uytterhoeven <geert+renesas@glider.be>
drm/bridge: ti-sn65dsi86: Fix multiple instances
Jayesh Choudhary <j-choudhary@ti.com>
ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible
Takashi Iwai <tiwai@suse.de>
ALSA: hda/realtek: Always honor no_shutup_pins
Jiri Kosina <jkosina@suse.com>
HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
media: platform: allgro-dvt: unregister v4l2_device on the error path
Tao Chen <chen.dylane@linux.dev>
perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Fix handling devices with direct_complete set on errors
Chenyuan Yang <chenyuan0y@gmail.com>
thermal: int340x: Add NULL check for adev
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/ie31200: Fix the error path order of ie31200_init()
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/ie31200: Fix the DIMM size mask for several SoCs
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
Tim Schumacher <tim.schumacher1@huawei.com>
selinux: Chain up tool resolving errors in install_policy.sh
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Adjust check before setting power.must_resume
Arnd Bergmann <arnd@arndb.de>
x86/platform: Only allow CONFIG_EISA for 32-bit
Benjamin Berg <benjamin.berg@intel.com>
x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct()
Jie Zhan <zhanjie9@hisilicon.com>
cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
zuoqian <zuoqian113@gmail.com>
cpufreq: scpi: compare kHz instead of Hz
Mike Rapoport (Microsoft) <rppt@kernel.org>
x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
Eric Sandeen <sandeen@redhat.com>
watch_queue: fix pipe accounting mismatch
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
media: i2c: et8ek8: Don't strip remove function when driver is builtin
John Keeping <jkeeping@inmusicbrands.com>
serial: 8250_dma: terminate correct DMA in tx_dma_flush()
Luo Qiu <luoqiu@kylinsec.com.cn>
memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
Dominique Martinet <dominique.martinet@atmark-techno.com>
net: usb: usbnet: restore usb%d name exception for local mac addresses
Fabio Porcedda <fabio.porcedda@gmail.com>
net: usb: qmi_wwan: add Telit Cinterion FE990B composition
Fabio Porcedda <fabio.porcedda@gmail.com>
net: usb: qmi_wwan: add Telit Cinterion FN990B composition
Cameron Williams <cang1@live.co.uk>
tty: serial: 8250: Add Brainboxes XC devices
Cameron Williams <cang1@live.co.uk>
tty: serial: 8250: Add some more device IDs
William Breathitt Gray <wbg@kernel.org>
counter: microchip-tcb-capture: Fix undefined counter channel state on probe
Fabrice Gasnier <fabrice.gasnier@foss.st.com>
counter: stm32-lptimer-cnt: fix error handling when enabling
Dhruv Deshpande <dhrv.d@proton.me>
ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
Maxim Mikityanskiy <maxtram95@gmail.com>
netfilter: socket: Lookup orig tuple for IPv6 SNAT
Yanjun Yang <yangyj.ee@gmail.com>
ARM: Remove address checking for MMUless devices
Kees Cook <keescook@chromium.org>
ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
Kees Cook <keescook@chromium.org>
ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
Minjoong Kim <pwn9uin@gmail.com>
atm: Fix NULL pointer dereference
Terry Junge <linuxhid@cosmicgizmosystems.com>
HID: hid-plantronics: Add mic mute mapping and generalize quirks
Terry Junge <linuxhid@cosmicgizmosystems.com>
ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix race between element replace and close()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
Justin Klaassen <justin@tidylabs.net>
arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
Arthur Mongodin <amongodin@randorisec.fr>
mptcp: Fix data stream corruption in the address announcement
David Rosca <david.rosca@amd.com>
drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
Saranya R <quic_sarar@quicinc.com>
soc: qcom: pdr: Fix the potential deadlock
Sven Eckelmann <sven@narfation.org>
batman-adv: Ignore own maximum aggregation size during RX
Geert Uytterhoeven <geert+renesas@glider.be>
ARM: shmobile: smp: Enforce shmobile_smp_* alignment
Ye Bin <yebin10@huawei.com>
proc: fix UAF in proc_get_inode()
Gu Bowen <gubowen5@huawei.com>
mmc: atmel-mci: Add missing clk_disable_unprepare()
Christian Eggers <ceggers@arri.de>
regulator: check that dummy regulator has been probed before using it
Maíra Canal <mcanal@igalia.com>
drm/v3d: Don't run jobs that have errors flagged in its fence
Andreas Kemnade <andreas@kemnade.info>
i2c: omap: fix IRQ storms
Guillaume Nault <gnault@redhat.com>
Revert "gre: Fix IPv6 link-local address generation."
Lin Ma <linma@zju.edu.cn>
net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
Dan Carpenter <dan.carpenter@linaro.org>
net: atm: fix use after free in lec_send()
Kuniyuki Iwashima <kuniyu@amazon.com>
ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
Kuniyuki Iwashima <kuniyu@amazon.com>
ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
Dan Carpenter <dan.carpenter@linaro.org>
Bluetooth: Fix error code in chan_alloc_skb_cb()
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Fix wrong value of max_sge_rd
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common()
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Fix soft lockup during bt pages loop
Chengchang Tang <tangchengchang@huawei.com>
RDMA/hns: Remove redundant 'phy_addr' in hns_roce_hem_list_find_mtt()
Saravanan Vajravel <saravanan.vajravel@broadcom.com>
RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
Phil Elwell <phil@raspberrypi.com>
ARM: dts: bcm2711: Don't mark timer regs unconfigured
Kashyap Desai <kashyap.desai@broadcom.com>
RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
Phil Elwell <phil@raspberrypi.com>
ARM: dts: bcm2711: PL011 UARTs are actually r1p5
Cosmin Ratiu <cratiu@nvidia.com>
xfrm_output: Force software GSO only in tunnel mode
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
firmware: imx-scu: fix OF node leak in .probe()
Paulo Alcantara <pc@manguebit.com>
smb: client: fix potential UAF in cifs_debug_files_proc_show()
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: Fix match_session bug preventing session reuse
Ma Ke <make24@iscas.ac.cn>
drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
Michael Strauss <michael.strauss@amd.com>
drm/amd/display: Check for invalid input params when building scaling params
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: sis630: Fix an error handling path in sis630_probe()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: ali15x3: Fix an error handling path in ali15x3_probe()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: ali1535: Fix an error handling path in ali1535_probe()
Murad Masimov <m.masimov@mt-integration.ru>
cifs: Fix integer overflow while processing closetimeo mount option
Murad Masimov <m.masimov@mt-integration.ru>
cifs: Fix integer overflow while processing actimeo mount option
Murad Masimov <m.masimov@mt-integration.ru>
cifs: Fix integer overflow while processing acdirmax mount option
Murad Masimov <m.masimov@mt-integration.ru>
cifs: Fix integer overflow while processing acregmax mount option
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
Ivan Abramov <i.abramov@mt-integration.ru>
drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
Charles Keepax <ckeepax@opensource.cirrus.com>
ASoC: ops: Consistently treat platform_max as control value
Eric Dumazet <edumazet@google.com>
tcp: fix races in tcp_abort()
Andrii Nakryiko <andrii@kernel.org>
lib/buildid: Handle memfd_secret() files in build_id_parse()
Haoxiang Li <haoxiang_li2024@163.com>
qlcnic: fix memory leak issues in qlcnic_sriov_common.c
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Fix slab-use-after-free on hdcp_work
Alex Hung <alex.hung@amd.com>
drm/amd/display: Assign normalized_pix_clk when color depth = 14
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Restore correct backlight brightness after a GPU reset
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/atomic: Filter out redundant DPMS calls
Florent Revest <revest@chromium.org>
x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
Johan Hovold <johan@kernel.org>
USB: serial: option: match on interface class for Telit FN990B
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: fix Telit Cinterion FE990A name
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion FE990B compositions
Boon Khai Ng <boon.khai.ng@intel.com>
USB: serial: ftdi_sio: add support for Altera USB Blaster 3
Ming Lei <ming.lei@redhat.com>
block: fix 'kmem_cache of name 'bio-108' already exists'
Thomas Zimmermann <tzimmermann@suse.de>
drm/nouveau: Do not override forced connector status
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: safety check before fallback
Arnd Bergmann <arnd@arndb.de>
x86/irq: Define trace events conditionally
Miklos Szeredi <mszeredi@redhat.com>
fuse: don't truncate cached, mutated symlink
Hector Martin <marcan@marcan.st>
ASoC: tas2764: Set the SDOUT polarity correctly
Hector Martin <marcan@marcan.st>
ASoC: tas2764: Fix power control mask
Hector Martin <marcan@marcan.st>
ASoC: tas2770: Fix volume scale
Daniel Wagner <wagi@kernel.org>
nvme: only allow entering LIVE from CONNECTING state
Yu-Chun Lin <eleanor15x@gmail.com>
sctp: Fix undefined behavior in left shift operation
Ruozhu Li <david.li@jaguarmicro.com>
nvmet-rdma: recheck queue state is LIVE in state lock in recv done
Stephan Gerhold <stephan.gerhold@linaro.org>
net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
Terry Cheong <htcheong@chromium.org>
ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
Vitaly Rodionov <vitalyr@opensource.cirrus.com>
ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
Daniel Lezcano <daniel.lezcano@linaro.org>
thermal/cpufreq_cooling: Remove structure member documentation
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/cio: Fix CHPID "configure" attribute caching
Jann Horn <jannh@google.com>
sched: Clarify wake_up_q()'s write to task->wake_q.next
Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
HID: ignore non-functional sensor in HP 5MP Camera
Zhang Lixu <lixu.zhang@intel.com>
HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
Brahmajit Das <brahmajit.xyz@gmail.com>
vboxsf: fix building with GCC 15
Eric W. Biederman <ebiederm@xmission.com>
alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
Gannon Kolding <gannon.kolding@gmail.com>
ACPI: resource: IRQ override for Eluktronics MECH-17
Magnus Lindholm <linmag7@gmail.com>
scsi: qla1280: Fix kernel oops when debug level > 2
Rik van Riel <riel@surriel.com>
scsi: core: Use GFP_NOIO to avoid circular locking dependency
Chengen Du <chengen.du@canonical.com>
iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
powercap: call put_device() on an error path in powercap_register_control_type()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
hrtimers: Mark is_migration_base() with __always_inline
Daniel Wagner <wagi@kernel.org>
nvme-fc: go straight to connecting state when initializing
Carolina Jubran <cjubran@nvidia.com>
net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
Jianbo Liu <jianbol@nvidia.com>
net/mlx5: Bridge, fix the crash caused by LAG state check
Ilya Maximets <i.maximets@ovn.org>
net: openvswitch: remove misbehaving actions length check
Kees Cook <keescook@chromium.org>
openvswitch: Use kmalloc_size_roundup() to match ksize() usage
Kees Cook <keescook@chromium.org>
slab: Introduce kmalloc_size_roundup()
Kees Cook <keescook@chromium.org>
slab: clean up function prototypes
Guillaume Nault <gnault@redhat.com>
gre: Fix IPv6 link-local address generation.
Alexey Kashavkin <akashavkin@gmail.com>
netfilter: nft_exthdr: fix offset with ipv4_find_option()
Cong Wang <xiyou.wangcong@gmail.com>
net_sched: Prevent creation of classes with TC_H_ROOT
Dan Carpenter <dan.carpenter@linaro.org>
ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Kohei Enju <enjuk@amazon.com>
netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
Wentao Liang <vulab@iscas.ac.cn>
net/mlx5: handle errors in mlx5_chains_create_table()
Michael Kelley <mhklinux@outlook.com>
Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
Breno Leitao <leitao@debian.org>
netpoll: hold rcu read lock in __netpoll_send_skb()
Joseph Huang <Joseph.Huang@garmin.com>
net: dsa: mv88e6xxx: Verify after ATU Load ops
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: fix memory leak in aRFS after reset
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
Artur Weber <aweber.kernel@gmail.com>
pinctrl: bcm281xx: Fix incorrect regmap max_registers value
Michael Kelley <mhklinux@outlook.com>
fbdev: hyperv_fb: iounmap() the correct memory when removing a device
Wang Yufen <wangyufen@huawei.com>
ipv6: Fix signed integer overflow in __ip6_append_data
Oleg Nesterov <oleg@redhat.com>
sched/isolation: Prevent boot crash when the boot CPU is nohz_full
David Woodhouse <dwmw@amazon.co.uk>
clockevents/drivers/i8253: Fix stop sequence for timer 0
Eric Dumazet <edumazet@google.com>
vlan: fix memory leak in vlan_newlink()
-------------
Diffstat:
Documentation/timers/no_hz.rst | 7 +-
Makefile | 4 +-
arch/alpha/include/asm/elf.h | 6 +-
arch/alpha/include/asm/pgtable.h | 2 +-
arch/alpha/include/asm/processor.h | 8 +-
arch/alpha/kernel/osf_sys.c | 11 +-
arch/arm/boot/dts/bcm2711.dtsi | 11 +-
arch/arm/mach-shmobile/headsmp.S | 1 +
arch/arm/mm/fault.c | 8 +
arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +-
arch/powerpc/platforms/cell/spufs/inode.c | 9 +-
arch/riscv/include/asm/ftrace.h | 4 +-
arch/x86/Kconfig | 2 +-
arch/x86/entry/calling.h | 2 +
arch/x86/include/asm/tlbflush.h | 2 +-
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
arch/x86/kernel/cpu/mshyperv.c | 11 --
arch/x86/kernel/cpu/sgx/driver.c | 10 +-
arch/x86/kernel/dumpstack.c | 5 +-
arch/x86/kernel/irq.c | 2 +
arch/x86/kernel/process.c | 7 +-
arch/x86/kernel/tsc.c | 4 +-
arch/x86/mm/pat/cpa-test.c | 2 +-
block/bio.c | 2 +-
drivers/acpi/nfit/core.c | 2 +-
drivers/acpi/processor_idle.c | 4 +
drivers/acpi/resource.c | 13 ++
drivers/base/power/main.c | 21 +--
drivers/base/power/runtime.c | 2 +-
drivers/clk/meson/g12a.c | 38 ++--
drivers/clk/meson/gxbb.c | 14 +-
drivers/clk/qcom/gcc-msm8953.c | 2 +-
drivers/clk/qcom/mmcc-sdm660.c | 2 +-
drivers/clk/rockchip/clk-rk3328.c | 2 +-
drivers/clk/samsung/clk.c | 2 +-
drivers/clocksource/i8253.c | 36 ++--
drivers/counter/microchip-tcb-capture.c | 19 ++
drivers/counter/stm32-lptimer-cnt.c | 24 ++-
drivers/cpufreq/cpufreq_governor.c | 45 ++---
drivers/cpufreq/scpi-cpufreq.c | 5 +-
drivers/crypto/hisilicon/sec2/sec_crypto.c | 30 ++-
drivers/crypto/nx/nx-common-pseries.c | 37 ++--
drivers/edac/ie31200_edac.c | 19 +-
drivers/firmware/imx/imx-scu.c | 1 +
drivers/firmware/iscsi_ibft.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +-
drivers/gpu/drm/amd/amdgpu/nv.c | 2 +-
drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 15 ++
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 +
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 17 +-
.../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 +-
.../gpu/drm/amd/display/dc/dml/display_mode_vba.c | 24 +++
drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 21 ++-
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 +
drivers/gpu/drm/drm_atomic_uapi.c | 4 +
drivers/gpu/drm/drm_connector.c | 4 +
drivers/gpu/drm/drm_dp_mst_topology.c | 8 +-
drivers/gpu/drm/gma500/mid_bios.c | 5 +
drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +-
drivers/gpu/drm/mediatek/mtk_hdmi.c | 33 +++-
drivers/gpu/drm/nouveau/nouveau_connector.c | 1 -
drivers/gpu/drm/radeon/radeon_vce.c | 2 +-
drivers/gpu/drm/v3d/v3d_sched.c | 9 +-
drivers/gpu/drm/vkms/vkms_drv.c | 15 +-
drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 +
drivers/hid/Makefile | 1 -
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-plantronics.c | 144 +++++++--------
drivers/hid/hid-quirks.c | 1 +
drivers/hid/intel-ish-hid/ipc/ipc.c | 6 +-
drivers/hv/vmbus_drv.c | 13 ++
drivers/hwmon/nct6775.c | 4 +-
drivers/hwtracing/coresight/coresight-catu.c | 2 +-
drivers/i2c/busses/i2c-ali1535.c | 12 +-
drivers/i2c/busses/i2c-ali15x3.c | 12 +-
drivers/i2c/busses/i2c-omap.c | 26 +--
drivers/i2c/busses/i2c-sis630.c | 12 +-
drivers/i3c/master/svc-i3c-master.c | 2 +-
drivers/iio/accel/mma8452.c | 10 +-
drivers/iio/adc/ad7124.c | 35 +++-
drivers/infiniband/core/device.c | 9 +
drivers/infiniband/core/mad.c | 38 ++--
drivers/infiniband/core/sysfs.c | 1 +
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 -
drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +-
drivers/infiniband/hw/hns/hns_roce_hem.c | 23 ++-
drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +-
drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
drivers/infiniband/hw/hns/hns_roce_mr.c | 4 +-
drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +-
drivers/infiniband/hw/mlx5/cq.c | 2 +-
drivers/media/dvb-frontends/dib8000.c | 5 +-
drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 +-
drivers/media/platform/allegro-dvt/allegro-core.c | 1 +
drivers/memstick/host/rtsx_usb_ms.c | 1 +
drivers/mfd/sm501.c | 6 +-
drivers/mmc/host/atmel-mci.c | 4 +-
drivers/mmc/host/sdhci-brcmstb.c | 86 ++++++++-
drivers/mmc/host/sdhci-pxav3.c | 1 +
drivers/net/arcnet/com20020-pci.c | 17 +-
drivers/net/can/flexcan.c | 18 +-
drivers/net/dsa/mv88e6xxx/chip.c | 59 ++++--
drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 3 +
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 3 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 201 ++++++++++++++-------
drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
.../ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
.../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +-
.../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 +
.../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +-
drivers/net/usb/qmi_wwan.c | 2 +
drivers/net/usb/usbnet.c | 27 ++-
drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++---
drivers/net/wwan/mhi_wwan_mbim.c | 2 +-
drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +
drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +-
drivers/ntb/test/ntb_perf.c | 4 +-
drivers/nvme/host/core.c | 2 -
drivers/nvme/host/fc.c | 3 +-
drivers/nvme/host/pci.c | 21 ++-
drivers/nvme/host/tcp.c | 5 +-
drivers/nvme/target/rdma.c | 33 +++-
drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +-
drivers/pci/controller/cadence/pcie-cadence.h | 2 +-
drivers/pci/controller/pcie-brcmstb.c | 4 +-
drivers/pci/controller/pcie-xilinx-cpm.c | 10 +-
drivers/pci/hotplug/pciehp_hpc.c | 4 +-
drivers/pci/pci.c | 4 +
drivers/pci/pcie/aspm.c | 17 +-
drivers/pci/pcie/portdrv_core.c | 8 +-
drivers/pci/probe.c | 5 +-
drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +-
drivers/pinctrl/renesas/pinctrl-rza2.c | 2 +
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +
drivers/pinctrl/tegra/pinctrl-tegra.c | 3 +
.../x86/intel/speed_select_if/isst_if_common.c | 2 +-
drivers/power/supply/max77693_charger.c | 2 +-
drivers/powercap/powercap_sys.c | 3 +-
drivers/regulator/core.c | 12 +-
drivers/remoteproc/qcom_q6v5_mss.c | 21 ++-
drivers/remoteproc/qcom_q6v5_pas.c | 10 +-
drivers/remoteproc/remoteproc_core.c | 1 +
drivers/s390/cio/chp.c | 3 +-
drivers/scsi/qla1280.c | 2 +-
drivers/scsi/scsi_scan.c | 2 +-
drivers/soc/qcom/pdr_interface.c | 8 +-
drivers/soundwire/slave.c | 1 +
drivers/thermal/cpufreq_cooling.c | 2 -
.../intel/int340x_thermal/int3402_thermal.c | 3 +
drivers/tty/serial/8250/8250_dma.c | 2 +-
drivers/tty/serial/8250/8250_pci.c | 46 +++++
drivers/tty/serial/fsl_lpuart.c | 25 ++-
drivers/usb/serial/ftdi_sio.c | 14 ++
drivers/usb/serial/ftdi_sio_ids.h | 13 ++
drivers/usb/serial/option.c | 48 +++--
drivers/video/console/Kconfig | 2 +-
drivers/video/fbdev/au1100fb.c | 4 +-
drivers/video/fbdev/hyperv_fb.c | 2 +-
drivers/video/fbdev/sm501fb.c | 7 +
fs/affs/file.c | 9 +-
fs/btrfs/extent-tree.c | 5 +-
fs/cifs/cifs_debug.c | 2 +
fs/cifs/cifsglob.h | 8 +
fs/cifs/connect.c | 15 +-
fs/cifs/fs_context.c | 14 +-
fs/exfat/fatent.c | 2 +-
fs/ext4/dir.c | 3 +
fs/ext4/super.c | 27 ++-
fs/fuse/dax.c | 1 -
fs/fuse/dir.c | 4 +-
fs/fuse/file.c | 4 +-
fs/isofs/dir.c | 3 +-
fs/jfs/jfs_dtree.c | 3 +-
fs/jfs/xattr.c | 13 +-
fs/ksmbd/auth.c | 2 +-
fs/ksmbd/mgmt/user_session.c | 16 ++
fs/ksmbd/mgmt/user_session.h | 2 +
fs/ksmbd/smb2pdu.c | 12 +-
fs/ksmbd/smbacl.c | 5 +-
fs/namei.c | 24 ++-
fs/nfs/delegation.c | 33 ++--
fs/nfsd/nfs4state.c | 31 +++-
fs/ntfs3/index.c | 4 +-
fs/ocfs2/alloc.c | 8 +
fs/proc/base.c | 2 +-
fs/proc/generic.c | 10 +-
fs/proc/inode.c | 6 +-
fs/proc/internal.h | 14 ++
fs/vboxsf/super.c | 3 +-
include/drm/drm_dp_mst_helper.h | 7 +
include/linux/fs.h | 2 +
include/linux/fwnode.h | 2 +-
include/linux/i8253.h | 1 -
include/linux/interrupt.h | 8 +-
include/linux/pm_runtime.h | 2 +
include/linux/proc_fs.h | 7 +-
include/linux/sched/smt.h | 2 +-
include/linux/slab.h | 99 ++++++----
include/net/ipv6.h | 4 +-
include/rdma/ib_verbs.h | 1 +
include/sound/soc.h | 5 +-
kernel/events/ring_buffer.c | 2 +-
kernel/kexec_elf.c | 2 +-
kernel/locking/semaphore.c | 13 +-
kernel/sched/core.c | 5 +-
kernel/sched/deadline.c | 2 +-
kernel/time/hrtimer.c | 22 ++-
kernel/trace/bpf_trace.c | 2 +-
kernel/trace/ring_buffer.c | 4 +-
kernel/trace/trace_events_synth.c | 33 +++-
kernel/trace/trace_functions_graph.c | 1 +
kernel/trace/trace_irqsoff.c | 2 -
kernel/trace/trace_osnoise.c | 1 -
kernel/trace/trace_sched_wakeup.c | 2 -
kernel/watch_queue.c | 9 +
lib/842/842_compress.c | 2 +
lib/buildid.c | 5 +
mm/slab.c | 9 +-
mm/slab_common.c | 34 ++--
mm/slob.c | 14 ++
net/8021q/vlan_netlink.c | 10 +-
net/atm/lec.c | 3 +-
net/atm/mpc.c | 2 +
net/batman-adv/bat_iv_ogm.c | 3 +-
net/batman-adv/bat_v_ogm.c | 3 +-
net/bluetooth/6lowpan.c | 7 +-
net/bluetooth/hci_event.c | 13 +-
net/can/af_can.c | 12 +-
net/can/af_can.h | 12 +-
net/can/proc.c | 46 +++--
net/core/neighbour.c | 1 +
net/core/netpoll.c | 9 +-
net/core/rtnetlink.c | 3 +
net/core/sock_map.c | 5 +-
net/ipv4/ip_tunnel_core.c | 4 +-
net/ipv4/tcp.c | 6 +-
net/ipv6/addrconf.c | 37 ++--
net/ipv6/calipso.c | 21 ++-
net/ipv6/ip6_output.c | 6 +-
net/ipv6/netfilter/nf_socket_ipv6.c | 23 +++
net/ipv6/route.c | 5 +-
net/mptcp/options.c | 6 +-
net/mptcp/protocol.h | 2 +
net/netfilter/ipvs/ip_vs_ctl.c | 8 +-
net/netfilter/nf_conncount.c | 2 +
net/netfilter/nft_ct.c | 6 +-
net/netfilter/nft_exthdr.c | 10 +-
net/netfilter/nft_set_hash.c | 3 +-
net/netfilter/nft_tunnel.c | 6 +-
net/openvswitch/actions.c | 6 -
net/openvswitch/flow_netlink.c | 17 +-
net/sched/act_tunnel_key.c | 2 +-
net/sched/cls_flower.c | 2 +-
net/sched/sch_api.c | 6 +
net/sched/sch_skbprio.c | 3 -
net/sctp/stream.c | 2 +-
net/vmw_vsock/af_vsock.c | 6 +-
net/xfrm/xfrm_output.c | 2 +-
scripts/selinux/install_policy.sh | 15 +-
sound/pci/hda/patch_realtek.c | 28 ++-
sound/soc/codecs/arizona.c | 14 +-
sound/soc/codecs/madera.c | 10 +-
sound/soc/codecs/tas2764.c | 10 +-
sound/soc/codecs/tas2764.h | 8 +-
sound/soc/codecs/tas2770.c | 2 +-
sound/soc/codecs/wm0010.c | 13 +-
sound/soc/codecs/wm5110.c | 8 +-
sound/soc/fsl/imx-card.c | 4 +
sound/soc/sh/rcar/core.c | 14 --
sound/soc/sh/rcar/rsnd.h | 1 -
sound/soc/sh/rcar/src.c | 18 +-
sound/soc/soc-ops.c | 15 +-
sound/soc/sof/intel/hda-codec.c | 1 +
sound/soc/ti/j721e-evm.c | 2 +
sound/usb/mixer_quirks.c | 51 ++++++
tools/lib/bpf/linker.c | 2 +-
tools/perf/util/python.c | 17 +-
tools/perf/util/units.c | 2 +-
281 files changed, 2101 insertions(+), 1000 deletions(-)
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 001/279] vlan: fix memory leak in vlan_newlink()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 002/279] clockevents/drivers/i8253: Fix stop sequence for timer 0 Greg Kroah-Hartman
` (284 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Xin Long,
David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 72a0b329114b1caa8e69dfa7cdad1dd3c69b8602 upstream.
Blamed commit added back a bug I fixed in commit 9bbd917e0bec
("vlan: fix memory leak in vlan_dev_set_egress_priority")
If a memory allocation fails in vlan_changelink() after other allocations
succeeded, we need to call vlan_dev_free_egress_priority()
to free all allocated memory because after a failed ->newlink()
we do not call any methods like ndo_uninit() or dev->priv_destructor().
In following example, if the allocation for last element 2000:2001 fails,
we need to free eight prior allocations:
ip link add link dummy0 dummy0.100 type vlan id 100 \
egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001
syzbot report was:
BUG: memory leak
unreferenced object 0xffff888117bd1060 (size 32):
comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s)
hex dump (first 32 bytes):
09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline]
[<ffffffff83fc60ad>] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193
[<ffffffff83fc6628>] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128
[<ffffffff83fc67c8>] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185
[<ffffffff838b1278>] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
[<ffffffff838b1278>] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580
[<ffffffff838b1629>] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593
[<ffffffff838ac66c>] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089
[<ffffffff839f9c37>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501
[<ffffffff839f8da7>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
[<ffffffff839f8da7>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
[<ffffffff839f9266>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
[<ffffffff8384dbf6>] sock_sendmsg_nosec net/socket.c:714 [inline]
[<ffffffff8384dbf6>] sock_sendmsg+0x56/0x80 net/socket.c:734
[<ffffffff8384e15c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488
[<ffffffff838523cb>] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542
[<ffffffff838525b8>] __sys_sendmsg net/socket.c:2571 [inline]
[<ffffffff838525b8>] __do_sys_sendmsg net/socket.c:2580 [inline]
[<ffffffff838525b8>] __se_sys_sendmsg net/socket.c:2578 [inline]
[<ffffffff838525b8>] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578
[<ffffffff845ad8d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff845ad8d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fixes: 37aa50c539bc ("vlan: introduce vlan_dev_free_egress_priority")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/8021q/vlan_netlink.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -186,10 +186,14 @@ static int vlan_newlink(struct net *src_
else if (dev->mtu > max_mtu)
return -EINVAL;
+ /* Note: If this initial vlan_changelink() fails, we need
+ * to call vlan_dev_free_egress_priority() to free memory.
+ */
err = vlan_changelink(dev, tb, data, extack);
- if (err)
- return err;
- err = register_vlan_dev(dev, extack);
+
+ if (!err)
+ err = register_vlan_dev(dev, extack);
+
if (err)
vlan_dev_free_egress_priority(dev);
return err;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 002/279] clockevents/drivers/i8253: Fix stop sequence for timer 0
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 001/279] vlan: fix memory leak in vlan_newlink() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 003/279] sched/isolation: Prevent boot crash when the boot CPU is nohz_full Greg Kroah-Hartman
` (283 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Li RongQing,
David Woodhouse, Thomas Gleixner, Michael Kelley
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 531b2ca0a940ac9db03f246c8b77c4201de72b00 upstream.
According to the data sheet, writing the MODE register should stop the
counter (and thus the interrupts). This appears to work on real hardware,
at least modern Intel and AMD systems. It should also work on Hyper-V.
However, on some buggy virtual machines the mode change doesn't have any
effect until the counter is subsequently loaded (or perhaps when the IRQ
next fires).
So, set MODE 0 and then load the counter, to ensure that those buggy VMs
do the right thing and the interrupts stop. And then write MODE 0 *again*
to stop the counter on compliant implementations too.
Apparently, Hyper-V keeps firing the IRQ *repeatedly* even in mode zero
when it should only happen once, but the second MODE write stops that too.
Userspace test program (mostly written by tglx):
=====
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/io.h>
static __always_inline void __out##bwl(type value, uint16_t port) \
{ \
asm volatile("out" #bwl " %" #bw "0, %w1" \
: : "a"(value), "Nd"(port)); \
} \
\
static __always_inline type __in##bwl(uint16_t port) \
{ \
type value; \
asm volatile("in" #bwl " %w1, %" #bw "0" \
: "=a"(value) : "Nd"(port)); \
return value; \
}
BUILDIO(b, b, uint8_t)
#define inb __inb
#define outb __outb
#define PIT_MODE 0x43
#define PIT_CH0 0x40
#define PIT_CH2 0x42
static int is8254;
static void dump_pit(void)
{
if (is8254) {
// Latch and output counter and status
outb(0xC2, PIT_MODE);
printf("%02x %02x %02x\n", inb(PIT_CH0), inb(PIT_CH0), inb(PIT_CH0));
} else {
// Latch and output counter
outb(0x0, PIT_MODE);
printf("%02x %02x\n", inb(PIT_CH0), inb(PIT_CH0));
}
}
int main(int argc, char* argv[])
{
int nr_counts = 2;
if (argc > 1)
nr_counts = atoi(argv[1]);
if (argc > 2)
is8254 = 1;
if (ioperm(0x40, 4, 1) != 0)
return 1;
dump_pit();
printf("Set oneshot\n");
outb(0x38, PIT_MODE);
outb(0x00, PIT_CH0);
outb(0x0F, PIT_CH0);
dump_pit();
usleep(1000);
dump_pit();
printf("Set periodic\n");
outb(0x34, PIT_MODE);
outb(0x00, PIT_CH0);
outb(0x0F, PIT_CH0);
dump_pit();
usleep(1000);
dump_pit();
dump_pit();
usleep(100000);
dump_pit();
usleep(100000);
dump_pit();
printf("Set stop (%d counter writes)\n", nr_counts);
outb(0x30, PIT_MODE);
while (nr_counts--)
outb(0xFF, PIT_CH0);
dump_pit();
usleep(100000);
dump_pit();
usleep(100000);
dump_pit();
printf("Set MODE 0\n");
outb(0x30, PIT_MODE);
dump_pit();
usleep(100000);
dump_pit();
usleep(100000);
dump_pit();
return 0;
}
=====
Suggested-by: Sean Christopherson <seanjc@google.com>
Co-developed-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Michael Kelley <mhkelley@outlook.com>
Link: https://lore.kernel.org/all/20240802135555.564941-2-dwmw2@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/mshyperv.c | 11 -----------
drivers/clocksource/i8253.c | 36 +++++++++++++++++++++++++-----------
include/linux/i8253.h | 1 -
3 files changed, 25 insertions(+), 23 deletions(-)
--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -16,7 +16,6 @@
#include <linux/interrupt.h>
#include <linux/irq.h>
#include <linux/kexec.h>
-#include <linux/i8253.h>
#include <linux/random.h>
#include <asm/processor.h>
#include <asm/hypervisor.h>
@@ -445,16 +444,6 @@ static void __init ms_hyperv_init_platfo
if (efi_enabled(EFI_BOOT))
x86_platform.get_nmi_reason = hv_get_nmi_reason;
- /*
- * Hyper-V VMs have a PIT emulation quirk such that zeroing the
- * counter register during PIT shutdown restarts the PIT. So it
- * continues to interrupt @18.2 HZ. Setting i8253_clear_counter
- * to false tells pit_shutdown() not to zero the counter so that
- * the PIT really is shutdown. Generation 2 VMs don't have a PIT,
- * and setting this value has no effect.
- */
- i8253_clear_counter_on_shutdown = false;
-
#if IS_ENABLED(CONFIG_HYPERV)
/*
* Setup the hook to get control post apic initialization.
--- a/drivers/clocksource/i8253.c
+++ b/drivers/clocksource/i8253.c
@@ -20,13 +20,6 @@
DEFINE_RAW_SPINLOCK(i8253_lock);
EXPORT_SYMBOL(i8253_lock);
-/*
- * Handle PIT quirk in pit_shutdown() where zeroing the counter register
- * restarts the PIT, negating the shutdown. On platforms with the quirk,
- * platform specific code can set this to false.
- */
-bool i8253_clear_counter_on_shutdown __ro_after_init = true;
-
#ifdef CONFIG_CLKSRC_I8253
/*
* Since the PIT overflows every tick, its not very useful
@@ -112,12 +105,33 @@ void clockevent_i8253_disable(void)
{
raw_spin_lock(&i8253_lock);
+ /*
+ * Writing the MODE register should stop the counter, according to
+ * the datasheet. This appears to work on real hardware (well, on
+ * modern Intel and AMD boxes; I didn't dig the Pegasos out of the
+ * shed).
+ *
+ * However, some virtual implementations differ, and the MODE change
+ * doesn't have any effect until either the counter is written (KVM
+ * in-kernel PIT) or the next interrupt (QEMU). And in those cases,
+ * it may not stop the *count*, only the interrupts. Although in
+ * the virt case, that probably doesn't matter, as the value of the
+ * counter will only be calculated on demand if the guest reads it;
+ * it's the interrupts which cause steal time.
+ *
+ * Hyper-V apparently has a bug where even in mode 0, the IRQ keeps
+ * firing repeatedly if the counter is running. But it *does* do the
+ * right thing when the MODE register is written.
+ *
+ * So: write the MODE and then load the counter, which ensures that
+ * the IRQ is stopped on those buggy virt implementations. And then
+ * write the MODE again, which is the right way to stop it.
+ */
outb_p(0x30, PIT_MODE);
+ outb_p(0, PIT_CH0);
+ outb_p(0, PIT_CH0);
- if (i8253_clear_counter_on_shutdown) {
- outb_p(0, PIT_CH0);
- outb_p(0, PIT_CH0);
- }
+ outb_p(0x30, PIT_MODE);
raw_spin_unlock(&i8253_lock);
}
--- a/include/linux/i8253.h
+++ b/include/linux/i8253.h
@@ -21,7 +21,6 @@
#define PIT_LATCH ((PIT_TICK_RATE + HZ/2) / HZ)
extern raw_spinlock_t i8253_lock;
-extern bool i8253_clear_counter_on_shutdown;
extern struct clock_event_device i8253_clockevent;
extern void clockevent_i8253_init(bool oneshot);
extern void clockevent_i8253_disable(void);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 003/279] sched/isolation: Prevent boot crash when the boot CPU is nohz_full
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 001/279] vlan: fix memory leak in vlan_newlink() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 002/279] clockevents/drivers/i8253: Fix stop sequence for timer 0 Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 004/279] ipv6: Fix signed integer overflow in __ip6_append_data Greg Kroah-Hartman
` (282 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris von Recklinghausen,
Oleg Nesterov, Thomas Gleixner, Ingo Molnar, Phil Auld,
Frederic Weisbecker, Krishanth Jagaduri
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
Documentation/timers/no_hz.rst states that the "nohz_full=" mask must not
include the boot CPU, which is no longer true after:
08ae95f4fd3b ("nohz_full: Allow the boot CPU to be nohz_full").
However after:
aae17ebb53cd ("workqueue: Avoid using isolated cpus' timers on queue_delayed_work")
the kernel will crash at boot time in this case; housekeeping_any_cpu()
returns an invalid CPU number until smp_init() brings the first
housekeeping CPU up.
Change housekeeping_any_cpu() to check the result of cpumask_any_and() and
return smp_processor_id() in this case.
This is just the simple and backportable workaround which fixes the
symptom, but smp_processor_id() at boot time should be safe at least for
type == HK_TYPE_TIMER, this more or less matches the tick_do_timer_boot_cpu
logic.
There is no worry about cpu_down(); tick_nohz_cpu_down() will not allow to
offline tick_do_timer_cpu (the 1st online housekeeping CPU).
[ Apply only documentation changes as commit which causes boot
crash when boot CPU is nohz_full is not backported to stable
kernels - Krishanth ]
Reported-by: Chris von Recklinghausen <crecklin@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Phil Auld <pauld@redhat.com>
Acked-by: Frederic Weisbecker <frederic@kernel.org>
Link: https://lore.kernel.org/r/20240411143905.GA19288@redhat.com
Closes: https://lore.kernel.org/all/20240402105847.GA24832@redhat.com/
Signed-off-by: Krishanth Jagaduri <Krishanth.Jagaduri@sony.com>
[ strip out upstream commit and Fixes: so tools don't get confused that
this commit actually does anything real - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/timers/no_hz.rst | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/Documentation/timers/no_hz.rst
+++ b/Documentation/timers/no_hz.rst
@@ -129,11 +129,8 @@ adaptive-tick CPUs: At least one non-ad
online to handle timekeeping tasks in order to ensure that system
calls like gettimeofday() returns accurate values on adaptive-tick CPUs.
(This is not an issue for CONFIG_NO_HZ_IDLE=y because there are no running
-user processes to observe slight drifts in clock rate.) Therefore, the
-boot CPU is prohibited from entering adaptive-ticks mode. Specifying a
-"nohz_full=" mask that includes the boot CPU will result in a boot-time
-error message, and the boot CPU will be removed from the mask. Note that
-this means that your system must have at least two CPUs in order for
+user processes to observe slight drifts in clock rate.) Note that this
+means that your system must have at least two CPUs in order for
CONFIG_NO_HZ_FULL=y to do anything for you.
Finally, adaptive-ticks CPUs must have their RCU callbacks offloaded.
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 004/279] ipv6: Fix signed integer overflow in __ip6_append_data
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 003/279] sched/isolation: Prevent boot crash when the boot CPU is nohz_full Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 005/279] fbdev: hyperv_fb: iounmap() the correct memory when removing a device Greg Kroah-Hartman
` (281 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hulk Robot, Wang Yufen,
Jakub Kicinski, Sasha Levin, Abdelkareem Abdelsaamad
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Yufen <wangyufen@huawei.com>
commit f93431c86b631bbca5614c66f966bf3ddb3c2803 upstream.
Resurrect ubsan overflow checks and ubsan report this warning,
fix it by change the variable [length] type to size_t.
UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19
2147479552 + 8567 cannot be represented in type 'int'
CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x214/0x230
show_stack+0x30/0x78
dump_stack_lvl+0xf8/0x118
dump_stack+0x18/0x30
ubsan_epilogue+0x18/0x60
handle_overflow+0xd0/0xf0
__ubsan_handle_add_overflow+0x34/0x44
__ip6_append_data.isra.48+0x1598/0x1688
ip6_append_data+0x128/0x260
udpv6_sendmsg+0x680/0xdd0
inet6_sendmsg+0x54/0x90
sock_sendmsg+0x70/0x88
____sys_sendmsg+0xe8/0x368
___sys_sendmsg+0x98/0xe0
__sys_sendmmsg+0xf4/0x3b8
__arm64_sys_sendmmsg+0x34/0x48
invoke_syscall+0x64/0x160
el0_svc_common.constprop.4+0x124/0x300
do_el0_svc+0x44/0xc8
el0_svc+0x3c/0x1e8
el0t_64_sync_handler+0x88/0xb0
el0t_64_sync+0x16c/0x170
Changes since v1:
-Change the variable [length] type to unsigned, as Eric Dumazet suggested.
Changes since v2:
-Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested.
Changes since v3:
-Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as
Jakub Kicinski suggested.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/20220607120028.845916-1-wangyufen@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Conflict due to f37a4cc6bb0b ("udp6: pass flow in ip6_make_skb
together with cork") not in the tree ]
Signed-off-by: Abdelkareem Abdelsaamad <kareemem@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/ipv6.h | 4 ++--
net/ipv6/ip6_output.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -1000,7 +1000,7 @@ int ip6_find_1stfragopt(struct sk_buff *
int ip6_append_data(struct sock *sk,
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
struct rt6_info *rt, unsigned int flags);
@@ -1016,7 +1016,7 @@ struct sk_buff *__ip6_make_skb(struct so
struct sk_buff *ip6_make_skb(struct sock *sk,
int getfrag(void *from, char *to, int offset,
int len, int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
struct rt6_info *rt, unsigned int flags,
struct inet_cork_full *cork);
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1461,7 +1461,7 @@ static int __ip6_append_data(struct sock
struct page_frag *pfrag,
int getfrag(void *from, char *to, int offset,
int len, int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
unsigned int flags, struct ipcm6_cookie *ipc6)
{
struct sk_buff *skb, *skb_prev = NULL;
@@ -1806,7 +1806,7 @@ error:
int ip6_append_data(struct sock *sk,
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
struct rt6_info *rt, unsigned int flags)
{
@@ -2000,7 +2000,7 @@ EXPORT_SYMBOL_GPL(ip6_flush_pending_fram
struct sk_buff *ip6_make_skb(struct sock *sk,
int getfrag(void *from, char *to, int offset,
int len, int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
struct rt6_info *rt, unsigned int flags,
struct inet_cork_full *cork)
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 005/279] fbdev: hyperv_fb: iounmap() the correct memory when removing a device
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 004/279] ipv6: Fix signed integer overflow in __ip6_append_data Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 006/279] pinctrl: bcm281xx: Fix incorrect regmap max_registers value Greg Kroah-Hartman
` (280 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Kelley, Saurabh Sengar,
Wei Liu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Kelley <mhklinux@outlook.com>
[ Upstream commit 7241c886a71797cc51efc6fadec7076fcf6435c2 ]
When a Hyper-V framebuffer device is removed, or the driver is unbound
from a device, any allocated and/or mapped memory must be released. In
particular, MMIO address space that was mapped to the framebuffer must
be unmapped. Current code unmaps the wrong address, resulting in an
error like:
[ 4093.980597] iounmap: bad address 00000000c936c05c
followed by a stack dump.
Commit d21987d709e8 ("video: hyperv: hyperv_fb: Support deferred IO for
Hyper-V frame buffer driver") changed the kind of address stored in
info->screen_base, and the iounmap() call in hvfb_putmem() was not
updated accordingly.
Fix this by updating hvfb_putmem() to unmap the correct address.
Fixes: d21987d709e8 ("video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver")
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Link: https://lore.kernel.org/r/20250209235252.2987-1-mhklinux@outlook.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Message-ID: <20250209235252.2987-1-mhklinux@outlook.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/hyperv_fb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
index 6a881cfd7f5c0..5fd1b33d11238 100644
--- a/drivers/video/fbdev/hyperv_fb.c
+++ b/drivers/video/fbdev/hyperv_fb.c
@@ -1130,7 +1130,7 @@ static void hvfb_putmem(struct hv_device *hdev, struct fb_info *info)
if (par->need_docopy) {
vfree(par->dio_vp);
- iounmap(info->screen_base);
+ iounmap(par->mmio_vp);
vmbus_free_mmio(par->mem->start, screen_fb_size);
} else {
hvfb_release_phymem(hdev, info->fix.smem_start,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 006/279] pinctrl: bcm281xx: Fix incorrect regmap max_registers value
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 005/279] fbdev: hyperv_fb: iounmap() the correct memory when removing a device Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 007/279] netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template Greg Kroah-Hartman
` (279 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Artur Weber, Linus Walleij,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artur Weber <aweber.kernel@gmail.com>
[ Upstream commit 68283c1cb573143c0b7515e93206f3503616bc10 ]
The max_registers value does not take into consideration the stride;
currently, it's set to the number of the last pin, but this does not
accurately represent the final register.
Fix this by multiplying the current value by 4.
Fixes: 54b1aa5a5b16 ("ARM: pinctrl: Add Broadcom Capri pinctrl driver")
Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
Link: https://lore.kernel.org/20250207-bcm21664-pinctrl-v1-2-e7cfac9b2d3b@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/bcm/pinctrl-bcm281xx.c b/drivers/pinctrl/bcm/pinctrl-bcm281xx.c
index 9ab1f427286a7..fbfddcc39d5cc 100644
--- a/drivers/pinctrl/bcm/pinctrl-bcm281xx.c
+++ b/drivers/pinctrl/bcm/pinctrl-bcm281xx.c
@@ -981,7 +981,7 @@ static const struct regmap_config bcm281xx_pinctrl_regmap_config = {
.reg_bits = 32,
.reg_stride = 4,
.val_bits = 32,
- .max_register = BCM281XX_PIN_VC_CAM3_SDA,
+ .max_register = BCM281XX_PIN_VC_CAM3_SDA * 4,
};
static int bcm281xx_pinctrl_get_groups_count(struct pinctrl_dev *pctldev)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 007/279] netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 006/279] pinctrl: bcm281xx: Fix incorrect regmap max_registers value Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 008/279] ice: fix memory leak in aRFS after reset Greg Kroah-Hartman
` (278 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 5cfe5612ca9590db69b9be29dc83041dbf001108 ]
nft_ct_pcpu_template is a per-CPU variable and relies on disabled BH for its
locking. The refcounter is read and if its value is set to one then the
refcounter is incremented and variable is used - otherwise it is already
in use and left untouched.
Without per-CPU locking in local_bh_disable() on PREEMPT_RT the
read-then-increment operation is not atomic and therefore racy.
This can be avoided by using unconditionally __refcount_inc() which will
increment counter and return the old value as an atomic operation.
In case the returned counter is not one, the variable is in use and we
need to decrement counter. Otherwise we can use it.
Use __refcount_inc() instead of read and a conditional increment.
Fixes: edee4f1e9245 ("netfilter: nft_ct: add zone id set support")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_ct.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 69214993b5a2c..83bb3f110ea84 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -239,6 +239,7 @@ static void nft_ct_set_zone_eval(const struct nft_expr *expr,
enum ip_conntrack_info ctinfo;
u16 value = nft_reg_load16(®s->data[priv->sreg]);
struct nf_conn *ct;
+ int oldcnt;
ct = nf_ct_get(skb, &ctinfo);
if (ct) /* already tracked */
@@ -259,10 +260,11 @@ static void nft_ct_set_zone_eval(const struct nft_expr *expr,
ct = this_cpu_read(nft_ct_pcpu_template);
- if (likely(refcount_read(&ct->ct_general.use) == 1)) {
- refcount_inc(&ct->ct_general.use);
+ __refcount_inc(&ct->ct_general.use, &oldcnt);
+ if (likely(oldcnt == 1)) {
nf_ct_zone_add(ct, &zone);
} else {
+ refcount_dec(&ct->ct_general.use);
/* previous skb got queued to userspace, allocate temporary
* one until percpu template can be reused.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 008/279] ice: fix memory leak in aRFS after reset
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 007/279] netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 009/279] net: dsa: mv88e6xxx: Verify after ATU Load ops Greg Kroah-Hartman
` (277 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Swiatkowski, Grzegorz Nitka,
Simon Horman, Tony Nguyen, Sasha Levin, Rinitha S
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
[ Upstream commit 23d97f18901ef5e4e264e3b1777fe65c760186b5 ]
Fix aRFS (accelerated Receive Flow Steering) structures memory leak by
adding a checker to verify if aRFS memory is already allocated while
configuring VSI. aRFS objects are allocated in two cases:
- as part of VSI initialization (at probe), and
- as part of reset handling
However, VSI reconfiguration executed during reset involves memory
allocation one more time, without prior releasing already allocated
resources. This led to the memory leak with the following signature:
[root@os-delivery ~]# cat /sys/kernel/debug/kmemleak
unreferenced object 0xff3c1ca7252e6000 (size 8192):
comm "kworker/0:0", pid 8, jiffies 4296833052
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 0):
[<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340
[<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice]
[<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice]
[<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice]
[<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice]
[<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice]
[<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0
[<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20
[<ffffffff98f0b6d9>] process_one_work+0x179/0x390
[<ffffffff98f0c1e9>] worker_thread+0x239/0x340
[<ffffffff98f14abc>] kthread+0xcc/0x100
[<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50
[<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30
...
Fixes: 28bf26724fdb ("ice: Implement aRFS")
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_arfs.c b/drivers/net/ethernet/intel/ice/ice_arfs.c
index 88d98c9e5f914..9cebae92364eb 100644
--- a/drivers/net/ethernet/intel/ice/ice_arfs.c
+++ b/drivers/net/ethernet/intel/ice/ice_arfs.c
@@ -510,7 +510,7 @@ void ice_init_arfs(struct ice_vsi *vsi)
struct hlist_head *arfs_fltr_list;
unsigned int i;
- if (!vsi || vsi->type != ICE_VSI_PF)
+ if (!vsi || vsi->type != ICE_VSI_PF || ice_is_arfs_active(vsi))
return;
arfs_fltr_list = kzalloc(sizeof(*arfs_fltr_list) * ICE_MAX_ARFS_LIST,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 009/279] net: dsa: mv88e6xxx: Verify after ATU Load ops
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 008/279] ice: fix memory leak in aRFS after reset Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 010/279] netpoll: hold rcu read lock in __netpoll_send_skb() Greg Kroah-Hartman
` (276 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Huang, Andrew Lunn,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Huang <Joseph.Huang@garmin.com>
[ Upstream commit dc5340c3133a3ebe54853fd299116149e528cfaa ]
ATU Load operations could fail silently if there's not enough space
on the device to hold the new entry. When this happens, the symptom
depends on the unknown flood settings. If unknown multicast flood is
disabled, the multicast packets are dropped when the ATU table is
full. If unknown multicast flood is enabled, the multicast packets
will be flooded to all ports. Either way, IGMP snooping is broken
when the ATU Load operation fails silently.
Do a Read-After-Write verification after each fdb/mdb add operation
to make sure that the operation was really successful, and return
-ENOSPC otherwise.
Fixes: defb05b9b9b4 ("net: dsa: mv88e6xxx: Add support for fdb_add, fdb_del, and fdb_getnext")
Signed-off-by: Joseph Huang <Joseph.Huang@garmin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250306172306.3859214-1-Joseph.Huang@garmin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 59 ++++++++++++++++++++++++++------
1 file changed, 48 insertions(+), 11 deletions(-)
diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 2a55ecceab8c6..07a3f12e02dd1 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -1775,13 +1775,11 @@ mv88e6xxx_port_vlan_prepare(struct dsa_switch *ds, int port,
return err;
}
-static int mv88e6xxx_port_db_load_purge(struct mv88e6xxx_chip *chip, int port,
- const unsigned char *addr, u16 vid,
- u8 state)
+static int mv88e6xxx_port_db_get(struct mv88e6xxx_chip *chip,
+ const unsigned char *addr, u16 vid,
+ u16 *fid, struct mv88e6xxx_atu_entry *entry)
{
- struct mv88e6xxx_atu_entry entry;
struct mv88e6xxx_vtu_entry vlan;
- u16 fid;
int err;
/* Ports have two private address databases: one for when the port is
@@ -1792,7 +1790,7 @@ static int mv88e6xxx_port_db_load_purge(struct mv88e6xxx_chip *chip, int port,
* VLAN ID into the port's database used for VLAN-unaware bridging.
*/
if (vid == 0) {
- fid = MV88E6XXX_FID_BRIDGED;
+ *fid = MV88E6XXX_FID_BRIDGED;
} else {
err = mv88e6xxx_vtu_get(chip, vid, &vlan);
if (err)
@@ -1802,14 +1800,39 @@ static int mv88e6xxx_port_db_load_purge(struct mv88e6xxx_chip *chip, int port,
if (!vlan.valid)
return -EOPNOTSUPP;
- fid = vlan.fid;
+ *fid = vlan.fid;
}
- entry.state = 0;
- ether_addr_copy(entry.mac, addr);
- eth_addr_dec(entry.mac);
+ entry->state = 0;
+ ether_addr_copy(entry->mac, addr);
+ eth_addr_dec(entry->mac);
+
+ return mv88e6xxx_g1_atu_getnext(chip, *fid, entry);
+}
+
+static bool mv88e6xxx_port_db_find(struct mv88e6xxx_chip *chip,
+ const unsigned char *addr, u16 vid)
+{
+ struct mv88e6xxx_atu_entry entry;
+ u16 fid;
+ int err;
- err = mv88e6xxx_g1_atu_getnext(chip, fid, &entry);
+ err = mv88e6xxx_port_db_get(chip, addr, vid, &fid, &entry);
+ if (err)
+ return false;
+
+ return entry.state && ether_addr_equal(entry.mac, addr);
+}
+
+static int mv88e6xxx_port_db_load_purge(struct mv88e6xxx_chip *chip, int port,
+ const unsigned char *addr, u16 vid,
+ u8 state)
+{
+ struct mv88e6xxx_atu_entry entry;
+ u16 fid;
+ int err;
+
+ err = mv88e6xxx_port_db_get(chip, addr, vid, &fid, &entry);
if (err)
return err;
@@ -2324,6 +2347,13 @@ static int mv88e6xxx_port_fdb_add(struct dsa_switch *ds, int port,
mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_db_load_purge(chip, port, addr, vid,
MV88E6XXX_G1_ATU_DATA_STATE_UC_STATIC);
+ if (err)
+ goto out;
+
+ if (!mv88e6xxx_port_db_find(chip, addr, vid))
+ err = -ENOSPC;
+
+out:
mv88e6xxx_reg_unlock(chip);
return err;
@@ -5878,6 +5908,13 @@ static int mv88e6xxx_port_mdb_add(struct dsa_switch *ds, int port,
mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_db_load_purge(chip, port, mdb->addr, mdb->vid,
MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC);
+ if (err)
+ goto out;
+
+ if (!mv88e6xxx_port_db_find(chip, mdb->addr, mdb->vid))
+ err = -ENOSPC;
+
+out:
mv88e6xxx_reg_unlock(chip);
return err;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 010/279] netpoll: hold rcu read lock in __netpoll_send_skb()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 009/279] net: dsa: mv88e6xxx: Verify after ATU Load ops Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 011/279] Drivers: hv: vmbus: Dont release fb_mmio resource in vmbus_free_mmio() Greg Kroah-Hartman
` (275 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 505ead7ab77f289f12d8a68ac83da068e4d4408b ]
The function __netpoll_send_skb() is being invoked without holding the
RCU read lock. This oversight triggers a warning message when
CONFIG_PROVE_RCU_LIST is enabled:
net/core/netpoll.c:330 suspicious rcu_dereference_check() usage!
netpoll_send_skb
netpoll_send_udp
write_ext_msg
console_flush_all
console_unlock
vprintk_emit
To prevent npinfo from disappearing unexpectedly, ensure that
__netpoll_send_skb() is protected with the RCU read lock.
Fixes: 2899656b494dcd1 ("netpoll: take rcu_read_lock_bh() in netpoll_send_skb_on_dev()")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250306-netpoll_rcu_v2-v2-1-bc4f5c51742a@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/netpoll.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 597e83e2bce86..87f5a837410c1 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -326,6 +326,7 @@ static int netpoll_owner_active(struct net_device *dev)
static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb)
{
netdev_tx_t status = NETDEV_TX_BUSY;
+ netdev_tx_t ret = NET_XMIT_DROP;
struct net_device *dev;
unsigned long tries;
/* It is up to the caller to keep npinfo alive. */
@@ -334,11 +335,12 @@ static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb)
lockdep_assert_irqs_disabled();
dev = np->dev;
+ rcu_read_lock();
npinfo = rcu_dereference_bh(dev->npinfo);
if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) {
dev_kfree_skb_irq(skb);
- return NET_XMIT_DROP;
+ goto out;
}
/* don't get messages out of order, and no recursion */
@@ -377,7 +379,10 @@ static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb)
skb_queue_tail(&npinfo->txq, skb);
schedule_delayed_work(&npinfo->tx_work,0);
}
- return NETDEV_TX_OK;
+ ret = NETDEV_TX_OK;
+out:
+ rcu_read_unlock();
+ return ret;
}
netdev_tx_t netpoll_send_skb(struct netpoll *np, struct sk_buff *skb)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 011/279] Drivers: hv: vmbus: Dont release fb_mmio resource in vmbus_free_mmio()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 010/279] netpoll: hold rcu read lock in __netpoll_send_skb() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 012/279] net/mlx5: handle errors in mlx5_chains_create_table() Greg Kroah-Hartman
` (274 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Kelley, Saurabh Sengar,
Wei Liu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Kelley <mhklinux@outlook.com>
[ Upstream commit 73fe9073c0cc28056cb9de0c8a516dac070f1d1f ]
The VMBus driver manages the MMIO space it owns via the hyperv_mmio
resource tree. Because the synthetic video framebuffer portion of the
MMIO space is initially setup by the Hyper-V host for each guest, the
VMBus driver does an early reserve of that portion of MMIO space in the
hyperv_mmio resource tree. It saves a pointer to that resource in
fb_mmio. When a VMBus driver requests MMIO space and passes "true"
for the "fb_overlap_ok" argument, the reserved framebuffer space is
used if possible. In that case it's not necessary to do another request
against the "shadow" hyperv_mmio resource tree because that resource
was already requested in the early reserve steps.
However, the vmbus_free_mmio() function currently does no special
handling for the fb_mmio resource. When a framebuffer device is
removed, or the driver is unbound, the current code for
vmbus_free_mmio() releases the reserved resource, leaving fb_mmio
pointing to memory that has been freed. If the same or another
driver is subsequently bound to the device, vmbus_allocate_mmio()
checks against fb_mmio, and potentially gets garbage. Furthermore
a second unbind operation produces this "nonexistent resource" error
because of the unbalanced behavior between vmbus_allocate_mmio() and
vmbus_free_mmio():
[ 55.499643] resource: Trying to free nonexistent
resource <0x00000000f0000000-0x00000000f07fffff>
Fix this by adding logic to vmbus_free_mmio() to recognize when
MMIO space in the fb_mmio reserved area would be released, and don't
release it. This filtering ensures the fb_mmio resource always exists,
and makes vmbus_free_mmio() more parallel with vmbus_allocate_mmio().
Fixes: be000f93e5d7 ("drivers:hv: Track allocations of children of hv_vmbus in private resource tree")
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Link: https://lore.kernel.org/r/20250310035208.275764-1-mhklinux@outlook.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Message-ID: <20250310035208.275764-1-mhklinux@outlook.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hv/vmbus_drv.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 02aeb192e3671..cb3a5b13c3ec2 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -2419,12 +2419,25 @@ void vmbus_free_mmio(resource_size_t start, resource_size_t size)
struct resource *iter;
mutex_lock(&hyperv_mmio_lock);
+
+ /*
+ * If all bytes of the MMIO range to be released are within the
+ * special case fb_mmio shadow region, skip releasing the shadow
+ * region since no corresponding __request_region() was done
+ * in vmbus_allocate_mmio().
+ */
+ if (fb_mmio && start >= fb_mmio->start &&
+ (start + size - 1 <= fb_mmio->end))
+ goto skip_shadow_release;
+
for (iter = hyperv_mmio; iter; iter = iter->sibling) {
if ((iter->start >= start + size) || (iter->end <= start))
continue;
__release_region(iter, start, size);
}
+
+skip_shadow_release:
release_mem_region(start, size);
mutex_unlock(&hyperv_mmio_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 012/279] net/mlx5: handle errors in mlx5_chains_create_table()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 011/279] Drivers: hv: vmbus: Dont release fb_mmio resource in vmbus_free_mmio() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 013/279] netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Greg Kroah-Hartman
` (273 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Tariq Toukan,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit eab0396353be1c778eba1c0b5180176f04dd21ce ]
In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns()
and mlx5_get_flow_namespace() must be checked to prevent NULL pointer
dereferences. If either function fails, the function should log error
message with mlx5_core_warn() and return error pointer.
Fixes: 39ac237ce009 ("net/mlx5: E-Switch, Refactor chains and priorities")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250307021820.2646-1-vulab@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c
index df58cba37930a..64c1071bece8d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c
@@ -196,6 +196,11 @@ mlx5_chains_create_table(struct mlx5_fs_chains *chains,
ns = mlx5_get_flow_namespace(chains->dev, chains->ns);
}
+ if (!ns) {
+ mlx5_core_warn(chains->dev, "Failed to get flow namespace\n");
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
ft_attr.autogroup.num_reserved_entries = 2;
ft_attr.autogroup.max_num_groups = chains->group_num;
ft = mlx5_create_auto_grouped_flow_table(ns, &ft_attr);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 013/279] netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 012/279] net/mlx5: handle errors in mlx5_chains_create_table() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 014/279] ipvs: prevent integer overflow in do_ip_vs_get_ctl() Greg Kroah-Hartman
` (272 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+83fed965338b573115f7,
Kohei Enju, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <enjuk@amazon.com>
[ Upstream commit d653bfeb07ebb3499c403404c21ac58a16531607 ]
Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
collection confirm race"), `cpu` and `jiffies32` were introduced to
the struct nf_conncount_tuple.
The commit made nf_conncount_add() initialize `conn->cpu` and
`conn->jiffies32` when allocating the struct.
In contrast, count_tree() was not changed to initialize them.
By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and
traversal"), count_tree() was split and the relevant allocation
code now resides in insert_tree().
Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().
BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
find_or_evict net/netfilter/nf_conncount.c:117 [inline]
__nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
count_tree net/netfilter/nf_conncount.c:438 [inline]
nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
__nft_match_eval net/netfilter/nft_compat.c:403 [inline]
nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
__netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
__netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
__netif_receive_skb_list net/core/dev.c:6035 [inline]
netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
xdp_recv_frames net/bpf/test_run.c:280 [inline]
xdp_test_run_batch net/bpf/test_run.c:361 [inline]
bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
__do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
__ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
insert_tree net/netfilter/nf_conncount.c:372 [inline]
count_tree net/netfilter/nf_conncount.c:450 [inline]
nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
__nft_match_eval net/netfilter/nft_compat.c:403 [inline]
nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
__netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
__netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
__netif_receive_skb_list net/core/dev.c:6035 [inline]
netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
xdp_recv_frames net/bpf/test_run.c:280 [inline]
xdp_test_run_batch net/bpf/test_run.c:361 [inline]
bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
__do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
__ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Reported-by: syzbot+83fed965338b573115f7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=83fed965338b573115f7
Fixes: b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 0ce12a33ffda4..a66a27fe7f458 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -366,6 +366,8 @@ insert_tree(struct net *net,
conn->tuple = *tuple;
conn->zone = *zone;
+ conn->cpu = raw_smp_processor_id();
+ conn->jiffies32 = (u32)jiffies;
memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
nf_conncount_list_init(&rbconn->list);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 014/279] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 013/279] netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 015/279] net_sched: Prevent creation of classes with TC_H_ROOT Greg Kroah-Hartman
` (271 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Julian Anastasov,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 80b78c39eb86e6b55f56363b709eb817527da5aa ]
The get->num_services variable is an unsigned int which is controlled by
the user. The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.
Both "len" and "get->num_services" come from the user. This check is
just a sanity check to help the user and ensure they are using the API
correctly. An integer overflow here is not a big deal. This has no
security impact.
Save the result from struct_size() type size_t to fix this integer
overflow bug.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index d0b64c36471d5..fb9f1badeddbf 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2852,12 +2852,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
case IP_VS_SO_GET_SERVICES:
{
struct ip_vs_get_services *get;
- int size;
+ size_t size;
get = (struct ip_vs_get_services *)arg;
size = struct_size(get, entrytable, get->num_services);
if (*len != size) {
- pr_err("length: %u != %u\n", *len, size);
+ pr_err("length: %u != %zu\n", *len, size);
ret = -EINVAL;
goto out;
}
@@ -2893,12 +2893,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
case IP_VS_SO_GET_DESTS:
{
struct ip_vs_get_dests *get;
- int size;
+ size_t size;
get = (struct ip_vs_get_dests *)arg;
size = struct_size(get, entrytable, get->num_dests);
if (*len != size) {
- pr_err("length: %u != %u\n", *len, size);
+ pr_err("length: %u != %zu\n", *len, size);
ret = -EINVAL;
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 015/279] net_sched: Prevent creation of classes with TC_H_ROOT
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 014/279] ipvs: prevent integer overflow in do_ip_vs_get_ctl() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 016/279] netfilter: nft_exthdr: fix offset with ipv4_find_option() Greg Kroah-Hartman
` (270 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mingi Cho, Cong Wang, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 0c3057a5a04d07120b3d0ec9c79568fceb9c921e ]
The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho.
Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.
Reported-by: Mingi Cho <mincho@theori.io>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
Link: https://patch.msgid.link/20250306232355.93864-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_api.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 516874d943cd9..d9ce273ba43d8 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -2164,6 +2164,12 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n,
return -EOPNOTSUPP;
}
+ /* Prevent creation of traffic classes with classid TC_H_ROOT */
+ if (clid == TC_H_ROOT) {
+ NL_SET_ERR_MSG(extack, "Cannot create traffic class with classid TC_H_ROOT");
+ return -EINVAL;
+ }
+
new_cl = cl;
err = -EOPNOTSUPP;
if (cops->change)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 016/279] netfilter: nft_exthdr: fix offset with ipv4_find_option()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 015/279] net_sched: Prevent creation of classes with TC_H_ROOT Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 017/279] gre: Fix IPv6 link-local address generation Greg Kroah-Hartman
` (269 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kashavkin, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kashavkin <akashavkin@gmail.com>
[ Upstream commit 6edd78af9506bb182518da7f6feebd75655d9a0e ]
There is an incorrect calculation in the offset variable which causes
the nft_skb_copy_to_reg() function to always return -EFAULT. Adding the
start variable is redundant. In the __ip_options_compile() function the
correct offset is specified when finding the function. There is no need
to add the size of the iphdr structure to the offset.
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Alexey Kashavkin <akashavkin@gmail.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_exthdr.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index d1dcf5b2e92e1..7c2931e024bb0 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -85,7 +85,6 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb,
unsigned char optbuf[sizeof(struct ip_options) + 40];
struct ip_options *opt = (struct ip_options *)optbuf;
struct iphdr *iph, _iph;
- unsigned int start;
bool found = false;
__be32 info;
int optlen;
@@ -93,7 +92,6 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb,
iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (!iph)
return -EBADMSG;
- start = sizeof(struct iphdr);
optlen = iph->ihl * 4 - (int)sizeof(struct iphdr);
if (optlen <= 0)
@@ -103,7 +101,7 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb,
/* Copy the options since __ip_options_compile() modifies
* the options.
*/
- if (skb_copy_bits(skb, start, opt->__data, optlen))
+ if (skb_copy_bits(skb, sizeof(struct iphdr), opt->__data, optlen))
return -EBADMSG;
opt->optlen = optlen;
@@ -118,18 +116,18 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb,
found = target == IPOPT_SSRR ? opt->is_strictroute :
!opt->is_strictroute;
if (found)
- *offset = opt->srr + start;
+ *offset = opt->srr;
break;
case IPOPT_RR:
if (!opt->rr)
break;
- *offset = opt->rr + start;
+ *offset = opt->rr;
found = true;
break;
case IPOPT_RA:
if (!opt->router_alert)
break;
- *offset = opt->router_alert + start;
+ *offset = opt->router_alert;
found = true;
break;
default:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 017/279] gre: Fix IPv6 link-local address generation.
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 016/279] netfilter: nft_exthdr: fix offset with ipv4_find_option() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 018/279] slab: clean up function prototypes Greg Kroah-Hartman
` (268 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Ido Schimmel,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <gnault@redhat.com>
[ Upstream commit 183185a18ff96751db52a46ccf93fff3a1f42815 ]
Use addrconf_addr_gen() to generate IPv6 link-local addresses on GRE
devices in most cases and fall back to using add_v4_addrs() only in
case the GRE configuration is incompatible with addrconf_addr_gen().
GRE used to use addrconf_addr_gen() until commit e5dd729460ca
("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL
address") restricted this use to gretap and ip6gretap devices, and
created add_v4_addrs() (borrowed from SIT) for non-Ethernet GRE ones.
The original problem came when commit 9af28511be10 ("addrconf: refuse
isatap eui64 for INADDR_ANY") made __ipv6_isatap_ifid() fail when its
addr parameter was 0. The commit says that this would create an invalid
address, however, I couldn't find any RFC saying that the generated
interface identifier would be wrong. Anyway, since gre over IPv4
devices pass their local tunnel address to __ipv6_isatap_ifid(), that
commit broke their IPv6 link-local address generation when the local
address was unspecified.
Then commit e5dd729460ca ("ip/ip6_gre: use the same logic as SIT
interfaces when computing v6LL address") tried to fix that case by
defining add_v4_addrs() and calling it to generate the IPv6 link-local
address instead of using addrconf_addr_gen() (apart for gretap and
ip6gretap devices, which would still use the regular
addrconf_addr_gen(), since they have a MAC address).
That broke several use cases because add_v4_addrs() isn't properly
integrated into the rest of IPv6 Neighbor Discovery code. Several of
these shortcomings have been fixed over time, but add_v4_addrs()
remains broken on several aspects. In particular, it doesn't send any
Router Sollicitations, so the SLAAC process doesn't start until the
interface receives a Router Advertisement. Also, add_v4_addrs() mostly
ignores the address generation mode of the interface
(/proc/sys/net/ipv6/conf/*/addr_gen_mode), thus breaking the
IN6_ADDR_GEN_MODE_RANDOM and IN6_ADDR_GEN_MODE_STABLE_PRIVACY cases.
Fix the situation by using add_v4_addrs() only in the specific scenario
where the normal method would fail. That is, for interfaces that have
all of the following characteristics:
* run over IPv4,
* transport IP packets directly, not Ethernet (that is, not gretap
interfaces),
* tunnel endpoint is INADDR_ANY (that is, 0),
* device address generation mode is EUI64.
In all other cases, revert back to the regular addrconf_addr_gen().
Also, remove the special case for ip6gre interfaces in add_v4_addrs(),
since ip6gre devices now always use addrconf_addr_gen() instead.
Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/559c32ce5c9976b269e6337ac9abb6a96abe5096.1741375285.git.gnault@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 932a10f64adcb..f5cca40b71610 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3145,16 +3145,13 @@ static void add_v4_addrs(struct inet6_dev *idev)
struct in6_addr addr;
struct net_device *dev;
struct net *net = dev_net(idev->dev);
- int scope, plen, offset = 0;
+ int scope, plen;
u32 pflags = 0;
ASSERT_RTNL();
memset(&addr, 0, sizeof(struct in6_addr));
- /* in case of IP6GRE the dev_addr is an IPv6 and therefore we use only the last 4 bytes */
- if (idev->dev->addr_len == sizeof(struct in6_addr))
- offset = sizeof(struct in6_addr) - 4;
- memcpy(&addr.s6_addr32[3], idev->dev->dev_addr + offset, 4);
+ memcpy(&addr.s6_addr32[3], idev->dev->dev_addr, 4);
if (!(idev->dev->flags & IFF_POINTOPOINT) && idev->dev->type == ARPHRD_SIT) {
scope = IPV6_ADDR_COMPATv4;
@@ -3462,7 +3459,13 @@ static void addrconf_gre_config(struct net_device *dev)
return;
}
- if (dev->type == ARPHRD_ETHER) {
+ /* Generate the IPv6 link-local address using addrconf_addr_gen(),
+ * unless we have an IPv4 GRE device not bound to an IP address and
+ * which is in EUI64 mode (as __ipv6_isatap_ifid() would fail in this
+ * case). Such devices fall back to add_v4_addrs() instead.
+ */
+ if (!(dev->type == ARPHRD_IPGRE && *(__be32 *)dev->dev_addr == 0 &&
+ idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_EUI64)) {
addrconf_addr_gen(idev, true);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 018/279] slab: clean up function prototypes
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 017/279] gre: Fix IPv6 link-local address generation Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 019/279] slab: Introduce kmalloc_size_roundup() Greg Kroah-Hartman
` (267 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Christoph Lameter,
Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka,
Alexandre Bounine, Andy Whitcroft, Daniel Micay, Dennis Zhou,
Dwaipayan Ray, Gustavo A. R. Silva, Ira Weiny, Jing Xiangfeng,
Joe Perches, John Hubbard, kernel test robot, Lukas Bulwahn,
Matt Porter, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers,
Randy Dunlap, Souptick Joarder, Tejun Heo, Andrew Morton,
Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 72d67229f522e3331d1eabd9f58d36ae080eb228 ]
Based on feedback from Joe Perches and Linus Torvalds, regularize the
slab function prototypes before making attribute changes.
Link: https://lkml.kernel.org/r/20210930222704.2631604-4-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Jing Xiangfeng <jingxiangfeng@huawei.com>
Cc: Joe Perches <joe@perches.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: kernel test robot <lkp@intel.com>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Souptick Joarder <jrdr.linux@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: a1e64addf3ff ("net: openvswitch: remove misbehaving actions length check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/slab.h | 68 ++++++++++++++++++++++----------------------
1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 083f3ce550bca..d9f14125d7a2b 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -152,8 +152,8 @@ struct kmem_cache *kmem_cache_create_usercopy(const char *name,
slab_flags_t flags,
unsigned int useroffset, unsigned int usersize,
void (*ctor)(void *));
-void kmem_cache_destroy(struct kmem_cache *);
-int kmem_cache_shrink(struct kmem_cache *);
+void kmem_cache_destroy(struct kmem_cache *s);
+int kmem_cache_shrink(struct kmem_cache *s);
/*
* Please use this macro to create slab caches. Simply specify the
@@ -181,11 +181,11 @@ int kmem_cache_shrink(struct kmem_cache *);
/*
* Common kmalloc functions provided by all allocators
*/
-void * __must_check krealloc(const void *, size_t, gfp_t);
-void kfree(const void *);
-void kfree_sensitive(const void *);
-size_t __ksize(const void *);
-size_t ksize(const void *);
+void * __must_check krealloc(const void *objp, size_t new_size, gfp_t flags);
+void kfree(const void *objp);
+void kfree_sensitive(const void *objp);
+size_t __ksize(const void *objp);
+size_t ksize(const void *objp);
#ifdef CONFIG_PRINTK
bool kmem_valid_obj(void *object);
void kmem_dump_obj(void *object);
@@ -426,8 +426,8 @@ static __always_inline unsigned int __kmalloc_index(size_t size,
#endif /* !CONFIG_SLOB */
void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
-void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
-void kmem_cache_free(struct kmem_cache *, void *);
+void *kmem_cache_alloc(struct kmem_cache *s, gfp_t flags) __assume_slab_alignment __malloc;
+void kmem_cache_free(struct kmem_cache *s, void *objp);
/*
* Bulk allocation and freeing operations. These are accelerated in an
@@ -436,8 +436,8 @@ void kmem_cache_free(struct kmem_cache *, void *);
*
* Note that interrupts must be enabled when calling these functions.
*/
-void kmem_cache_free_bulk(struct kmem_cache *, size_t, void **);
-int kmem_cache_alloc_bulk(struct kmem_cache *, gfp_t, size_t, void **);
+void kmem_cache_free_bulk(struct kmem_cache *s, size_t size, void **p);
+int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size, void **p);
/*
* Caller must not use kfree_bulk() on memory not originally allocated
@@ -450,7 +450,8 @@ static __always_inline void kfree_bulk(size_t size, void **p)
#ifdef CONFIG_NUMA
void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
-void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+void *kmem_cache_alloc_node(struct kmem_cache *s, gfp_t flags, int node) __assume_slab_alignment
+ __malloc;
#else
static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
{
@@ -464,25 +465,24 @@ static __always_inline void *kmem_cache_alloc_node(struct kmem_cache *s, gfp_t f
#endif
#ifdef CONFIG_TRACING
-extern void *kmem_cache_alloc_trace(struct kmem_cache *, gfp_t, size_t) __assume_slab_alignment __malloc;
+extern void *kmem_cache_alloc_trace(struct kmem_cache *s, gfp_t flags, size_t size)
+ __assume_slab_alignment __malloc;
#ifdef CONFIG_NUMA
-extern void *kmem_cache_alloc_node_trace(struct kmem_cache *s,
- gfp_t gfpflags,
- int node, size_t size) __assume_slab_alignment __malloc;
+extern void *kmem_cache_alloc_node_trace(struct kmem_cache *s, gfp_t gfpflags,
+ int node, size_t size) __assume_slab_alignment __malloc;
#else
-static __always_inline void *
-kmem_cache_alloc_node_trace(struct kmem_cache *s,
- gfp_t gfpflags,
- int node, size_t size)
+static __always_inline void *kmem_cache_alloc_node_trace(struct kmem_cache *s,
+ gfp_t gfpflags, int node,
+ size_t size)
{
return kmem_cache_alloc_trace(s, gfpflags, size);
}
#endif /* CONFIG_NUMA */
#else /* CONFIG_TRACING */
-static __always_inline void *kmem_cache_alloc_trace(struct kmem_cache *s,
- gfp_t flags, size_t size)
+static __always_inline void *kmem_cache_alloc_trace(struct kmem_cache *s, gfp_t flags,
+ size_t size)
{
void *ret = kmem_cache_alloc(s, flags);
@@ -490,10 +490,8 @@ static __always_inline void *kmem_cache_alloc_trace(struct kmem_cache *s,
return ret;
}
-static __always_inline void *
-kmem_cache_alloc_node_trace(struct kmem_cache *s,
- gfp_t gfpflags,
- int node, size_t size)
+static __always_inline void *kmem_cache_alloc_node_trace(struct kmem_cache *s, gfp_t gfpflags,
+ int node, size_t size)
{
void *ret = kmem_cache_alloc_node(s, gfpflags, node);
@@ -502,13 +500,14 @@ kmem_cache_alloc_node_trace(struct kmem_cache *s,
}
#endif /* CONFIG_TRACING */
-extern void *kmalloc_order(size_t size, gfp_t flags, unsigned int order) __assume_page_alignment __malloc;
+extern void *kmalloc_order(size_t size, gfp_t flags, unsigned int order) __assume_page_alignment
+ __malloc;
#ifdef CONFIG_TRACING
-extern void *kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order) __assume_page_alignment __malloc;
+extern void *kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
+ __assume_page_alignment __malloc;
#else
-static __always_inline void *
-kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
+static __always_inline void *kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
{
return kmalloc_order(size, flags, order);
}
@@ -638,8 +637,8 @@ static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags)
* @new_size: new size of a single member of the array
* @flags: the type of memory to allocate (see kmalloc)
*/
-static __must_check inline void *
-krealloc_array(void *p, size_t new_n, size_t new_size, gfp_t flags)
+static inline void * __must_check krealloc_array(void *p, size_t new_n, size_t new_size,
+ gfp_t flags)
{
size_t bytes;
@@ -668,7 +667,7 @@ static inline void *kcalloc(size_t n, size_t size, gfp_t flags)
* allocator where we care about the real place the memory allocation
* request comes from.
*/
-extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
+extern void *__kmalloc_track_caller(size_t size, gfp_t flags, unsigned long caller);
#define kmalloc_track_caller(size, flags) \
__kmalloc_track_caller(size, flags, _RET_IP_)
@@ -691,7 +690,8 @@ static inline void *kcalloc_node(size_t n, size_t size, gfp_t flags, int node)
#ifdef CONFIG_NUMA
-extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long);
+extern void *__kmalloc_node_track_caller(size_t size, gfp_t flags, int node,
+ unsigned long caller);
#define kmalloc_node_track_caller(size, flags, node) \
__kmalloc_node_track_caller(size, flags, node, \
_RET_IP_)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 019/279] slab: Introduce kmalloc_size_roundup()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 018/279] slab: clean up function prototypes Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 020/279] openvswitch: Use kmalloc_size_roundup() to match ksize() usage Greg Kroah-Hartman
` (266 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vlastimil Babka, Christoph Lameter,
Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton,
linux-mm, Kees Cook, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 05a940656e1eb2026d9ee31019d5b47e9545124d ]
In the effort to help the compiler reason about buffer sizes, the
__alloc_size attribute was added to allocators. This improves the scope
of the compiler's ability to apply CONFIG_UBSAN_BOUNDS and (in the near
future) CONFIG_FORTIFY_SOURCE. For most allocations, this works well,
as the vast majority of callers are not expecting to use more memory
than what they asked for.
There is, however, one common exception to this: anticipatory resizing
of kmalloc allocations. These cases all use ksize() to determine the
actual bucket size of a given allocation (e.g. 128 when 126 was asked
for). This comes in two styles in the kernel:
1) An allocation has been determined to be too small, and needs to be
resized. Instead of the caller choosing its own next best size, it
wants to minimize the number of calls to krealloc(), so it just uses
ksize() plus some additional bytes, forcing the realloc into the next
bucket size, from which it can learn how large it is now. For example:
data = krealloc(data, ksize(data) + 1, gfp);
data_len = ksize(data);
2) The minimum size of an allocation is calculated, but since it may
grow in the future, just use all the space available in the chosen
bucket immediately, to avoid needing to reallocate later. A good
example of this is skbuff's allocators:
data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc);
...
/* kmalloc(size) might give us more room than requested.
* Put skb_shared_info exactly at the end of allocated zone,
* to allow max possible filling before reallocation.
*/
osize = ksize(data);
size = SKB_WITH_OVERHEAD(osize);
In both cases, the "how much was actually allocated?" question is answered
_after_ the allocation, where the compiler hinting is not in an easy place
to make the association any more. This mismatch between the compiler's
view of the buffer length and the code's intention about how much it is
going to actually use has already caused problems[1]. It is possible to
fix this by reordering the use of the "actual size" information.
We can serve the needs of users of ksize() and still have accurate buffer
length hinting for the compiler by doing the bucket size calculation
_before_ the allocation. Code can instead ask "how large an allocation
would I get for a given size?".
Introduce kmalloc_size_roundup(), to serve this function so we can start
replacing the "anticipatory resizing" uses of ksize().
[1] https://github.com/ClangBuiltLinux/linux/issues/1599
https://github.com/KSPP/linux/issues/183
[ vbabka@suse.cz: add SLOB version ]
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Stable-dep-of: a1e64addf3ff ("net: openvswitch: remove misbehaving actions length check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/slab.h | 31 +++++++++++++++++++++++++++++++
mm/slab.c | 9 ++++++---
mm/slab_common.c | 20 ++++++++++++++++++++
mm/slob.c | 14 ++++++++++++++
4 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/include/linux/slab.h b/include/linux/slab.h
index d9f14125d7a2b..3482c2ced139e 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -185,7 +185,21 @@ void * __must_check krealloc(const void *objp, size_t new_size, gfp_t flags);
void kfree(const void *objp);
void kfree_sensitive(const void *objp);
size_t __ksize(const void *objp);
+
+/**
+ * ksize - Report actual allocation size of associated object
+ *
+ * @objp: Pointer returned from a prior kmalloc()-family allocation.
+ *
+ * This should not be used for writing beyond the originally requested
+ * allocation size. Either use krealloc() or round up the allocation size
+ * with kmalloc_size_roundup() prior to allocation. If this is used to
+ * access beyond the originally requested allocation size, UBSAN_BOUNDS
+ * and/or FORTIFY_SOURCE may trip, since they only know about the
+ * originally allocated size via the __alloc_size attribute.
+ */
size_t ksize(const void *objp);
+
#ifdef CONFIG_PRINTK
bool kmem_valid_obj(void *object);
void kmem_dump_obj(void *object);
@@ -733,6 +747,23 @@ static inline void *kzalloc_node(size_t size, gfp_t flags, int node)
}
unsigned int kmem_cache_size(struct kmem_cache *s);
+
+/**
+ * kmalloc_size_roundup - Report allocation bucket size for the given size
+ *
+ * @size: Number of bytes to round up from.
+ *
+ * This returns the number of bytes that would be available in a kmalloc()
+ * allocation of @size bytes. For example, a 126 byte request would be
+ * rounded up to the next sized kmalloc bucket, 128 bytes. (This is strictly
+ * for the general-purpose kmalloc()-based allocations, and is not for the
+ * pre-sized kmem_cache_alloc()-based allocations.)
+ *
+ * Use this to kmalloc() the full bucket size ahead of time instead of using
+ * ksize() to query the size after an allocation.
+ */
+size_t kmalloc_size_roundup(size_t size);
+
void __init kmem_cache_init_late(void);
#if defined(CONFIG_SMP) && defined(CONFIG_SLAB)
diff --git a/mm/slab.c b/mm/slab.c
index f5b2246f832da..e53e50d6c29bc 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -4226,11 +4226,14 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
#endif /* CONFIG_HARDENED_USERCOPY */
/**
- * __ksize -- Uninstrumented ksize.
+ * __ksize -- Report full size of underlying allocation
* @objp: pointer to the object
*
- * Unlike ksize(), __ksize() is uninstrumented, and does not provide the same
- * safety checks as ksize() with KASAN instrumentation enabled.
+ * This should only be used internally to query the true size of allocations.
+ * It is not meant to be a way to discover the usable size of an allocation
+ * after the fact. Instead, use kmalloc_size_roundup(). Using memory beyond
+ * the originally requested allocation size may trigger KASAN, UBSAN_BOUNDS,
+ * and/or FORTIFY_SOURCE.
*
* Return: size of the actual memory used by @objp in bytes
*/
diff --git a/mm/slab_common.c b/mm/slab_common.c
index f684b06649c3e..06958c613b0ac 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -758,6 +758,26 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
return kmalloc_caches[kmalloc_type(flags)][index];
}
+size_t kmalloc_size_roundup(size_t size)
+{
+ struct kmem_cache *c;
+
+ /* Short-circuit the 0 size case. */
+ if (unlikely(size == 0))
+ return 0;
+ /* Short-circuit saturated "too-large" case. */
+ if (unlikely(size == SIZE_MAX))
+ return SIZE_MAX;
+ /* Above the smaller buckets, size is a multiple of page size. */
+ if (size > KMALLOC_MAX_CACHE_SIZE)
+ return PAGE_SIZE << get_order(size);
+
+ /* The flags don't matter since size_index is common to all. */
+ c = kmalloc_slab(size, GFP_KERNEL);
+ return c ? c->object_size : 0;
+}
+EXPORT_SYMBOL(kmalloc_size_roundup);
+
#ifdef CONFIG_ZONE_DMA
#define KMALLOC_DMA_NAME(sz) .name[KMALLOC_DMA] = "dma-kmalloc-" #sz,
#else
diff --git a/mm/slob.c b/mm/slob.c
index f3fc15df971af..d4c80bf1930d1 100644
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -567,6 +567,20 @@ void kfree(const void *block)
}
EXPORT_SYMBOL(kfree);
+size_t kmalloc_size_roundup(size_t size)
+{
+ /* Short-circuit the 0 size case. */
+ if (unlikely(size == 0))
+ return 0;
+ /* Short-circuit saturated "too-large" case. */
+ if (unlikely(size == SIZE_MAX))
+ return SIZE_MAX;
+
+ return ALIGN(size, ARCH_KMALLOC_MINALIGN);
+}
+
+EXPORT_SYMBOL(kmalloc_size_roundup);
+
/* can't use ksize for kmem_cache_alloc memory, only kmalloc */
size_t __ksize(const void *block)
{
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 020/279] openvswitch: Use kmalloc_size_roundup() to match ksize() usage
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 019/279] slab: Introduce kmalloc_size_roundup() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 021/279] net: openvswitch: remove misbehaving actions length check Greg Kroah-Hartman
` (265 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pravin B Shelar, dev, Kees Cook,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit ab3f7828c9793a5dfa99a54dc19ae3491c38bfa3 ]
Round up allocations with kmalloc_size_roundup() so that openvswitch's
use of ksize() is always accurate and no special handling of the memory
is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
Cc: Pravin B Shelar <pshelar@ovn.org>
Cc: dev@openvswitch.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221018090628.never.537-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a1e64addf3ff ("net: openvswitch: remove misbehaving actions length check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 1cf431d04a468..b8607c3fee4be 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2281,7 +2281,7 @@ static struct sw_flow_actions *nla_alloc_flow_actions(int size)
WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
- sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
+ sfa = kmalloc(kmalloc_size_roundup(sizeof(*sfa) + size), GFP_KERNEL);
if (!sfa)
return ERR_PTR(-ENOMEM);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 021/279] net: openvswitch: remove misbehaving actions length check
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 020/279] openvswitch: Use kmalloc_size_roundup() to match ksize() usage Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 022/279] net/mlx5: Bridge, fix the crash caused by LAG state check Greg Kroah-Hartman
` (264 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Maximets, Aaron Conole,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit a1e64addf3ff9257b45b78bc7d743781c3f41340 ]
The actions length check is unreliable and produces different results
depending on the initial length of the provided netlink attribute and
the composition of the actual actions inside of it. For example, a
user can add 4088 empty clone() actions without triggering -EMSGSIZE,
on attempt to add 4089 such actions the operation will fail with the
-EMSGSIZE verdict. However, if another 16 KB of other actions will
be *appended* to the previous 4089 clone() actions, the check passes
and the flow is successfully installed into the openvswitch datapath.
The reason for a such a weird behavior is the way memory is allocated.
When ovs_flow_cmd_new() is invoked, it calls ovs_nla_copy_actions(),
that in turn calls nla_alloc_flow_actions() with either the actual
length of the user-provided actions or the MAX_ACTIONS_BUFSIZE. The
function adds the size of the sw_flow_actions structure and then the
actually allocated memory is rounded up to the closest power of two.
So, if the user-provided actions are larger than MAX_ACTIONS_BUFSIZE,
then MAX_ACTIONS_BUFSIZE + sizeof(*sfa) rounded up is 32K + 24 -> 64K.
Later, while copying individual actions, we look at ksize(), which is
64K, so this way the MAX_ACTIONS_BUFSIZE check is not actually
triggered and the user can easily allocate almost 64 KB of actions.
However, when the initial size is less than MAX_ACTIONS_BUFSIZE, but
the actions contain ones that require size increase while copying
(such as clone() or sample()), then the limit check will be performed
during the reserve_sfa_size() and the user will not be allowed to
create actions that yield more than 32 KB internally.
This is one part of the problem. The other part is that it's not
actually possible for the userspace application to know beforehand
if the particular set of actions will be rejected or not.
Certain actions require more space in the internal representation,
e.g. an empty clone() takes 4 bytes in the action list passed in by
the user, but it takes 12 bytes in the internal representation due
to an extra nested attribute, and some actions require less space in
the internal representations, e.g. set(tunnel(..)) normally takes
64+ bytes in the action list provided by the user, but only needs to
store a single pointer in the internal implementation, since all the
data is stored in the tunnel_info structure instead.
And the action size limit is applied to the internal representation,
not to the action list passed by the user. So, it's not possible for
the userpsace application to predict if the certain combination of
actions will be rejected or not, because it is not possible for it to
calculate how much space these actions will take in the internal
representation without knowing kernel internals.
All that is causing random failures in ovs-vswitchd in userspace and
inability to handle certain traffic patterns as a result. For example,
it is reported that adding a bit more than a 1100 VMs in an OpenStack
setup breaks the network due to OVS not being able to handle ARP
traffic anymore in some cases (it tries to install a proper datapath
flow, but the kernel rejects it with -EMSGSIZE, even though the action
list isn't actually that large.)
Kernel behavior must be consistent and predictable in order for the
userspace application to use it in a reasonable way. ovs-vswitchd has
a mechanism to re-direct parts of the traffic and partially handle it
in userspace if the required action list is oversized, but that doesn't
work properly if we can't actually tell if the action list is oversized
or not.
Solution for this is to check the size of the user-provided actions
instead of the internal representation. This commit just removes the
check from the internal part because there is already an implicit size
check imposed by the netlink protocol. The attribute can't be larger
than 64 KB. Realistically, we could reduce the limit to 32 KB, but
we'll be risking to break some existing setups that rely on the fact
that it's possible to create nearly 64 KB action lists today.
Vast majority of flows in real setups are below 100-ish bytes. So
removal of the limit will not change real memory consumption on the
system. The absolutely worst case scenario is if someone adds a flow
with 64 KB of empty clone() actions. That will yield a 192 KB in the
internal representation consuming 256 KB block of memory. However,
that list of actions is not meaningful and also a no-op. Real world
very large action lists (that can occur for a rare cases of BUM
traffic handling) are unlikely to contain a large number of clones and
will likely have a lot of tunnel attributes making the internal
representation comparable in size to the original action list.
So, it should be fine to just remove the limit.
Commit in the 'Fixes' tag is the first one that introduced the
difference between internal representation and the user-provided action
lists, but there were many more afterwards that lead to the situation
we have today.
Fixes: 7d5437c709de ("openvswitch: Add tunneling interface.")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20250308004609.2881861-1-i.maximets@ovn.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index b8607c3fee4be..d9bef3decd70c 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2273,14 +2273,10 @@ int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
OVS_FLOW_ATTR_MASK, true, skb);
}
-#define MAX_ACTIONS_BUFSIZE (32 * 1024)
-
static struct sw_flow_actions *nla_alloc_flow_actions(int size)
{
struct sw_flow_actions *sfa;
- WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
-
sfa = kmalloc(kmalloc_size_roundup(sizeof(*sfa) + size), GFP_KERNEL);
if (!sfa)
return ERR_PTR(-ENOMEM);
@@ -2436,15 +2432,6 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
- if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
- if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
- OVS_NLERR(log, "Flow action size exceeds max %u",
- MAX_ACTIONS_BUFSIZE);
- return ERR_PTR(-EMSGSIZE);
- }
- new_acts_size = MAX_ACTIONS_BUFSIZE;
- }
-
acts = nla_alloc_flow_actions(new_acts_size);
if (IS_ERR(acts))
return (void *)acts;
@@ -3463,7 +3450,7 @@ int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
int err;
u32 mpls_label_count = 0;
- *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
+ *sfa = nla_alloc_flow_actions(nla_len(attr));
if (IS_ERR(*sfa))
return PTR_ERR(*sfa);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 022/279] net/mlx5: Bridge, fix the crash caused by LAG state check
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 021/279] net: openvswitch: remove misbehaving actions length check Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 023/279] net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Greg Kroah-Hartman
` (263 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Vlad Buslov,
Tariq Toukan, Michal Swiatkowski, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb ]
When removing LAG device from bridge, NETDEV_CHANGEUPPER event is
triggered. Driver finds the lower devices (PFs) to flush all the
offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns
false if one of PF is unloaded. In such case,
mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of
the alive PF, and the flush is skipped.
Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge
event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be
ignored in this case because the upper interface for bond is deleted,
and the entry will never be aged because lastuse is never updated.
To make things worse, as the entry is alive, mlx5 bridge workqueue
keeps sending that event, which is then handled by kernel bridge
notifier. It causes the following crash when accessing the passed bond
netdev which is already destroyed.
To fix this issue, remove such checks. LAG state is already checked in
commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding
bond to bridge"), driver still need to skip offload if LAG becomes
invalid state after initialization.
Oops: stack segment: 0000 [#1] SMP
CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]
RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]
Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7
RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297
RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff
RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0
RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8
R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60
R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __die_body+0x1a/0x60
? die+0x38/0x60
? do_trap+0x10b/0x120
? do_error_trap+0x64/0xa0
? exc_stack_segment+0x33/0x50
? asm_exc_stack_segment+0x22/0x30
? br_switchdev_event+0x2c/0x110 [bridge]
? sched_balance_newidle.isra.149+0x248/0x390
notifier_call_chain+0x4b/0xa0
atomic_notifier_call_chain+0x16/0x20
mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]
mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]
process_scheduled_works+0x81/0x390
worker_thread+0x106/0x250
? bh_worker+0x110/0x110
kthread+0xb7/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
</TASK>
Fixes: ff9b7521468b ("net/mlx5: Bridge, support LAG")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1741644104-97767-6-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c
index 291bd59639044..28c3667e323f5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c
@@ -48,15 +48,10 @@ mlx5_esw_bridge_lag_rep_get(struct net_device *dev, struct mlx5_eswitch *esw)
struct list_head *iter;
netdev_for_each_lower_dev(dev, lower, iter) {
- struct mlx5_core_dev *mdev;
- struct mlx5e_priv *priv;
-
if (!mlx5e_eswitch_rep(lower))
continue;
- priv = netdev_priv(lower);
- mdev = priv->mdev;
- if (mlx5_lag_is_shared_fdb(mdev) && mlx5_esw_bridge_dev_same_esw(lower, esw))
+ if (mlx5_esw_bridge_dev_same_esw(lower, esw))
return lower;
}
@@ -121,7 +116,7 @@ static bool mlx5_esw_bridge_is_local(struct net_device *dev, struct net_device *
priv = netdev_priv(rep);
mdev = priv->mdev;
if (netif_is_lag_master(dev))
- return mlx5_lag_is_shared_fdb(mdev) && mlx5_lag_is_master(mdev);
+ return mlx5_lag_is_master(mdev);
return true;
}
@@ -430,6 +425,9 @@ static int mlx5_esw_bridge_switchdev_event(struct notifier_block *nb,
if (!rep)
return NOTIFY_DONE;
+ if (netif_is_lag_master(dev) && !mlx5_lag_is_shared_fdb(esw->dev))
+ return NOTIFY_DONE;
+
switch (event) {
case SWITCHDEV_FDB_ADD_TO_BRIDGE:
fdb_info = container_of(info,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 023/279] net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 022/279] net/mlx5: Bridge, fix the crash caused by LAG state check Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 024/279] nvme-fc: go straight to connecting state when initializing Greg Kroah-Hartman
` (262 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carolina Jubran, Jianbo Liu,
Tariq Toukan, Michal Swiatkowski, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carolina Jubran <cjubran@nvidia.com>
[ Upstream commit e92df790d07a8eea873efcb84776e7b71f81c7d5 ]
mlx5_eswitch_get_vepa returns -EPERM if the device lacks
eswitch_manager capability, blocking mlx5e_bridge_getlink from
retrieving VEPA mode. Since mlx5e_bridge_getlink implements
ndo_bridge_getlink, returning -EPERM causes bridge link show to fail
instead of skipping devices without this capability.
To avoid this, return -EOPNOTSUPP from mlx5e_bridge_getlink when
mlx5_eswitch_get_vepa fails, ensuring the command continues processing
other devices while ignoring those without the necessary capability.
Fixes: 4b89251de024 ("net/mlx5: Support ndo bridge_setlink and getlink")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1741644104-97767-7-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index a0870da414538..321441e6ad328 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -4186,11 +4186,9 @@ static int mlx5e_bridge_getlink(struct sk_buff *skb, u32 pid, u32 seq,
struct mlx5e_priv *priv = netdev_priv(dev);
struct mlx5_core_dev *mdev = priv->mdev;
u8 mode, setting;
- int err;
- err = mlx5_eswitch_get_vepa(mdev->priv.eswitch, &setting);
- if (err)
- return err;
+ if (mlx5_eswitch_get_vepa(mdev->priv.eswitch, &setting))
+ return -EOPNOTSUPP;
mode = setting ? BRIDGE_MODE_VEPA : BRIDGE_MODE_VEB;
return ndo_dflt_bridge_getlink(skb, pid, seq, dev,
mode,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 024/279] nvme-fc: go straight to connecting state when initializing
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 023/279] net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 025/279] hrtimers: Mark is_migration_base() with __always_inline Greg Kroah-Hartman
` (261 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagi Grimberg, Hannes Reinecke,
Christoph Hellwig, Daniel Wagner, Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit d3d380eded7ee5fc2fc53b3b0e72365ded025c4a ]
The initial controller initialization mimiks the reconnect loop
behavior by switching from NEW to RESETTING and then to CONNECTING.
The transition from NEW to CONNECTING is a valid transition, so there is
no point entering the RESETTING state. TCP and RDMA also transition
directly to CONNECTING state.
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/fc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index 8dfd317509aa6..ebe8c2f147a33 100644
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -3547,8 +3547,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
list_add_tail(&ctrl->ctrl_list, &rport->ctrl_list);
spin_unlock_irqrestore(&rport->lock, flags);
- if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_RESETTING) ||
- !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) {
+ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) {
dev_err(ctrl->ctrl.device,
"NVME-FC{%d}: failed to init ctrl state\n", ctrl->cnum);
goto fail_ctrl;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 025/279] hrtimers: Mark is_migration_base() with __always_inline
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 024/279] nvme-fc: go straight to connecting state when initializing Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 026/279] powercap: call put_device() on an error path in powercap_register_control_type() Greg Kroah-Hartman
` (260 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Thomas Gleixner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 27af31e44949fa85550176520ef7086a0d00fd7b ]
When is_migration_base() is unused, it prevents kernel builds
with clang, `make W=1` and CONFIG_WERROR=y:
kernel/time/hrtimer.c:156:20: error: unused function 'is_migration_base' [-Werror,-Wunused-function]
156 | static inline bool is_migration_base(struct hrtimer_clock_base *base)
| ^~~~~~~~~~~~~~~~~
Fix this by marking it with __always_inline.
[ tglx: Use __always_inline instead of __maybe_unused and move it into the
usage sites conditional ]
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20250116160745.243358-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 9e91f69012a73..2e4b63f3c6dda 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -144,11 +144,6 @@ static struct hrtimer_cpu_base migration_cpu_base = {
#define migration_base migration_cpu_base.clock_base[0]
-static inline bool is_migration_base(struct hrtimer_clock_base *base)
-{
- return base == &migration_base;
-}
-
/*
* We are using hashed locking: holding per_cpu(hrtimer_bases)[n].lock
* means that all timers which are tied to this base via timer->base are
@@ -273,11 +268,6 @@ switch_hrtimer_base(struct hrtimer *timer, struct hrtimer_clock_base *base,
#else /* CONFIG_SMP */
-static inline bool is_migration_base(struct hrtimer_clock_base *base)
-{
- return false;
-}
-
static inline struct hrtimer_clock_base *
lock_hrtimer_base(const struct hrtimer *timer, unsigned long *flags)
{
@@ -1377,6 +1367,18 @@ static void hrtimer_sync_wait_running(struct hrtimer_cpu_base *cpu_base,
}
}
+#ifdef CONFIG_SMP
+static __always_inline bool is_migration_base(struct hrtimer_clock_base *base)
+{
+ return base == &migration_base;
+}
+#else
+static __always_inline bool is_migration_base(struct hrtimer_clock_base *base)
+{
+ return false;
+}
+#endif
+
/*
* This function is called on PREEMPT_RT kernels when the fast path
* deletion of a timer failed because the timer callback function was
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 026/279] powercap: call put_device() on an error path in powercap_register_control_type()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 025/279] hrtimers: Mark is_migration_base() with __always_inline Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 027/279] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Greg Kroah-Hartman
` (259 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit 93c66fbc280747ea700bd6199633d661e3c819b3 ]
powercap_register_control_type() calls device_register(), but does not
release the refcount of the device when it fails.
Call put_device() before returning an error to balance the refcount.
Since the kfree(control_type) will be done by powercap_release(), remove
the lines in powercap_register_control_type() before returning the error.
This bug was found by an experimental verifier that I am developing.
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Link: https://patch.msgid.link/20250110010554.1583411-1-joe@pf.is.s.u-tokyo.ac.jp
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/powercap/powercap_sys.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
index ff736b006198f..fd475e463d1fa 100644
--- a/drivers/powercap/powercap_sys.c
+++ b/drivers/powercap/powercap_sys.c
@@ -626,8 +626,7 @@ struct powercap_control_type *powercap_register_control_type(
dev_set_name(&control_type->dev, "%s", name);
result = device_register(&control_type->dev);
if (result) {
- if (control_type->allocated)
- kfree(control_type);
+ put_device(&control_type->dev);
return ERR_PTR(result);
}
idr_init(&control_type->idr);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 027/279] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 026/279] powercap: call put_device() on an error path in powercap_register_control_type() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 028/279] scsi: core: Use GFP_NOIO to avoid circular locking dependency Greg Kroah-Hartman
` (258 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengen Du, Konrad Rzeszutek Wilk,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengen Du <chengen.du@canonical.com>
[ Upstream commit 07e0d99a2f701123ad3104c0f1a1e66bce74d6e5 ]
When performing an iSCSI boot using IPv6, iscsistart still reads the
/sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix
length is 64, this causes the shift exponent to become negative,
triggering a UBSAN warning. As the concept of a subnet mask does not
apply to IPv6, the value is set to ~0 to suppress the warning message.
Signed-off-by: Chengen Du <chengen.du@canonical.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/iscsi_ibft.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c
index 6e9788324fea5..371f24569b3b2 100644
--- a/drivers/firmware/iscsi_ibft.c
+++ b/drivers/firmware/iscsi_ibft.c
@@ -310,7 +310,10 @@ static ssize_t ibft_attr_show_nic(void *data, int type, char *buf)
str += sprintf_ipaddr(str, nic->ip_addr);
break;
case ISCSI_BOOT_ETH_SUBNET_MASK:
- val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
+ if (nic->subnet_mask_prefix > 32)
+ val = cpu_to_be32(~0);
+ else
+ val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
str += sprintf(str, "%pI4", &val);
break;
case ISCSI_BOOT_ETH_PREFIX_LEN:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 028/279] scsi: core: Use GFP_NOIO to avoid circular locking dependency
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 027/279] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 029/279] scsi: qla1280: Fix kernel oops when debug level > 2 Greg Kroah-Hartman
` (257 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Aurèle La France,
Rik van Riel, Christoph Hellwig, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rik van Riel <riel@surriel.com>
[ Upstream commit 5363ee9d110e139584c2d92a0b640bc210588506 ]
Filesystems can write to disk from page reclaim with __GFP_FS
set. Marc found a case where scsi_realloc_sdev_budget_map() ends up in
page reclaim with GFP_KERNEL, where it could try to take filesystem
locks again, leading to a deadlock.
WARNING: possible circular locking dependency detected
6.13.0 #1 Not tainted
------------------------------------------------------
kswapd0/70 is trying to acquire lock:
ffff8881025d5d78 (&q->q_usage_counter(io)){++++}-{0:0}, at: blk_mq_submit_bio+0x461/0x6e0
but task is already holding lock:
ffffffff81ef5f40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x9f/0x760
The full lockdep splat can be found in Marc's report:
https://lkml.org/lkml/2025/1/24/1101
Avoid the potential deadlock by doing the allocation with GFP_NOIO, which
prevents both filesystem and block layer recursion.
Reported-by: Marc Aurèle La France <tsi@tuyoix.net>
Signed-off-by: Rik van Riel <riel@surriel.com>
Link: https://lore.kernel.org/r/20250129104525.0ae8421e@fangorn
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 9c155d5768144..f00b4624e46b5 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -229,7 +229,7 @@ static int scsi_realloc_sdev_budget_map(struct scsi_device *sdev,
}
ret = sbitmap_init_node(&sdev->budget_map,
scsi_device_max_queue_depth(sdev),
- new_shift, GFP_KERNEL,
+ new_shift, GFP_NOIO,
sdev->request_queue->node, false, true);
if (!ret)
sbitmap_resize(&sdev->budget_map, depth);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 029/279] scsi: qla1280: Fix kernel oops when debug level > 2
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 028/279] scsi: core: Use GFP_NOIO to avoid circular locking dependency Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 030/279] ACPI: resource: IRQ override for Eluktronics MECH-17 Greg Kroah-Hartman
` (256 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Magnus Lindholm, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Magnus Lindholm <linmag7@gmail.com>
[ Upstream commit 5233e3235dec3065ccc632729675575dbe3c6b8a ]
A null dereference or oops exception will eventually occur when qla1280.c
driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I
think its clear from the code that the intention here is sg_dma_len(s) not
length of sg_next(s) when printing the debug info.
Signed-off-by: Magnus Lindholm <linmag7@gmail.com>
Link: https://lore.kernel.org/r/20250125095033.26188-1-linmag7@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla1280.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/qla1280.c b/drivers/scsi/qla1280.c
index d0b4e063bfe1e..eb8e9c54837e0 100644
--- a/drivers/scsi/qla1280.c
+++ b/drivers/scsi/qla1280.c
@@ -2875,7 +2875,7 @@ qla1280_64bit_start_scsi(struct scsi_qla_host *ha, struct srb * sp)
dprintk(3, "S/G Segment phys_addr=%x %x, len=0x%x\n",
cpu_to_le32(upper_32_bits(dma_handle)),
cpu_to_le32(lower_32_bits(dma_handle)),
- cpu_to_le32(sg_dma_len(sg_next(s))));
+ cpu_to_le32(sg_dma_len(s)));
remseg--;
}
dprintk(5, "qla1280_64bit_start_scsi: Scatter/gather "
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 030/279] ACPI: resource: IRQ override for Eluktronics MECH-17
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 029/279] scsi: qla1280: Fix kernel oops when debug level > 2 Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 031/279] alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Greg Kroah-Hartman
` (255 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gannon Kolding, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gannon Kolding <gannon.kolding@gmail.com>
[ Upstream commit 607ab6f85f4194b644ea95ac5fe660ef575db3b4 ]
The Eluktronics MECH-17 (GM7RG7N) needs IRQ overriding for the
keyboard to work.
Adding a DMI_MATCH entry for this laptop model makes the internal
keyboard function normally.
Signed-off-by: Gannon Kolding <gannon.kolding@gmail.com>
Link: https://patch.msgid.link/20250127093902.328361-1-gannon.kolding@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/resource.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index 56bbdd2f9a40d..0735ad7f01e22 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -556,6 +556,12 @@ static const struct dmi_system_id maingear_laptop[] = {
DMI_MATCH(DMI_BOARD_NAME, "RP-15"),
},
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Eluktronics Inc."),
+ DMI_MATCH(DMI_BOARD_NAME, "MECH-17"),
+ },
+ },
{
/* TongFang GM6XGxX/TUXEDO Stellaris 16 Gen5 AMD */
.matches = {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 031/279] alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 030/279] ACPI: resource: IRQ override for Eluktronics MECH-17 Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 032/279] vboxsf: fix building with GCC 15 Greg Kroah-Hartman
` (254 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric W. Biederman, Richard Henderson,
Arnd Bergmann, John Paul Adrian Glaubitz, Kees Cook, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric W. Biederman <ebiederm@xmission.com>
[ Upstream commit b029628be267cba3c7684ec684749fe3e4372398 ]
Richard Henderson <richard.henderson@linaro.org> writes[1]:
> There was a Spec benchmark (I forget which) which was memory bound and ran
> twice as fast with 32-bit pointers.
>
> I copied the idea from DEC to the ELF abi, but never did all the other work
> to allow the toolchain to take advantage.
>
> Amusingly, a later Spec changed the benchmark data sets to not fit into a
> 32-bit address space, specifically because of this.
>
> I expect one could delete the ELF bit and personality and no one would
> notice. Not even the 10 remaining Alpha users.
In [2] it was pointed out that parts of setarch weren't working
properly on alpha because it has it's own SET_PERSONALITY
implementation. In the discussion that followed Richard Henderson
pointed out that the 32bit pointer support for alpha was never
completed.
Fix this by removing alpha's 32bit pointer support.
As a bit of paranoia refuse to execute any alpha binaries that have
the EF_ALPHA_32BIT flag set. Just in case someone somewhere has
binaries that try to use alpha's 32bit pointer support.
Link: https://lkml.kernel.org/r/CAFXwXrkgu=4Qn-v1PjnOR4SG0oUb9LSa0g6QXpBq4ttm52pJOQ@mail.gmail.com [1]
Link: https://lkml.kernel.org/r/20250103140148.370368-1-glaubitz@physik.fu-berlin.de [2]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Link: https://lore.kernel.org/r/87y0zfs26i.fsf_-_@email.froward.int.ebiederm.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/alpha/include/asm/elf.h | 6 +-----
arch/alpha/include/asm/pgtable.h | 2 +-
arch/alpha/include/asm/processor.h | 8 ++------
arch/alpha/kernel/osf_sys.c | 11 ++---------
4 files changed, 6 insertions(+), 21 deletions(-)
diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h
index 8049997fa372a..2039a8c8d5473 100644
--- a/arch/alpha/include/asm/elf.h
+++ b/arch/alpha/include/asm/elf.h
@@ -74,7 +74,7 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
/*
* This is used to ensure we don't load something for the wrong architecture.
*/
-#define elf_check_arch(x) ((x)->e_machine == EM_ALPHA)
+#define elf_check_arch(x) (((x)->e_machine == EM_ALPHA) && !((x)->e_flags & EF_ALPHA_32BIT))
/*
* These are used to set parameters in the core dumps.
@@ -145,10 +145,6 @@ extern int dump_elf_task_fp(elf_fpreg_t *dest, struct task_struct *task);
: amask (AMASK_CIX) ? "ev6" : "ev67"); \
})
-#define SET_PERSONALITY(EX) \
- set_personality(((EX).e_flags & EF_ALPHA_32BIT) \
- ? PER_LINUX_32BIT : PER_LINUX)
-
extern int alpha_l1i_cacheshape;
extern int alpha_l1d_cacheshape;
extern int alpha_l2_cacheshape;
diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h
index 02f0429f1068a..8e3cf3c9f913d 100644
--- a/arch/alpha/include/asm/pgtable.h
+++ b/arch/alpha/include/asm/pgtable.h
@@ -340,7 +340,7 @@ extern inline pte_t mk_swap_pte(unsigned long type, unsigned long offset)
extern void paging_init(void);
-/* We have our own get_unmapped_area to cope with ADDR_LIMIT_32BIT. */
+/* We have our own get_unmapped_area */
#define HAVE_ARCH_UNMAPPED_AREA
#endif /* _ALPHA_PGTABLE_H */
diff --git a/arch/alpha/include/asm/processor.h b/arch/alpha/include/asm/processor.h
index 6100431da07a3..d27db62c3247d 100644
--- a/arch/alpha/include/asm/processor.h
+++ b/arch/alpha/include/asm/processor.h
@@ -8,23 +8,19 @@
#ifndef __ASM_ALPHA_PROCESSOR_H
#define __ASM_ALPHA_PROCESSOR_H
-#include <linux/personality.h> /* for ADDR_LIMIT_32BIT */
-
/*
* We have a 42-bit user address space: 4TB user VM...
*/
#define TASK_SIZE (0x40000000000UL)
-#define STACK_TOP \
- (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
+#define STACK_TOP (0x00120000000UL)
#define STACK_TOP_MAX 0x00120000000UL
/* This decides where the kernel will search for a free chunk of vm
* space during mmap's.
*/
-#define TASK_UNMAPPED_BASE \
- ((current->personality & ADDR_LIMIT_32BIT) ? 0x40000000 : TASK_SIZE / 2)
+#define TASK_UNMAPPED_BASE (TASK_SIZE / 2)
typedef struct {
unsigned long seg;
diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
index 8bbeebb73cf03..2dfb69a2ae43a 100644
--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -1212,8 +1212,7 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
return ret;
}
-/* Get an address range which is currently unmapped. Similar to the
- generic version except that we know how to honor ADDR_LIMIT_32BIT. */
+/* Get an address range which is currently unmapped. */
static unsigned long
arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
@@ -1235,13 +1234,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
unsigned long len, unsigned long pgoff,
unsigned long flags)
{
- unsigned long limit;
-
- /* "32 bit" actually means 31 bit, since pointers sign extend. */
- if (current->personality & ADDR_LIMIT_32BIT)
- limit = 0x80000000;
- else
- limit = TASK_SIZE;
+ unsigned long limit = TASK_SIZE;
if (len > limit)
return -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 032/279] vboxsf: fix building with GCC 15
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 031/279] alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 033/279] HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Greg Kroah-Hartman
` (253 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brahmajit Das, Hans de Goede,
Christian Brauner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brahmajit Das <brahmajit.xyz@gmail.com>
[ Upstream commit 4e7487245abcbc5a1a1aea54e4d3b33c53804bda ]
Building with GCC 15 results in build error
fs/vboxsf/super.c:24:54: error: initializer-string for array of ‘unsigned char’ is too long [-Werror=unterminated-string-initialization]
24 | static const unsigned char VBSF_MOUNT_SIGNATURE[4] = "\000\377\376\375";
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Due to GCC having enabled -Werror=unterminated-string-initialization[0]
by default. Separately initializing each array element of
VBSF_MOUNT_SIGNATURE to ensure NUL termination, thus satisfying GCC 15
and fixing the build error.
[0]: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wno-unterminated-string-initialization
Signed-off-by: Brahmajit Das <brahmajit.xyz@gmail.com>
Link: https://lore.kernel.org/r/20250121162648.1408743-1-brahmajit.xyz@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/vboxsf/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/vboxsf/super.c b/fs/vboxsf/super.c
index 44725007ccc2c..20cfb2a9e8707 100644
--- a/fs/vboxsf/super.c
+++ b/fs/vboxsf/super.c
@@ -21,7 +21,8 @@
#define VBOXSF_SUPER_MAGIC 0x786f4256 /* 'VBox' little endian */
-static const unsigned char VBSF_MOUNT_SIGNATURE[4] = "\000\377\376\375";
+static const unsigned char VBSF_MOUNT_SIGNATURE[4] = { '\000', '\377', '\376',
+ '\375' };
static int follow_symlinks;
module_param(follow_symlinks, int, 0444);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 033/279] HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 032/279] vboxsf: fix building with GCC 15 Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 034/279] HID: ignore non-functional sensor in HP 5MP Camera Greg Kroah-Hartman
` (252 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Srinivas Pandruvada,
Jiri Kosina, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
[ Upstream commit 4b54ae69197b9f416baa0fceadff7e89075f8454 ]
The timestamps in the Firmware log and HID sensor samples are incorrect.
They show 1970-01-01 because the current IPC driver only uses the first
8 bytes of bootup time when synchronizing time with the firmware. The
firmware converts the bootup time to UTC time, which results in the
display of 1970-01-01.
In write_ipc_from_queue(), when sending the MNG_SYNC_FW_CLOCK message,
the clock is updated according to the definition of ipc_time_update_msg.
However, in _ish_sync_fw_clock(), the message length is specified as the
size of uint64_t when building the doorbell. As a result, the firmware
only receives the first 8 bytes of struct ipc_time_update_msg.
This patch corrects the length in the doorbell to ensure the entire
ipc_time_update_msg is sent, fixing the timestamp issue.
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/intel-ish-hid/ipc/ipc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/intel-ish-hid/ipc/ipc.c b/drivers/hid/intel-ish-hid/ipc/ipc.c
index ba45605fc6b52..a48f7cd514b0f 100644
--- a/drivers/hid/intel-ish-hid/ipc/ipc.c
+++ b/drivers/hid/intel-ish-hid/ipc/ipc.c
@@ -577,14 +577,14 @@ static void fw_reset_work_fn(struct work_struct *unused)
static void _ish_sync_fw_clock(struct ishtp_device *dev)
{
static unsigned long prev_sync;
- uint64_t usec;
+ struct ipc_time_update_msg time = {};
if (prev_sync && jiffies - prev_sync < 20 * HZ)
return;
prev_sync = jiffies;
- usec = ktime_to_us(ktime_get_boottime());
- ipc_send_mng_msg(dev, MNG_SYNC_FW_CLOCK, &usec, sizeof(uint64_t));
+ /* The fields of time would be updated while sending message */
+ ipc_send_mng_msg(dev, MNG_SYNC_FW_CLOCK, &time, sizeof(time));
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 034/279] HID: ignore non-functional sensor in HP 5MP Camera
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 033/279] HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 035/279] sched: Clarify wake_up_q()s write to task->wake_q.next Greg Kroah-Hartman
` (251 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chia-Lin Kao (AceLan),
Srinivas Pandruvada, Jiri Kosina, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
[ Upstream commit 363236d709e75610b628c2a4337ccbe42e454b6d ]
The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that
is not actually implemented. Attempting to access this non-functional
sensor via iio_info causes system hangs as runtime PM tries to wake up
an unresponsive sensor.
[453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff
[453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff
Add this device to the HID ignore list since the sensor interface is
non-functional by design and should not be exposed to userspace.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-quirks.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 81db294dda408..44825a916eeb2 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -1037,6 +1037,7 @@
#define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001 0x3001
#define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3003 0x3003
#define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008 0x3008
+#define USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473 0x5473
#define I2C_VENDOR_ID_RAYDIUM 0x2386
#define I2C_PRODUCT_ID_RAYDIUM_4B33 0x4b33
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index 80e4247a768bd..b5ad4c87daacf 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -871,6 +871,7 @@ static const struct hid_device_id hid_ignore_list[] = {
{ HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_DPAD) },
#endif
{ HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) },
{ }
};
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 035/279] sched: Clarify wake_up_q()s write to task->wake_q.next
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 034/279] HID: ignore non-functional sensor in HP 5MP Camera Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 036/279] s390/cio: Fix CHPID "configure" attribute caching Greg Kroah-Hartman
` (250 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Peter Zijlstra (Intel),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit bcc6244e13b4d4903511a1ea84368abf925031c0 ]
Clarify that wake_up_q() does an atomic write to task->wake_q.next, after
which a concurrent __wake_q_add() can immediately overwrite
task->wake_q.next again.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250129-sched-wakeup-prettier-v1-1-2f51f5f663fa@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 70a7cf563f01e..380938831b130 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -941,9 +941,10 @@ void wake_up_q(struct wake_q_head *head)
struct task_struct *task;
task = container_of(node, struct task_struct, wake_q);
- /* Task can safely be re-inserted now: */
node = node->next;
- task->wake_q.next = NULL;
+ /* pairs with cmpxchg_relaxed() in __wake_q_add() */
+ WRITE_ONCE(task->wake_q.next, NULL);
+ /* Task can safely be re-inserted now. */
/*
* wake_up_process() executes a full barrier, which pairs with
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 036/279] s390/cio: Fix CHPID "configure" attribute caching
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 035/279] sched: Clarify wake_up_q()s write to task->wake_q.next Greg Kroah-Hartman
@ 2025-04-08 10:46 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 037/279] thermal/cpufreq_cooling: Remove structure member documentation Greg Kroah-Hartman
` (249 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vineeth Vijayan, Eric Farman,
Peter Oberparleiter, Vasily Gorbik, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
[ Upstream commit 32ae4a2992529e2c7934e422035fad1d9b0f1fb5 ]
In some environments, the SCLP firmware interface used to query a
CHPID's configured state is not supported. On these environments,
rapidly reading the corresponding sysfs attribute produces inconsistent
results:
$ cat /sys/devices/css0/chp0.00/configure
cat: /sys/devices/css0/chp0.00/configure: Operation not supported
$ cat /sys/devices/css0/chp0.00/configure
3
This occurs for example when Linux is run as a KVM guest. The
inconsistency is a result of CIO using cached results for generating
the value of the "configure" attribute while failing to handle the
situation where no data was returned by SCLP.
Fix this by not updating the cache-expiration timestamp when SCLP
returns no data. With the fix applied, the system response is
consistent:
$ cat /sys/devices/css0/chp0.00/configure
cat: /sys/devices/css0/chp0.00/configure: Operation not supported
$ cat /sys/devices/css0/chp0.00/configure
cat: /sys/devices/css0/chp0.00/configure: Operation not supported
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Tested-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/chp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/s390/cio/chp.c b/drivers/s390/cio/chp.c
index 1097e76982a5d..6b0f1b8bf2790 100644
--- a/drivers/s390/cio/chp.c
+++ b/drivers/s390/cio/chp.c
@@ -661,7 +661,8 @@ static int info_update(void)
if (time_after(jiffies, chp_info_expires)) {
/* Data is too old, update. */
rc = sclp_chp_read_info(&chp_info);
- chp_info_expires = jiffies + CHP_INFO_UPDATE_INTERVAL ;
+ if (!rc)
+ chp_info_expires = jiffies + CHP_INFO_UPDATE_INTERVAL;
}
mutex_unlock(&info_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 037/279] thermal/cpufreq_cooling: Remove structure member documentation
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-04-08 10:46 ` [PATCH 5.15 036/279] s390/cio: Fix CHPID "configure" attribute caching Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 038/279] ASoC: rsnd: dont indicate warning on rsnd_kctrl_accept_runtime() Greg Kroah-Hartman
` (248 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Daniel Lezcano,
Viresh Kumar, Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Lezcano <daniel.lezcano@linaro.org>
[ Upstream commit a6768c4f92e152265590371975d44c071a5279c7 ]
The structure member documentation refers to a member which does not
exist any more. Remove it.
Link: https://lore.kernel.org/all/202501220046.h3PMBCti-lkp@intel.com/
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501220046.h3PMBCti-lkp@intel.com/
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/20250211084712.2746705-1-daniel.lezcano@linaro.org
[ rjw: Minor changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/cpufreq_cooling.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/thermal/cpufreq_cooling.c b/drivers/thermal/cpufreq_cooling.c
index 12a60415af955..8171c806f5f6f 100644
--- a/drivers/thermal/cpufreq_cooling.c
+++ b/drivers/thermal/cpufreq_cooling.c
@@ -56,8 +56,6 @@ struct time_in_idle {
* @max_level: maximum cooling level. One less than total number of valid
* cpufreq frequencies.
* @em: Reference on the Energy Model of the device
- * @cdev: thermal_cooling_device pointer to keep track of the
- * registered cooling device.
* @policy: cpufreq policy.
* @idle_time: idle time stats
* @qos_req: PM QoS contraint to apply
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 038/279] ASoC: rsnd: dont indicate warning on rsnd_kctrl_accept_runtime()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 037/279] thermal/cpufreq_cooling: Remove structure member documentation Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 039/279] ASoC: arizona/madera: use fsleep() in up/down DAPM event delays Greg Kroah-Hartman
` (247 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Yoshihiro Shimoda,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit c3fc002b206c6c83d1e3702b979733002ba6fb2c ]
rsnd_kctrl_accept_runtime() (1) is used for runtime convert rate
(= Synchronous SRC Mode). Now, rsnd driver has 2 kctrls for it
(A): "SRC Out Rate Switch"
(B): "SRC Out Rate" // it calls (1)
(A): can be called anytime
(B): can be called only runtime, and will indicate warning if it was used
at non-runtime.
To use runtime convert rate (= Synchronous SRC Mode), user might uses
command in below order.
(X): > amixer set "SRC Out Rate" on
> aplay xxx.wav &
(Y): > amixer set "SRC Out Rate" 48010 // convert rate to 48010Hz
(Y): calls B
(X): calls both A and B.
In this case, when user calls (X), it calls both (A) and (B), but it is not
yet start running. So, (B) will indicate warning.
This warning was added by commit b5c088689847 ("ASoC: rsnd: add warning
message to rsnd_kctrl_accept_runtime()"), but the message sounds like the
operation was not correct. Let's update warning message.
The message is very SRC specific, implement it in src.c
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://patch.msgid.link/8734gt2qed.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sh/rcar/core.c | 14 --------------
sound/soc/sh/rcar/rsnd.h | 1 -
sound/soc/sh/rcar/src.c | 18 +++++++++++++++++-
3 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
index af8ef2a27d341..65022ba5c5875 100644
--- a/sound/soc/sh/rcar/core.c
+++ b/sound/soc/sh/rcar/core.c
@@ -1694,20 +1694,6 @@ int rsnd_kctrl_accept_anytime(struct rsnd_dai_stream *io)
return 1;
}
-int rsnd_kctrl_accept_runtime(struct rsnd_dai_stream *io)
-{
- struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io);
- struct rsnd_priv *priv = rsnd_io_to_priv(io);
- struct device *dev = rsnd_priv_to_dev(priv);
-
- if (!runtime) {
- dev_warn(dev, "Can't update kctrl when idle\n");
- return 0;
- }
-
- return 1;
-}
-
struct rsnd_kctrl_cfg *rsnd_kctrl_init_m(struct rsnd_kctrl_cfg_m *cfg)
{
cfg->cfg.val = cfg->val;
diff --git a/sound/soc/sh/rcar/rsnd.h b/sound/soc/sh/rcar/rsnd.h
index f8ef6836ef84e..690f4932357c1 100644
--- a/sound/soc/sh/rcar/rsnd.h
+++ b/sound/soc/sh/rcar/rsnd.h
@@ -742,7 +742,6 @@ struct rsnd_kctrl_cfg_s {
#define rsnd_kctrl_vals(x) ((x).val) /* = (x).cfg.val[0] */
int rsnd_kctrl_accept_anytime(struct rsnd_dai_stream *io);
-int rsnd_kctrl_accept_runtime(struct rsnd_dai_stream *io);
struct rsnd_kctrl_cfg *rsnd_kctrl_init_m(struct rsnd_kctrl_cfg_m *cfg);
struct rsnd_kctrl_cfg *rsnd_kctrl_init_s(struct rsnd_kctrl_cfg_s *cfg);
int rsnd_kctrl_new(struct rsnd_mod *mod,
diff --git a/sound/soc/sh/rcar/src.c b/sound/soc/sh/rcar/src.c
index f832165e46bc0..9893839666d7b 100644
--- a/sound/soc/sh/rcar/src.c
+++ b/sound/soc/sh/rcar/src.c
@@ -530,6 +530,22 @@ static irqreturn_t rsnd_src_interrupt(int irq, void *data)
return IRQ_HANDLED;
}
+static int rsnd_src_kctrl_accept_runtime(struct rsnd_dai_stream *io)
+{
+ struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io);
+
+ if (!runtime) {
+ struct rsnd_priv *priv = rsnd_io_to_priv(io);
+ struct device *dev = rsnd_priv_to_dev(priv);
+
+ dev_warn(dev, "\"SRC Out Rate\" can use during running\n");
+
+ return 0;
+ }
+
+ return 1;
+}
+
static int rsnd_src_probe_(struct rsnd_mod *mod,
struct rsnd_dai_stream *io,
struct rsnd_priv *priv)
@@ -593,7 +609,7 @@ static int rsnd_src_pcm_new(struct rsnd_mod *mod,
rsnd_io_is_play(io) ?
"SRC Out Rate" :
"SRC In Rate",
- rsnd_kctrl_accept_runtime,
+ rsnd_src_kctrl_accept_runtime,
rsnd_src_set_convert_rate,
&src->sync, 192000);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 039/279] ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 038/279] ASoC: rsnd: dont indicate warning on rsnd_kctrl_accept_runtime() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 040/279] ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Greg Kroah-Hartman
` (246 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaly Rodionov, Charles Keepax,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
[ Upstream commit 679074942c2502a95842a80471d8fb718165ac77 ]
Using `fsleep` instead of `msleep` resolves some customer complaints
regarding the precision of up/down DAPM event timing. `fsleep()`
automatically selects the appropriate sleep function, making the delay
time more predictable.
Signed-off-by: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
Link: https://patch.msgid.link/20250205160849.500306-1-vitalyr@opensource.cirrus.com
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/arizona.c | 14 +++++++-------
sound/soc/codecs/madera.c | 10 +++++-----
sound/soc/codecs/wm5110.c | 8 ++++----
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/sound/soc/codecs/arizona.c b/sound/soc/codecs/arizona.c
index e32871b3f68ac..be207350b7124 100644
--- a/sound/soc/codecs/arizona.c
+++ b/sound/soc/codecs/arizona.c
@@ -967,7 +967,7 @@ int arizona_out_ev(struct snd_soc_dapm_widget *w,
case ARIZONA_OUT3L_ENA_SHIFT:
case ARIZONA_OUT3R_ENA_SHIFT:
priv->out_up_pending++;
- priv->out_up_delay += 17;
+ priv->out_up_delay += 17000;
break;
case ARIZONA_OUT4L_ENA_SHIFT:
case ARIZONA_OUT4R_ENA_SHIFT:
@@ -977,7 +977,7 @@ int arizona_out_ev(struct snd_soc_dapm_widget *w,
case WM8997:
break;
default:
- priv->out_up_delay += 10;
+ priv->out_up_delay += 10000;
break;
}
break;
@@ -999,7 +999,7 @@ int arizona_out_ev(struct snd_soc_dapm_widget *w,
if (!priv->out_up_pending && priv->out_up_delay) {
dev_dbg(component->dev, "Power up delay: %d\n",
priv->out_up_delay);
- msleep(priv->out_up_delay);
+ fsleep(priv->out_up_delay);
priv->out_up_delay = 0;
}
break;
@@ -1017,7 +1017,7 @@ int arizona_out_ev(struct snd_soc_dapm_widget *w,
case ARIZONA_OUT3L_ENA_SHIFT:
case ARIZONA_OUT3R_ENA_SHIFT:
priv->out_down_pending++;
- priv->out_down_delay++;
+ priv->out_down_delay += 1000;
break;
case ARIZONA_OUT4L_ENA_SHIFT:
case ARIZONA_OUT4R_ENA_SHIFT:
@@ -1028,10 +1028,10 @@ int arizona_out_ev(struct snd_soc_dapm_widget *w,
break;
case WM8998:
case WM1814:
- priv->out_down_delay += 5;
+ priv->out_down_delay += 5000;
break;
default:
- priv->out_down_delay++;
+ priv->out_down_delay += 1000;
break;
}
break;
@@ -1053,7 +1053,7 @@ int arizona_out_ev(struct snd_soc_dapm_widget *w,
if (!priv->out_down_pending && priv->out_down_delay) {
dev_dbg(component->dev, "Power down delay: %d\n",
priv->out_down_delay);
- msleep(priv->out_down_delay);
+ fsleep(priv->out_down_delay);
priv->out_down_delay = 0;
}
break;
diff --git a/sound/soc/codecs/madera.c b/sound/soc/codecs/madera.c
index fd4fa1d5d2d12..5775898fc6f9e 100644
--- a/sound/soc/codecs/madera.c
+++ b/sound/soc/codecs/madera.c
@@ -2322,10 +2322,10 @@ int madera_out_ev(struct snd_soc_dapm_widget *w,
case CS42L92:
case CS47L92:
case CS47L93:
- out_up_delay = 6;
+ out_up_delay = 6000;
break;
default:
- out_up_delay = 17;
+ out_up_delay = 17000;
break;
}
@@ -2356,7 +2356,7 @@ int madera_out_ev(struct snd_soc_dapm_widget *w,
case MADERA_OUT3R_ENA_SHIFT:
priv->out_up_pending--;
if (!priv->out_up_pending) {
- msleep(priv->out_up_delay);
+ fsleep(priv->out_up_delay);
priv->out_up_delay = 0;
}
break;
@@ -2375,7 +2375,7 @@ int madera_out_ev(struct snd_soc_dapm_widget *w,
case MADERA_OUT3L_ENA_SHIFT:
case MADERA_OUT3R_ENA_SHIFT:
priv->out_down_pending++;
- priv->out_down_delay++;
+ priv->out_down_delay += 1000;
break;
default:
break;
@@ -2392,7 +2392,7 @@ int madera_out_ev(struct snd_soc_dapm_widget *w,
case MADERA_OUT3R_ENA_SHIFT:
priv->out_down_pending--;
if (!priv->out_down_pending) {
- msleep(priv->out_down_delay);
+ fsleep(priv->out_down_delay);
priv->out_down_delay = 0;
}
break;
diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c
index 7c6e01720d651..bc3dfb53ba953 100644
--- a/sound/soc/codecs/wm5110.c
+++ b/sound/soc/codecs/wm5110.c
@@ -302,7 +302,7 @@ static int wm5110_hp_pre_enable(struct snd_soc_dapm_widget *w)
} else {
wseq = wm5110_no_dre_left_enable;
nregs = ARRAY_SIZE(wm5110_no_dre_left_enable);
- priv->out_up_delay += 10;
+ priv->out_up_delay += 10000;
}
break;
case ARIZONA_OUT1R_ENA_SHIFT:
@@ -312,7 +312,7 @@ static int wm5110_hp_pre_enable(struct snd_soc_dapm_widget *w)
} else {
wseq = wm5110_no_dre_right_enable;
nregs = ARRAY_SIZE(wm5110_no_dre_right_enable);
- priv->out_up_delay += 10;
+ priv->out_up_delay += 10000;
}
break;
default:
@@ -338,7 +338,7 @@ static int wm5110_hp_pre_disable(struct snd_soc_dapm_widget *w)
snd_soc_component_update_bits(component,
ARIZONA_SPARE_TRIGGERS,
ARIZONA_WS_TRG1, 0);
- priv->out_down_delay += 27;
+ priv->out_down_delay += 27000;
}
break;
case ARIZONA_OUT1R_ENA_SHIFT:
@@ -350,7 +350,7 @@ static int wm5110_hp_pre_disable(struct snd_soc_dapm_widget *w)
snd_soc_component_update_bits(component,
ARIZONA_SPARE_TRIGGERS,
ARIZONA_WS_TRG2, 0);
- priv->out_down_delay += 27;
+ priv->out_down_delay += 27000;
}
break;
default:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 040/279] ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 039/279] ASoC: arizona/madera: use fsleep() in up/down DAPM event delays Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 041/279] net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Greg Kroah-Hartman
` (245 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Terry Cheong, Bard Liao, Johny Lin,
Péter Ujfalusi, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Terry Cheong <htcheong@chromium.org>
[ Upstream commit 33b7dc7843dbdc9b90c91d11ba30b107f9138ffd ]
In enviornment without KMOD requesting module may fail to load
snd-hda-codec-hdmi, resulting in HDMI audio not usable.
Add softdep to loading HDMI codec module first to ensure we can load it
correctly.
Signed-off-by: Terry Cheong <htcheong@chromium.org>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Johny Lin <lpg76627@gmail.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20250206094723.18013-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-codec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c
index 6744318de612e..0449e7a2669ff 100644
--- a/sound/soc/sof/intel/hda-codec.c
+++ b/sound/soc/sof/intel/hda-codec.c
@@ -258,6 +258,7 @@ int hda_codec_i915_exit(struct snd_sof_dev *sdev)
}
EXPORT_SYMBOL_NS(hda_codec_i915_exit, SND_SOC_SOF_HDA_AUDIO_CODEC_I915);
+MODULE_SOFTDEP("pre: snd-hda-codec-hdmi");
#endif
MODULE_LICENSE("Dual BSD/GPL");
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 041/279] net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 040/279] ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 042/279] nvmet-rdma: recheck queue state is LIVE in state lock in recv done Greg Kroah-Hartman
` (244 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Loic Poulain,
Manivannan Sadhasivam, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
[ Upstream commit 0d1fac6d26aff5df21bb4ec980d9b7a11c410b96 ]
When using the Qualcomm X55 modem on the ThinkPad X13s, the kernel log is
constantly being filled with errors related to a "sequence number glitch",
e.g.:
[ 1903.284538] sequence number glitch prev=16 curr=0
[ 1913.812205] sequence number glitch prev=50 curr=0
[ 1923.698219] sequence number glitch prev=142 curr=0
[ 2029.248276] sequence number glitch prev=1555 curr=0
[ 2046.333059] sequence number glitch prev=70 curr=0
[ 2076.520067] sequence number glitch prev=272 curr=0
[ 2158.704202] sequence number glitch prev=2655 curr=0
[ 2218.530776] sequence number glitch prev=2349 curr=0
[ 2225.579092] sequence number glitch prev=6 curr=0
Internet connectivity is working fine, so this error seems harmless. It
looks like modem does not preserve the sequence number when entering low
power state; the amount of errors depends on how actively the modem is
being used.
A similar issue has also been seen on USB-based MBIM modems [1]. However,
in cdc_ncm.c the "sequence number glitch" message is a debug message
instead of an error. Apply the same to the mhi_wwan_mbim.c driver to
silence these errors when using the modem.
[1]: https://lists.freedesktop.org/archives/libmbim-devel/2016-November/000781.html
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Acked-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://patch.msgid.link/20250212-mhi-wwan-mbim-sequence-glitch-v1-1-503735977cbd@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wwan/mhi_wwan_mbim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wwan/mhi_wwan_mbim.c b/drivers/net/wwan/mhi_wwan_mbim.c
index ef70bb7c88ad6..43c20deab3189 100644
--- a/drivers/net/wwan/mhi_wwan_mbim.c
+++ b/drivers/net/wwan/mhi_wwan_mbim.c
@@ -209,7 +209,7 @@ static int mbim_rx_verify_nth16(struct mhi_mbim_context *mbim, struct sk_buff *s
if (mbim->rx_seq + 1 != le16_to_cpu(nth16->wSequence) &&
(mbim->rx_seq || le16_to_cpu(nth16->wSequence)) &&
!(mbim->rx_seq == 0xffff && !le16_to_cpu(nth16->wSequence))) {
- net_err_ratelimited("sequence number glitch prev=%d curr=%d\n",
+ net_dbg_ratelimited("sequence number glitch prev=%d curr=%d\n",
mbim->rx_seq, le16_to_cpu(nth16->wSequence));
}
mbim->rx_seq = le16_to_cpu(nth16->wSequence);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 042/279] nvmet-rdma: recheck queue state is LIVE in state lock in recv done
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 041/279] net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 043/279] sctp: Fix undefined behavior in left shift operation Greg Kroah-Hartman
` (243 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ruozhu Li, Sagi Grimberg,
Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruozhu Li <david.li@jaguarmicro.com>
[ Upstream commit 3988ac1c67e6e84d2feb987d7b36d5791174b3da ]
The queue state checking in nvmet_rdma_recv_done is not in queue state
lock.Queue state can transfer to LIVE in cm establish handler between
state checking and state lock here, cause a silent drop of nvme connect
cmd.
Recheck queue state whether in LIVE state in state lock to prevent this
issue.
Signed-off-by: Ruozhu Li <david.li@jaguarmicro.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/rdma.c | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
index 9561ba3d43138..3b4b2d134cf81 100644
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -996,6 +996,27 @@ static void nvmet_rdma_handle_command(struct nvmet_rdma_queue *queue,
nvmet_req_complete(&cmd->req, status);
}
+static bool nvmet_rdma_recv_not_live(struct nvmet_rdma_queue *queue,
+ struct nvmet_rdma_rsp *rsp)
+{
+ unsigned long flags;
+ bool ret = true;
+
+ spin_lock_irqsave(&queue->state_lock, flags);
+ /*
+ * recheck queue state is not live to prevent a race condition
+ * with RDMA_CM_EVENT_ESTABLISHED handler.
+ */
+ if (queue->state == NVMET_RDMA_Q_LIVE)
+ ret = false;
+ else if (queue->state == NVMET_RDMA_Q_CONNECTING)
+ list_add_tail(&rsp->wait_list, &queue->rsp_wait_list);
+ else
+ nvmet_rdma_put_rsp(rsp);
+ spin_unlock_irqrestore(&queue->state_lock, flags);
+ return ret;
+}
+
static void nvmet_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc)
{
struct nvmet_rdma_cmd *cmd =
@@ -1037,17 +1058,9 @@ static void nvmet_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc)
rsp->req.port = queue->port;
rsp->n_rdma = 0;
- if (unlikely(queue->state != NVMET_RDMA_Q_LIVE)) {
- unsigned long flags;
-
- spin_lock_irqsave(&queue->state_lock, flags);
- if (queue->state == NVMET_RDMA_Q_CONNECTING)
- list_add_tail(&rsp->wait_list, &queue->rsp_wait_list);
- else
- nvmet_rdma_put_rsp(rsp);
- spin_unlock_irqrestore(&queue->state_lock, flags);
+ if (unlikely(queue->state != NVMET_RDMA_Q_LIVE) &&
+ nvmet_rdma_recv_not_live(queue, rsp))
return;
- }
nvmet_rdma_handle_command(queue, rsp);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 043/279] sctp: Fix undefined behavior in left shift operation
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 042/279] nvmet-rdma: recheck queue state is LIVE in state lock in recv done Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 044/279] nvme: only allow entering LIVE from CONNECTING state Greg Kroah-Hartman
` (242 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu-Chun Lin, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu-Chun Lin <eleanor15x@gmail.com>
[ Upstream commit 606572eb22c1786a3957d24307f5760bb058ca19 ]
According to the C11 standard (ISO/IEC 9899:2011, 6.5.7):
"If E1 has a signed type and E1 x 2^E2 is not representable in the result
type, the behavior is undefined."
Shifting 1 << 31 causes signed integer overflow, which leads to undefined
behavior.
Fix this by explicitly using '1U << 31' to ensure the shift operates on
an unsigned type, avoiding undefined behavior.
Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
Link: https://patch.msgid.link/20250218081217.3468369-1-eleanor15x@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index ee6514af830f7..0527728aee986 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -735,7 +735,7 @@ struct sctp_chunk *sctp_process_strreset_tsnreq(
* value SHOULD be the smallest TSN not acknowledged by the
* receiver of the request plus 2^31.
*/
- init_tsn = sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + (1 << 31);
+ init_tsn = sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + (1U << 31);
sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
init_tsn, GFP_ATOMIC);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 044/279] nvme: only allow entering LIVE from CONNECTING state
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 043/279] sctp: Fix undefined behavior in left shift operation Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 045/279] ASoC: tas2770: Fix volume scale Greg Kroah-Hartman
` (241 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagi Grimberg, Daniel Wagner,
Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit d2fe192348f93fe3a0cb1e33e4aba58e646397f4 ]
The fabric transports and also the PCI transport are not entering the
LIVE state from NEW or RESETTING. This makes the state machine more
restrictive and allows to catch not supported state transitions, e.g.
directly switching from RESETTING to LIVE.
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 7f744aa4d120c..6748532c776b8 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -444,8 +444,6 @@ bool nvme_change_ctrl_state(struct nvme_ctrl *ctrl,
switch (new_state) {
case NVME_CTRL_LIVE:
switch (old_state) {
- case NVME_CTRL_NEW:
- case NVME_CTRL_RESETTING:
case NVME_CTRL_CONNECTING:
changed = true;
fallthrough;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 045/279] ASoC: tas2770: Fix volume scale
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 044/279] nvme: only allow entering LIVE from CONNECTING state Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 046/279] ASoC: tas2764: Fix power control mask Greg Kroah-Hartman
` (240 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hector Martin, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit 579cd64b9df8a60284ec3422be919c362de40e41 ]
The scale starts at -100dB, not -128dB.
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://patch.msgid.link/20250208-asoc-tas2770-v1-1-cf50ff1d59a3@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2770.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c
index ec0df3b1ef615..4e71dc1cf588f 100644
--- a/sound/soc/codecs/tas2770.c
+++ b/sound/soc/codecs/tas2770.c
@@ -508,7 +508,7 @@ static int tas2770_codec_probe(struct snd_soc_component *component)
}
static DECLARE_TLV_DB_SCALE(tas2770_digital_tlv, 1100, 50, 0);
-static DECLARE_TLV_DB_SCALE(tas2770_playback_volume, -12750, 50, 0);
+static DECLARE_TLV_DB_SCALE(tas2770_playback_volume, -10050, 50, 0);
static const struct snd_kcontrol_new tas2770_snd_controls[] = {
SOC_SINGLE_TLV("Speaker Playback Volume", TAS2770_PLAY_CFG_REG2,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 046/279] ASoC: tas2764: Fix power control mask
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 045/279] ASoC: tas2770: Fix volume scale Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 047/279] ASoC: tas2764: Set the SDOUT polarity correctly Greg Kroah-Hartman
` (239 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Gompa, Hector Martin,
James Calligeros, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit a3f172359e22b2c11b750d23560481a55bf86af1 ]
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250218-apple-codec-changes-v2-1-932760fd7e07@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2764.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/tas2764.h b/sound/soc/codecs/tas2764.h
index f015f22a083b5..b18a637bd9fa3 100644
--- a/sound/soc/codecs/tas2764.h
+++ b/sound/soc/codecs/tas2764.h
@@ -25,7 +25,7 @@
/* Power Control */
#define TAS2764_PWR_CTRL TAS2764_REG(0X0, 0x02)
-#define TAS2764_PWR_CTRL_MASK GENMASK(1, 0)
+#define TAS2764_PWR_CTRL_MASK GENMASK(2, 0)
#define TAS2764_PWR_CTRL_ACTIVE 0x0
#define TAS2764_PWR_CTRL_MUTE BIT(0)
#define TAS2764_PWR_CTRL_SHUTDOWN BIT(1)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 047/279] ASoC: tas2764: Set the SDOUT polarity correctly
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 046/279] ASoC: tas2764: Fix power control mask Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 048/279] fuse: dont truncate cached, mutated symlink Greg Kroah-Hartman
` (238 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Gompa, Hector Martin,
James Calligeros, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit f5468beeab1b1adfc63c2717b1f29ef3f49a5fab ]
TX launch polarity needs to be the opposite of RX capture polarity, to
generate the right bit slot alignment.
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250218-apple-codec-changes-v2-28-932760fd7e07@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2764.c | 10 +++++++++-
sound/soc/codecs/tas2764.h | 6 ++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
index 1951bae95b315..273bf4027a6e5 100644
--- a/sound/soc/codecs/tas2764.c
+++ b/sound/soc/codecs/tas2764.c
@@ -315,7 +315,7 @@ static int tas2764_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
{
struct snd_soc_component *component = dai->component;
struct tas2764_priv *tas2764 = snd_soc_component_get_drvdata(component);
- u8 tdm_rx_start_slot = 0, asi_cfg_0 = 0, asi_cfg_1 = 0;
+ u8 tdm_rx_start_slot = 0, asi_cfg_0 = 0, asi_cfg_1 = 0, asi_cfg_4 = 0;
int ret;
switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
@@ -324,12 +324,14 @@ static int tas2764_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
fallthrough;
case SND_SOC_DAIFMT_NB_NF:
asi_cfg_1 = TAS2764_TDM_CFG1_RX_RISING;
+ asi_cfg_4 = TAS2764_TDM_CFG4_TX_FALLING;
break;
case SND_SOC_DAIFMT_IB_IF:
asi_cfg_0 ^= TAS2764_TDM_CFG0_FRAME_START;
fallthrough;
case SND_SOC_DAIFMT_IB_NF:
asi_cfg_1 = TAS2764_TDM_CFG1_RX_FALLING;
+ asi_cfg_4 = TAS2764_TDM_CFG4_TX_RISING;
break;
}
@@ -339,6 +341,12 @@ static int tas2764_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
if (ret < 0)
return ret;
+ ret = snd_soc_component_update_bits(component, TAS2764_TDM_CFG4,
+ TAS2764_TDM_CFG4_TX_MASK,
+ asi_cfg_4);
+ if (ret < 0)
+ return ret;
+
switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
case SND_SOC_DAIFMT_I2S:
asi_cfg_0 ^= TAS2764_TDM_CFG0_FRAME_START;
diff --git a/sound/soc/codecs/tas2764.h b/sound/soc/codecs/tas2764.h
index b18a637bd9fa3..337bc611bee96 100644
--- a/sound/soc/codecs/tas2764.h
+++ b/sound/soc/codecs/tas2764.h
@@ -75,6 +75,12 @@
#define TAS2764_TDM_CFG3_RXS_SHIFT 0x4
#define TAS2764_TDM_CFG3_MASK GENMASK(3, 0)
+/* TDM Configuration Reg4 */
+#define TAS2764_TDM_CFG4 TAS2764_REG(0X0, 0x0d)
+#define TAS2764_TDM_CFG4_TX_MASK BIT(0)
+#define TAS2764_TDM_CFG4_TX_RISING 0x0
+#define TAS2764_TDM_CFG4_TX_FALLING BIT(0)
+
/* TDM Configuration Reg5 */
#define TAS2764_TDM_CFG5 TAS2764_REG(0X0, 0x0e)
#define TAS2764_TDM_CFG5_VSNS_MASK BIT(6)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 048/279] fuse: dont truncate cached, mutated symlink
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 047/279] ASoC: tas2764: Set the SDOUT polarity correctly Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 049/279] x86/irq: Define trace events conditionally Greg Kroah-Hartman
` (237 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laura Promberger, Sam Lewis,
Miklos Szeredi, Bernd Schubert, Christian Brauner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit b4c173dfbb6c78568578ff18f9e8822d7bd0e31b ]
Fuse allows the value of a symlink to change and this property is exploited
by some filesystems (e.g. CVMFS).
It has been observed, that sometimes after changing the symlink contents,
the value is truncated to the old size.
This is caused by fuse_getattr() racing with fuse_reverse_inval_inode().
fuse_reverse_inval_inode() updates the fuse_inode's attr_version, which
results in fuse_change_attributes() exiting before updating the cached
attributes
This is okay, as the cached attributes remain invalid and the next call to
fuse_change_attributes() will likely update the inode with the correct
values.
The reason this causes problems is that cached symlinks will be
returned through page_get_link(), which truncates the symlink to
inode->i_size. This is correct for filesystems that don't mutate
symlinks, but in this case it causes bad behavior.
The solution is to just remove this truncation. This can cause a
regression in a filesystem that relies on supplying a symlink larger than
the file size, but this is unlikely. If that happens we'd need to make
this behavior conditional.
Reported-by: Laura Promberger <laura.promberger@cern.ch>
Tested-by: Sam Lewis <samclewis@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://lore.kernel.org/r/20250220100258.793363-1-mszeredi@redhat.com
Reviewed-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dir.c | 2 +-
fs/namei.c | 24 +++++++++++++++++++-----
include/linux/fs.h | 2 ++
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 44d1c8cc58a42..03dadc44e9b1c 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1333,7 +1333,7 @@ static const char *fuse_get_link(struct dentry *dentry, struct inode *inode,
goto out_err;
if (fc->cache_symlinks)
- return page_get_link(dentry, inode, callback);
+ return page_get_link_raw(dentry, inode, callback);
err = -ECHILD;
if (!dentry)
diff --git a/fs/namei.c b/fs/namei.c
index 05d45b9b59cb4..c188d525300d1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -5114,10 +5114,9 @@ const char *vfs_get_link(struct dentry *dentry, struct delayed_call *done)
EXPORT_SYMBOL(vfs_get_link);
/* get the link contents into pagecache */
-const char *page_get_link(struct dentry *dentry, struct inode *inode,
- struct delayed_call *callback)
+static char *__page_get_link(struct dentry *dentry, struct inode *inode,
+ struct delayed_call *callback)
{
- char *kaddr;
struct page *page;
struct address_space *mapping = inode->i_mapping;
@@ -5136,8 +5135,23 @@ const char *page_get_link(struct dentry *dentry, struct inode *inode,
}
set_delayed_call(callback, page_put_link, page);
BUG_ON(mapping_gfp_mask(mapping) & __GFP_HIGHMEM);
- kaddr = page_address(page);
- nd_terminate_link(kaddr, inode->i_size, PAGE_SIZE - 1);
+ return page_address(page);
+}
+
+const char *page_get_link_raw(struct dentry *dentry, struct inode *inode,
+ struct delayed_call *callback)
+{
+ return __page_get_link(dentry, inode, callback);
+}
+EXPORT_SYMBOL_GPL(page_get_link_raw);
+
+const char *page_get_link(struct dentry *dentry, struct inode *inode,
+ struct delayed_call *callback)
+{
+ char *kaddr = __page_get_link(dentry, inode, callback);
+
+ if (!IS_ERR(kaddr))
+ nd_terminate_link(kaddr, inode->i_size, PAGE_SIZE - 1);
return kaddr;
}
diff --git a/include/linux/fs.h b/include/linux/fs.h
index d011dc742e3ef..a111724982795 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3387,6 +3387,8 @@ extern const struct file_operations generic_ro_fops;
extern int readlink_copy(char __user *, int, const char *);
extern int page_readlink(struct dentry *, char __user *, int);
+extern const char *page_get_link_raw(struct dentry *, struct inode *,
+ struct delayed_call *);
extern const char *page_get_link(struct dentry *, struct inode *,
struct delayed_call *);
extern void page_put_link(void *);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 049/279] x86/irq: Define trace events conditionally
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 048/279] fuse: dont truncate cached, mutated symlink Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 050/279] mptcp: safety check before fallback Greg Kroah-Hartman
` (236 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Ingo Molnar,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 9de7695925d5d2d2085681ba935857246eb2817d ]
When both of X86_LOCAL_APIC and X86_THERMAL_VECTOR are disabled,
the irq tracing produces a W=1 build warning for the tracing
definitions:
In file included from include/trace/trace_events.h:27,
from include/trace/define_trace.h:113,
from arch/x86/include/asm/trace/irq_vectors.h:383,
from arch/x86/kernel/irq.c:29:
include/trace/stages/init.h:2:23: error: 'str__irq_vectors__trace_system_name' defined but not used [-Werror=unused-const-variable=]
Make the tracepoints conditional on the same symbosl that guard
their usage.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20250225213236.3141752-1-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/irq.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
index 766ffe3ba3137..439fdb3f5fdf1 100644
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -23,8 +23,10 @@
#include <asm/traps.h>
#include <asm/thermal.h>
+#if defined(CONFIG_X86_LOCAL_APIC) || defined(CONFIG_X86_THERMAL_VECTOR)
#define CREATE_TRACE_POINTS
#include <asm/trace/irq_vectors.h>
+#endif
DEFINE_PER_CPU_SHARED_ALIGNED(irq_cpustat_t, irq_stat);
EXPORT_PER_CPU_SYMBOL(irq_stat);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 050/279] mptcp: safety check before fallback
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 049/279] x86/irq: Define trace events conditionally Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 051/279] drm/nouveau: Do not override forced connector status Greg Kroah-Hartman
` (235 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
[ Upstream commit db75a16813aabae3b78c06b1b99f5e314c1f55d3 ]
Recently, some fallback have been initiated, while the connection was
not supposed to fallback.
Add a safety check with a warning to detect when an wrong attempt to
fallback is being done. This should help detecting any future issues
quicker.
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250224-net-mptcp-misc-fixes-v1-3-f550f636b435@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mptcp/protocol.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 83e93a7e9b40e..cfb6aa72515e8 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -872,6 +872,8 @@ static inline void __mptcp_do_fallback(struct mptcp_sock *msk)
pr_debug("TCP fallback already done (msk=%p)\n", msk);
return;
}
+ if (WARN_ON_ONCE(!READ_ONCE(msk->allow_infinite_fallback)))
+ return;
set_bit(MPTCP_FALLBACK_DONE, &msk->flags);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 051/279] drm/nouveau: Do not override forced connector status
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 050/279] mptcp: safety check before fallback Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 052/279] block: fix kmem_cache of name bio-108 already exists Greg Kroah-Hartman
` (234 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Lyude Paul,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit 01f1d77a2630e774ce33233c4e6723bca3ae9daa ]
Keep user-forced connector status even if it cannot be programmed. Same
behavior as for the rest of the drivers.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250114100214.195386-1-tzimmermann@suse.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
index ac9eb92059bc3..30f871be52cb3 100644
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -754,7 +754,6 @@ nouveau_connector_force(struct drm_connector *connector)
if (!nv_encoder) {
NV_ERROR(drm, "can't find encoder to force %s on!\n",
connector->name);
- connector->status = connector_status_disconnected;
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 052/279] block: fix kmem_cache of name bio-108 already exists
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 051/279] drm/nouveau: Do not override forced connector status Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 053/279] USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Greg Kroah-Hartman
` (233 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangwu Zhang, Ming Lei, Jens Axboe,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit b654f7a51ffb386131de42aa98ed831f8c126546 ]
Device mapper bioset often has big bio_slab size, which can be more than
1000, then 8byte can't hold the slab name any more, cause the kmem_cache
allocation warning of 'kmem_cache of name 'bio-108' already exists'.
Fix the warning by extending bio_slab->name to 12 bytes, but fix output
of /proc/slabinfo
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250228132656.2838008-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/bio.c b/block/bio.c
index 92399883bc5e1..029dba492ac2d 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -73,7 +73,7 @@ struct bio_slab {
struct kmem_cache *slab;
unsigned int slab_ref;
unsigned int slab_size;
- char name[8];
+ char name[12];
};
static DEFINE_MUTEX(bio_slab_lock);
static DEFINE_XARRAY(bio_slabs);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 053/279] USB: serial: ftdi_sio: add support for Altera USB Blaster 3
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 052/279] block: fix kmem_cache of name bio-108 already exists Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 054/279] USB: serial: option: add Telit Cinterion FE990B compositions Greg Kroah-Hartman
` (232 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boon Khai Ng, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boon Khai Ng <boon.khai.ng@intel.com>
commit 18e0885bd2ca738407036434418a26a58394a60e upstream.
The Altera USB Blaster 3, available as both a cable and an on-board
solution, is primarily used for programming and debugging FPGAs.
It interfaces with host software such as Quartus Programmer,
System Console, SignalTap, and Nios Debugger. The device utilizes
either an FT2232 or FT4232 chip.
Enabling the support for various configurations of the on-board
USB Blaster 3 by including the appropriate VID/PID pairs,
allowing it to function as a serial device via ftdi_sio.
Note that this check-in does not include support for the
cable solution, as it does not support UART functionality.
The supported configurations are determined by the
hardware design and include:
1) PID 0x6022, FT2232, 1 JTAG port (Port A) + Port B as UART
2) PID 0x6025, FT4232, 1 JTAG port (Port A) + Port C as UART
3) PID 0x6026, FT4232, 1 JTAG port (Port A) + Port C, D as UART
4) PID 0x6029, FT4232, 1 JTAG port (Port B) + Port C as UART
5) PID 0x602a, FT4232, 1 JTAG port (Port B) + Port C, D as UART
6) PID 0x602c, FT4232, 1 JTAG port (Port A) + Port B as UART
7) PID 0x602d, FT4232, 1 JTAG port (Port A) + Port B, C as UART
8) PID 0x602e, FT4232, 1 JTAG port (Port A) + Port B, C, D as UART
These configurations allow for flexibility in how the USB Blaster 3 is
used, depending on the specific needs of the hardware design.
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 14 ++++++++++++++
drivers/usb/serial/ftdi_sio_ids.h | 13 +++++++++++++
2 files changed, 27 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1057,6 +1057,20 @@ static const struct usb_device_id id_tab
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
/* GMC devices */
{ USB_DEVICE(GMC_VID, GMC_Z216C_PID) },
+ /* Altera USB Blaster 3 */
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_6022_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_6025_PID, 2) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_6026_PID, 2) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_6026_PID, 3) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_6029_PID, 2) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602A_PID, 2) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602A_PID, 3) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602C_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602D_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602D_PID, 2) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 2) },
+ { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 3) },
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1605,3 +1605,16 @@
*/
#define GMC_VID 0x1cd7
#define GMC_Z216C_PID 0x0217 /* GMC Z216C Adapter IR-USB */
+
+/*
+ * Altera USB Blaster 3 (http://www.altera.com).
+ */
+#define ALTERA_VID 0x09fb
+#define ALTERA_UB3_6022_PID 0x6022
+#define ALTERA_UB3_6025_PID 0x6025
+#define ALTERA_UB3_6026_PID 0x6026
+#define ALTERA_UB3_6029_PID 0x6029
+#define ALTERA_UB3_602A_PID 0x602a
+#define ALTERA_UB3_602C_PID 0x602c
+#define ALTERA_UB3_602D_PID 0x602d
+#define ALTERA_UB3_602E_PID 0x602e
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 054/279] USB: serial: option: add Telit Cinterion FE990B compositions
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 053/279] USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 055/279] USB: serial: option: fix Telit Cinterion FE990A name Greg Kroah-Hartman
` (231 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Daniele Palmas,
Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 4981bb50392b7515b765da28cf8768ce624c2670 upstream.
Add the following Telit Cinterion FE990B40 compositions:
0x10b0: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10b0 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=28c2595e
C: #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10b1: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10b1 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=28c2595e
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10b2: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10b2 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=28c2595e
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10b3: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10b3 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=28c2595e
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Reviewed-by: Daniele Palmas <dnlplm@gmail.com>
[ johan: use USB_DEVICE_AND_INTERFACE_INFO() and sort by protocol ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1388,6 +1388,22 @@ static const struct usb_device_id option
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10aa, 0xff), /* Telit FN920C04 (MBIM) */
.driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b0, 0xff, 0xff, 0x30), /* Telit FE990B (rmnet) */
+ .driver_info = NCTRL(5) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b0, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b0, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b1, 0xff, 0xff, 0x30), /* Telit FE990B (MBIM) */
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b1, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b1, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b2, 0xff, 0xff, 0x30), /* Telit FE990B (RNDIS) */
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b2, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b2, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x30), /* Telit FE990B (ECM) */
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x60) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c0, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c4, 0xff), /* Telit FE910C04 (rmnet) */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 055/279] USB: serial: option: fix Telit Cinterion FE990A name
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 054/279] USB: serial: option: add Telit Cinterion FE990B compositions Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 056/279] USB: serial: option: match on interface class for Telit FN990B Greg Kroah-Hartman
` (230 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 6232f0d8e100a26275bbd773fc56a60af2c95322 upstream.
The correct name for FE990 is FE990A so use it in order to avoid
confusion with FE990B.
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1368,13 +1368,13 @@ static const struct usb_device_id option
.driver_info = NCTRL(0) | RSVD(1) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */
.driver_info = RSVD(0) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1080, 0xff), /* Telit FE990 (rmnet) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1080, 0xff), /* Telit FE990A (rmnet) */
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1081, 0xff), /* Telit FE990 (MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1081, 0xff), /* Telit FE990A (MBIM) */
.driver_info = NCTRL(0) | RSVD(1) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1082, 0xff), /* Telit FE990 (RNDIS) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1082, 0xff), /* Telit FE990A (RNDIS) */
.driver_info = NCTRL(2) | RSVD(3) },
- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1083, 0xff), /* Telit FE990 (ECM) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1083, 0xff), /* Telit FE990A (ECM) */
.driver_info = NCTRL(0) | RSVD(1) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a0, 0xff), /* Telit FN20C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(3) },
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 056/279] USB: serial: option: match on interface class for Telit FN990B
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 055/279] USB: serial: option: fix Telit Cinterion FE990A name Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 057/279] x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Greg Kroah-Hartman
` (229 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Daniele Palmas,
Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 9a665fe3d967fe46edb4fd2497c7a5cc2dac2f55 upstream.
The device id entries for Telit FN990B ended up matching only on the
interface protocol. While this works, the protocol is qualified by the
interface class (and subclass) which should have been included.
Switch to matching using USB_DEVICE_AND_INTERFACE_INFO() while keeping
the entries sorted also by protocol for consistency.
Link: https://lore.kernel.org/20250227110655.3647028-2-fabio.porcedda@gmail.com/
Cc: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: Daniele Palmas <dnlplm@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1410,22 +1410,22 @@ static const struct usb_device_id option
.driver_info = RSVD(0) | NCTRL(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x60) }, /* Telit FN990B (rmnet) */
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x40) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x30),
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x30), /* Telit FN990B (rmnet) */
.driver_info = NCTRL(5) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x60) }, /* Telit FN990B (MBIM) */
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x40) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x30),
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30), /* Telit FN990B (MBIM) */
.driver_info = NCTRL(6) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x60) }, /* Telit FN990B (RNDIS) */
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x40) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x30),
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d2, 0xff, 0xff, 0x30), /* Telit FN990B (RNDIS) */
.driver_info = NCTRL(6) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x60) }, /* Telit FN990B (ECM) */
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x40) },
- { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x30),
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d2, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d2, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d3, 0xff, 0xff, 0x30), /* Telit FN990B (ECM) */
.driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d3, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d3, 0xff, 0xff, 0x60) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
.driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 057/279] x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 056/279] USB: serial: option: match on interface class for Telit FN990B Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 058/279] drm/atomic: Filter out redundant DPMS calls Greg Kroah-Hartman
` (228 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florent Revest,
Borislav Petkov (AMD)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florent Revest <revest@chromium.org>
commit e3e89178a9f4a80092578af3ff3c8478f9187d59 upstream.
Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask.
According to Documentation/admin-guide/mm/numaperf.rst:
"Some memory may share the same node as a CPU, and others are provided as
memory only nodes."
Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".
On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an
index that is 1 out of bounds
This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update.
When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat:
UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y
index 512 is out of range for type 'unsigned long[512]'
[...]
Call Trace:
dump_stack
__ubsan_handle_out_of_bounds
load_microcode_amd
request_microcode_amd
reload_store
kernfs_fop_write_iter
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe
Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update.
[ bp: Massage commit message, fix typo. ]
Fixes: 7ff6edf4fef3 ("x86/microcode/AMD: Fix mixed steppings support")
Signed-off-by: Florent Revest <revest@chromium.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250310144243.861978-1-revest@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -861,7 +861,7 @@ static enum ucode_state load_microcode_a
return ret;
}
- for_each_node(nid) {
+ for_each_node_with_cpus(nid) {
cpu = cpumask_first(cpumask_of_node(nid));
c = &cpu_data(cpu);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 058/279] drm/atomic: Filter out redundant DPMS calls
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 057/279] x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 059/279] drm/amd/display: Restore correct backlight brightness after a GPU reset Greg Kroah-Hartman
` (227 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Simona Vetter,
Ville Syrjälä
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit de93ddf88088f7624b589d0ff3af9effb87e8f3b upstream.
Video players (eg. mpv) do periodic XResetScreenSaver() calls to
keep the screen on while the video playing. The modesetting ddx
plumbs these straight through into the kernel as DPMS setproperty
ioctls, without any filtering whatsoever. When implemented via
atomic these end up as empty commits on the crtc (which will
nonetheless take one full frame), which leads to a dropped
frame every time XResetScreenSaver() is called.
Let's just filter out redundant DPMS property changes in the
kernel to avoid this issue.
v2: Explain the resulting commits a bit better (Sima)
Document the behaviour in uapi docs (Sima)
Cc: stable@vger.kernel.org
Testcase: igt/kms_flip/flip-vs-dpms-on-nop
Reviewed-by: Simona Vetter <simona.vetter@ffwll.ch>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250219160239.17502-1-ville.syrjala@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_atomic_uapi.c | 4 ++++
drivers/gpu/drm/drm_connector.c | 4 ++++
2 files changed, 8 insertions(+)
--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -964,6 +964,10 @@ int drm_atomic_connector_commit_dpms(str
if (mode != DRM_MODE_DPMS_ON)
mode = DRM_MODE_DPMS_OFF;
+
+ if (connector->dpms == mode)
+ goto out;
+
connector->dpms = mode;
crtc = connector->state->crtc;
--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -980,6 +980,10 @@ static const struct drm_prop_enum_list d
* callback. For atomic drivers the remapping to the "ACTIVE" property is
* implemented in the DRM core.
*
+ * On atomic drivers any DPMS setproperty ioctl where the value does not
+ * change is completely skipped, otherwise a full atomic commit will occur.
+ * On legacy drivers the exact behavior is driver specific.
+ *
* Note that this property cannot be set through the MODE_ATOMIC ioctl,
* userspace must use "ACTIVE" on the CRTC instead.
*
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 059/279] drm/amd/display: Restore correct backlight brightness after a GPU reset
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 058/279] drm/atomic: Filter out redundant DPMS calls Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 060/279] drm/amd/display: Assign normalized_pix_clk when color depth = 14 Greg Kroah-Hartman
` (226 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wayne Lin, Mario Limonciello,
Tom Chung, Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 5760388d9681ac743038b846b9082b9023969551 upstream.
[Why]
GPU reset will attempt to restore cached state, but brightness doesn't
get restored. It will come back at 100% brightness, but userspace thinks
it's the previous value.
[How]
When running resume sequence if GPU is in reset restore brightness
to previous value.
Acked-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5e19e2b57b6bb640d68dfc7991e1e182922cf867)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -218,6 +218,10 @@ amd_get_format_info(const struct drm_mod
static void handle_hpd_irq_helper(struct amdgpu_dm_connector *aconnector);
+static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm,
+ int bl_idx,
+ u32 user_brightness);
+
static bool
is_timing_unchanged_for_freesync(struct drm_crtc_state *old_crtc_state,
struct drm_crtc_state *new_crtc_state);
@@ -2698,6 +2702,12 @@ static int dm_resume(void *handle)
mutex_unlock(&dm->dc_lock);
+ /* set the backlight after a reset */
+ for (i = 0; i < dm->num_of_edps; i++) {
+ if (dm->backlight_dev[i])
+ amdgpu_dm_backlight_set_level(dm, i, dm->brightness[i]);
+ }
+
return 0;
}
/* Recreate dc_state - DC invalidates it when setting power state to S3. */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 060/279] drm/amd/display: Assign normalized_pix_clk when color depth = 14
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 059/279] drm/amd/display: Restore correct backlight brightness after a GPU reset Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 061/279] drm/amd/display: Fix slab-use-after-free on hdcp_work Greg Kroah-Hartman
` (225 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Alex Hung, Tom Chung,
Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
commit 79e31396fdd7037c503e6add15af7cb00633ea92 upstream.
[WHY & HOW]
A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397
calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the
display_color_depth == COLOR_DEPTH_141414 is not handled. This is
observed in Radeon RX 6600 XT.
It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.
Also fixes the indentation in get_norm_pix_clk.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -1901,10 +1901,13 @@ static int get_norm_pix_clk(const struct
break;
case COLOR_DEPTH_121212:
normalized_pix_clk = (pix_clk * 36) / 24;
- break;
+ break;
+ case COLOR_DEPTH_141414:
+ normalized_pix_clk = (pix_clk * 42) / 24;
+ break;
case COLOR_DEPTH_161616:
normalized_pix_clk = (pix_clk * 48) / 24;
- break;
+ break;
default:
ASSERT(0);
break;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 061/279] drm/amd/display: Fix slab-use-after-free on hdcp_work
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 060/279] drm/amd/display: Assign normalized_pix_clk when color depth = 14 Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 062/279] qlcnic: fix memory leak issues in qlcnic_sriov_common.c Greg Kroah-Hartman
` (224 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Alex Hung,
Mario Limonciello, Tom Chung, Daniel Wheeler
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit e65e7bea220c3ce8c4c793b4ba35557f4994ab2b upstream.
[Why]
A slab-use-after-free is reported when HDCP is destroyed but the
property_validate_dwork queue is still running.
[How]
Cancel the delayed work when destroying workqueue.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4006
Fixes: da3fd7ac0bcf ("drm/amd/display: Update CP property based on HW query")
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c
@@ -396,6 +396,7 @@ void hdcp_destroy(struct kobject *kobj,
for (i = 0; i < hdcp_work->max_link; i++) {
cancel_delayed_work_sync(&hdcp_work[i].callback_dwork);
cancel_delayed_work_sync(&hdcp_work[i].watchdog_timer_dwork);
+ cancel_delayed_work_sync(&hdcp_work[i].property_validate_dwork);
}
sysfs_remove_bin_file(kobj, &hdcp_work[0].attr);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 062/279] qlcnic: fix memory leak issues in qlcnic_sriov_common.c
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 061/279] drm/amd/display: Fix slab-use-after-free on hdcp_work Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 063/279] lib/buildid: Handle memfd_secret() files in build_id_parse() Greg Kroah-Hartman
` (223 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit d2b9d97e89c79c95f8b517e4fa43fd100f936acc upstream.
Add qlcnic_sriov_free_vlans() in qlcnic_sriov_alloc_vlans() if
any sriov_vlans fails to be allocated.
Add qlcnic_sriov_free_vlans() to free the memory allocated by
qlcnic_sriov_alloc_vlans() if "sriov->allowed_vlans" fails to
be allocated.
Fixes: 91b7282b613d ("qlcnic: Support VLAN id config.")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20250307094952.14874-1-haoxiang_li2024@163.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
@@ -454,8 +454,10 @@ static int qlcnic_sriov_set_guest_vlan_m
num_vlans = sriov->num_allowed_vlans;
sriov->allowed_vlans = kcalloc(num_vlans, sizeof(u16), GFP_KERNEL);
- if (!sriov->allowed_vlans)
+ if (!sriov->allowed_vlans) {
+ qlcnic_sriov_free_vlans(adapter);
return -ENOMEM;
+ }
vlans = (u16 *)&cmd->rsp.arg[3];
for (i = 0; i < num_vlans; i++)
@@ -2168,8 +2170,10 @@ int qlcnic_sriov_alloc_vlans(struct qlcn
vf = &sriov->vf_info[i];
vf->sriov_vlans = kcalloc(sriov->num_allowed_vlans,
sizeof(*vf->sriov_vlans), GFP_KERNEL);
- if (!vf->sriov_vlans)
+ if (!vf->sriov_vlans) {
+ qlcnic_sriov_free_vlans(adapter);
return -ENOMEM;
+ }
}
return 0;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 063/279] lib/buildid: Handle memfd_secret() files in build_id_parse()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 062/279] qlcnic: fix memory leak issues in qlcnic_sriov_common.c Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 064/279] tcp: fix races in tcp_abort() Greg Kroah-Hartman
` (222 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Lai, Shakeel Butt,
Andrii Nakryiko, Daniel Borkmann, Chen Linxuan
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
commit 5ac9b4e935dfc6af41eee2ddc21deb5c36507a9f upstream.
>From memfd_secret(2) manpage:
The memory areas backing the file created with memfd_secret(2) are
visible only to the processes that have access to the file descriptor.
The memory region is removed from the kernel page tables and only the
page tables of the processes holding the file descriptor map the
corresponding physical memory. (Thus, the pages in the region can't be
accessed by the kernel itself, so that, for example, pointers to the
region can't be passed to system calls.)
We need to handle this special case gracefully in build ID fetching
code. Return -EFAULT whenever secretmem file is passed to build_id_parse()
family of APIs. Original report and repro can be found in [0].
[0] https://lore.kernel.org/bpf/ZwyG8Uro%2FSyTXAni@ly-workstation/
Fixes: de3ec364c3c3 ("lib/buildid: add single folio-based file reader abstraction")
Reported-by: Yi Lai <yi1.lai@intel.com>
Suggested-by: Shakeel Butt <shakeel.butt@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Link: https://lore.kernel.org/bpf/20241017175431.6183-A-hca@linux.ibm.com
Link: https://lore.kernel.org/bpf/20241017174713.2157873-1-andrii@kernel.org
[ Chen Linxuan: backport same logic without folio-based changes ]
Fixes: 88a16a130933 ("perf: Add build id data in mmap2 event")
Signed-off-by: Chen Linxuan <chenlinxuan@deepin.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/buildid.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/lib/buildid.c
+++ b/lib/buildid.c
@@ -5,6 +5,7 @@
#include <linux/elf.h>
#include <linux/kernel.h>
#include <linux/pagemap.h>
+#include <linux/secretmem.h>
#define BUILD_ID 3
@@ -157,6 +158,10 @@ int build_id_parse(struct vm_area_struct
if (!vma->vm_file)
return -EINVAL;
+ /* reject secretmem folios created with memfd_secret() */
+ if (vma_is_secretmem(vma))
+ return -EFAULT;
+
page = find_get_page(vma->vm_file->f_mapping, 0);
if (!page)
return -EFAULT; /* page not mapped */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 064/279] tcp: fix races in tcp_abort()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 063/279] lib/buildid: Handle memfd_secret() files in build_id_parse() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 065/279] ASoC: ops: Consistently treat platform_max as control value Greg Kroah-Hartman
` (221 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Neal Cardwell,
Jakub Kicinski, Youngmin Nam
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 5ce4645c23cf5f048eb8e9ce49e514bababdee85 upstream.
tcp_abort() has the same issue than the one fixed in the prior patch
in tcp_write_err().
In order to get consistent results from tcp_poll(), we must call
sk_error_report() after tcp_done().
We can use tcp_done_with_error() to centralize this logic.
Fixes: c1e64e298b8c ("net: diag: Support destroying TCP sockets.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Link: https://lore.kernel.org/r/20240528125253.1966136-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[youngmin: Resolved minor conflict in net/ipv4/tcp.c]
Signed-off-by: Youngmin Nam <youngmin.nam@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4514,13 +4514,9 @@ int tcp_abort(struct sock *sk, int err)
bh_lock_sock(sk);
if (!sock_flag(sk, SOCK_DEAD)) {
- WRITE_ONCE(sk->sk_err, err);
- /* This barrier is coupled with smp_rmb() in tcp_poll() */
- smp_wmb();
- sk_error_report(sk);
if (tcp_need_reset(sk->sk_state))
tcp_send_active_reset(sk, GFP_ATOMIC);
- tcp_done(sk);
+ tcp_done_with_error(sk, err);
}
bh_unlock_sock(sk);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 065/279] ASoC: ops: Consistently treat platform_max as control value
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 064/279] tcp: fix races in tcp_abort() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 066/279] drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Greg Kroah-Hartman
` (220 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Keepax, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.cirrus.com>
[ Upstream commit 0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3 ]
This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in
snd_soc_put_volsw() by +min"), and makes some additional related
updates.
There are two ways the platform_max could be interpreted; the maximum
register value, or the maximum value the control can be set to. The
patch moved from treating the value as a control value to a register
one. When the patch was applied it was technically correct as
snd_soc_limit_volume() also used the register interpretation. However,
even then most of the other usages treated platform_max as a
control value, and snd_soc_limit_volume() has since been updated to
also do so in commit fb9ad24485087 ("ASoC: ops: add correct range
check for limiting volume"). That patch however, missed updating
snd_soc_put_volsw() back to the control interpretation, and fixing
snd_soc_info_volsw_range(). The control interpretation makes more
sense as limiting is typically done from the machine driver, so it is
appropriate to use the customer facing representation rather than the
internal codec representation. Update all the code to consistently use
this interpretation of platform_max.
Finally, also add some comments to the soc_mixer_control struct to
hopefully avoid further patches switching between the two approaches.
Fixes: fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20250228151456.3703342-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/soc.h | 5 ++++-
sound/soc/soc-ops.c | 15 +++++++--------
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/include/sound/soc.h b/include/sound/soc.h
index 3f0369aae2faf..42358dbc19b8c 100644
--- a/include/sound/soc.h
+++ b/include/sound/soc.h
@@ -1113,7 +1113,10 @@ void snd_soc_close_delayed_work(struct snd_soc_pcm_runtime *rtd);
/* mixer control */
struct soc_mixer_control {
- int min, max, platform_max;
+ /* Minimum and maximum specified as written to the hardware */
+ int min, max;
+ /* Limited maximum value specified as presented through the control */
+ int platform_max;
int reg, rreg;
unsigned int shift, rshift;
unsigned int sign_bit;
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 57caa91a4376e..d8d0a26a554de 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -317,7 +317,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
mask = BIT(sign_bit + 1) - 1;
val = ucontrol->value.integer.value[0];
- if (mc->platform_max && ((int)val + min) > mc->platform_max)
+ if (mc->platform_max && val > mc->platform_max)
return -EINVAL;
if (val > max - min)
return -EINVAL;
@@ -330,7 +330,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
val = val << shift;
if (snd_soc_volsw_is_stereo(mc)) {
val2 = ucontrol->value.integer.value[1];
- if (mc->platform_max && ((int)val2 + min) > mc->platform_max)
+ if (mc->platform_max && val2 > mc->platform_max)
return -EINVAL;
if (val2 > max - min)
return -EINVAL;
@@ -485,17 +485,16 @@ int snd_soc_info_volsw_range(struct snd_kcontrol *kcontrol,
{
struct soc_mixer_control *mc =
(struct soc_mixer_control *)kcontrol->private_value;
- int platform_max;
- int min = mc->min;
+ int max;
- if (!mc->platform_max)
- mc->platform_max = mc->max;
- platform_max = mc->platform_max;
+ max = mc->max - mc->min;
+ if (mc->platform_max && mc->platform_max < max)
+ max = mc->platform_max;
uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
uinfo->count = snd_soc_volsw_is_stereo(mc) ? 2 : 1;
uinfo->value.integer.min = 0;
- uinfo->value.integer.max = platform_max - min;
+ uinfo->value.integer.max = max;
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 066/279] drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 065/279] ASoC: ops: Consistently treat platform_max as control value Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 067/279] ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Greg Kroah-Hartman
` (219 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Patrik Jakobsson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
[ Upstream commit 9af152dcf1a06f589f44a74da4ad67e365d4db9a ]
Since pci_get_domain_bus_and_slot() can return NULL, add NULL check for
pci_gfx_root in the mid_get_vbt_data().
This change is similar to the checks implemented in mid_get_fuse_settings()
and mid_get_pci_revID(), which were introduced by commit 0cecdd818cd7
("gma500: Final enables for Oaktrail") as "additional minor
bulletproofing".
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: f910b411053f ("gma500: Add the glue to the various BIOS and firmware interfaces")
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250306112046.17144-1-i.abramov@mt-integration.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/gma500/mid_bios.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/gma500/mid_bios.c b/drivers/gpu/drm/gma500/mid_bios.c
index 68e787924ed04..1ba33f9518da2 100644
--- a/drivers/gpu/drm/gma500/mid_bios.c
+++ b/drivers/gpu/drm/gma500/mid_bios.c
@@ -280,6 +280,11 @@ static void mid_get_vbt_data(struct drm_psb_private *dev_priv)
0, PCI_DEVFN(2, 0));
int ret = -1;
+ if (pci_gfx_root == NULL) {
+ WARN_ON(1);
+ return;
+ }
+
/* Get the address of the platform config vbt */
pci_read_config_dword(pci_gfx_root, 0xFC, &addr);
pci_dev_put(pci_gfx_root);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 067/279] ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 066/279] drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 068/279] cifs: Fix integer overflow while processing acregmax mount option Greg Kroah-Hartman
` (218 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Charles Keepax,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit ed92bc5264c4357d4fca292c769ea9967cd3d3b6 ]
Free some resources in the error handling path of the probe, as already
done in the remove function.
Fixes: e3523e01869d ("ASoC: wm0010: Add initial wm0010 DSP driver")
Fixes: fd8b96574456 ("ASoC: wm0010: Clear IRQ as wake source and include missing header")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/5139ba1ab8c4c157ce04e56096a0f54a1683195c.1741549792.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wm0010.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/wm0010.c b/sound/soc/codecs/wm0010.c
index 28b4656c4e149..b2f87af1bfc87 100644
--- a/sound/soc/codecs/wm0010.c
+++ b/sound/soc/codecs/wm0010.c
@@ -952,7 +952,7 @@ static int wm0010_spi_probe(struct spi_device *spi)
if (ret) {
dev_err(wm0010->dev, "Failed to set IRQ %d as wake source: %d\n",
irq, ret);
- return ret;
+ goto free_irq;
}
if (spi->max_speed_hz)
@@ -964,9 +964,18 @@ static int wm0010_spi_probe(struct spi_device *spi)
&soc_component_dev_wm0010, wm0010_dai,
ARRAY_SIZE(wm0010_dai));
if (ret < 0)
- return ret;
+ goto disable_irq_wake;
return 0;
+
+disable_irq_wake:
+ irq_set_irq_wake(wm0010->irq, 0);
+
+free_irq:
+ if (wm0010->irq)
+ free_irq(wm0010->irq, wm0010);
+
+ return ret;
}
static int wm0010_spi_remove(struct spi_device *spi)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 068/279] cifs: Fix integer overflow while processing acregmax mount option
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 067/279] ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 069/279] cifs: Fix integer overflow while processing acdirmax " Greg Kroah-Hartman
` (217 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit 7489161b1852390b4413d57f2457cd40b34da6cc ]
User-provided mount parameter acregmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/fs_context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
index fb3651513f83a..d86cbed997fdd 100644
--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -1055,11 +1055,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
ctx->got_wsize = true;
break;
case Opt_acregmax:
- ctx->acregmax = HZ * result.uint_32;
- if (ctx->acregmax > CIFS_MAX_ACTIMEO) {
+ if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
cifs_errorf(fc, "acregmax too large\n");
goto cifs_parse_mount_err;
}
+ ctx->acregmax = HZ * result.uint_32;
break;
case Opt_acdirmax:
ctx->acdirmax = HZ * result.uint_32;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 069/279] cifs: Fix integer overflow while processing acdirmax mount option
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 068/279] cifs: Fix integer overflow while processing acregmax mount option Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 070/279] cifs: Fix integer overflow while processing actimeo " Greg Kroah-Hartman
` (216 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit 5b29891f91dfb8758baf1e2217bef4b16b2b165b ]
User-provided mount parameter acdirmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 4c9f948142a5 ("cifs: Add new mount parameter "acdirmax" to allow caching directory metadata")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/fs_context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
index d86cbed997fdd..9b1c0e0dfc63b 100644
--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -1062,11 +1062,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
ctx->acregmax = HZ * result.uint_32;
break;
case Opt_acdirmax:
- ctx->acdirmax = HZ * result.uint_32;
- if (ctx->acdirmax > CIFS_MAX_ACTIMEO) {
+ if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
cifs_errorf(fc, "acdirmax too large\n");
goto cifs_parse_mount_err;
}
+ ctx->acdirmax = HZ * result.uint_32;
break;
case Opt_actimeo:
if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 070/279] cifs: Fix integer overflow while processing actimeo mount option
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 069/279] cifs: Fix integer overflow while processing acdirmax " Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 071/279] cifs: Fix integer overflow while processing closetimeo " Greg Kroah-Hartman
` (215 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit 64f690ee22c99e16084e0e45181b2a1eed2fa149 ]
User-provided mount parameter actimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 6d20e8406f09 ("cifs: add attribute cache timeout (actimeo) tunable")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/fs_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
index 9b1c0e0dfc63b..f45a29a51700b 100644
--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -1069,7 +1069,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
ctx->acdirmax = HZ * result.uint_32;
break;
case Opt_actimeo:
- if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) {
+ if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
cifs_errorf(fc, "timeout too large\n");
goto cifs_parse_mount_err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 071/279] cifs: Fix integer overflow while processing closetimeo mount option
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 070/279] cifs: Fix integer overflow while processing actimeo " Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 072/279] i2c: ali1535: Fix an error handling path in ali1535_probe() Greg Kroah-Hartman
` (214 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit d5a30fddfe2f2e540f6c43b59cf701809995faef ]
User-provided mount parameter closetimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 5efdd9122eff ("smb3: allow deferred close timeout to be configurable")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/fs_context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
index f45a29a51700b..24c42043a2271 100644
--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -1081,11 +1081,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
ctx->acdirmax = ctx->acregmax = HZ * result.uint_32;
break;
case Opt_closetimeo:
- ctx->closetimeo = HZ * result.uint_32;
- if (ctx->closetimeo > SMB3_MAX_DCLOSETIMEO) {
+ if (result.uint_32 > SMB3_MAX_DCLOSETIMEO / HZ) {
cifs_errorf(fc, "closetimeo too large\n");
goto cifs_parse_mount_err;
}
+ ctx->closetimeo = HZ * result.uint_32;
break;
case Opt_echo_interval:
ctx->echo_interval = result.uint_32;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 072/279] i2c: ali1535: Fix an error handling path in ali1535_probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 071/279] cifs: Fix integer overflow while processing closetimeo " Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 073/279] i2c: ali15x3: Fix an error handling path in ali15x3_probe() Greg Kroah-Hartman
` (213 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Andi Shyti,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 9b5463f349d019a261f1e80803447efca3126151 ]
If i2c_add_adapter() fails, the request_region() call in ali1535_setup()
must be undone by a corresponding release_region() call, as done in the
remove function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/0daf63d7a2ce74c02e2664ba805bbfadab7d25e5.1741031571.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-ali1535.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-ali1535.c b/drivers/i2c/busses/i2c-ali1535.c
index ee83c4581bce0..cd2c8afebe798 100644
--- a/drivers/i2c/busses/i2c-ali1535.c
+++ b/drivers/i2c/busses/i2c-ali1535.c
@@ -490,6 +490,8 @@ MODULE_DEVICE_TABLE(pci, ali1535_ids);
static int ali1535_probe(struct pci_dev *dev, const struct pci_device_id *id)
{
+ int ret;
+
if (ali1535_setup(dev)) {
dev_warn(&dev->dev,
"ALI1535 not detected, module not inserted.\n");
@@ -501,7 +503,15 @@ static int ali1535_probe(struct pci_dev *dev, const struct pci_device_id *id)
snprintf(ali1535_adapter.name, sizeof(ali1535_adapter.name),
"SMBus ALI1535 adapter at %04x", ali1535_offset);
- return i2c_add_adapter(&ali1535_adapter);
+ ret = i2c_add_adapter(&ali1535_adapter);
+ if (ret)
+ goto release_region;
+
+ return 0;
+
+release_region:
+ release_region(ali1535_smba, ALI1535_SMB_IOSIZE);
+ return ret;
}
static void ali1535_remove(struct pci_dev *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 073/279] i2c: ali15x3: Fix an error handling path in ali15x3_probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 072/279] i2c: ali1535: Fix an error handling path in ali1535_probe() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 074/279] i2c: sis630: Fix an error handling path in sis630_probe() Greg Kroah-Hartman
` (212 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Andi Shyti,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 6e55caaf30c88209d097e575a169b1dface1ab69 ]
If i2c_add_adapter() fails, the request_region() call in ali15x3_setup()
must be undone by a corresponding release_region() call, as done in the
remove function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/9b2090cbcc02659f425188ea05f2e02745c4e67b.1741031878.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-ali15x3.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-ali15x3.c b/drivers/i2c/busses/i2c-ali15x3.c
index cc58feacd0821..28a57cb6efb99 100644
--- a/drivers/i2c/busses/i2c-ali15x3.c
+++ b/drivers/i2c/busses/i2c-ali15x3.c
@@ -473,6 +473,8 @@ MODULE_DEVICE_TABLE (pci, ali15x3_ids);
static int ali15x3_probe(struct pci_dev *dev, const struct pci_device_id *id)
{
+ int ret;
+
if (ali15x3_setup(dev)) {
dev_err(&dev->dev,
"ALI15X3 not detected, module not inserted.\n");
@@ -484,7 +486,15 @@ static int ali15x3_probe(struct pci_dev *dev, const struct pci_device_id *id)
snprintf(ali15x3_adapter.name, sizeof(ali15x3_adapter.name),
"SMBus ALI15X3 adapter at %04x", ali15x3_smba);
- return i2c_add_adapter(&ali15x3_adapter);
+ ret = i2c_add_adapter(&ali15x3_adapter);
+ if (ret)
+ goto release_region;
+
+ return 0;
+
+release_region:
+ release_region(ali15x3_smba, ALI15X3_SMB_IOSIZE);
+ return ret;
}
static void ali15x3_remove(struct pci_dev *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 074/279] i2c: sis630: Fix an error handling path in sis630_probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 073/279] i2c: ali15x3: Fix an error handling path in ali15x3_probe() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 075/279] drm/amd/display: Check for invalid input params when building scaling params Greg Kroah-Hartman
` (211 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Andi Shyti,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 2b22459792fcb4def9f0936d64575ac11a95a58d ]
If i2c_add_adapter() fails, the request_region() call in sis630_setup()
must be undone by a corresponding release_region() call, as done in the
remove function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/3d607601f2c38e896b10207963c6ab499ca5c307.1741033587.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-sis630.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-sis630.c b/drivers/i2c/busses/i2c-sis630.c
index cfb8e04a2a831..6befa6ff83f26 100644
--- a/drivers/i2c/busses/i2c-sis630.c
+++ b/drivers/i2c/busses/i2c-sis630.c
@@ -509,6 +509,8 @@ MODULE_DEVICE_TABLE(pci, sis630_ids);
static int sis630_probe(struct pci_dev *dev, const struct pci_device_id *id)
{
+ int ret;
+
if (sis630_setup(dev)) {
dev_err(&dev->dev,
"SIS630 compatible bus not detected, "
@@ -522,7 +524,15 @@ static int sis630_probe(struct pci_dev *dev, const struct pci_device_id *id)
snprintf(sis630_adapter.name, sizeof(sis630_adapter.name),
"SMBus SIS630 adapter at %04x", smbus_base + SMB_STS);
- return i2c_add_adapter(&sis630_adapter);
+ ret = i2c_add_adapter(&sis630_adapter);
+ if (ret)
+ goto release_region;
+
+ return 0;
+
+release_region:
+ release_region(smbus_base + SMB_STS, SIS630_SMB_IOREGION);
+ return ret;
}
static void sis630_remove(struct pci_dev *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 075/279] drm/amd/display: Check for invalid input params when building scaling params
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 074/279] i2c: sis630: Fix an error handling path in sis630_probe() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 076/279] drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Greg Kroah-Hartman
` (210 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wheeler, Charlene Liu,
Tom Chung, Michael Strauss, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Strauss <michael.strauss@amd.com>
[ Upstream commit 73b1da69f5314d96e1f963468863eaa884ee1030 ]
[WHY]
Function to calculate scaling ratios can be called with invalid plane
src/dest, causing a divide by zero.
[HOW]
Fail building scaling params if plane state src/dest rects are
unpopulated
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Reviewed-by: Charlene Liu <Charlene.Liu@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Michael Strauss <michael.strauss@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 374c9faac5a7 ("drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index f29299fb25c4d..de5192ee2b022 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -1025,6 +1025,15 @@ bool resource_build_scaling_params(struct pipe_ctx *pipe_ctx)
bool res = false;
DC_LOGGER_INIT(pipe_ctx->stream->ctx->logger);
+ /* Invalid input */
+ if (!plane_state->dst_rect.width ||
+ !plane_state->dst_rect.height ||
+ !plane_state->src_rect.width ||
+ !plane_state->src_rect.height) {
+ ASSERT(0);
+ return false;
+ }
+
pipe_ctx->plane_res.scl_data.format = convert_pixel_format_to_dalsurface(
pipe_ctx->plane_state->format);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 076/279] drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 075/279] drm/amd/display: Check for invalid input params when building scaling params Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 077/279] smb: client: Fix match_session bug preventing session reuse Greg Kroah-Hartman
` (209 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Ma Ke, Alex Deucher,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
[ Upstream commit 374c9faac5a763a05bc3f68ad9f73dab3c6aec90 ]
Null pointer dereference issue could occur when pipe_ctx->plane_state
is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not
null before accessing. This prevents a null pointer dereference.
Found by code review.
Fixes: 3be5262e353b ("drm/amd/display: Rename more dc_surface stuff to plane_state")
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092)
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index de5192ee2b022..a84280b65821b 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -1026,7 +1026,8 @@ bool resource_build_scaling_params(struct pipe_ctx *pipe_ctx)
DC_LOGGER_INIT(pipe_ctx->stream->ctx->logger);
/* Invalid input */
- if (!plane_state->dst_rect.width ||
+ if (!plane_state ||
+ !plane_state->dst_rect.width ||
!plane_state->dst_rect.height ||
!plane_state->src_rect.width ||
!plane_state->src_rect.height) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 077/279] smb: client: Fix match_session bug preventing session reuse
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 076/279] drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 078/279] smb: client: fix potential UAF in cifs_debug_files_proc_show() Greg Kroah-Hartman
` (208 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Enzo Matsumiya, Henrique Carvalho,
Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit 605b249ea96770ac4fac4b8510a99e0f8442be5e upstream.
Fix a bug in match_session() that can causes the session to not be
reused in some cases.
Reproduction steps:
mount.cifs //server/share /mnt/a -o credentials=creds
mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
cat /proc/fs/cifs/DebugData | grep SessionId | wc -l
mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
mount.cifs //server/share /mnt/a -o credentials=creds
cat /proc/fs/cifs/DebugData | grep SessionId | wc -l
Cc: stable@vger.kernel.org
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/connect.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1582,9 +1582,8 @@ out_err:
static int match_session(struct cifs_ses *ses, struct smb3_fs_context *ctx)
{
- if (ctx->sectype != Unspecified &&
- ctx->sectype != ses->sectype)
- return 0;
+ struct TCP_Server_Info *server = ses->server;
+ enum securityEnum ctx_sec, ses_sec;
/*
* If an existing session is limited to less channels than
@@ -1597,11 +1596,19 @@ static int match_session(struct cifs_ses
}
spin_unlock(&ses->chan_lock);
- switch (ses->sectype) {
+ ctx_sec = server->ops->select_sectype(server, ctx->sectype);
+ ses_sec = server->ops->select_sectype(server, ses->sectype);
+
+ if (ctx_sec != ses_sec)
+ return 0;
+
+ switch (ctx_sec) {
case Kerberos:
if (!uid_eq(ctx->cred_uid, ses->cred_uid))
return 0;
break;
+ case NTLMv2:
+ case RawNTLMSSP:
default:
/* NULL username means anonymous session */
if (ses->user_name == NULL) {
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 078/279] smb: client: fix potential UAF in cifs_debug_files_proc_show()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 077/279] smb: client: Fix match_session bug preventing session reuse Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 079/279] firmware: imx-scu: fix OF node leak in .probe() Greg Kroah-Hartman
` (207 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Steve French, Jianqi Ren, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream.
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ This patch removes lock/unlock operation in routine cifs_ses_exiting()
for ses_lock is not present in v5.15 and not ported yet. ses->status
is protected by a global lock, cifs_tcp_ses_lock, in v5.15. ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifs_debug.c | 2 ++
fs/cifs/cifsglob.h | 8 ++++++++
2 files changed, 10 insertions(+)
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -183,6 +183,8 @@ static int cifs_debug_files_proc_show(st
list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each(tmp, &server->smb_ses_list) {
ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp1, &ses->tcon_list) {
tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
spin_lock(&tcon->open_file_lock);
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -2041,4 +2041,12 @@ static inline struct scatterlist *cifs_s
return sg;
}
+static inline bool cifs_ses_exiting(struct cifs_ses *ses)
+{
+ bool ret;
+
+ ret = ses->status == CifsExiting;
+ return ret;
+}
+
#endif /* _CIFS_GLOB_H */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 079/279] firmware: imx-scu: fix OF node leak in .probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 078/279] smb: client: fix potential UAF in cifs_debug_files_proc_show() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 080/279] xfrm_output: Force software GSO only in tunnel mode Greg Kroah-Hartman
` (206 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Hattori, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit fbf10b86f6057cf79300720da4ea4b77e6708b0d ]
imx_scu_probe() calls of_parse_phandle_with_args(), but does not
release the OF node reference obtained by it. Add a of_node_put() call
after done with the node.
Fixes: f25a066d1a07 ("firmware: imx-scu: Support one TX and one RX")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/imx-scu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c
index dca79caccd01c..fa25c082109ac 100644
--- a/drivers/firmware/imx/imx-scu.c
+++ b/drivers/firmware/imx/imx-scu.c
@@ -279,6 +279,7 @@ static int imx_scu_probe(struct platform_device *pdev)
return ret;
sc_ipc->fast_ipc = of_device_is_compatible(args.np, "fsl,imx8-mu-scu");
+ of_node_put(args.np);
num_channel = sc_ipc->fast_ipc ? 2 : SCU_MU_CHAN_NUM;
for (i = 0; i < num_channel; i++) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 080/279] xfrm_output: Force software GSO only in tunnel mode
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 079/279] firmware: imx-scu: fix OF node leak in .probe() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 081/279] ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Greg Kroah-Hartman
` (205 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Yael Chemla,
Leon Romanovsky, Cosmin Ratiu, Steffen Klassert, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit 0aae2867aa6067f73d066bc98385e23c8454a1d7 ]
The cited commit fixed a software GSO bug with VXLAN + IPSec in tunnel
mode. Unfortunately, it is slightly broader than necessary, as it also
severely affects performance for Geneve + IPSec transport mode over a
device capable of both HW GSO and IPSec crypto offload. In this case,
xfrm_output unnecessarily triggers software GSO instead of letting the
HW do it. In simple iperf3 tests over Geneve + IPSec transport mode over
a back-2-back pair of NICs with MTU 1500, the performance was observed
to be up to 6x worse when doing software GSO compared to leaving it to
the hardware.
This commit makes xfrm_output only trigger software GSO in crypto
offload cases for already encapsulated packets in tunnel mode, as not
doing so would then cause the inner tunnel skb->inner_networking_header
to be overwritten and break software GSO for that packet later if the
device turns out to not be capable of HW GSO.
Taking a closer look at the conditions for the original bug, to better
understand the reasons for this change:
- vxlan_build_skb -> iptunnel_handle_offloads sets inner_protocol and
inner network header.
- then, udp_tunnel_xmit_skb -> ip_tunnel_xmit adds outer transport and
network headers.
- later in the xmit path, xfrm_output -> xfrm_outer_mode_output ->
xfrm4_prepare_output -> xfrm4_tunnel_encap_add overwrites the inner
network header with the one set in ip_tunnel_xmit before adding the
second outer header.
- __dev_queue_xmit -> validate_xmit_skb checks whether GSO segmentation
needs to happen based on dev features. In the original bug, the hw
couldn't segment the packets, so skb_gso_segment was invoked.
- deep in the .gso_segment callback machinery, __skb_udp_tunnel_segment
tries to use the wrong inner network header, expecting the one set in
iptunnel_handle_offloads but getting the one set by xfrm instead.
- a bit later, ipv6_gso_segment accesses the wrong memory based on that
wrong inner network header.
With the new change, the original bug (or similar ones) cannot happen
again, as xfrm will now trigger software GSO before applying a tunnel.
This concern doesn't exist in packet offload mode, when the HW adds
encapsulation headers. For the non-offloaded packets (crypto in SW),
software GSO is still done unconditionally in the else branch.
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Yael Chemla <ychemla@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Fixes: a204aef9fd77 ("xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 4dc4a7bbe51cf..29ce7f6f16a09 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -737,7 +737,7 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
skb->encapsulation = 1;
if (skb_is_gso(skb)) {
- if (skb->inner_protocol)
+ if (skb->inner_protocol && x->props.mode == XFRM_MODE_TUNNEL)
return xfrm_output_gso(net, sk, skb);
skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 081/279] ARM: dts: bcm2711: PL011 UARTs are actually r1p5
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 080/279] xfrm_output: Force software GSO only in tunnel mode Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 082/279] RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Greg Kroah-Hartman
` (204 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Elwell, Stefan Wahren,
Florian Fainelli, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Elwell <phil@raspberrypi.com>
[ Upstream commit 0de09025f161f67c07978c4742e221243d070d41 ]
The ARM PL011 UART instances in BCM2711 are r1p5 spec, which means they
have 32-entry FIFOs. The correct periphid value for this is 0x00341011.
Thanks to N Buchwitz for pointing this out.
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Link: https://lore.kernel.org/r/20250223125614.3592-2-wahrenst@gmx.net
Fixes: 7dbe8c62ceeb ("ARM: dts: Add minimal Raspberry Pi 4 support")
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/bcm2711.dtsi | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/bcm2711.dtsi b/arch/arm/boot/dts/bcm2711.dtsi
index 89af57482bc8f..926bc467d4516 100644
--- a/arch/arm/boot/dts/bcm2711.dtsi
+++ b/arch/arm/boot/dts/bcm2711.dtsi
@@ -133,7 +133,7 @@ uart2: serial@7e201400 {
clocks = <&clocks BCM2835_CLOCK_UART>,
<&clocks BCM2835_CLOCK_VPU>;
clock-names = "uartclk", "apb_pclk";
- arm,primecell-periphid = <0x00241011>;
+ arm,primecell-periphid = <0x00341011>;
status = "disabled";
};
@@ -144,7 +144,7 @@ uart3: serial@7e201600 {
clocks = <&clocks BCM2835_CLOCK_UART>,
<&clocks BCM2835_CLOCK_VPU>;
clock-names = "uartclk", "apb_pclk";
- arm,primecell-periphid = <0x00241011>;
+ arm,primecell-periphid = <0x00341011>;
status = "disabled";
};
@@ -155,7 +155,7 @@ uart4: serial@7e201800 {
clocks = <&clocks BCM2835_CLOCK_UART>,
<&clocks BCM2835_CLOCK_VPU>;
clock-names = "uartclk", "apb_pclk";
- arm,primecell-periphid = <0x00241011>;
+ arm,primecell-periphid = <0x00341011>;
status = "disabled";
};
@@ -166,7 +166,7 @@ uart5: serial@7e201a00 {
clocks = <&clocks BCM2835_CLOCK_UART>,
<&clocks BCM2835_CLOCK_VPU>;
clock-names = "uartclk", "apb_pclk";
- arm,primecell-periphid = <0x00241011>;
+ arm,primecell-periphid = <0x00341011>;
status = "disabled";
};
@@ -1142,6 +1142,7 @@ &txp {
};
&uart0 {
+ arm,primecell-periphid = <0x00341011>;
interrupts = <GIC_SPI 121 IRQ_TYPE_LEVEL_HIGH>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 082/279] RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 081/279] ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 083/279] ARM: dts: bcm2711: Dont mark timer regs unconfigured Greg Kroah-Hartman
` (203 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalesh AP, Kashyap Desai,
Selvin Xavier, Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kashyap Desai <kashyap.desai@broadcom.com>
[ Upstream commit 67ee8d496511ad8e1cb88f72944847e7b3e4e47c ]
The modulo operation returns wrong result without the
paranthesis and that resulted in wrong QP table indexing.
Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing")
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Link: https://patch.msgid.link/1741021178-2569-3-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
index aaf06cd939e69..08ea292512797 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
+++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
@@ -220,9 +220,10 @@ int bnxt_qplib_deinit_rcfw(struct bnxt_qplib_rcfw *rcfw);
int bnxt_qplib_init_rcfw(struct bnxt_qplib_rcfw *rcfw,
struct bnxt_qplib_ctx *ctx, int is_virtfn);
void bnxt_qplib_mark_qp_error(void *qp_handle);
+
static inline u32 map_qp_id_to_tbl_indx(u32 qid, struct bnxt_qplib_rcfw *rcfw)
{
/* Last index of the qp_tbl is for QP1 ie. qp_tbl_size - 1*/
- return (qid == 1) ? rcfw->qp_tbl_size - 1 : qid % rcfw->qp_tbl_size - 2;
+ return (qid == 1) ? rcfw->qp_tbl_size - 1 : (qid % (rcfw->qp_tbl_size - 2));
}
#endif /* __BNXT_QPLIB_RCFW_H__ */
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 083/279] ARM: dts: bcm2711: Dont mark timer regs unconfigured
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 082/279] RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 084/279] RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Greg Kroah-Hartman
` (202 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Elwell, Stefan Wahren,
Krzysztof Kozlowski, Florian Fainelli, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Elwell <phil@raspberrypi.com>
[ Upstream commit c24f272ae751a9f54f8816430e7f2d56031892cc ]
During upstream process of Raspberry Pi 4 back in 2019 the ARMv7 stubs
didn't configured the ARM architectural timer. This firmware issue has
been fixed in 2020, which gave users enough time to update their system.
So drop this property to allow the use of the vDSO version of
clock_gettime.
Link: https://github.com/raspberrypi/tools/pull/113
Fixes: 7dbe8c62ceeb ("ARM: dts: Add minimal Raspberry Pi 4 support")
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250222094113.48198-1-wahrenst@gmx.net
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/bcm2711.dtsi | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/arm/boot/dts/bcm2711.dtsi b/arch/arm/boot/dts/bcm2711.dtsi
index 926bc467d4516..da0eb87026028 100644
--- a/arch/arm/boot/dts/bcm2711.dtsi
+++ b/arch/arm/boot/dts/bcm2711.dtsi
@@ -450,8 +450,6 @@ IRQ_TYPE_LEVEL_LOW)>,
IRQ_TYPE_LEVEL_LOW)>,
<GIC_PPI 10 (GIC_CPU_MASK_SIMPLE(4) |
IRQ_TYPE_LEVEL_LOW)>;
- /* This only applies to the ARMv7 stub */
- arm,cpu-registers-not-fw-configured;
};
cpus: cpus {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 084/279] RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 083/279] ARM: dts: bcm2711: Dont mark timer regs unconfigured Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 085/279] RDMA/hns: Remove redundant phy_addr in hns_roce_hem_list_find_mtt() Greg Kroah-Hartman
` (201 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saravanan Vajravel, Selvin Xavier,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
[ Upstream commit 81c0db302a674f8004ed805393d17fd76f552e83 ]
Driver is always clearing the mask that sets the VLAN ID/Service Level
in the adapter. Recent change for supporting multiple traffic class
exposed this issue.
Allow setting SL and VLAN_ID while QP is moved from INIT to RTR state.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Fixes: c64b16a37b6d ("RDMA/bnxt_re: Support different traffic class")
Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Link: https://patch.msgid.link/1741670196-2919-1-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index 27cf6e62422aa..3725f05ad297b 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -1181,8 +1181,6 @@ static void __modify_flags_from_init_state(struct bnxt_qplib_qp *qp)
qp->path_mtu =
CMDQ_MODIFY_QP_PATH_MTU_MTU_2048;
}
- qp->modify_flags &=
- ~CMDQ_MODIFY_QP_MODIFY_MASK_VLAN_ID;
/* Bono FW require the max_dest_rd_atomic to be >= 1 */
if (qp->max_dest_rd_atomic < 1)
qp->max_dest_rd_atomic = 1;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 085/279] RDMA/hns: Remove redundant phy_addr in hns_roce_hem_list_find_mtt()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 084/279] RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 086/279] RDMA/hns: Fix soft lockup during bt pages loop Greg Kroah-Hartman
` (200 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengchang Tang, Yunsheng Lin,
Haoyue Xu, Jason Gunthorpe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengchang Tang <tangchengchang@huawei.com>
[ Upstream commit 5f652387c5423a82453c5cb446a88834bf41a94b ]
This parameter has never been used. Remove it to simplify the function.
Link: https://lore.kernel.org/r/20220922123315.3732205-8-xuhaoyue1@hisilicon.com
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Stable-dep-of: 25655580136d ("RDMA/hns: Fix soft lockup during bt pages loop")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hem.c | 7 +------
drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +-
drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++--
3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index 99708a7bcda78..57b84f5dc0f16 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -1487,19 +1487,17 @@ void hns_roce_hem_list_init(struct hns_roce_hem_list *hem_list)
void *hns_roce_hem_list_find_mtt(struct hns_roce_dev *hr_dev,
struct hns_roce_hem_list *hem_list,
- int offset, int *mtt_cnt, u64 *phy_addr)
+ int offset, int *mtt_cnt)
{
struct list_head *head = &hem_list->btm_bt;
struct hns_roce_hem_item *hem, *temp_hem;
void *cpu_base = NULL;
- u64 phy_base = 0;
int nr = 0;
list_for_each_entry_safe(hem, temp_hem, head, sibling) {
if (hem_list_page_is_in_range(hem, offset)) {
nr = offset - hem->start;
cpu_base = hem->addr + nr * BA_BYTE_LEN;
- phy_base = hem->dma_addr + nr * BA_BYTE_LEN;
nr = hem->end + 1 - offset;
break;
}
@@ -1508,8 +1506,5 @@ void *hns_roce_hem_list_find_mtt(struct hns_roce_dev *hr_dev,
if (mtt_cnt)
*mtt_cnt = nr;
- if (phy_addr)
- *phy_addr = phy_base;
-
return cpu_base;
}
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
index fa84ce33076ac..150922b22eaa6 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
@@ -132,7 +132,7 @@ void hns_roce_hem_list_release(struct hns_roce_dev *hr_dev,
struct hns_roce_hem_list *hem_list);
void *hns_roce_hem_list_find_mtt(struct hns_roce_dev *hr_dev,
struct hns_roce_hem_list *hem_list,
- int offset, int *mtt_cnt, u64 *phy_addr);
+ int offset, int *mtt_cnt);
static inline void hns_roce_hem_first(struct hns_roce_hem *hem,
struct hns_roce_hem_iter *iter)
diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
index 604dd38b5c8fd..791a45802d6b2 100644
--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
+++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
@@ -614,7 +614,7 @@ static int mtr_map_region(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
while (offset < end && npage < max_count) {
count = 0;
mtts = hns_roce_hem_list_find_mtt(hr_dev, &mtr->hem_list,
- offset, &count, NULL);
+ offset, &count);
if (!mtts)
return -ENOBUFS;
@@ -864,7 +864,7 @@ int hns_roce_mtr_find(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
mtt_count = 0;
mtts = hns_roce_hem_list_find_mtt(hr_dev, &mtr->hem_list,
start_index + total,
- &mtt_count, NULL);
+ &mtt_count);
if (!mtts || !mtt_count)
goto done;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 086/279] RDMA/hns: Fix soft lockup during bt pages loop
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 085/279] RDMA/hns: Remove redundant phy_addr in hns_roce_hem_list_find_mtt() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 087/279] RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Greg Kroah-Hartman
` (199 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxian Huang, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit 25655580136de59ec89f09089dd28008ea440fc9 ]
Driver runs a for-loop when allocating bt pages and mapping them with
buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated,
it may require a considerable loop count. This will lead to soft lockup:
watchdog: BUG: soft lockup - CPU#27 stuck for 22s!
...
Call trace:
hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2]
hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2]
hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2]
alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2]
hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2]
ib_uverbs_reg_mr+0x118/0x290
watchdog: BUG: soft lockup - CPU#35 stuck for 23s!
...
Call trace:
hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2]
mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2]
hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2]
alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2]
hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2]
ib_uverbs_reg_mr+0x120/0x2bc
Add a cond_resched() to fix soft lockup during these loops. In order not
to affect the allocation performance of normal-size buffer, set the loop
count of a 100GB MR as the threshold to call cond_resched().
Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250311084857.3803665-3-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hem.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index 57b84f5dc0f16..64ee875cc6d1c 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -1410,6 +1410,11 @@ static int hem_list_alloc_root_bt(struct hns_roce_dev *hr_dev,
return ret;
}
+/* This is the bottom bt pages number of a 100G MR on 4K OS, assuming
+ * the bt page size is not expanded by cal_best_bt_pg_sz()
+ */
+#define RESCHED_LOOP_CNT_THRESHOLD_ON_4K 12800
+
/* construct the base address table and link them by address hop config */
int hns_roce_hem_list_request(struct hns_roce_dev *hr_dev,
struct hns_roce_hem_list *hem_list,
@@ -1418,6 +1423,7 @@ int hns_roce_hem_list_request(struct hns_roce_dev *hr_dev,
{
const struct hns_roce_buf_region *r;
int ofs, end;
+ int loop;
int unit;
int ret;
int i;
@@ -1435,7 +1441,10 @@ int hns_roce_hem_list_request(struct hns_roce_dev *hr_dev,
continue;
end = r->offset + r->count;
- for (ofs = r->offset; ofs < end; ofs += unit) {
+ for (ofs = r->offset, loop = 1; ofs < end; ofs += unit, loop++) {
+ if (!(loop % RESCHED_LOOP_CNT_THRESHOLD_ON_4K))
+ cond_resched();
+
ret = hem_list_alloc_mid_bt(hr_dev, r, unit, ofs,
hem_list->mid_bt[i],
&hem_list->btm_bt);
@@ -1492,9 +1501,14 @@ void *hns_roce_hem_list_find_mtt(struct hns_roce_dev *hr_dev,
struct list_head *head = &hem_list->btm_bt;
struct hns_roce_hem_item *hem, *temp_hem;
void *cpu_base = NULL;
+ int loop = 1;
int nr = 0;
list_for_each_entry_safe(hem, temp_hem, head, sibling) {
+ if (!(loop % RESCHED_LOOP_CNT_THRESHOLD_ON_4K))
+ cond_resched();
+ loop++;
+
if (hem_list_page_is_in_range(hem, offset)) {
nr = offset - hem->start;
cpu_base = hem->addr + nr * BA_BYTE_LEN;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 087/279] RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 086/279] RDMA/hns: Fix soft lockup during bt pages loop Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 088/279] RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Greg Kroah-Hartman
` (198 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxian Huang, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit b9f59a24ba35a7d955a9f8e148dd9f85b7b40a01 ]
Currently the condition of unmapping sdb in error path is not exactly
the same as the condition of mapping in alloc_user_qp_db(). This may
cause a problem of unmapping an unmapped db in some case, such as
when the QP is XRC TGT. Unified the two conditions.
Fixes: 90ae0b57e4a5 ("RDMA/hns: Combine enable flags of qp")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250311084857.3803665-4-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_qp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
index ff019e32c4552..d7f620eb4f21d 100644
--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -842,12 +842,14 @@ static int alloc_user_qp_db(struct hns_roce_dev *hr_dev,
struct hns_roce_ib_create_qp *ucmd,
struct hns_roce_ib_create_qp_resp *resp)
{
+ bool has_sdb = user_qp_has_sdb(hr_dev, init_attr, udata, resp, ucmd);
struct hns_roce_ucontext *uctx = rdma_udata_to_drv_context(udata,
struct hns_roce_ucontext, ibucontext);
+ bool has_rdb = user_qp_has_rdb(hr_dev, init_attr, udata, resp);
struct ib_device *ibdev = &hr_dev->ib_dev;
int ret;
- if (user_qp_has_sdb(hr_dev, init_attr, udata, resp, ucmd)) {
+ if (has_sdb) {
ret = hns_roce_db_map_user(uctx, ucmd->sdb_addr, &hr_qp->sdb);
if (ret) {
ibdev_err(ibdev,
@@ -858,7 +860,7 @@ static int alloc_user_qp_db(struct hns_roce_dev *hr_dev,
hr_qp->en_flags |= HNS_ROCE_QP_CAP_SQ_RECORD_DB;
}
- if (user_qp_has_rdb(hr_dev, init_attr, udata, resp)) {
+ if (has_rdb) {
ret = hns_roce_db_map_user(uctx, ucmd->db_addr, &hr_qp->rdb);
if (ret) {
ibdev_err(ibdev,
@@ -872,7 +874,7 @@ static int alloc_user_qp_db(struct hns_roce_dev *hr_dev,
return 0;
err_sdb:
- if (hr_qp->en_flags & HNS_ROCE_QP_CAP_SQ_RECORD_DB)
+ if (has_sdb)
hns_roce_db_unmap_user(uctx, &hr_qp->sdb);
err_out:
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 088/279] RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 087/279] RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 089/279] RDMA/hns: Fix wrong value of max_sge_rd Greg Kroah-Hartman
` (197 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxian Huang, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit 444907dd45cbe62fd69398805b6e2c626fab5b3a ]
When ib_copy_to_udata() fails in hns_roce_create_qp_common(),
hns_roce_qp_remove() should be called in the error path to
clean up resources in hns_roce_qp_store().
Fixes: 0f00571f9433 ("RDMA/hns: Use new SQ doorbell register for HIP09")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250311084857.3803665-6-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_qp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
index d7f620eb4f21d..3875563abf374 100644
--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -1117,7 +1117,7 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev,
min(udata->outlen, sizeof(resp)));
if (ret) {
ibdev_err(ibdev, "copy qp resp failed!\n");
- goto err_store;
+ goto err_flow_ctrl;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 089/279] RDMA/hns: Fix wrong value of max_sge_rd
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 088/279] RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 090/279] Bluetooth: Fix error code in chan_alloc_skb_cb() Greg Kroah-Hartman
` (196 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxian Huang, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit 6b5e41a8b51fce520bb09bd651a29ef495e990de ]
There is no difference between the sge of READ and non-READ
operations in hns RoCE. Set max_sge_rd to the same value as
max_send_sge.
Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250311084857.3803665-8-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index e2d2f8f2bdbcf..83a6b8fbe10f0 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -185,7 +185,7 @@ static int hns_roce_query_device(struct ib_device *ib_dev,
IB_DEVICE_RC_RNR_NAK_GEN;
props->max_send_sge = hr_dev->caps.max_sq_sg;
props->max_recv_sge = hr_dev->caps.max_rq_sg;
- props->max_sge_rd = 1;
+ props->max_sge_rd = hr_dev->caps.max_sq_sg;
props->max_cq = hr_dev->caps.num_cqs;
props->max_cqe = hr_dev->caps.max_cqes;
props->max_mr = hr_dev->caps.num_mtpts;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 090/279] Bluetooth: Fix error code in chan_alloc_skb_cb()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 089/279] RDMA/hns: Fix wrong value of max_sge_rd Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 091/279] ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw() Greg Kroah-Hartman
` (195 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 72d061ee630d0dbb45c2920d8d19b3861c413e54 ]
The chan_alloc_skb_cb() function is supposed to return error pointers on
error. Returning NULL will lead to a NULL dereference.
Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/6lowpan.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 580b0940f067a..c4a1b478cf3e9 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -824,11 +824,16 @@ static struct sk_buff *chan_alloc_skb_cb(struct l2cap_chan *chan,
unsigned long hdr_len,
unsigned long len, int nb)
{
+ struct sk_buff *skb;
+
/* Note that we must allocate using GFP_ATOMIC here as
* this function is called originally from netdev hard xmit
* function in atomic context.
*/
- return bt_skb_alloc(hdr_len + len, GFP_ATOMIC);
+ skb = bt_skb_alloc(hdr_len + len, GFP_ATOMIC);
+ if (!skb)
+ return ERR_PTR(-ENOMEM);
+ return skb;
}
static void chan_suspend_cb(struct l2cap_chan *chan)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 091/279] ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 090/279] Bluetooth: Fix error code in chan_alloc_skb_cb() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 092/279] ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create() Greg Kroah-Hartman
` (194 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 9740890ee20e01f99ff1dde84c63dcf089fabb98 ]
fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything
when it fails.
Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")
moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()
but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in
case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak.
Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the
error path.
Note that we can remove the fib6_nh_release() call in nh_create_ipv6()
later in net-next.git.
Fixes: 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250312010333.56001-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 94526436b91e8..875cab88f3891 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3630,7 +3630,8 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
in6_dev_put(idev);
if (err) {
- lwtstate_put(fib6_nh->fib_nh_lws);
+ fib_nh_common_release(&fib6_nh->nh_common);
+ fib6_nh->nh_common.nhc_pcpu_rth_output = NULL;
fib6_nh->fib_nh_lws = NULL;
dev_put(dev);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 092/279] ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 091/279] ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 093/279] net: atm: fix use after free in lec_send() Greg Kroah-Hartman
` (193 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, David Ahern,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 9a81fc3480bf5dbe2bf80e278c440770f6ba2692 ]
While creating a new IPv6, we could get a weird -ENOMEM when
RTA_NH_ID is set and either of the conditions below is true:
1) CONFIG_IPV6_SUBTREES is enabled and rtm_src_len is specified
2) nexthop_get() fails
e.g.)
# strace ip -6 route add fe80::dead:beef:dead:beef nhid 1 from ::
recvmsg(3, {msg_iov=[{iov_base=[...[
{error=-ENOMEM, msg=[... [...]]},
[{nla_len=49, nla_type=NLMSGERR_ATTR_MSG}, "Nexthops can not be used with so"...]
]], iov_len=32768}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 148
Let's set err explicitly after ip_fib_metrics_init() in
ip6_route_info_create().
Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250312013854.61125-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 875cab88f3891..f8b2fdaef67f4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3807,10 +3807,12 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
if (nh) {
if (rt->fib6_src.plen) {
NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing");
+ err = -EINVAL;
goto out_free;
}
if (!nexthop_get(nh)) {
NL_SET_ERR_MSG(extack, "Nexthop has been deleted");
+ err = -ENOENT;
goto out_free;
}
rt->nh = nh;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 093/279] net: atm: fix use after free in lec_send()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 092/279] ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 094/279] net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Greg Kroah-Hartman
` (192 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit f3009d0d6ab78053117f8857b921a8237f4d17b3 ]
The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/c751531d-4af4-42fe-affe-6104b34b791d@stanley.mountain
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index 7226c784dbe0c..ca9952c52fb5c 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -181,6 +181,7 @@ static void
lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
{
struct net_device *dev = skb->dev;
+ unsigned int len = skb->len;
ATM_SKB(skb)->vcc = vcc;
atm_account_tx(vcc, skb);
@@ -191,7 +192,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
}
dev->stats.tx_packets++;
- dev->stats.tx_bytes += skb->len;
+ dev->stats.tx_bytes += len;
}
static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 094/279] net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 093/279] net: atm: fix use after free in lec_send() Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 095/279] Revert "gre: Fix IPv6 link-local address generation." Greg Kroah-Hartman
` (191 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lin Ma, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 90a7138619a0c55e2aefaad27b12ffc2ddbeed78 ]
Previous commit 8b5c171bb3dc ("neigh: new unresolved queue limits")
introduces new netlink attribute NDTPA_QUEUE_LENBYTES to represent
approximative value for deprecated QUEUE_LEN. However, it forgot to add
the associated nla_policy in nl_ntbl_parm_policy array. Fix it with one
simple NLA_U32 type policy.
Fixes: 8b5c171bb3dc ("neigh: new unresolved queue limits")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://patch.msgid.link/20250315165113.37600-1-linma@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 9549738b81842..b83878b5bf788 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2173,6 +2173,7 @@ static const struct nla_policy nl_neightbl_policy[NDTA_MAX+1] = {
static const struct nla_policy nl_ntbl_parm_policy[NDTPA_MAX+1] = {
[NDTPA_IFINDEX] = { .type = NLA_U32 },
[NDTPA_QUEUE_LEN] = { .type = NLA_U32 },
+ [NDTPA_QUEUE_LENBYTES] = { .type = NLA_U32 },
[NDTPA_PROXY_QLEN] = { .type = NLA_U32 },
[NDTPA_APP_PROBES] = { .type = NLA_U32 },
[NDTPA_UCAST_PROBES] = { .type = NLA_U32 },
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 095/279] Revert "gre: Fix IPv6 link-local address generation."
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 094/279] net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 096/279] i2c: omap: fix IRQ storms Greg Kroah-Hartman
` (190 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Stanislav Fomichev,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <gnault@redhat.com>
[ Upstream commit fc486c2d060f67d672ddad81724f7c8a4d329570 ]
This reverts commit 183185a18ff96751db52a46ccf93fff3a1f42815.
This patch broke net/forwarding/ip6gre_custom_multipath_hash.sh in some
circumstances (https://lore.kernel.org/netdev/Z9RIyKZDNoka53EO@mini-arch/).
Let's revert it while the problem is being investigated.
Fixes: 183185a18ff9 ("gre: Fix IPv6 link-local address generation.")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Link: https://patch.msgid.link/8b1ce738eb15dd841aab9ef888640cab4f6ccfea.1742418408.git.gnault@redhat.com
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f5cca40b71610..932a10f64adcb 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3145,13 +3145,16 @@ static void add_v4_addrs(struct inet6_dev *idev)
struct in6_addr addr;
struct net_device *dev;
struct net *net = dev_net(idev->dev);
- int scope, plen;
+ int scope, plen, offset = 0;
u32 pflags = 0;
ASSERT_RTNL();
memset(&addr, 0, sizeof(struct in6_addr));
- memcpy(&addr.s6_addr32[3], idev->dev->dev_addr, 4);
+ /* in case of IP6GRE the dev_addr is an IPv6 and therefore we use only the last 4 bytes */
+ if (idev->dev->addr_len == sizeof(struct in6_addr))
+ offset = sizeof(struct in6_addr) - 4;
+ memcpy(&addr.s6_addr32[3], idev->dev->dev_addr + offset, 4);
if (!(idev->dev->flags & IFF_POINTOPOINT) && idev->dev->type == ARPHRD_SIT) {
scope = IPV6_ADDR_COMPATv4;
@@ -3459,13 +3462,7 @@ static void addrconf_gre_config(struct net_device *dev)
return;
}
- /* Generate the IPv6 link-local address using addrconf_addr_gen(),
- * unless we have an IPv4 GRE device not bound to an IP address and
- * which is in EUI64 mode (as __ipv6_isatap_ifid() would fail in this
- * case). Such devices fall back to add_v4_addrs() instead.
- */
- if (!(dev->type == ARPHRD_IPGRE && *(__be32 *)dev->dev_addr == 0 &&
- idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_EUI64)) {
+ if (dev->type == ARPHRD_ETHER) {
addrconf_addr_gen(idev, true);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 096/279] i2c: omap: fix IRQ storms
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 095/279] Revert "gre: Fix IPv6 link-local address generation." Greg Kroah-Hartman
@ 2025-04-08 10:47 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 097/279] drm/v3d: Dont run jobs that have errors flagged in its fence Greg Kroah-Hartman
` (189 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Andreas Kemnade,
Nishanth Menon, Aniket Limaye, Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Kemnade <andreas@kemnade.info>
commit 285df995f90e3d61d97f327d34b9659d92313314 upstream.
On the GTA04A5 writing a reset command to the gyroscope causes IRQ
storms because NACK IRQs are enabled and therefore triggered but not
acked.
Sending a reset command to the gyroscope by
i2cset 1 0x69 0x14 0xb6
with an additional debug print in the ISR (not the thread) itself
causes
[ 363.353515] i2c i2c-1: ioctl, cmd=0x720, arg=0xbe801b00
[ 363.359039] omap_i2c 48072000.i2c: addr: 0x0069, len: 2, flags: 0x0, stop: 1
[ 363.366180] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x1110)
[ 363.371673] omap_i2c 48072000.i2c: IRQ (ISR = 0x0010)
[ 363.376892] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
[ 363.382263] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
[ 363.387664] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
repeating till infinity
[...]
(0x2 = NACK, 0x100 = Bus free, which is not enabled)
Apparently no other IRQ bit gets set, so this stalls.
Do not ignore enabled interrupts and make sure they are acked.
If the NACK IRQ is not needed, it should simply not enabled, but
according to the above log, caring about it is necessary unless
the Bus free IRQ is enabled and handled. The assumption that is
will always come with a ARDY IRQ, which was the idea behind
ignoring it, proves wrong.
It is true for simple reads from an unused address.
To still avoid the i2cdetect trouble which is the reason for
commit c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"),
avoid doing much about NACK in omap_i2c_xfer_data() which is used
by both IRQ mode and polling mode, so also the false detection fix
is extended to polling usage and IRQ storms are avoided.
By changing this, the hardirq handler is not needed anymore to filter
stuff.
The mentioned gyro reset now just causes a -ETIMEDOUT instead of
hanging the system.
Fixes: c770657bd261 ("i2c: omap: Fix standard mode false ACK readings").
CC: stable@kernel.org
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Tested-by: Nishanth Menon <nm@ti.com>
Reviewed-by: Aniket Limaye <a-limaye@ti.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250228140420.379498-1-andreas@kemnade.info
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-omap.c | 26 +++++++-------------------
1 file changed, 7 insertions(+), 19 deletions(-)
--- a/drivers/i2c/busses/i2c-omap.c
+++ b/drivers/i2c/busses/i2c-omap.c
@@ -1049,23 +1049,6 @@ static int omap_i2c_transmit_data(struct
return 0;
}
-static irqreturn_t
-omap_i2c_isr(int irq, void *dev_id)
-{
- struct omap_i2c_dev *omap = dev_id;
- irqreturn_t ret = IRQ_HANDLED;
- u16 mask;
- u16 stat;
-
- stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG);
- mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK;
-
- if (stat & mask)
- ret = IRQ_WAKE_THREAD;
-
- return ret;
-}
-
static int omap_i2c_xfer_data(struct omap_i2c_dev *omap)
{
u16 bits;
@@ -1096,8 +1079,13 @@ static int omap_i2c_xfer_data(struct oma
}
if (stat & OMAP_I2C_STAT_NACK) {
- err |= OMAP_I2C_STAT_NACK;
+ omap->cmd_err |= OMAP_I2C_STAT_NACK;
omap_i2c_ack_stat(omap, OMAP_I2C_STAT_NACK);
+
+ if (!(stat & ~OMAP_I2C_STAT_NACK)) {
+ err = -EAGAIN;
+ break;
+ }
}
if (stat & OMAP_I2C_STAT_AL) {
@@ -1475,7 +1463,7 @@ omap_i2c_probe(struct platform_device *p
IRQF_NO_SUSPEND, pdev->name, omap);
else
r = devm_request_threaded_irq(&pdev->dev, omap->irq,
- omap_i2c_isr, omap_i2c_isr_thread,
+ NULL, omap_i2c_isr_thread,
IRQF_NO_SUSPEND | IRQF_ONESHOT,
pdev->name, omap);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 097/279] drm/v3d: Dont run jobs that have errors flagged in its fence
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-04-08 10:47 ` [PATCH 5.15 096/279] i2c: omap: fix IRQ storms Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 098/279] regulator: check that dummy regulator has been probed before using it Greg Kroah-Hartman
` (188 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Iago Toral Quiroga, Maíra Canal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
commit 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 upstream.
The V3D driver still relies on `drm_sched_increase_karma()` and
`drm_sched_resubmit_jobs()` for resubmissions when a timeout occurs.
The function `drm_sched_increase_karma()` marks the job as guilty, while
`drm_sched_resubmit_jobs()` sets an error (-ECANCELED) in the DMA fence of
that guilty job.
Because of this, we must check whether the job’s DMA fence has been
flagged with an error before executing the job. Otherwise, the same guilty
job may be resubmitted indefinitely, causing repeated GPU resets.
This patch adds a check for an error on the job's fence to prevent running
a guilty job that was previously flagged when the GPU timed out.
Note that the CPU and CACHE_CLEAN queues do not require this check, as
their jobs are executed synchronously once the DRM scheduler starts them.
Cc: stable@vger.kernel.org
Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
Fixes: 1584f16ca96e ("drm/v3d: Add support for submitting jobs to the TFU.")
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250313-v3d-gpu-reset-fixes-v4-1-c1e780d8e096@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/v3d/v3d_sched.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -202,11 +202,15 @@ v3d_tfu_job_run(struct drm_sched_job *sc
struct drm_device *dev = &v3d->drm;
struct dma_fence *fence;
+ if (unlikely(job->base.base.s_fence->finished.error))
+ return NULL;
+
+ v3d->tfu_job = job;
+
fence = v3d_fence_create(v3d, V3D_TFU);
if (IS_ERR(fence))
return NULL;
- v3d->tfu_job = job;
if (job->base.irq_fence)
dma_fence_put(job->base.irq_fence);
job->base.irq_fence = dma_fence_get(fence);
@@ -240,6 +244,9 @@ v3d_csd_job_run(struct drm_sched_job *sc
struct dma_fence *fence;
int i;
+ if (unlikely(job->base.base.s_fence->finished.error))
+ return NULL;
+
v3d->csd_job = job;
v3d_invalidate_caches(v3d);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 098/279] regulator: check that dummy regulator has been probed before using it
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 097/279] drm/v3d: Dont run jobs that have errors flagged in its fence Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 099/279] mmc: atmel-mci: Add missing clk_disable_unprepare() Greg Kroah-Hartman
` (187 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Eggers, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Eggers <ceggers@arri.de>
commit 2c7a50bec4958f1d1c84d19cde518d0e96a676fd upstream.
Due to asynchronous driver probing there is a chance that the dummy
regulator hasn't already been probed when first accessing it.
Cc: stable@vger.kernel.org
Signed-off-by: Christian Eggers <ceggers@arri.de>
Link: https://patch.msgid.link/20250313103051.32430-3-ceggers@arri.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/core.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -2047,6 +2047,10 @@ static int regulator_resolve_supply(stru
if (have_full_constraints()) {
r = dummy_regulator_rdev;
+ if (!r) {
+ ret = -EPROBE_DEFER;
+ goto out;
+ }
get_device(&r->dev);
} else {
dev_err(dev, "Failed to resolve %s-supply for %s\n",
@@ -2064,6 +2068,10 @@ static int regulator_resolve_supply(stru
goto out;
}
r = dummy_regulator_rdev;
+ if (!r) {
+ ret = -EPROBE_DEFER;
+ goto out;
+ }
get_device(&r->dev);
}
@@ -2172,8 +2180,10 @@ struct regulator *_regulator_get(struct
* enabled, even if it isn't hooked up, and just
* provide a dummy.
*/
- dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
rdev = dummy_regulator_rdev;
+ if (!rdev)
+ return ERR_PTR(-EPROBE_DEFER);
+ dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
get_device(&rdev->dev);
break;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 099/279] mmc: atmel-mci: Add missing clk_disable_unprepare()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 098/279] regulator: check that dummy regulator has been probed before using it Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 100/279] proc: fix UAF in proc_get_inode() Greg Kroah-Hartman
` (186 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gu Bowen, Aubin Constans,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gu Bowen <gubowen5@huawei.com>
commit e51a349d2dcf1df8422dabb90b2f691dc7df6f92 upstream.
The error path when atmci_configure_dma() set dma fails in atmci driver
does not correctly disable the clock.
Add the missing clk_disable_unprepare() to the error path for pair with
clk_prepare_enable().
Fixes: 467e081d23e6 ("mmc: atmel-mci: use probe deferring if dma controller is not ready yet")
Signed-off-by: Gu Bowen <gubowen5@huawei.com>
Acked-by: Aubin Constans <aubin.constans@microchip.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250225022856.3452240-1-gubowen5@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/atmel-mci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/atmel-mci.c
+++ b/drivers/mmc/host/atmel-mci.c
@@ -2507,8 +2507,10 @@ static int atmci_probe(struct platform_d
/* Get MCI capabilities and set operations according to it */
atmci_get_cap(host);
ret = atmci_configure_dma(host);
- if (ret == -EPROBE_DEFER)
+ if (ret == -EPROBE_DEFER) {
+ clk_disable_unprepare(host->mck);
goto err_dma_probe_defer;
+ }
if (ret == 0) {
host->prepare_data = &atmci_prepare_data_dma;
host->submit_data = &atmci_submit_data_dma;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 100/279] proc: fix UAF in proc_get_inode()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 099/279] mmc: atmel-mci: Add missing clk_disable_unprepare() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 101/279] ARM: shmobile: smp: Enforce shmobile_smp_* alignment Greg Kroah-Hartman
` (185 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Alexey Dobriyan, Al Viro,
David S. Miller, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.
Fix race between rmmod and /proc/XXX's inode instantiation.
The bug is that pde->proc_ops don't belong to /proc, it belongs to a
module, therefore dereferencing it after /proc entry has been registered
is a bug unless use_pde/unuse_pde() pair has been used.
use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
never changes so information necessary for inode instantiation can be
saved _before_ proc_register() in PDE itself and used later, avoiding
pde->proc_ops->... dereference.
rmmod lookup
sys_delete_module
proc_lookup_de
pde_get(de);
proc_get_inode(dir->i_sb, de);
mod->exit()
proc_remove
remove_proc_subtree
proc_entry_rundown(de);
free_module(mod);
if (S_ISREG(inode->i_mode))
if (de->proc_ops->proc_read_iter)
--> As module is already freed, will trigger UAF
BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_lookup_de+0x11f/0x2e0
__lookup_slow+0x188/0x350
walk_component+0x2ab/0x4f0
path_lookupat+0x120/0x660
filename_lookup+0x1ce/0x560
vfs_statx+0xac/0x150
__do_sys_newstat+0x96/0x110
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/generic.c | 10 +++++++++-
fs/proc/inode.c | 6 +++---
fs/proc/internal.h | 14 ++++++++++++++
include/linux/proc_fs.h | 7 +++++--
4 files changed, 31 insertions(+), 6 deletions(-)
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -558,10 +558,16 @@ struct proc_dir_entry *proc_create_reg(c
return p;
}
-static inline void pde_set_flags(struct proc_dir_entry *pde)
+static void pde_set_flags(struct proc_dir_entry *pde)
{
if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
pde->flags |= PROC_ENTRY_PERMANENT;
+ if (pde->proc_ops->proc_read_iter)
+ pde->flags |= PROC_ENTRY_proc_read_iter;
+#ifdef CONFIG_COMPAT
+ if (pde->proc_ops->proc_compat_ioctl)
+ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+#endif
}
struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
@@ -625,6 +631,7 @@ struct proc_dir_entry *proc_create_seq_p
p->proc_ops = &proc_seq_ops;
p->seq_ops = ops;
p->state_size = state_size;
+ pde_set_flags(p);
return proc_register(parent, p);
}
EXPORT_SYMBOL(proc_create_seq_private);
@@ -655,6 +662,7 @@ struct proc_dir_entry *proc_create_singl
return NULL;
p->proc_ops = &proc_single_ops;
p->single_show = show;
+ pde_set_flags(p);
return proc_register(parent, p);
}
EXPORT_SYMBOL(proc_create_single_data);
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -670,13 +670,13 @@ struct inode *proc_get_inode(struct supe
if (S_ISREG(inode->i_mode)) {
inode->i_op = de->proc_iops;
- if (de->proc_ops->proc_read_iter)
+ if (pde_has_proc_read_iter(de))
inode->i_fop = &proc_iter_file_ops;
else
inode->i_fop = &proc_reg_file_ops;
#ifdef CONFIG_COMPAT
- if (de->proc_ops->proc_compat_ioctl) {
- if (de->proc_ops->proc_read_iter)
+ if (pde_has_proc_compat_ioctl(de)) {
+ if (pde_has_proc_read_iter(de))
inode->i_fop = &proc_iter_file_ops_compat;
else
inode->i_fop = &proc_reg_file_ops_compat;
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -79,6 +79,20 @@ static inline bool pde_is_permanent(cons
return pde->flags & PROC_ENTRY_PERMANENT;
}
+static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde)
+{
+ return pde->flags & PROC_ENTRY_proc_read_iter;
+}
+
+static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
+{
+#ifdef CONFIG_COMPAT
+ return pde->flags & PROC_ENTRY_proc_compat_ioctl;
+#else
+ return false;
+#endif
+}
+
extern struct kmem_cache *proc_dir_entry_cache;
void pde_free(struct proc_dir_entry *pde);
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -20,10 +20,13 @@ enum {
* If in doubt, ignore this flag.
*/
#ifdef MODULE
- PROC_ENTRY_PERMANENT = 0U,
+ PROC_ENTRY_PERMANENT = 0U,
#else
- PROC_ENTRY_PERMANENT = 1U << 0,
+ PROC_ENTRY_PERMANENT = 1U << 0,
#endif
+
+ PROC_ENTRY_proc_read_iter = 1U << 1,
+ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
};
struct proc_ops {
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 101/279] ARM: shmobile: smp: Enforce shmobile_smp_* alignment
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 100/279] proc: fix UAF in proc_get_inode() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 102/279] batman-adv: Ignore own maximum aggregation size during RX Greg Kroah-Hartman
` (184 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Lad Prabhakar
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit 379c590113ce46f605439d4887996c60ab8820cc upstream.
When the addresses of the shmobile_smp_mpidr, shmobile_smp_fn, and
shmobile_smp_arg variables are not multiples of 4 bytes, secondary CPU
bring-up fails:
smp: Bringing up secondary CPUs ...
CPU1: failed to come online
CPU2: failed to come online
CPU3: failed to come online
smp: Brought up 1 node, 1 CPU
Fix this by adding the missing alignment directive.
Fixes: 4e960f52fce16a3b ("ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss")
Closes: https://lore.kernel.org/r/CAMuHMdU=QR-JLgEHKWpsr6SbaZRc-Hz9r91JfpP8c3n2G-OjqA@mail.gmail.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Link: https://lore.kernel.org/c499234d559a0d95ad9472883e46077311051cd8.1741612208.git.geert+renesas@glider.be
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mach-shmobile/headsmp.S | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mach-shmobile/headsmp.S
+++ b/arch/arm/mach-shmobile/headsmp.S
@@ -136,6 +136,7 @@ ENDPROC(shmobile_smp_sleep)
.long shmobile_smp_arg - 1b
.bss
+ .align 2
.globl shmobile_smp_mpidr
shmobile_smp_mpidr:
.space NR_CPUS * 4
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 102/279] batman-adv: Ignore own maximum aggregation size during RX
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 101/279] ARM: shmobile: smp: Enforce shmobile_smp_* alignment Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 103/279] soc: qcom: pdr: Fix the potential deadlock Greg Kroah-Hartman
` (183 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Eckelmann, Simon Wunderlich
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 548b0c5de7619ef53bbde5590700693f2f6d2a56 upstream.
An OGMv1 and OGMv2 packet receive processing were not only limited by the
number of bytes in the received packet but also by the nodes maximum
aggregation packet size limit. But this limit is relevant for TX and not
for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid
loss of information in case of a different limit for sender and receiver.
This has a minor side effect for B.A.T.M.A.N. IV because the
batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX.
But since the aggregation code itself will not allow more than
BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in
this context) prior of removing it.
Cc: stable@vger.kernel.org
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_iv_ogm.c | 3 +--
net/batman-adv/bat_v_ogm.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -325,8 +325,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos,
/* check if there is enough space for the optional TVLV */
next_buff_pos += ntohs(ogm_packet->tvlv_len);
- return (next_buff_pos <= packet_len) &&
- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+ return next_buff_pos <= packet_len;
}
/* send a batman ogm to a given interface */
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -840,8 +840,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, i
/* check if there is enough space for the optional TVLV */
next_buff_pos += ntohs(ogm2_packet->tvlv_len);
- return (next_buff_pos <= packet_len) &&
- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+ return next_buff_pos <= packet_len;
}
/**
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 103/279] soc: qcom: pdr: Fix the potential deadlock
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 102/279] batman-adv: Ignore own maximum aggregation size during RX Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 104/279] drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Greg Kroah-Hartman
` (182 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Johan Hovold,
Saranya R, Mukesh Ojha, Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saranya R <quic_sarar@quicinc.com>
commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 upstream.
When some client process A call pdr_add_lookup() to add the look up for
the service and does schedule locator work, later a process B got a new
server packet indicating locator is up and call pdr_locator_new_server()
which eventually sets pdr->locator_init_complete to true which process A
sees and takes list lock and queries domain list but it will timeout due
to deadlock as the response will queued to the same qmi->wq and it is
ordered workqueue and process B is not able to complete new server
request work due to deadlock on list lock.
Fix it by removing the unnecessary list iteration as the list iteration
is already being done inside locator work, so avoid it here and just
call schedule_work() here.
Process A Process B
process_scheduled_works()
pdr_add_lookup() qmi_data_ready_work()
process_scheduled_works() pdr_locator_new_server()
pdr->locator_init_complete=true;
pdr_locator_work()
mutex_lock(&pdr->list_lock);
pdr_locate_service() mutex_lock(&pdr->list_lock);
pdr_get_domain_list()
pr_err("PDR: %s get domain list
txn wait failed: %d\n",
req->service_name,
ret);
Timeout error log due to deadlock:
"
PDR: tms/servreg get domain list txn wait failed: -110
PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
"
Thanks to Bjorn and Johan for letting me know that this commit also fixes
an audio regression when using the in-kernel pd-mapper as that makes it
easier to hit this race. [1]
Link: https://lore.kernel.org/lkml/Zqet8iInnDhnxkT9@hovoldconsulting.com/ # [1]
Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers")
CC: stable@vger.kernel.org
Reviewed-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Tested-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Saranya R <quic_sarar@quicinc.com>
Co-developed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250212163720.1577876-1-mukesh.ojha@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/pdr_interface.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/soc/qcom/pdr_interface.c
+++ b/drivers/soc/qcom/pdr_interface.c
@@ -74,7 +74,6 @@ static int pdr_locator_new_server(struct
{
struct pdr_handle *pdr = container_of(qmi, struct pdr_handle,
locator_hdl);
- struct pdr_service *pds;
mutex_lock(&pdr->lock);
/* Create a local client port for QMI communication */
@@ -86,12 +85,7 @@ static int pdr_locator_new_server(struct
mutex_unlock(&pdr->lock);
/* Service pending lookup requests */
- mutex_lock(&pdr->list_lock);
- list_for_each_entry(pds, &pdr->lookups, node) {
- if (pds->need_locator_lookup)
- schedule_work(&pdr->locator_work);
- }
- mutex_unlock(&pdr->list_lock);
+ schedule_work(&pdr->locator_work);
return 0;
}
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 104/279] drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 103/279] soc: qcom: pdr: Fix the potential deadlock Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 105/279] drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Greg Kroah-Hartman
` (181 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit dd8689b52a24807c2d5ce0a17cb26dc87f75235c upstream.
On the off chance that command stream passed from userspace via
ioctl() call to radeon_vce_cs_parse() is weirdly crafted and
first command to execute is to encode (case 0x03000001), the function
in question will attempt to call radeon_vce_cs_reloc() with size
argument that has not been properly initialized. Specifically, 'size'
will point to 'tmp' variable before the latter had a chance to be
assigned any value.
Play it safe and init 'tmp' with 0, thus ensuring that
radeon_vce_cs_reloc() will catch an early error in cases like these.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/radeon/radeon_vce.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/radeon/radeon_vce.c
+++ b/drivers/gpu/drm/radeon/radeon_vce.c
@@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs
{
int session_idx = -1;
bool destroyed = false, created = false, allocated = false;
- uint32_t tmp, handle = 0;
+ uint32_t tmp = 0, handle = 0;
uint32_t *size = &tmp;
int i, r = 0;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 105/279] drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 104/279] drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 106/279] mptcp: Fix data stream corruption in the address announcement Greg Kroah-Hartman
` (180 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Rosca, Alex Deucher,
Ruijing Dong
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Rosca <david.rosca@amd.com>
commit ec33964d9d88488fa954a03d476a8b811efc6e85 upstream.
8192x8192 is the maximum supported resolution.
Signed-off-by: David Rosca <david.rosca@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6e0d2fde3ae8fdb5b47e10389f23ed2cb4daec5d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/nv.c | 2 +-
drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/nv.c
+++ b/drivers/gpu/drm/amd/amdgpu/nv.c
@@ -87,7 +87,7 @@ static const struct amdgpu_video_codec_i
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)},
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
};
--- a/drivers/gpu/drm/amd/amdgpu/soc15.c
+++ b/drivers/gpu/drm/amd/amdgpu/soc15.c
@@ -123,7 +123,7 @@ static const struct amdgpu_video_codec_i
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)},
- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)},
{codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)},
};
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 106/279] mptcp: Fix data stream corruption in the address announcement
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 105/279] drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 107/279] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Greg Kroah-Hartman
` (179 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Arthur Mongodin,
Matthieu Baerts (NGI0), Simon Horman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arthur Mongodin <amongodin@randorisec.fr>
commit 2c1f97a52cb827a5f2768e67a9dddffae1ed47ab upstream.
Because of the size restriction in the TCP options space, the MPTCP
ADD_ADDR option is exclusive and cannot be sent with other MPTCP ones.
For this reason, in the linked mptcp_out_options structure, group of
fields linked to different options are part of the same union.
There is a case where the mptcp_pm_add_addr_signal() function can modify
opts->addr, but not ended up sending an ADD_ADDR. Later on, back in
mptcp_established_options, other options will be sent, but with
unexpected data written in other fields due to the union, e.g. in
opts->ext_copy. This could lead to a data stream corruption in the next
packet.
Using an intermediate variable, prevents from corrupting previously
established DSS option. The assignment of the ADD_ADDR option
parameters is now done once we are sure this ADD_ADDR option can be set
in the packet, e.g. after having dropped other suboptions.
Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
Cc: stable@vger.kernel.org
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Arthur Mongodin <amongodin@randorisec.fr>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
[ Matt: the commit message has been updated: long lines splits and some
clarifications. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-1-122dbb249db3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -647,6 +647,7 @@ static bool mptcp_established_options_ad
struct mptcp_sock *msk = mptcp_sk(subflow->conn);
bool drop_other_suboptions = false;
unsigned int opt_size = *size;
+ struct mptcp_addr_info addr;
bool echo;
int len;
@@ -655,7 +656,7 @@ static bool mptcp_established_options_ad
*/
if (!mptcp_pm_should_add_signal(msk) ||
(opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) ||
- !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &opts->addr,
+ !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &addr,
&echo, &drop_other_suboptions))
return false;
@@ -668,7 +669,7 @@ static bool mptcp_established_options_ad
else if (opts->suboptions & OPTION_MPTCP_DSS)
return false;
- len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port);
+ len = mptcp_add_addr_len(addr.family, echo, !!addr.port);
if (remaining < len)
return false;
@@ -685,6 +686,7 @@ static bool mptcp_established_options_ad
opts->ahmac = 0;
*size -= opt_size;
}
+ opts->addr = addr;
opts->suboptions |= OPTION_MPTCP_ADD_ADDR;
if (!echo) {
opts->ahmac = add_addr_generate_hmac(msk->local_key,
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 107/279] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 106/279] mptcp: Fix data stream corruption in the address announcement Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 108/279] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Greg Kroah-Hartman
` (178 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Klaassen, Dragan Simic,
Heiko Stuebner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Klaassen <justin@tidylabs.net>
commit 38f4aa34a5f737ea8588dac320d884cc2e762c03 upstream.
The u2phy1_host should always have the same status as usb_host1_ehci
and usb_host1_ohci, otherwise the EHCI and OHCI drivers may be
initialized for a disabled usb port.
Per the NanoPi R4S schematic, the phy-supply for u2phy1_host is set to
the vdd_5v regulator.
Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Klaassen <justin@tidylabs.net>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Link: https://lore.kernel.org/r/20250225170420.3898-1-justin@tidylabs.net
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts
@@ -117,7 +117,7 @@
};
&u2phy1_host {
- status = "disabled";
+ phy-supply = <&vdd_5v>;
};
&uart0 {
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 108/279] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 107/279] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 109/279] bpf, sockmap: Fix race between element replace and close() Greg Kroah-Hartman
` (177 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Kiran K,
Bin Lan, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit b25e11f978b63cb7857890edb3a698599cddb10e upstream.
This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4
("Bluetooth: Always request for user confirmation for Just Works")
always request user confirmation with confirm_hint set since the
likes of bluetoothd have dedicated policy around JUST_WORKS method
(e.g. main.conf:JustWorksRepairing).
CVE: CVE-2024-8805
Cc: stable@vger.kernel.org
Fixes: ba15a58b179e ("Bluetooth: Fix SSP acceptor just-works confirmation without MITM")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4859,19 +4859,16 @@ static void hci_user_confirm_request_evt
goto unlock;
}
- /* If no side requires MITM protection; auto-accept */
+ /* If no side requires MITM protection; use JUST_CFM method */
if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
(!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
- /* If we're not the initiators request authorization to
- * proceed from user space (mgmt_user_confirm with
- * confirm_hint set to 1). The exception is if neither
- * side had MITM or if the local IO capability is
- * NoInputNoOutput, in which case we do auto-accept
+ /* If we're not the initiator of request authorization and the
+ * local IO capability is not NoInputNoOutput, use JUST_WORKS
+ * method (mgmt_user_confirm with confirm_hint set to 1).
*/
if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
- conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
- (loc_mitm || rem_mitm)) {
+ conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) {
BT_DBG("Confirming auto-accept as acceptor");
confirm_hint = 1;
goto confirm;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 109/279] bpf, sockmap: Fix race between element replace and close()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 108/279] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 110/279] ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names Greg Kroah-Hartman
` (176 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj, Daniel Borkmann,
John Fastabend, Bin Lan, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
commit ed1fc5d76b81a4d681211333c026202cad4d5649 upstream.
Element replace (with a socket different from the one stored) may race
with socket's close() link popping & unlinking. __sock_map_delete()
unconditionally unrefs the (wrong) element:
// set map[0] = s0
map_update_elem(map, 0, s0)
// drop fd of s0
close(s0)
sock_map_close()
lock_sock(sk) (s0!)
sock_map_remove_links(sk)
link = sk_psock_link_pop()
sock_map_unlink(sk, link)
sock_map_delete_from_link
// replace map[0] with s1
map_update_elem(map, 0, s1)
sock_map_update_elem
(s1!) lock_sock(sk)
sock_map_update_common
psock = sk_psock(sk)
spin_lock(&stab->lock)
osk = stab->sks[idx]
sock_map_add_link(..., &stab->sks[idx])
sock_map_unref(osk, &stab->sks[idx])
psock = sk_psock(osk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test(&psock))
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
unlock_sock(sk)
__sock_map_delete
spin_lock(&stab->lock)
sk = *psk // s1 replaced s0; sk == s1
if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch
sk = xchg(psk, NULL)
if (sk)
sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle
psock = sk_psock(sk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test())
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
release_sock(sk)
Then close(map) enqueues bpf_map_free_deferred, which finally calls
sock_map_free(). This results in some refcount_t warnings along with
a KASAN splat [1].
Fix __sock_map_delete(), do not allow sock_map_unref() on elements that
may have been replaced.
[1]:
BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330
Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
Call Trace:
<TASK>
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
kasan_check_range+0x10f/0x1e0
sock_map_free+0x10e/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1202:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
unix_create1+0x88/0x8a0
unix_create+0xc5/0x180
__sock_create+0x241/0x650
__sys_socketpair+0x1ce/0x420
__x64_sys_socketpair+0x92/0x100
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 46:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
sk_psock_destroy+0x73e/0xa50
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff88811f5b9080
which belongs to the cache UNIX-STREAM of size 1984
The buggy address is located 128 bytes inside of
freed 1984-byte region [ffff88811f5b9080, ffff88811f5b9840)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5b8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888127d49401
flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401
head: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000
head: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401
head: 0017ffffc0000003 ffffea00047d6e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88811f5b9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88811f5b9080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88811f5b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811f5b9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Disabling lock debugging due to kernel taint
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 14 PID: 1063 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B 6.12.0+ #125
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
RIP: 0010:refcount_warn_saturate+0xce/0x150
Code: 34 73 eb 03 01 e8 82 53 ad fe 0f 0b eb b1 80 3d 27 73 eb 03 00 75 a8 48 c7 c7 80 bd 95 84 c6 05 17 73 eb 03 01 e8 62 53 ad fe <0f> 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05
RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed10bcde6349
R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000
R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024
FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
? __warn.cold+0x5f/0x1ff
? refcount_warn_saturate+0xce/0x150
? report_bug+0x1ec/0x390
? handle_bug+0x58/0x90
? exc_invalid_op+0x13/0x40
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xce/0x150
sock_map_free+0x2e5/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
irq event stamp: 10741
hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20
hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770
softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
refcount_t: underflow; use-after-free.
WARNING: CPU: 14 PID: 1063 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B W 6.12.0+ #125
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
RIP: 0010:refcount_warn_saturate+0xee/0x150
Code: 17 73 eb 03 01 e8 62 53 ad fe 0f 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 f6 72 eb 03 01 e8 42 53 ad fe <0f> 0b e9 6e ff ff ff 80 3d e6 72 eb 03 00 0f 85 61 ff ff ff 48 c7
RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed10bcde6349
R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000
R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024
FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
? __warn.cold+0x5f/0x1ff
? refcount_warn_saturate+0xee/0x150
? report_bug+0x1ec/0x390
? handle_bug+0x58/0x90
? exc_invalid_op+0x13/0x40
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xee/0x150
sock_map_free+0x2d3/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
irq event stamp: 10741
hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20
hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770
softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox.co
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sock_map.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -411,15 +411,14 @@ static void *sock_map_lookup_sys(struct
static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test,
struct sock **psk)
{
- struct sock *sk;
+ struct sock *sk = NULL;
int err = 0;
if (irqs_disabled())
return -EOPNOTSUPP; /* locks here are hardirq-unsafe */
raw_spin_lock_bh(&stab->lock);
- sk = *psk;
- if (!sk_test || sk_test == sk)
+ if (!sk_test || sk_test == *psk)
sk = xchg(psk, NULL);
if (likely(sk))
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 110/279] ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 109/279] bpf, sockmap: Fix race between element replace and close() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 111/279] HID: hid-plantronics: Add mic mute mapping and generalize quirks Greg Kroah-Hartman
` (175 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Terry Junge, Takashi Iwai,
Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Terry Junge <linuxhid@cosmicgizmosystems.com>
commit 486f6205c233da1baa309bde5f634eb1f8319a33 upstream.
Many Poly/Plantronics headset families name the feature, input,
and/or output units in a such a way to produce control names
that are not recognized by user space. As such, the volume and
mute events do not get routed to the headset's audio controls.
As an example from a product family:
The microphone mute control is named
Headset Microphone Capture Switch
and the headset volume control is named
Headset Earphone Playback Volume
The quirk fixes these to become
Headset Capture Switch
Headset Playback Volume
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -3553,6 +3553,52 @@ static void snd_dragonfly_quirk_db_scale
}
}
+/*
+ * Some Plantronics headsets have control names that don't meet ALSA naming
+ * standards. This function fixes nonstandard source names. By the time
+ * this function is called the control name should look like one of these:
+ * "source names Playback Volume"
+ * "source names Playback Switch"
+ * "source names Capture Volume"
+ * "source names Capture Switch"
+ * If any of the trigger words are found in the name then the name will
+ * be changed to:
+ * "Headset Playback Volume"
+ * "Headset Playback Switch"
+ * "Headset Capture Volume"
+ * "Headset Capture Switch"
+ * depending on the current suffix.
+ */
+static void snd_fix_plt_name(struct snd_usb_audio *chip,
+ struct snd_ctl_elem_id *id)
+{
+ /* no variant of "Sidetone" should be added to this list */
+ static const char * const trigger[] = {
+ "Earphone", "Microphone", "Receive", "Transmit"
+ };
+ static const char * const suffix[] = {
+ " Playback Volume", " Playback Switch",
+ " Capture Volume", " Capture Switch"
+ };
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(trigger); i++)
+ if (strstr(id->name, trigger[i]))
+ goto triggered;
+ usb_audio_dbg(chip, "no change in %s\n", id->name);
+ return;
+
+triggered:
+ for (i = 0; i < ARRAY_SIZE(suffix); i++)
+ if (strstr(id->name, suffix[i])) {
+ usb_audio_dbg(chip, "fixing kctl name %s\n", id->name);
+ snprintf(id->name, sizeof(id->name), "Headset%s",
+ suffix[i]);
+ return;
+ }
+ usb_audio_dbg(chip, "something wrong in kctl name %s\n", id->name);
+}
+
void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer,
struct usb_mixer_elem_info *cval, int unitid,
struct snd_kcontrol *kctl)
@@ -3570,5 +3616,10 @@ void snd_usb_mixer_fu_apply_quirk(struct
cval->min_mute = 1;
break;
}
+
+ /* ALSA-ify some Plantronics headset control names */
+ if (USB_ID_VENDOR(mixer->chip->usb_id) == 0x047f &&
+ (cval->control == UAC_FU_MUTE || cval->control == UAC_FU_VOLUME))
+ snd_fix_plt_name(mixer->chip, &kctl->id);
}
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 111/279] HID: hid-plantronics: Add mic mute mapping and generalize quirks
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 110/279] ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 112/279] atm: Fix NULL pointer dereference Greg Kroah-Hartman
` (174 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Terry Junge, Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Terry Junge <linuxhid@cosmicgizmosystems.com>
commit 9821709af892be9fbf4ee9a50b2f3e0604295ce0 upstream.
Add mapping for headset mute key events.
Remove PLT_QUIRK_DOUBLE_VOLUME_KEYS quirk and made it generic.
The quirk logic did not keep track of the actual previous key
so any key event occurring in less than or equal to 5ms was ignored.
Remove PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS quirk.
It had the same logic issue as the double key quirk and was actually
masking the as designed behavior of most of the headsets.
It's occurrence should be minimized with the ALSA control naming
quirk that is part of the patch set.
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-plantronics.c | 148 +++++++++++++++++++-----------------------
1 file changed, 69 insertions(+), 79 deletions(-)
--- a/drivers/hid/hid-plantronics.c
+++ b/drivers/hid/hid-plantronics.c
@@ -6,9 +6,6 @@
* Copyright (c) 2015-2018 Terry Junge <terry.junge@plantronics.com>
*/
-/*
- */
-
#include "hid-ids.h"
#include <linux/hid.h>
@@ -23,30 +20,28 @@
#define PLT_VOL_UP 0x00b1
#define PLT_VOL_DOWN 0x00b2
+#define PLT_MIC_MUTE 0x00b5
#define PLT1_VOL_UP (PLT_HID_1_0_PAGE | PLT_VOL_UP)
#define PLT1_VOL_DOWN (PLT_HID_1_0_PAGE | PLT_VOL_DOWN)
+#define PLT1_MIC_MUTE (PLT_HID_1_0_PAGE | PLT_MIC_MUTE)
#define PLT2_VOL_UP (PLT_HID_2_0_PAGE | PLT_VOL_UP)
#define PLT2_VOL_DOWN (PLT_HID_2_0_PAGE | PLT_VOL_DOWN)
+#define PLT2_MIC_MUTE (PLT_HID_2_0_PAGE | PLT_MIC_MUTE)
+#define HID_TELEPHONY_MUTE (HID_UP_TELEPHONY | 0x2f)
+#define HID_CONSUMER_MUTE (HID_UP_CONSUMER | 0xe2)
#define PLT_DA60 0xda60
#define PLT_BT300_MIN 0x0413
#define PLT_BT300_MAX 0x0418
-
-#define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \
- (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER)
-
-#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0)
-#define PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS BIT(1)
-
#define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */
-#define PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT 220 /* ms */
struct plt_drv_data {
unsigned long device_type;
- unsigned long last_volume_key_ts;
- u32 quirks;
+ unsigned long last_key_ts;
+ unsigned long double_key_to;
+ __u16 last_key;
};
static int plantronics_input_mapping(struct hid_device *hdev,
@@ -58,34 +53,43 @@ static int plantronics_input_mapping(str
unsigned short mapped_key;
struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
unsigned long plt_type = drv_data->device_type;
+ int allow_mute = usage->hid == HID_TELEPHONY_MUTE;
+ int allow_consumer = field->application == HID_CP_CONSUMERCONTROL &&
+ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER &&
+ usage->hid != HID_CONSUMER_MUTE;
/* special case for PTT products */
if (field->application == HID_GD_JOYSTICK)
goto defaulted;
- /* handle volume up/down mapping */
/* non-standard types or multi-HID interfaces - plt_type is PID */
if (!(plt_type & HID_USAGE_PAGE)) {
switch (plt_type) {
case PLT_DA60:
- if (PLT_ALLOW_CONSUMER)
+ if (allow_consumer)
goto defaulted;
- goto ignored;
+ if (usage->hid == HID_CONSUMER_MUTE) {
+ mapped_key = KEY_MICMUTE;
+ goto mapped;
+ }
+ break;
default:
- if (PLT_ALLOW_CONSUMER)
+ if (allow_consumer || allow_mute)
goto defaulted;
}
+ goto ignored;
}
- /* handle standard types - plt_type is 0xffa0uuuu or 0xffa2uuuu */
- /* 'basic telephony compliant' - allow default consumer page map */
- else if ((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY &&
- (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) {
- if (PLT_ALLOW_CONSUMER)
- goto defaulted;
- }
- /* not 'basic telephony' - apply legacy mapping */
- /* only map if the field is in the device's primary vendor page */
- else if (!((field->application ^ plt_type) & HID_USAGE_PAGE)) {
+
+ /* handle standard consumer control mapping */
+ /* and standard telephony mic mute mapping */
+ if (allow_consumer || allow_mute)
+ goto defaulted;
+
+ /* handle vendor unique types - plt_type is 0xffa0uuuu or 0xffa2uuuu */
+ /* if not 'basic telephony compliant' - map vendor unique controls */
+ if (!((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY &&
+ (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) &&
+ !((field->application ^ plt_type) & HID_USAGE_PAGE))
switch (usage->hid) {
case PLT1_VOL_UP:
case PLT2_VOL_UP:
@@ -95,8 +99,11 @@ static int plantronics_input_mapping(str
case PLT2_VOL_DOWN:
mapped_key = KEY_VOLUMEDOWN;
goto mapped;
+ case PLT1_MIC_MUTE:
+ case PLT2_MIC_MUTE:
+ mapped_key = KEY_MICMUTE;
+ goto mapped;
}
- }
/*
* Future mapping of call control or other usages,
@@ -105,6 +112,8 @@ static int plantronics_input_mapping(str
*/
ignored:
+ hid_dbg(hdev, "usage: %08x (appl: %08x) - ignored\n",
+ usage->hid, field->application);
return -1;
defaulted:
@@ -123,38 +132,26 @@ static int plantronics_event(struct hid_
struct hid_usage *usage, __s32 value)
{
struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
+ unsigned long prev_tsto, cur_ts;
+ __u16 prev_key, cur_key;
- if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) {
- unsigned long prev_ts, cur_ts;
-
- /* Usages are filtered in plantronics_usages. */
-
- if (!value) /* Handle key presses only. */
- return 0;
-
- prev_ts = drv_data->last_volume_key_ts;
- cur_ts = jiffies;
- if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT)
- return 1; /* Ignore the repeated key. */
-
- drv_data->last_volume_key_ts = cur_ts;
- }
- if (drv_data->quirks & PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS) {
- unsigned long prev_ts, cur_ts;
-
- /* Usages are filtered in plantronics_usages. */
-
- if (!value) /* Handle key presses only. */
- return 0;
+ /* Usages are filtered in plantronics_usages. */
- prev_ts = drv_data->last_volume_key_ts;
- cur_ts = jiffies;
- if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT)
- return 1; /* Ignore the followed opposite volume key. */
-
- drv_data->last_volume_key_ts = cur_ts;
+ /* HZ too low for ms resolution - double key detection disabled */
+ /* or it is a key release - handle key presses only. */
+ if (!drv_data->double_key_to || !value)
+ return 0;
+
+ prev_tsto = drv_data->last_key_ts + drv_data->double_key_to;
+ cur_ts = drv_data->last_key_ts = jiffies;
+ prev_key = drv_data->last_key;
+ cur_key = drv_data->last_key = usage->code;
+
+ /* If the same key occurs in <= double_key_to -- ignore it */
+ if (prev_key == cur_key && time_before_eq(cur_ts, prev_tsto)) {
+ hid_dbg(hdev, "double key %d ignored\n", cur_key);
+ return 1; /* Ignore the repeated key. */
}
-
return 0;
}
@@ -196,12 +193,16 @@ static int plantronics_probe(struct hid_
ret = hid_parse(hdev);
if (ret) {
hid_err(hdev, "parse failed\n");
- goto err;
+ return ret;
}
drv_data->device_type = plantronics_device_type(hdev);
- drv_data->quirks = id->driver_data;
- drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT);
+ drv_data->double_key_to = msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT);
+ drv_data->last_key_ts = jiffies - drv_data->double_key_to;
+
+ /* if HZ does not allow ms resolution - disable double key detection */
+ if (drv_data->double_key_to < PLT_DOUBLE_KEY_TIMEOUT)
+ drv_data->double_key_to = 0;
hid_set_drvdata(hdev, drv_data);
@@ -210,29 +211,10 @@ static int plantronics_probe(struct hid_
if (ret)
hid_err(hdev, "hw start failed\n");
-err:
return ret;
}
static const struct hid_device_id plantronics_devices[] = {
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES),
- .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES),
- .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS },
{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
{ }
};
@@ -241,6 +223,14 @@ MODULE_DEVICE_TABLE(hid, plantronics_dev
static const struct hid_usage_id plantronics_usages[] = {
{ HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID },
{ HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID },
+ { HID_TELEPHONY_MUTE, EV_KEY, HID_ANY_ID },
+ { HID_CONSUMER_MUTE, EV_KEY, HID_ANY_ID },
+ { PLT2_VOL_UP, EV_KEY, HID_ANY_ID },
+ { PLT2_VOL_DOWN, EV_KEY, HID_ANY_ID },
+ { PLT2_MIC_MUTE, EV_KEY, HID_ANY_ID },
+ { PLT1_VOL_UP, EV_KEY, HID_ANY_ID },
+ { PLT1_VOL_DOWN, EV_KEY, HID_ANY_ID },
+ { PLT1_MIC_MUTE, EV_KEY, HID_ANY_ID },
{ HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR }
};
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 112/279] atm: Fix NULL pointer dereference
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 111/279] HID: hid-plantronics: Add mic mute mapping and generalize quirks Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 113/279] ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed() Greg Kroah-Hartman
` (173 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minjoong Kim, Simon Horman,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minjoong Kim <pwn9uin@gmail.com>
commit bf2986fcf82a449441f9ee4335df19be19e83970 upstream.
When MPOA_cache_impos_rcvd() receives the msg, it can trigger
Null Pointer Dereference Vulnerability if both entry and
holding_time are NULL. Because there is only for the situation
where entry is NULL and holding_time exists, it can be passed
when both entry and holding_time are NULL. If these are NULL,
the entry will be passd to eg_cache_put() as parameter and
it is referenced by entry->use code in it.
kasan log:
[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
[ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
[ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
[ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
[ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
[ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
[ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
[ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
[ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
[ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
[ 3.326430] Call Trace:
[ 3.326725] <TASK>
[ 3.326927] ? die_addr+0x3c/0xa0
[ 3.327330] ? exc_general_protection+0x161/0x2a0
[ 3.327662] ? asm_exc_general_protection+0x26/0x30
[ 3.328214] ? vprintk_emit+0x15e/0x420
[ 3.328543] ? eg_cache_remove_entry+0xa5/0x470
[ 3.328910] ? eg_cache_remove_entry+0x9a/0x470
[ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10
[ 3.329664] ? console_unlock+0x107/0x1d0
[ 3.329946] ? __pfx_console_unlock+0x10/0x10
[ 3.330283] ? do_syscall_64+0xa6/0x1a0
[ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f
[ 3.331090] ? __pfx_prb_read_valid+0x10/0x10
[ 3.331395] ? down_trylock+0x52/0x80
[ 3.331703] ? vprintk_emit+0x15e/0x420
[ 3.331986] ? __pfx_vprintk_emit+0x10/0x10
[ 3.332279] ? down_trylock+0x52/0x80
[ 3.332527] ? _printk+0xbf/0x100
[ 3.332762] ? __pfx__printk+0x10/0x10
[ 3.333007] ? _raw_write_lock_irq+0x81/0xe0
[ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10
[ 3.333614] msg_from_mpoad+0x1185/0x2750
[ 3.333893] ? __build_skb_around+0x27b/0x3a0
[ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10
[ 3.334501] ? __alloc_skb+0x1c0/0x310
[ 3.334809] ? __pfx___alloc_skb+0x10/0x10
[ 3.335283] ? _raw_spin_lock+0xe0/0xe0
[ 3.335632] ? finish_wait+0x8d/0x1e0
[ 3.335975] vcc_sendmsg+0x684/0xba0
[ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10
[ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10
[ 3.337056] ? fdget+0x176/0x3e0
[ 3.337348] __sys_sendto+0x4a2/0x510
[ 3.337663] ? __pfx___sys_sendto+0x10/0x10
[ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400
[ 3.338364] ? sock_ioctl+0x1bb/0x5a0
[ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20
[ 3.339017] ? __pfx_sock_ioctl+0x10/0x10
[ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 3.339727] ? selinux_file_ioctl+0xa4/0x260
[ 3.340166] __x64_sys_sendto+0xe0/0x1c0
[ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140
[ 3.340898] do_syscall_64+0xa6/0x1a0
[ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3.341533] RIP: 0033:0x44a380
[ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00
[ 3.343078] RSP: 002b:00007ffc1d404098 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 3.343631] RAX: ffffffffffffffda RBX: 00007ffc1d404458 RCX: 000000000044a380
[ 3.344306] RDX: 000000000000019c RSI: 00007ffc1d4040b0 RDI: 0000000000000003
[ 3.344833] RBP: 00007ffc1d404260 R08: 0000000000000000 R09: 0000000000000000
[ 3.345381] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 3.346015] R13: 00007ffc1d404448 R14: 00000000004c17d0 R15: 0000000000000001
[ 3.346503] </TASK>
[ 3.346679] Modules linked in:
[ 3.346956] ---[ end trace 0000000000000000 ]---
[ 3.347315] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
[ 3.347737] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
[ 3.349157] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
[ 3.349517] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
[ 3.350103] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
[ 3.350610] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
[ 3.351246] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
[ 3.351785] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
[ 3.352404] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
[ 3.353099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.353544] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
[ 3.354072] note: ex[79] exited with irqs disabled
[ 3.354458] note: ex[79] exited with preempt_count 1
Signed-off-by: Minjoong Kim <pwn9uin@gmail.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250322105200.14981-1-pwn9uin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/atm/mpc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -1314,6 +1314,8 @@ static void MPOA_cache_impos_rcvd(struct
holding_time = msg->content.eg_info.holding_time;
dprintk("(%s) entry = %p, holding_time = %u\n",
mpc->dev->name, entry, holding_time);
+ if (entry == NULL && !holding_time)
+ return;
if (entry == NULL && holding_time) {
entry = mpc->eg_ops->add_entry(msg, mpc);
mpc->eg_ops->put(entry);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 113/279] ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 112/279] atm: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 114/279] ARM: 9351/1: fault: Add "cut here" line for prefetch aborts Greg Kroah-Hartman
` (172 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Russell King (Oracle),
Ard Biesheuvel, Wang Kefeng, Andrew Morton, Ben Hutchings,
linux-arm-kernel, Kees Cook
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 169f9102f9198b04afffa6164372a4ba4070f412 upstream.
Under PAN emulation when dumping backtraces from things like the
LKDTM EXEC_USERSPACE test[1], a double fault (which would hang a CPU)
would happen because of dump_instr() attempting to read a userspace
address. Make sure copy_from_kernel_nofault() does not attempt this
any more.
Closes: https://lava.sirena.org.uk/scheduler/job/497571
Link: https://lore.kernel.org/all/202401181125.D48DCB4C@keescook/ [1]
Reported-by: Mark Brown <broonie@kernel.org>
Suggested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Cc: Wang Kefeng <wangkefeng.wang@huawei.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mm/fault.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -24,6 +24,13 @@
#include "fault.h"
+bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
+{
+ unsigned long addr = (unsigned long)unsafe_src;
+
+ return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
+}
+
#ifdef CONFIG_MMU
/*
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 114/279] ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 113/279] ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 115/279] ARM: Remove address checking for MMUless devices Greg Kroah-Hartman
` (171 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Kefeng, Ben Hutchings,
linux-arm-kernel, Ard Biesheuvel, Kees Cook,
Russell King (Oracle)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 8f09b8b4fa58e99cbfd9a650b31d65cdbd8e4276 upstream.
The common pattern in arm is to emit a "8<--- cut here ---" line for
faults, but it was missing for do_PrefetchAbort(). Add it.
Cc: Wang Kefeng <wangkefeng.wang@huawei.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-arm-kernel@lists.infradead.org
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mm/fault.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -559,6 +559,7 @@ do_PrefetchAbort(unsigned long addr, uns
if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
return;
+ pr_alert("8<--- cut here ---\n");
pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
inf->name, ifsr, addr);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 115/279] ARM: Remove address checking for MMUless devices
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 114/279] ARM: 9351/1: fault: Add "cut here" line for prefetch aborts Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 116/279] netfilter: socket: Lookup orig tuple for IPv6 SNAT Greg Kroah-Hartman
` (170 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yanjun Yang, Ard Biesheuvel,
Kees Cook
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yanjun Yang <yangyj.ee@gmail.com>
commit 3ccea4784fddd96fbd6c4497eb28b45dab638c2a upstream.
Commit 169f9102f9198b ("ARM: 9350/1: fault: Implement
copy_from_kernel_nofault_allowed()") added the function to check address
before use. However, for devices without MMU, addr > TASK_SIZE will
always fail. This patch move this function after the #ifdef CONFIG_MMU
statement.
Signed-off-by: Yanjun Yang <yangyj.ee@gmail.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218953
Fixes: 169f9102f9198b ("ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()")
Link: https://lore.kernel.org/r/20240611100947.32241-1-yangyj.ee@gmail.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mm/fault.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -24,6 +24,8 @@
#include "fault.h"
+#ifdef CONFIG_MMU
+
bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
{
unsigned long addr = (unsigned long)unsafe_src;
@@ -31,8 +33,6 @@ bool copy_from_kernel_nofault_allowed(co
return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
}
-#ifdef CONFIG_MMU
-
/*
* This is useful to dump out the page tables associated with
* 'addr' in mm 'mm'.
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 116/279] netfilter: socket: Lookup orig tuple for IPv6 SNAT
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 115/279] ARM: Remove address checking for MMUless devices Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 117/279] ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx Greg Kroah-Hartman
` (169 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Mikityanskiy, Florian Westphal,
Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Mikityanskiy <maxtram95@gmail.com>
commit 932b32ffd7604fb00b5c57e239a3cc4d901ccf6e upstream.
nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
restore the original 5-tuple in case of SNAT, to be able to find the
right socket (if any). Then socket_match() can correctly check whether
the socket was transparent.
However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
conntrack lookup, making xt_socket fail to match on the socket when the
packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.
IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
with the node's external address. Cilium leverages Envoy to enforce L7
policies, and Envoy uses transparent sockets. Cilium inserts an iptables
prerouting rule that matches on `-m socket --transparent` and redirects
the packets to localhost, but it fails to match SNATed IPv6 packets due
to that missing conntrack lookup.
Closes: https://github.com/cilium/cilium/issues/37932
Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/netfilter/nf_socket_ipv6.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/net/ipv6/netfilter/nf_socket_ipv6.c
+++ b/net/ipv6/netfilter/nf_socket_ipv6.c
@@ -103,6 +103,10 @@ struct sock *nf_sk_lookup_slow_v6(struct
struct sk_buff *data_skb = NULL;
int doff = 0;
int thoff = 0, tproto;
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn const *ct;
+#endif
tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
if (tproto < 0) {
@@ -136,6 +140,25 @@ struct sock *nf_sk_lookup_slow_v6(struct
return NULL;
}
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ /* Do the lookup with the original socket address in
+ * case this is a reply packet of an established
+ * SNAT-ted connection.
+ */
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct &&
+ ((tproto != IPPROTO_ICMPV6 &&
+ ctinfo == IP_CT_ESTABLISHED_REPLY) ||
+ (tproto == IPPROTO_ICMPV6 &&
+ ctinfo == IP_CT_RELATED_REPLY)) &&
+ (ct->status & IPS_SRC_NAT_DONE)) {
+ daddr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.in6;
+ dport = (tproto == IPPROTO_TCP) ?
+ ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.tcp.port :
+ ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
+ }
+#endif
+
return nf_socket_get_sock_v6(net, data_skb, doff, tproto, saddr, daddr,
sport, dport, indev);
}
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 117/279] ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 116/279] netfilter: socket: Lookup orig tuple for IPv6 SNAT Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 118/279] counter: stm32-lptimer-cnt: fix error handling when enabling Greg Kroah-Hartman
` (168 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dhruv Deshpande, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dhruv Deshpande <dhrv.d@proton.me>
commit 35ef1c79d2e09e9e5a66e28a66fe0df4368b0f3d upstream.
The mute LED on this HP laptop uses ALC236 and requires a quirk to function.
This patch enables the existing quirk for the device.
Tested on my laptop and the LED behaviour works as intended.
Cc: stable@vger.kernel.org
Signed-off-by: Dhruv Deshpande <dhrv.d@proton.me>
Link: https://patch.msgid.link/20250317085621.45056-1-dhrv.d@proton.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9302,6 +9302,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x8811, "HP Spectre x360 15-eb1xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
SND_PCI_QUIRK(0x103c, 0x8812, "HP Spectre x360 15-eb1xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
SND_PCI_QUIRK(0x103c, 0x881d, "HP 250 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x881e, "HP Laptop 15s-du3xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 118/279] counter: stm32-lptimer-cnt: fix error handling when enabling
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 117/279] ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 119/279] counter: microchip-tcb-capture: Fix undefined counter channel state on probe Greg Kroah-Hartman
` (167 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabrice Gasnier,
William Breathitt Gray
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
commit 8744dcd4fc7800de2eb9369410470bb2930d4c14 upstream.
In case the stm32_lptim_set_enable_state() fails to update CMP and ARR,
a timeout error is raised, by regmap_read_poll_timeout. It may happen,
when the lptimer runs on a slow clock, and the clock is gated only
few times during the polling.
Badly, when this happen, STM32_LPTIM_ENABLE in CR register has been set.
So the 'enable' state in sysfs wrongly lies on the counter being
correctly enabled, due to CR is read as one in stm32_lptim_is_enabled().
To fix both issues:
- enable the clock before writing CMP, ARR and polling ISR bits. It will
avoid the possible timeout error.
- clear the ENABLE bit in CR and disable the clock in the error path.
Fixes: d8958824cf07 ("iio: counter: Add support for STM32 LPTimer")
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Link: https://lore.kernel.org/r/20250224170657.3368236-1-fabrice.gasnier@foss.st.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/counter/stm32-lptimer-cnt.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/drivers/counter/stm32-lptimer-cnt.c
+++ b/drivers/counter/stm32-lptimer-cnt.c
@@ -59,37 +59,43 @@ static int stm32_lptim_set_enable_state(
return 0;
}
+ ret = clk_enable(priv->clk);
+ if (ret)
+ goto disable_cnt;
+
/* LP timer must be enabled before writing CMP & ARR */
ret = regmap_write(priv->regmap, STM32_LPTIM_ARR, priv->ceiling);
if (ret)
- return ret;
+ goto disable_clk;
ret = regmap_write(priv->regmap, STM32_LPTIM_CMP, 0);
if (ret)
- return ret;
+ goto disable_clk;
/* ensure CMP & ARR registers are properly written */
ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val,
(val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK,
100, 1000);
if (ret)
- return ret;
+ goto disable_clk;
ret = regmap_write(priv->regmap, STM32_LPTIM_ICR,
STM32_LPTIM_CMPOKCF_ARROKCF);
if (ret)
- return ret;
+ goto disable_clk;
- ret = clk_enable(priv->clk);
- if (ret) {
- regmap_write(priv->regmap, STM32_LPTIM_CR, 0);
- return ret;
- }
priv->enabled = true;
/* Start LP timer in continuous mode */
return regmap_update_bits(priv->regmap, STM32_LPTIM_CR,
STM32_LPTIM_CNTSTRT, STM32_LPTIM_CNTSTRT);
+
+disable_clk:
+ clk_disable(priv->clk);
+disable_cnt:
+ regmap_write(priv->regmap, STM32_LPTIM_CR, 0);
+
+ return ret;
}
static int stm32_lptim_setup(struct stm32_lptim_cnt *priv, int enable)
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 119/279] counter: microchip-tcb-capture: Fix undefined counter channel state on probe
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 118/279] counter: stm32-lptimer-cnt: fix error handling when enabling Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 120/279] tty: serial: 8250: Add some more device IDs Greg Kroah-Hartman
` (166 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Csókás Bence,
William Breathitt Gray
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Breathitt Gray <wbg@kernel.org>
commit c0c9c73434666dc99ee156b25e7e722150bee001 upstream.
Hardware initialize of the timer counter channel does not occur on probe
thus leaving the Count in an undefined state until the first
function_write() callback is executed. Fix this by performing the proper
hardware initialization during probe.
Fixes: 106b104137fd ("counter: Add microchip TCB capture counter")
Reported-by: Csókás Bence <csokas.bence@prolan.hu>
Closes: https://lore.kernel.org/all/bfa70e78-3cc3-4295-820b-3925c26135cb@prolan.hu/
Link: https://lore.kernel.org/r/20250305-preset-capture-mode-microchip-tcb-capture-v1-1-632c95c6421e@kernel.org
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/counter/microchip-tcb-capture.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/drivers/counter/microchip-tcb-capture.c
+++ b/drivers/counter/microchip-tcb-capture.c
@@ -370,6 +370,25 @@ static int mchp_tc_probe(struct platform
channel);
}
+ /* Disable Quadrature Decoder and position measure */
+ ret = regmap_update_bits(regmap, ATMEL_TC_BMR, ATMEL_TC_QDEN | ATMEL_TC_POSEN, 0);
+ if (ret)
+ return ret;
+
+ /* Setup the period capture mode */
+ ret = regmap_update_bits(regmap, ATMEL_TC_REG(priv->channel[0], CMR),
+ ATMEL_TC_WAVE | ATMEL_TC_ABETRG | ATMEL_TC_CMR_MASK |
+ ATMEL_TC_TCCLKS,
+ ATMEL_TC_CMR_MASK);
+ if (ret)
+ return ret;
+
+ /* Enable clock and trigger counter */
+ ret = regmap_write(regmap, ATMEL_TC_REG(priv->channel[0], CCR),
+ ATMEL_TC_CLKEN | ATMEL_TC_SWTRG);
+ if (ret)
+ return ret;
+
priv->tc_cfg = tcb_config;
priv->regmap = regmap;
priv->counter.name = dev_name(&pdev->dev);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 120/279] tty: serial: 8250: Add some more device IDs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 119/279] counter: microchip-tcb-capture: Fix undefined counter channel state on probe Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 121/279] tty: serial: 8250: Add Brainboxes XC devices Greg Kroah-Hartman
` (165 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Cameron Williams
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cameron Williams <cang1@live.co.uk>
commit be6a23650908e2f827f2e7839a3fbae41ccb5b63 upstream.
These card IDs got missed the first time around.
Cc: stable <stable@kernel.org>
Signed-off-by: Cameron Williams <cang1@live.co.uk>
Link: https://lore.kernel.org/r/DB7PR02MB380295BCC879CCF91315AC38C4C12@DB7PR02MB3802.eurprd02.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -5536,6 +5536,14 @@ static const struct pci_device_id serial
PCI_ANY_ID, PCI_ANY_ID,
0, 0,
pbn_b2_2_115200 },
+ { PCI_VENDOR_ID_INTASHIELD, 0x0BA2,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0,
+ pbn_b2_2_115200 },
+ { PCI_VENDOR_ID_INTASHIELD, 0x0BA3,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0,
+ pbn_b2_2_115200 },
/*
* Brainboxes UC-235/246
*/
@@ -5656,6 +5664,14 @@ static const struct pci_device_id serial
PCI_ANY_ID, PCI_ANY_ID,
0, 0,
pbn_b2_4_115200 },
+ { PCI_VENDOR_ID_INTASHIELD, 0x0C42,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0,
+ pbn_b2_4_115200 },
+ { PCI_VENDOR_ID_INTASHIELD, 0x0C43,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0,
+ pbn_b2_4_115200 },
/*
* Brainboxes UC-420
*/
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 121/279] tty: serial: 8250: Add Brainboxes XC devices
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 120/279] tty: serial: 8250: Add some more device IDs Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 122/279] net: usb: qmi_wwan: add Telit Cinterion FN990B composition Greg Kroah-Hartman
` (164 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cameron Williams, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cameron Williams <cang1@live.co.uk>
commit 5c7e2896481a177bbda41d7850f05a9f5a8aee2b upstream.
These ExpressCard devices use the OxPCIE chip and can be used with
this driver.
Signed-off-by: Cameron Williams <cang1@live.co.uk>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/DB7PR02MB3802907A9360F27F6CD67AAFC4D62@DB7PR02MB3802.eurprd02.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -2869,6 +2869,22 @@ static struct pci_serial_quirk pci_seria
.setup = pci_oxsemi_tornado_setup,
},
{
+ .vendor = PCI_VENDOR_ID_INTASHIELD,
+ .device = 0x4026,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .init = pci_oxsemi_tornado_init,
+ .setup = pci_oxsemi_tornado_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_INTASHIELD,
+ .device = 0x4021,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .init = pci_oxsemi_tornado_init,
+ .setup = pci_oxsemi_tornado_setup,
+ },
+ {
.vendor = PCI_VENDOR_ID_INTEL,
.device = 0x8811,
.subvendor = PCI_ANY_ID,
@@ -5898,6 +5914,20 @@ static const struct pci_device_id serial
PCI_ANY_ID, PCI_ANY_ID,
0, 0,
pbn_oxsemi_1_15625000 },
+ /*
+ * Brainboxes XC-235
+ */
+ { PCI_VENDOR_ID_INTASHIELD, 0x4026,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0,
+ pbn_oxsemi_1_15625000 },
+ /*
+ * Brainboxes XC-475
+ */
+ { PCI_VENDOR_ID_INTASHIELD, 0x4021,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0,
+ pbn_oxsemi_1_15625000 },
/*
* Perle PCI-RAS cards
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 122/279] net: usb: qmi_wwan: add Telit Cinterion FN990B composition
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 121/279] tty: serial: 8250: Add Brainboxes XC devices Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 123/279] net: usb: qmi_wwan: add Telit Cinterion FE990B composition Greg Kroah-Hartman
` (163 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 9dba9a45f8ca64a7df32aada14c20a3153af1ac8 upstream.
Add the following Telit Cinterion FN990B composition:
0x10d0: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10d0 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FN990
S: SerialNumber=43b38f19
C: #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Link: https://patch.msgid.link/20250205171649.618162-3-fabio.porcedda@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1370,6 +1370,7 @@ static const struct usb_device_id produc
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10c0, 0)}, /* Telit FE910C04 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10c4, 0)}, /* Telit FE910C04 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10c8, 0)}, /* Telit FE910C04 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10d0, 0)}, /* Telit FN990B */
{QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
{QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
{QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 123/279] net: usb: qmi_wwan: add Telit Cinterion FE990B composition
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 122/279] net: usb: qmi_wwan: add Telit Cinterion FN990B composition Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 124/279] net: usb: usbnet: restore usb%d name exception for local mac addresses Greg Kroah-Hartman
` (162 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit e8cdd91926aac2c53a23925c538ad4c44be4201f upstream.
Add the following Telit Cinterion FE990B composition:
0x10b0: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb
usb-devices:
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10b0 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=28c2595e
C: #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Link: https://patch.msgid.link/20250227112441.3653819-2-fabio.porcedda@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1367,6 +1367,7 @@ static const struct usb_device_id produc
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10b0, 0)}, /* Telit FE990B */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10c0, 0)}, /* Telit FE910C04 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10c4, 0)}, /* Telit FE910C04 */
{QMI_QUIRK_SET_DTR(0x1bc7, 0x10c8, 0)}, /* Telit FE910C04 */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 124/279] net: usb: usbnet: restore usb%d name exception for local mac addresses
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 123/279] net: usb: qmi_wwan: add Telit Cinterion FE990B composition Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 125/279] memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove Greg Kroah-Hartman
` (161 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed Naseef, Dominique Martinet,
Oliver Neukum, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dominique Martinet <dominique.martinet@atmark-techno.com>
commit 2ea396448f26d0d7d66224cb56500a6789c7ed07 upstream.
commit 8a7d12d674ac ("net: usb: usbnet: fix name regression") assumed
that local addresses always came from the kernel, but some devices hand
out local mac addresses so we ended up with point-to-point devices with
a mac set by the driver, renaming to eth%d when they used to be named
usb%d.
Userspace should not rely on device name, but for the sake of stability
restore the local mac address check portion of the naming exception:
point to point devices which either have no mac set by the driver or
have a local mac handed out by the driver will keep the usb%d name.
(some USB LTE modems are known to hand out a stable mac from the locally
administered range; that mac appears to be random (different for
mulitple devices) and can be reset with device-specific commands, so
while such devices would benefit from getting a OUI reserved, we have
to deal with these and might as well preserve the existing behavior
to avoid breaking fragile openwrt configurations and such on upgrade.)
Link: https://lkml.kernel.org/r/20241203130457.904325-1-asmadeus@codewreck.org
Fixes: 8a7d12d674ac ("net: usb: usbnet: fix name regression")
Cc: stable@vger.kernel.org
Tested-by: Ahmed Naseef <naseefkm@gmail.com>
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20250326-usbnet_rename-v2-1-57eb21fcff26@atmark-techno.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -181,6 +181,17 @@ int usbnet_get_ethernet_addr(struct usbn
}
EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr);
+static bool usbnet_needs_usb_name_format(struct usbnet *dev, struct net_device *net)
+{
+ /* Point to point devices which don't have a real MAC address
+ * (or report a fake local one) have historically used the usb%d
+ * naming. Preserve this..
+ */
+ return (dev->driver_info->flags & FLAG_POINTTOPOINT) != 0 &&
+ (is_zero_ether_addr(net->dev_addr) ||
+ is_local_ether_addr(net->dev_addr));
+}
+
static void intr_complete (struct urb *urb)
{
struct usbnet *dev = urb->context;
@@ -1764,13 +1775,11 @@ usbnet_probe (struct usb_interface *udev
if (status < 0)
goto out1;
- // heuristic: "usb%d" for links we know are two-host,
- // else "eth%d" when there's reasonable doubt. userspace
- // can rename the link if it knows better.
+ /* heuristic: rename to "eth%d" if we are not sure this link
+ * is two-host (these links keep "usb%d")
+ */
if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
- ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
- /* somebody touched it*/
- !is_zero_ether_addr(net->dev_addr)))
+ !usbnet_needs_usb_name_format(dev, net))
strscpy(net->name, "eth%d", sizeof(net->name));
/* WLAN devices should always be named "wlan%d" */
if ((dev->driver_info->flags & FLAG_WLAN) != 0)
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 125/279] memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 124/279] net: usb: usbnet: restore usb%d name exception for local mac addresses Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 126/279] serial: 8250_dma: terminate correct DMA in tx_dma_flush() Greg Kroah-Hartman
` (160 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Qiu, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luo Qiu <luoqiu@kylinsec.com.cn>
commit 4676741a3464b300b486e70585c3c9b692be1632 upstream.
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241
CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x27/0x320
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
print_report+0x3e/0x70
kasan_report+0xab/0xe0
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
? __pfx___schedule+0x10/0x10
? kick_pool+0x3b/0x270
process_one_work+0x357/0x660
worker_thread+0x390/0x4c0
? __pfx_worker_thread+0x10/0x10
kthread+0x190/0x1d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 161446:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x1a7/0x470
memstick_alloc_host+0x1f/0xe0 [memstick]
rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
platform_probe+0x60/0xe0
call_driver_probe+0x35/0x120
really_probe+0x123/0x410
__driver_probe_device+0xc7/0x1e0
driver_probe_device+0x49/0xf0
__device_attach_driver+0xc6/0x160
bus_for_each_drv+0xe4/0x160
__device_attach+0x13a/0x2b0
bus_probe_device+0xbd/0xd0
device_add+0x4a5/0x760
platform_device_add+0x189/0x370
mfd_add_device+0x587/0x5e0
mfd_add_devices+0xb1/0x130
rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]
usb_probe_interface+0x15c/0x460
call_driver_probe+0x35/0x120
really_probe+0x123/0x410
__driver_probe_device+0xc7/0x1e0
driver_probe_device+0x49/0xf0
__device_attach_driver+0xc6/0x160
bus_for_each_drv+0xe4/0x160
__device_attach+0x13a/0x2b0
rebind_marked_interfaces.isra.0+0xcc/0x110
usb_reset_device+0x352/0x410
usbdev_do_ioctl+0xe5c/0x1860
usbdev_ioctl+0xa/0x20
__x64_sys_ioctl+0xc5/0xf0
do_syscall_64+0x59/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 161506:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x36/0x60
__kasan_slab_free+0x34/0x50
kfree+0x1fd/0x3b0
device_release+0x56/0xf0
kobject_cleanup+0x73/0x1c0
rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]
platform_remove+0x2f/0x50
device_release_driver_internal+0x24b/0x2e0
bus_remove_device+0x124/0x1d0
device_del+0x239/0x530
platform_device_del.part.0+0x19/0xe0
platform_device_unregister+0x1c/0x40
mfd_remove_devices_fn+0x167/0x170
device_for_each_child_reverse+0xc9/0x130
mfd_remove_devices+0x6e/0xa0
rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]
usb_unbind_interface+0xf3/0x3f0
device_release_driver_internal+0x24b/0x2e0
proc_disconnect_claim+0x13d/0x220
usbdev_do_ioctl+0xb5e/0x1860
usbdev_ioctl+0xa/0x20
__x64_sys_ioctl+0xc5/0xf0
do_syscall_64+0x59/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Last potentially related work creation:
kasan_save_stack+0x20/0x40
kasan_record_aux_stack+0x85/0x90
insert_work+0x29/0x100
__queue_work+0x34a/0x540
call_timer_fn+0x2a/0x160
expire_timers+0x5f/0x1f0
__run_timer_base.part.0+0x1b6/0x1e0
run_timer_softirq+0x8b/0xe0
handle_softirqs+0xf9/0x360
__irq_exit_rcu+0x114/0x130
sysvec_apic_timer_interrupt+0x72/0x90
asm_sysvec_apic_timer_interrupt+0x16/0x20
Second to last potentially related work creation:
kasan_save_stack+0x20/0x40
kasan_record_aux_stack+0x85/0x90
insert_work+0x29/0x100
__queue_work+0x34a/0x540
call_timer_fn+0x2a/0x160
expire_timers+0x5f/0x1f0
__run_timer_base.part.0+0x1b6/0x1e0
run_timer_softirq+0x8b/0xe0
handle_softirqs+0xf9/0x360
__irq_exit_rcu+0x114/0x130
sysvec_apic_timer_interrupt+0x72/0x90
asm_sysvec_apic_timer_interrupt+0x16/0x20
The buggy address belongs to the object at ffff888136335000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 896 bytes inside of
freed 2048-byte region [ffff888136335000, ffff888136335800)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x136330
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 0017ffffc0000040 ffff888100042f00 ffffea000417a000 dead000000000002
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0017ffffc0000040 ffff888100042f00 ffffea000417a000 dead000000000002
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0017ffffc0000003 ffffea0004d8cc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888136335280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888136335300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888136335380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888136335400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888136335480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: 6827ca573c03 ("memstick: rtsx_usb_ms: Support runtime power management")
Signed-off-by: Luo Qiu <luoqiu@kylinsec.com.cn>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/4B7BC3E6E291E6F2+20250317101438.25650-1-luoqiu@kylinsec.com.cn
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memstick/host/rtsx_usb_ms.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/memstick/host/rtsx_usb_ms.c
+++ b/drivers/memstick/host/rtsx_usb_ms.c
@@ -813,6 +813,7 @@ static int rtsx_usb_ms_drv_remove(struct
host->eject = true;
cancel_work_sync(&host->handle_req);
+ cancel_delayed_work_sync(&host->poll_card);
mutex_lock(&host->host_mutex);
if (host->req) {
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 126/279] serial: 8250_dma: terminate correct DMA in tx_dma_flush()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 125/279] memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 127/279] media: i2c: et8ek8: Dont strip remove function when driver is builtin Greg Kroah-Hartman
` (159 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Wentao Guan, John Keeping,
Ilpo Järvinen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <jkeeping@inmusicbrands.com>
commit a26503092c75abba70a0be2aa01145ecf90c2a22 upstream.
When flushing transmit side DMA, it is the transmit channel that should
be terminated, not the receive channel.
Fixes: 9e512eaaf8f40 ("serial: 8250: Fix fifo underflow on flush")
Cc: stable <stable@kernel.org>
Reported-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20250224121831.1429323-1-jkeeping@inmusicbrands.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/8250/8250_dma.c
+++ b/drivers/tty/serial/8250/8250_dma.c
@@ -150,7 +150,7 @@ void serial8250_tx_dma_flush(struct uart
*/
dma->tx_size = 0;
- dmaengine_terminate_async(dma->rxchan);
+ dmaengine_terminate_async(dma->txchan);
}
int serial8250_rx_dma(struct uart_8250_port *p)
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 127/279] media: i2c: et8ek8: Dont strip remove function when driver is builtin
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 126/279] serial: 8250_dma: terminate correct DMA in tx_dma_flush() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 128/279] watch_queue: fix pipe accounting mismatch Greg Kroah-Hartman
` (158 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sakari Ailus,
Hans Verkuil, Bin Lan, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
commit 545b215736c5c4b354e182d99c578a472ac9bfce upstream.
Using __exit for the remove function results in the remove callback
being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets
unbound (e.g. using sysfs or hotplug), the driver is just removed
without the cleanup being performed. This results in resource leaks. Fix
it by compiling in the remove callback unconditionally.
This also fixes a W=1 modpost warning:
WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)
Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/et8ek8/et8ek8_driver.c
+++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c
@@ -1460,7 +1460,7 @@ err_mutex:
return ret;
}
-static int __exit et8ek8_remove(struct i2c_client *client)
+static int et8ek8_remove(struct i2c_client *client)
{
struct v4l2_subdev *subdev = i2c_get_clientdata(client);
struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev);
@@ -1504,7 +1504,7 @@ static struct i2c_driver et8ek8_i2c_driv
.of_match_table = et8ek8_of_table,
},
.probe_new = et8ek8_probe,
- .remove = __exit_p(et8ek8_remove),
+ .remove = et8ek8_remove,
.id_table = et8ek8_id_table,
};
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 128/279] watch_queue: fix pipe accounting mismatch
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 127/279] media: i2c: et8ek8: Dont strip remove function when driver is builtin Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 129/279] x86/mm/pat: cpa-test: fix length for CPA_ARRAY test Greg Kroah-Hartman
` (157 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Sandeen, Christian Brauner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Sandeen <sandeen@redhat.com>
[ Upstream commit f13abc1e8e1a3b7455511c4e122750127f6bc9b0 ]
Currently, watch_queue_set_size() modifies the pipe buffers charged to
user->pipe_bufs without updating the pipe->nr_accounted on the pipe
itself, due to the if (!pipe_has_watch_queue()) test in
pipe_resize_ring(). This means that when the pipe is ultimately freed,
we decrement user->pipe_bufs by something other than what than we had
charged to it, potentially leading to an underflow. This in turn can
cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.
To remedy this, explicitly account for the pipe usage in
watch_queue_set_size() to match the number set via account_pipe_buffers()
(It's unclear why watch_queue_set_size() does not update nr_accounted;
it may be due to intentional overprovisioning in watch_queue_set_size()?)
Fixes: e95aada4cb93d ("pipe: wakeup wr_wait after setting max_usage")
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Link: https://lore.kernel.org/r/206682a8-0604-49e5-8224-fdbe0c12b460@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/watch_queue.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index ae31bf8d2feb1..6ed37bc95cb7b 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -274,6 +274,15 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
if (ret < 0)
goto error;
+ /*
+ * pipe_resize_ring() does not update nr_accounted for watch_queue
+ * pipes, because the above vastly overprovisions. Set nr_accounted on
+ * and max_usage this pipe to the number that was actually charged to
+ * the user above via account_pipe_buffers.
+ */
+ pipe->max_usage = nr_pages;
+ pipe->nr_accounted = nr_pages;
+
ret = -ENOMEM;
pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
if (!pages)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 129/279] x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 128/279] watch_queue: fix pipe accounting mismatch Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 130/279] cpufreq: scpi: compare kHz instead of Hz Greg Kroah-Hartman
` (156 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
Peter Zijlstra (Intel), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
[ Upstream commit 33ea120582a638b2f2e380a50686c2b1d7cce795 ]
The CPA_ARRAY test always uses len[1] as numpages argument to
change_page_attr_set() although the addresses array is different each
iteration of the test loop.
Replace len[1] with len[i] to have numpages matching the addresses array.
Fixes: ecc729f1f471 ("x86/mm/cpa: Add ARRAY and PAGES_ARRAY selftests")
Signed-off-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250126074733.1384926-2-rppt@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/mm/pat/cpa-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/pat/cpa-test.c b/arch/x86/mm/pat/cpa-test.c
index 0612a73638a81..7641cff719bd0 100644
--- a/arch/x86/mm/pat/cpa-test.c
+++ b/arch/x86/mm/pat/cpa-test.c
@@ -183,7 +183,7 @@ static int pageattr_test(void)
break;
case 1:
- err = change_page_attr_set(addrs, len[1], PAGE_CPA_TEST, 1);
+ err = change_page_attr_set(addrs, len[i], PAGE_CPA_TEST, 1);
break;
case 2:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 130/279] cpufreq: scpi: compare kHz instead of Hz
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 129/279] x86/mm/pat: cpa-test: fix length for CPA_ARRAY test Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 131/279] cpufreq: governor: Fix negative idle_time handling in dbs_update() Greg Kroah-Hartman
` (155 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zuoqian, Dan Carpenter, Viresh Kumar,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: zuoqian <zuoqian113@gmail.com>
[ Upstream commit 4742da9774a416908ef8e3916164192c15c0e2d1 ]
The CPU rate from clk_get_rate() may not be divisible by 1000
(e.g., 133333333). But the rate calculated from frequency(kHz) is
always divisible by 1000 (e.g., 133333000).
Comparing the rate causes a warning during CPU scaling:
"cpufreq: __target_index: Failed to change cpu frequency: -5".
When we choose to compare kHz here, the issue does not occur.
Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency")
Signed-off-by: zuoqian <zuoqian113@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/scpi-cpufreq.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c
index 763692e327b18..35b20c74dbfc7 100644
--- a/drivers/cpufreq/scpi-cpufreq.c
+++ b/drivers/cpufreq/scpi-cpufreq.c
@@ -47,8 +47,9 @@ static unsigned int scpi_cpufreq_get_rate(unsigned int cpu)
static int
scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index)
{
- u64 rate = policy->freq_table[index].frequency * 1000;
+ unsigned long freq_khz = policy->freq_table[index].frequency;
struct scpi_data *priv = policy->driver_data;
+ unsigned long rate = freq_khz * 1000;
int ret;
ret = clk_set_rate(priv->clk, rate);
@@ -56,7 +57,7 @@ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index)
if (ret)
return ret;
- if (clk_get_rate(priv->clk) != rate)
+ if (clk_get_rate(priv->clk) / 1000 != freq_khz)
return -EIO;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 131/279] cpufreq: governor: Fix negative idle_time handling in dbs_update()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 130/279] cpufreq: scpi: compare kHz instead of Hz Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 132/279] x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() Greg Kroah-Hartman
` (154 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jie Zhan, Chen Yu, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jie Zhan <zhanjie9@hisilicon.com>
[ Upstream commit 3698dd6b139dc37b35a9ad83d9330c1f99666c02 ]
We observed an issue that the CPU frequency can't raise up with a 100% CPU
load when NOHZ is off and the 'conservative' governor is selected.
'idle_time' can be negative if it's obtained from get_cpu_idle_time_jiffy()
when NOHZ is off. This was found and explained in commit 9485e4ca0b48
("cpufreq: governor: Fix handling of special cases in dbs_update()").
However, commit 7592019634f8 ("cpufreq: governors: Fix long idle detection
logic in load calculation") introduced a comparison between 'idle_time' and
'samling_rate' to detect a long idle interval. While 'idle_time' is
converted to int before comparison, it's actually promoted to unsigned
again when compared with an unsigned 'sampling_rate'. Hence, this leads to
wrong idle interval detection when it's in fact 100% busy and sets
policy_dbs->idle_periods to a very large value. 'conservative' adjusts the
frequency to minimum because of the large 'idle_periods', such that the
frequency can't raise up. 'Ondemand' doesn't use policy_dbs->idle_periods
so it fortunately avoids the issue.
Correct negative 'idle_time' to 0 before any use of it in dbs_update().
Fixes: 7592019634f8 ("cpufreq: governors: Fix long idle detection logic in load calculation")
Signed-off-by: Jie Zhan <zhanjie9@hisilicon.com>
Reviewed-by: Chen Yu <yu.c.chen@intel.com>
Link: https://patch.msgid.link/20250213035510.2402076-1-zhanjie9@hisilicon.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq_governor.c | 45 +++++++++++++++---------------
1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
index 55c80319d2684..5981e3ef9ce0e 100644
--- a/drivers/cpufreq/cpufreq_governor.c
+++ b/drivers/cpufreq/cpufreq_governor.c
@@ -145,7 +145,23 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
time_elapsed = update_time - j_cdbs->prev_update_time;
j_cdbs->prev_update_time = update_time;
- idle_time = cur_idle_time - j_cdbs->prev_cpu_idle;
+ /*
+ * cur_idle_time could be smaller than j_cdbs->prev_cpu_idle if
+ * it's obtained from get_cpu_idle_time_jiffy() when NOHZ is
+ * off, where idle_time is calculated by the difference between
+ * time elapsed in jiffies and "busy time" obtained from CPU
+ * statistics. If a CPU is 100% busy, the time elapsed and busy
+ * time should grow with the same amount in two consecutive
+ * samples, but in practice there could be a tiny difference,
+ * making the accumulated idle time decrease sometimes. Hence,
+ * in this case, idle_time should be regarded as 0 in order to
+ * make the further process correct.
+ */
+ if (cur_idle_time > j_cdbs->prev_cpu_idle)
+ idle_time = cur_idle_time - j_cdbs->prev_cpu_idle;
+ else
+ idle_time = 0;
+
j_cdbs->prev_cpu_idle = cur_idle_time;
if (ignore_nice) {
@@ -162,7 +178,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
* calls, so the previous load value can be used then.
*/
load = j_cdbs->prev_load;
- } else if (unlikely((int)idle_time > 2 * sampling_rate &&
+ } else if (unlikely(idle_time > 2 * sampling_rate &&
j_cdbs->prev_load)) {
/*
* If the CPU had gone completely idle and a task has
@@ -189,30 +205,15 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
load = j_cdbs->prev_load;
j_cdbs->prev_load = 0;
} else {
- if (time_elapsed >= idle_time) {
+ if (time_elapsed > idle_time)
load = 100 * (time_elapsed - idle_time) / time_elapsed;
- } else {
- /*
- * That can happen if idle_time is returned by
- * get_cpu_idle_time_jiffy(). In that case
- * idle_time is roughly equal to the difference
- * between time_elapsed and "busy time" obtained
- * from CPU statistics. Then, the "busy time"
- * can end up being greater than time_elapsed
- * (for example, if jiffies_64 and the CPU
- * statistics are updated by different CPUs),
- * so idle_time may in fact be negative. That
- * means, though, that the CPU was busy all
- * the time (on the rough average) during the
- * last sampling interval and 100 can be
- * returned as the load.
- */
- load = (int)idle_time < 0 ? 100 : 0;
- }
+ else
+ load = 0;
+
j_cdbs->prev_load = load;
}
- if (unlikely((int)idle_time > 2 * sampling_rate)) {
+ if (unlikely(idle_time > 2 * sampling_rate)) {
unsigned int periods = idle_time / sampling_rate;
if (periods < idle_periods)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 132/279] x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 131/279] cpufreq: governor: Fix negative idle_time handling in dbs_update() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 133/279] x86/platform: Only allow CONFIG_EISA for 32-bit Greg Kroah-Hartman
` (153 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Ingo Molnar,
Andy Lutomirski, H. Peter Anvin, Oleg Nesterov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit 5d3b81d4d8520efe888536b6906dc10fd1a228a8 ]
The init_task instance of struct task_struct is statically allocated and
may not contain the full FP state for userspace. As such, limit the copy
to the valid area of both init_task and 'dst' and ensure all memory is
initialized.
Note that the FP state is only needed for userspace, and as such it is
entirely reasonable for init_task to not contain parts of it.
Fixes: 5aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Link: https://lore.kernel.org/r/20250226133136.816901-1-benjamin@sipsolutions.net
----
v2:
- Fix code if arch_task_struct_size < sizeof(init_task) by using
memcpy_and_pad.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/process.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 720d99520316a..72eb0df1a1a5f 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -83,7 +83,12 @@ EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid);
*/
int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
{
- memcpy(dst, src, arch_task_struct_size);
+ /* init_task is not dynamically sized (incomplete FPU state) */
+ if (unlikely(src == &init_task))
+ memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0);
+ else
+ memcpy(dst, src, arch_task_struct_size);
+
#ifdef CONFIG_VM86
dst->thread.vm86 = NULL;
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 133/279] x86/platform: Only allow CONFIG_EISA for 32-bit
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 132/279] x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 134/279] PM: sleep: Adjust check before setting power.must_resume Greg Kroah-Hartman
` (152 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Ingo Molnar,
Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 976ba8da2f3c2f1e997f4f620da83ae65c0e3728 ]
The CONFIG_EISA menu was cleaned up in 2018, but this inadvertently
brought the option back on 64-bit machines: ISA remains guarded by
a CONFIG_X86_32 check, but EISA no longer depends on ISA.
The last Intel machines ith EISA support used a 82375EB PCI/EISA bridge
from 1993 that could be paired with the 440FX chipset on early Pentium-II
CPUs, long before the first x86-64 products.
Fixes: 6630a8e50105 ("eisa: consolidate EISA Kconfig entry in drivers/eisa")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250226213714.4040853-11-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 90ac8d84389cf..de6a66ad3fa62 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -194,7 +194,7 @@ config X86
select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
select HAVE_EBPF_JIT
select HAVE_EFFICIENT_UNALIGNED_ACCESS
- select HAVE_EISA
+ select HAVE_EISA if X86_32
select HAVE_EXIT_THREAD
select HAVE_FAST_GUP
select HAVE_FENTRY if X86_64 || DYNAMIC_FTRACE
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 134/279] PM: sleep: Adjust check before setting power.must_resume
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 133/279] x86/platform: Only allow CONFIG_EISA for 32-bit Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 135/279] selinux: Chain up tool resolving errors in install_policy.sh Greg Kroah-Hartman
` (151 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Ulf Hansson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit eeb87d17aceab7803a5a5bcb6cf2817b745157cf ]
The check before setting power.must_resume in device_suspend_noirq()
does not take power.child_count into account, but it should do that, so
use pm_runtime_need_not_resume() in it for this purpose and adjust the
comment next to it accordingly.
Fixes: 107d47b2b95e ("PM: sleep: core: Simplify the SMART_SUSPEND flag handling")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://patch.msgid.link/3353728.44csPzL39Z@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 13 ++++++-------
drivers/base/power/runtime.c | 2 +-
include/linux/pm_runtime.h | 2 ++
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 185ea0d93a5e5..8586651320901 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1239,14 +1239,13 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a
dev->power.is_noirq_suspended = true;
/*
- * Skipping the resume of devices that were in use right before the
- * system suspend (as indicated by their PM-runtime usage counters)
- * would be suboptimal. Also resume them if doing that is not allowed
- * to be skipped.
+ * Devices must be resumed unless they are explicitly allowed to be left
+ * in suspend, but even in that case skipping the resume of devices that
+ * were in use right before the system suspend (as indicated by their
+ * runtime PM usage counters and child counters) would be suboptimal.
*/
- if (atomic_read(&dev->power.usage_count) > 1 ||
- !(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) &&
- dev->power.may_skip_resume))
+ if (!(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) &&
+ dev->power.may_skip_resume) || !pm_runtime_need_not_resume(dev))
dev->power.must_resume = true;
if (dev->power.must_resume)
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 6699096ff2fa6..edee7f1af1cec 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1809,7 +1809,7 @@ void pm_runtime_drop_link(struct device_link *link)
pm_request_idle(link->supplier);
}
-static bool pm_runtime_need_not_resume(struct device *dev)
+bool pm_runtime_need_not_resume(struct device *dev)
{
return atomic_read(&dev->power.usage_count) <= 1 &&
(atomic_read(&dev->power.child_count) == 0 ||
diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
index 9a10b6bac4a71..ed01ae76e2fa5 100644
--- a/include/linux/pm_runtime.h
+++ b/include/linux/pm_runtime.h
@@ -46,6 +46,7 @@ static inline bool queue_pm_work(struct work_struct *work)
extern int pm_generic_runtime_suspend(struct device *dev);
extern int pm_generic_runtime_resume(struct device *dev);
+extern bool pm_runtime_need_not_resume(struct device *dev);
extern int pm_runtime_force_suspend(struct device *dev);
extern int pm_runtime_force_resume(struct device *dev);
@@ -234,6 +235,7 @@ static inline bool queue_pm_work(struct work_struct *work) { return false; }
static inline int pm_generic_runtime_suspend(struct device *dev) { return 0; }
static inline int pm_generic_runtime_resume(struct device *dev) { return 0; }
+static inline bool pm_runtime_need_not_resume(struct device *dev) {return true; }
static inline int pm_runtime_force_suspend(struct device *dev) { return 0; }
static inline int pm_runtime_force_resume(struct device *dev) { return 0; }
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 135/279] selinux: Chain up tool resolving errors in install_policy.sh
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 134/279] PM: sleep: Adjust check before setting power.must_resume Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 136/279] EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer Greg Kroah-Hartman
` (150 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tim Schumacher, Paul Moore,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Schumacher <tim.schumacher1@huawei.com>
[ Upstream commit 6ae0042f4d3f331e841495eb0a3d51598e593ec2 ]
Subshell evaluations are not exempt from errexit, so if a command is
not available, `which` will fail and exit the script as a whole.
This causes the helpful error messages to not be printed if they are
tacked on using a `$?` comparison.
Resolve the issue by using chains of logical operators, which are not
subject to the effects of errexit.
Fixes: e37c1877ba5b1 ("scripts/selinux: modernize mdp")
Signed-off-by: Tim Schumacher <tim.schumacher1@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/selinux/install_policy.sh | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 20af56ce245c5..c68f0e045fb00 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -6,27 +6,24 @@ if [ `id -u` -ne 0 ]; then
exit 1
fi
-SF=`which setfiles`
-if [ $? -eq 1 ]; then
+SF=`which setfiles` || {
echo "Could not find setfiles"
echo "Do you have policycoreutils installed?"
exit 1
-fi
+}
-CP=`which checkpolicy`
-if [ $? -eq 1 ]; then
+CP=`which checkpolicy` || {
echo "Could not find checkpolicy"
echo "Do you have checkpolicy installed?"
exit 1
-fi
+}
VERS=`$CP -V | awk '{print $1}'`
-ENABLED=`which selinuxenabled`
-if [ $? -eq 1 ]; then
+ENABLED=`which selinuxenabled` || {
echo "Could not find selinuxenabled"
echo "Do you have libselinux-utils installed?"
exit 1
-fi
+}
if selinuxenabled; then
echo "SELinux is already enabled"
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 136/279] EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 135/279] selinux: Chain up tool resolving errors in install_policy.sh Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 137/279] EDAC/ie31200: Fix the DIMM size mask for several SoCs Greg Kroah-Hartman
` (149 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiuxu Zhuo, Tony Luck, Gary Wang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit d59d844e319d97682c8de29b88d2d60922a683b3 ]
The EDAC_MC_LAYER_CHIP_SELECT layer pertains to the rank, not the DIMM.
Fix its size to reflect the number of ranks instead of the number of DIMMs.
Also delete the unused macros IE31200_{DIMMS,RANKS}.
Fixes: 7ee40b897d18 ("ie31200_edac: Introduce the driver")
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: Gary Wang <gary.c.wang@intel.com>
Link: https://lore.kernel.org/r/20250310011411.31685-2-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/ie31200_edac.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
index 9a9ff5ad611ac..de89df8ff06ee 100644
--- a/drivers/edac/ie31200_edac.c
+++ b/drivers/edac/ie31200_edac.c
@@ -83,8 +83,6 @@
(((did) & PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK) == \
PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK))
-#define IE31200_DIMMS 4
-#define IE31200_RANKS 8
#define IE31200_RANKS_PER_CHANNEL 4
#define IE31200_DIMMS_PER_CHANNEL 2
#define IE31200_CHANNELS 2
@@ -418,7 +416,7 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx)
nr_channels = how_many_channels(pdev);
layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
- layers[0].size = IE31200_DIMMS;
+ layers[0].size = IE31200_RANKS_PER_CHANNEL;
layers[0].is_virt_csrow = true;
layers[1].type = EDAC_MC_LAYER_CHANNEL;
layers[1].size = nr_channels;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 137/279] EDAC/ie31200: Fix the DIMM size mask for several SoCs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 136/279] EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 138/279] EDAC/ie31200: Fix the error path order of ie31200_init() Greg Kroah-Hartman
` (148 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiuxu Zhuo, Tony Luck, Gary Wang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit 3427befbbca6b19fe0e37f91d66ce5221de70bf1 ]
The DIMM size mask for {Sky, Kaby, Coffee} Lake is not bits{7:0},
but bits{5:0}. Fix it.
Fixes: 953dee9bbd24 ("EDAC, ie31200_edac: Add Skylake support")
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: Gary Wang <gary.c.wang@intel.com>
Link: https://lore.kernel.org/r/20250310011411.31685-3-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/ie31200_edac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
index de89df8ff06ee..ead3646294b68 100644
--- a/drivers/edac/ie31200_edac.c
+++ b/drivers/edac/ie31200_edac.c
@@ -154,6 +154,7 @@
#define IE31200_MAD_DIMM_0_OFFSET 0x5004
#define IE31200_MAD_DIMM_0_OFFSET_SKL 0x500C
#define IE31200_MAD_DIMM_SIZE GENMASK_ULL(7, 0)
+#define IE31200_MAD_DIMM_SIZE_SKL GENMASK_ULL(5, 0)
#define IE31200_MAD_DIMM_A_RANK BIT(17)
#define IE31200_MAD_DIMM_A_RANK_SHIFT 17
#define IE31200_MAD_DIMM_A_RANK_SKL BIT(10)
@@ -367,7 +368,7 @@ static void __iomem *ie31200_map_mchbar(struct pci_dev *pdev)
static void __skl_populate_dimm_info(struct dimm_data *dd, u32 addr_decode,
int chan)
{
- dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE;
+ dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE_SKL;
dd->dual_rank = (addr_decode & (IE31200_MAD_DIMM_A_RANK_SKL << (chan << 4))) ? 1 : 0;
dd->x16_width = ((addr_decode & (IE31200_MAD_DIMM_A_WIDTH_SKL << (chan << 4))) >>
(IE31200_MAD_DIMM_A_WIDTH_SKL_SHIFT + (chan << 4)));
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 138/279] EDAC/ie31200: Fix the error path order of ie31200_init()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 137/279] EDAC/ie31200: Fix the DIMM size mask for several SoCs Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 139/279] thermal: int340x: Add NULL check for adev Greg Kroah-Hartman
` (147 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiuxu Zhuo, Tony Luck, Gary Wang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit 231e341036d9988447e3b3345cf741a98139199e ]
The error path order of ie31200_init() is incorrect, fix it.
Fixes: 709ed1bcef12 ("EDAC/ie31200: Fallback if host bridge device is already initialized")
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: Gary Wang <gary.c.wang@intel.com>
Link: https://lore.kernel.org/r/20250310011411.31685-4-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/ie31200_edac.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
index ead3646294b68..acb011cfd8c4f 100644
--- a/drivers/edac/ie31200_edac.c
+++ b/drivers/edac/ie31200_edac.c
@@ -607,7 +607,7 @@ static int __init ie31200_init(void)
pci_rc = pci_register_driver(&ie31200_driver);
if (pci_rc < 0)
- goto fail0;
+ return pci_rc;
if (!mci_pdev) {
ie31200_registered = 0;
@@ -618,11 +618,13 @@ static int __init ie31200_init(void)
if (mci_pdev)
break;
}
+
if (!mci_pdev) {
edac_dbg(0, "ie31200 pci_get_device fail\n");
pci_rc = -ENODEV;
- goto fail1;
+ goto fail0;
}
+
pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]);
if (pci_rc < 0) {
edac_dbg(0, "ie31200 init fail\n");
@@ -630,12 +632,12 @@ static int __init ie31200_init(void)
goto fail1;
}
}
- return 0;
+ return 0;
fail1:
- pci_unregister_driver(&ie31200_driver);
-fail0:
pci_dev_put(mci_pdev);
+fail0:
+ pci_unregister_driver(&ie31200_driver);
return pci_rc;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 139/279] thermal: int340x: Add NULL check for adev
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 138/279] EDAC/ie31200: Fix the error path order of ie31200_init() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 140/279] PM: sleep: Fix handling devices with direct_complete set on errors Greg Kroah-Hartman
` (146 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Uwe Kleine-König,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit 2542a3f70e563a9e70e7ded314286535a3321bdb ]
Not all devices have an ACPI companion fwnode, so adev might be NULL.
This is similar to the commit cd2fd6eab480
("platform/x86: int3472: Check for adev == NULL").
Add a check for adev not being set and return -ENODEV in that case to
avoid a possible NULL pointer deref in int3402_thermal_probe().
Note, under the same directory, int3400_thermal_probe() has such a
check.
Fixes: 77e337c6e23e ("Thermal: introduce INT3402 thermal driver")
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20250313043611.1212116-1-chenyuan0y@gmail.com
[ rjw: Subject edit, added Fixes: ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/intel/int340x_thermal/int3402_thermal.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
index 43fa351e2b9ec..b7fdf25bfd237 100644
--- a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
+++ b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
@@ -45,6 +45,9 @@ static int int3402_thermal_probe(struct platform_device *pdev)
struct int3402_thermal_data *d;
int ret;
+ if (!adev)
+ return -ENODEV;
+
if (!acpi_has_method(adev->handle, "_TMP"))
return -ENODEV;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 140/279] PM: sleep: Fix handling devices with direct_complete set on errors
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 139/279] thermal: int340x: Add NULL check for adev Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 141/279] lockdep: Dont disable interrupts on RT in disable_irq_nosync_lockdep.*() Greg Kroah-Hartman
` (145 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saravana Kannan, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 03f1444016b71feffa1dfb8a51f15ba592f94b13 ]
When dpm_suspend() fails, some devices with power.direct_complete set
may not have been handled by device_suspend() yet, so runtime PM has
not been disabled for them yet even though power.direct_complete is set.
Since device_resume() expects that runtime PM has been disabled for all
devices with power.direct_complete set, it will attempt to reenable
runtime PM for the devices that have not been processed by device_suspend()
which does not make sense. Had those devices had runtime PM disabled
before device_suspend() had run, device_resume() would have inadvertently
enable runtime PM for them, but this is not expected to happen because
it would require ->prepare() callbacks to return positive values for
devices with runtime PM disabled, which would be invalid.
In practice, this issue is most likely benign because pm_runtime_enable()
will not allow the "disable depth" counter to underflow, but it causes a
warning message to be printed for each affected device.
To allow device_resume() to distinguish the "direct complete" devices
that have been processed by device_suspend() from those which have not
been handled by it, make device_suspend() set power.is_suspended for
"direct complete" devices.
Next, move the power.is_suspended check in device_resume() before the
power.direct_complete check in it to make it skip the "direct complete"
devices that have not been handled by device_suspend().
This change is based on a preliminary patch from Saravana Kannan.
Fixes: aae4518b3124 ("PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily")
Link: https://lore.kernel.org/linux-pm/20241114220921.2529905-2-saravanak@google.com/
Reported-by: Saravana Kannan <saravanak@google.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Saravana Kannan <saravanak@google.com>
Link: https://patch.msgid.link/12627587.O9o76ZdvQC@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 8586651320901..d77ab224b861a 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -897,6 +897,9 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
if (dev->power.syscore)
goto Complete;
+ if (!dev->power.is_suspended)
+ goto Complete;
+
if (dev->power.direct_complete) {
/* Match the pm_runtime_disable() in __device_suspend(). */
pm_runtime_enable(dev);
@@ -915,9 +918,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
*/
dev->power.is_prepared = false;
- if (!dev->power.is_suspended)
- goto Unlock;
-
if (dev->pm_domain) {
info = "power domain ";
callback = pm_op(&dev->pm_domain->ops, state);
@@ -957,7 +957,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
error = dpm_run_callback(callback, dev, state, info);
dev->power.is_suspended = false;
- Unlock:
device_unlock(dev);
dpm_watchdog_clear(&wd);
@@ -1642,6 +1641,7 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
pm_runtime_disable(dev);
if (pm_runtime_status_suspended(dev)) {
pm_dev_dbg(dev, state, "direct-complete ");
+ dev->power.is_suspended = true;
goto Complete;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 141/279] lockdep: Dont disable interrupts on RT in disable_irq_nosync_lockdep.*()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 140/279] PM: sleep: Fix handling devices with direct_complete set on errors Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 142/279] perf/ring_buffer: Allow the EPOLLRDNORM flag for poll Greg Kroah-Hartman
` (144 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck,
Steven Rostedt (Google), Sebastian Andrzej Siewior,
Peter Zijlstra (Intel), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 87886b32d669abc11c7be95ef44099215e4f5788 ]
disable_irq_nosync_lockdep() disables interrupts with lockdep enabled to
avoid false positive reports by lockdep that a certain lock has not been
acquired with disabled interrupts. The user of this macros expects that
a lock can be acquried without disabling interrupts because the IRQ line
triggering the interrupt is disabled.
This triggers a warning on PREEMPT_RT because after
disable_irq_nosync_lockdep.*() the following spinlock_t now is acquired
with disabled interrupts.
On PREEMPT_RT there is no difference between spin_lock() and
spin_lock_irq() so avoiding disabling interrupts in this case works for
the two remaining callers as of today.
Don't disable interrupts on PREEMPT_RT in disable_irq_nosync_lockdep.*().
Closes: https://lore.kernel.org/760e34f9-6034-40e0-82a5-ee9becd24438@roeck-us.net
Fixes: e8106b941ceab ("[PATCH] lockdep: core, add enable/disable_irq_irqsave/irqrestore() APIs")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Suggested-by: "Steven Rostedt (Google)" <rostedt@goodmis.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250212103619.2560503-2-bigeasy@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/interrupt.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
index 1f22a30c09637..976bca44bae0c 100644
--- a/include/linux/interrupt.h
+++ b/include/linux/interrupt.h
@@ -408,7 +408,7 @@ irq_calc_affinity_vectors(unsigned int minvec, unsigned int maxvec,
static inline void disable_irq_nosync_lockdep(unsigned int irq)
{
disable_irq_nosync(irq);
-#ifdef CONFIG_LOCKDEP
+#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
local_irq_disable();
#endif
}
@@ -416,7 +416,7 @@ static inline void disable_irq_nosync_lockdep(unsigned int irq)
static inline void disable_irq_nosync_lockdep_irqsave(unsigned int irq, unsigned long *flags)
{
disable_irq_nosync(irq);
-#ifdef CONFIG_LOCKDEP
+#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
local_irq_save(*flags);
#endif
}
@@ -431,7 +431,7 @@ static inline void disable_irq_lockdep(unsigned int irq)
static inline void enable_irq_lockdep(unsigned int irq)
{
-#ifdef CONFIG_LOCKDEP
+#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
local_irq_enable();
#endif
enable_irq(irq);
@@ -439,7 +439,7 @@ static inline void enable_irq_lockdep(unsigned int irq)
static inline void enable_irq_lockdep_irqrestore(unsigned int irq, unsigned long *flags)
{
-#ifdef CONFIG_LOCKDEP
+#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
local_irq_restore(*flags);
#endif
enable_irq(irq);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 142/279] perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 141/279] lockdep: Dont disable interrupts on RT in disable_irq_nosync_lockdep.*() Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 143/279] media: platform: allgro-dvt: unregister v4l2_device on the error path Greg Kroah-Hartman
` (143 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tao Chen, Ingo Molnar,
Peter Zijlstra, Arnaldo Carvalho de Melo, H. Peter Anvin,
Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Chen <chen.dylane@linux.dev>
[ Upstream commit c96fff391c095c11dc87dab35be72dee7d217cde ]
The poll man page says POLLRDNORM is equivalent to POLLIN. For poll(),
it seems that if user sets pollfd with POLLRDNORM in userspace, perf_poll
will not return until timeout even if perf_output_wakeup called,
whereas POLLIN returns.
Fixes: 76369139ceb9 ("perf: Split up buffer handling from core code")
Signed-off-by: Tao Chen <chen.dylane@linux.dev>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250314030036.2543180-1-chen.dylane@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/ring_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index 98588e96b5919..3e1655374c2ed 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -19,7 +19,7 @@
static void perf_output_wakeup(struct perf_output_handle *handle)
{
- atomic_set(&handle->rb->poll, EPOLLIN);
+ atomic_set(&handle->rb->poll, EPOLLIN | EPOLLRDNORM);
handle->event->pending_wakeup = 1;
irq_work_queue(&handle->event->pending_irq);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 143/279] media: platform: allgro-dvt: unregister v4l2_device on the error path
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 142/279] perf/ring_buffer: Allow the EPOLLRDNORM flag for poll Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 144/279] HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER Greg Kroah-Hartman
` (142 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Michael Tretter,
Sebastian Fricke, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit c2b96a6818159fba8a3bcc38262da9e77f9b3ec7 ]
In allegro_probe(), the v4l2 device is not unregistered in the error
path, which results in a memory leak. Fix it by calling
v4l2_device_unregister() before returning error.
Fixes: d74d4e2359ec ("media: allegro: move driver out of staging")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/allegro-dvt/allegro-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c
index 881c5bbf61568..f472eb19cd92f 100644
--- a/drivers/media/platform/allegro-dvt/allegro-core.c
+++ b/drivers/media/platform/allegro-dvt/allegro-core.c
@@ -3740,6 +3740,7 @@ static int allegro_probe(struct platform_device *pdev)
if (ret < 0) {
v4l2_err(&dev->v4l2_dev,
"failed to request firmware: %d\n", ret);
+ v4l2_device_unregister(&dev->v4l2_dev);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 144/279] HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 143/279] media: platform: allgro-dvt: unregister v4l2_device on the error path Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 145/279] ALSA: hda/realtek: Always honor no_shutup_pins Greg Kroah-Hartman
` (141 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby, Srinivas Pandruvada,
Jiri Kosina, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Kosina <jkosina@suse.com>
[ Upstream commit fe0fb58325e519008e2606a5aa2cff7ad23e212d ]
The line
obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/
in top-level HID Makefile is both superfluous (as CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
depends on CONFIG_INTEL_ISH_HID, which contains intel-ish-hid/ already) and wrong (as it's
missing the CONFIG_ prefix).
Just remove it.
Fixes: 91b228107da3e ("HID: intel-ish-hid: ISH firmware loader client driver")
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/Makefile | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile
index e29efcb1c0402..9fc46db0a3da6 100644
--- a/drivers/hid/Makefile
+++ b/drivers/hid/Makefile
@@ -144,7 +144,6 @@ obj-$(CONFIG_USB_KBD) += usbhid/
obj-$(CONFIG_I2C_HID_CORE) += i2c-hid/
obj-$(CONFIG_INTEL_ISH_HID) += intel-ish-hid/
-obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/
obj-$(CONFIG_AMD_SFH_HID) += amd-sfh-hid/
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 145/279] ALSA: hda/realtek: Always honor no_shutup_pins
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 144/279] HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 146/279] ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible Greg Kroah-Hartman
` (140 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin,
Oleg Gorobets
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5a0c72c1da3cbc0cd4940a95d1be2830104c6edf ]
The workaround for Dell machines to skip the pin-shutup for mic pins
introduced alc_headset_mic_no_shutup() that is replaced from the
generic snd_hda_shutup_pins() for certain codecs. The problem is that
the call is done unconditionally even if spec->no_shutup_pins is set.
This seems causing problems on other platforms like Lenovo.
This patch corrects the behavior and the driver honors always
spec->no_shutup_pins flag and skips alc_headset_mic_no_shutup() if
it's set.
Fixes: dad3197da7a3 ("ALSA: hda/realtek - Fixup headphone noise via runtime suspend")
Reported-and-tested-by: Oleg Gorobets <oleg.goro@gmail.com>
Link: https://patch.msgid.link/20250315143020.27184-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index cc0d6e040a1d2..12967b40ab088 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -576,6 +576,9 @@ static void alc_shutup_pins(struct hda_codec *codec)
{
struct alc_spec *spec = codec->spec;
+ if (spec->no_shutup_pins)
+ return;
+
switch (codec->core.vendor_id) {
case 0x10ec0236:
case 0x10ec0256:
@@ -591,8 +594,7 @@ static void alc_shutup_pins(struct hda_codec *codec)
alc_headset_mic_no_shutup(codec);
break;
default:
- if (!spec->no_shutup_pins)
- snd_hda_shutup_pins(codec);
+ snd_hda_shutup_pins(codec);
break;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 146/279] ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 145/279] ALSA: hda/realtek: Always honor no_shutup_pins Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 147/279] drm/bridge: ti-sn65dsi86: Fix multiple instances Greg Kroah-Hartman
` (139 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jayesh Choudhary, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit 45ff65e30deb919604e68faed156ad96ce7474d9 ]
For 'ti,j7200-cpb-audio' compatible, there is support for only one PLL for
48k. For 11025, 22050, 44100 and 88200 sampling rates, due to absence of
J721E_CLK_PARENT_44100, we get EINVAL while running any audio application.
Add support for these rates by using the 48k parent clock and adjusting
the clock for these rates later in j721e_configure_refclk.
Fixes: 6748d0559059 ("ASoC: ti: Add custom machine driver for j721e EVM (CPB and IVI)")
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Link: https://patch.msgid.link/20250318113524.57100-1-j-choudhary@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/ti/j721e-evm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/ti/j721e-evm.c b/sound/soc/ti/j721e-evm.c
index 149f4e2ce9998..7f2734318452f 100644
--- a/sound/soc/ti/j721e-evm.c
+++ b/sound/soc/ti/j721e-evm.c
@@ -182,6 +182,8 @@ static int j721e_configure_refclk(struct j721e_priv *priv,
clk_id = J721E_CLK_PARENT_48000;
else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_44100])
clk_id = J721E_CLK_PARENT_44100;
+ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_48000])
+ clk_id = J721E_CLK_PARENT_48000;
else
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 147/279] drm/bridge: ti-sn65dsi86: Fix multiple instances
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 146/279] ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 148/279] drm/dp_mst: Fix drm RAD print Greg Kroah-Hartman
` (138 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Douglas Anderson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 574f5ee2c85a00a579549d50e9fc9c6c072ee4c4 ]
Each bridge instance creates up to four auxiliary devices with different
names. However, their IDs are always zero, causing duplicate filename
errors when a system has multiple bridges:
sysfs: cannot create duplicate filename '/bus/auxiliary/devices/ti_sn65dsi86.gpio.0'
Fix this by using a unique instance ID per bridge instance. The
instance ID is derived from the I2C adapter number and the bridge's I2C
address, to support multiple instances on the same bus.
Fixes: bf73537f411b ("drm/bridge: ti-sn65dsi86: Break GPIO and MIPI-to-eDP bridge into sub-drivers")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/7a68a0e3f927e26edca6040067fb653eb06efb79.1733840089.git.geert+renesas@glider.be
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
index b488c6cb8f106..1c9dd62d3c47b 100644
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -424,6 +424,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata,
const char *name)
{
struct device *dev = pdata->dev;
+ const struct i2c_client *client = to_i2c_client(dev);
struct auxiliary_device *aux;
int ret;
@@ -432,6 +433,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata,
return -ENOMEM;
aux->name = name;
+ aux->id = (client->adapter->nr << 10) | client->addr;
aux->dev.parent = dev;
aux->dev.release = ti_sn65dsi86_aux_device_release;
device_set_of_node_from_dev(&aux->dev, dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 148/279] drm/dp_mst: Fix drm RAD print
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 147/279] drm/bridge: ti-sn65dsi86: Fix multiple instances Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 149/279] drm: xlnx: zynqmp: Fix max dma segment size Greg Kroah-Hartman
` (137 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Deak, Ville Syrjälä,
Harry Wentland, Lyude Paul, Wayne Lin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Lin <Wayne.Lin@amd.com>
[ Upstream commit 6bbce873a9c97cb12f5455c497be279ac58e707f ]
[Why]
The RAD of sideband message printed today is incorrect.
For RAD stored within MST branch
- If MST branch LCT is 1, it's RAD array is untouched and remained as 0.
- If MST branch LCT is larger than 1, use nibble to store the up facing
port number in cascaded sequence as illustrated below:
u8 RAD[0] = (LCT_2_UFP << 4) | LCT_3_UFP
RAD[1] = (LCT_4_UFP << 4) | LCT_5_UFP
...
In drm_dp_mst_rad_to_str(), it wrongly to use BIT_MASK(4) to fetch the port
number of one nibble.
[How]
Adjust the code by:
- RAD array items are valuable only for LCT >= 1.
- Use 0xF as the mask to replace BIT_MASK(4)
V2:
- Document how RAD is constructed (Imre)
V3:
- Adjust the comment for rad[] so kdoc formats it properly (Lyude)
Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests")
Cc: Imre Deak <imre.deak@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Harry Wentland <hwentlan@amd.com>
Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250113091100.3314533-2-Wayne.Lin@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_dp_mst_topology.c | 8 ++++----
include/drm/drm_dp_mst_helper.h | 7 +++++++
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index 86e1a61b6b6df..70be5719e403b 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -178,13 +178,13 @@ static int
drm_dp_mst_rad_to_str(const u8 rad[8], u8 lct, char *out, size_t len)
{
int i;
- u8 unpacked_rad[16];
+ u8 unpacked_rad[16] = {};
- for (i = 0; i < lct; i++) {
+ for (i = 1; i < lct; i++) {
if (i % 2)
- unpacked_rad[i] = rad[i / 2] >> 4;
+ unpacked_rad[i] = rad[(i - 1) / 2] >> 4;
else
- unpacked_rad[i] = rad[i / 2] & BIT_MASK(4);
+ unpacked_rad[i] = rad[(i - 1) / 2] & 0xF;
}
/* TODO: Eventually add something to printk so we can format the rad
diff --git a/include/drm/drm_dp_mst_helper.h b/include/drm/drm_dp_mst_helper.h
index ddb9231d03097..9911264e0b155 100644
--- a/include/drm/drm_dp_mst_helper.h
+++ b/include/drm/drm_dp_mst_helper.h
@@ -232,6 +232,13 @@ struct drm_dp_mst_branch {
*/
struct list_head destroy_next;
+ /**
+ * @rad: Relative Address of the MST branch.
+ * For &drm_dp_mst_topology_mgr.mst_primary, it's rad[8] are all 0,
+ * unset and unused. For MST branches connected after mst_primary,
+ * in each element of rad[] the nibbles are ordered by the most
+ * signifcant 4 bits first and the least significant 4 bits second.
+ */
u8 rad[8];
u8 lct;
int num_ports;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 149/279] drm: xlnx: zynqmp: Fix max dma segment size
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 148/279] drm/dp_mst: Fix drm RAD print Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 150/279] drm/vkms: Fix use after free and double free on init error Greg Kroah-Hartman
` (136 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Tomi Valkeinen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit 28b529a98525123acd37372a04d21e87ec2edcf7 ]
Fix "mapping sg segment longer than device claims to support" warning by
setting the max segment size.
Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem")
Reviewed-by: Sean Anderson <sean.anderson@linux.dev>
Tested-by: Sean Anderson <sean.anderson@linux.dev>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250115-xilinx-formats-v2-10-160327ca652a@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
index 5bb42d0a2de98..78b7dd210d89c 100644
--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
+++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
@@ -204,6 +204,8 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev)
if (ret)
return ret;
+ dma_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32));
+
/* Try the reserved memory. Proceed if there's none. */
of_reserved_mem_device_init(&pdev->dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 150/279] drm/vkms: Fix use after free and double free on init error
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 149/279] drm: xlnx: zynqmp: Fix max dma segment size Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 151/279] drm/mediatek: mtk_hdmi: Unregister audio platform device on failure Greg Kroah-Hartman
` (135 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Louis Chauvet,
José Expósito, Thomas Zimmermann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: José Expósito <jose.exposito89@gmail.com>
[ Upstream commit ed15511a773df86205bda66c37193569575ae828 ]
If the driver initialization fails, the vkms_exit() function might
access an uninitialized or freed default_config pointer and it might
double free it.
Fix both possible errors by initializing default_config only when the
driver initialization succeeded.
Reported-by: Louis Chauvet <louis.chauvet@bootlin.com>
Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/
Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de>
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exposito89@gmail.com
Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c
index f716c5796f5fc..09025ff3b1961 100644
--- a/drivers/gpu/drm/vkms/vkms_drv.c
+++ b/drivers/gpu/drm/vkms/vkms_drv.c
@@ -226,17 +226,19 @@ static int __init vkms_init(void)
if (!config)
return -ENOMEM;
- default_config = config;
-
config->cursor = enable_cursor;
config->writeback = enable_writeback;
config->overlay = enable_overlay;
ret = vkms_create(config);
- if (ret)
+ if (ret) {
kfree(config);
+ return ret;
+ }
- return ret;
+ default_config = config;
+
+ return 0;
}
static void vkms_destroy(struct vkms_config *config)
@@ -260,9 +262,10 @@ static void vkms_destroy(struct vkms_config *config)
static void __exit vkms_exit(void)
{
- if (default_config->dev)
- vkms_destroy(default_config);
+ if (!default_config)
+ return;
+ vkms_destroy(default_config);
kfree(default_config);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 151/279] drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 150/279] drm/vkms: Fix use after free and double free on init error Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 152/279] drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member Greg Kroah-Hartman
` (134 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 0be123cafc06eed0fd1227166a66e786434b0c50 ]
The probe function of this driver may fail after registering the
audio platform device: in that case, the state is not getting
cleaned up, leaving this device registered.
Adding up to the mix, should the probe function of this driver
return a probe deferral for N times, we're registering up to N
audio platform devices and, again, never freeing them up.
To fix this, add a pointer to the audio platform device in the
mtk_hdmi structure, and add a devm action to unregister it upon
driver removal or probe failure.
Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-18-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_hdmi.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
index 7613b0fa2be6e..047ed79dce3ff 100644
--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
+++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
@@ -174,6 +174,7 @@ struct mtk_hdmi {
unsigned int sys_offset;
void __iomem *regs;
enum hdmi_colorspace csp;
+ struct platform_device *audio_pdev;
struct hdmi_audio_param aud_param;
bool audio_enable;
bool powered;
@@ -1667,6 +1668,11 @@ static const struct hdmi_codec_ops mtk_hdmi_audio_codec_ops = {
.no_capture_mute = 1,
};
+static void mtk_hdmi_unregister_audio_driver(void *data)
+{
+ platform_device_unregister(data);
+}
+
static int mtk_hdmi_register_audio_driver(struct device *dev)
{
struct mtk_hdmi *hdmi = dev_get_drvdata(dev);
@@ -1676,13 +1682,20 @@ static int mtk_hdmi_register_audio_driver(struct device *dev)
.i2s = 1,
.data = hdmi,
};
- struct platform_device *pdev;
+ int ret;
- pdev = platform_device_register_data(dev, HDMI_CODEC_DRV_NAME,
- PLATFORM_DEVID_AUTO, &codec_data,
- sizeof(codec_data));
- if (IS_ERR(pdev))
- return PTR_ERR(pdev);
+ hdmi->audio_pdev = platform_device_register_data(dev,
+ HDMI_CODEC_DRV_NAME,
+ PLATFORM_DEVID_AUTO,
+ &codec_data,
+ sizeof(codec_data));
+ if (IS_ERR(hdmi->audio_pdev))
+ return PTR_ERR(hdmi->audio_pdev);
+
+ ret = devm_add_action_or_reset(dev, mtk_hdmi_unregister_audio_driver,
+ hdmi->audio_pdev);
+ if (ret)
+ return ret;
DRM_INFO("%s driver bound to HDMI\n", HDMI_CODEC_DRV_NAME);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 152/279] drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 151/279] drm/mediatek: mtk_hdmi: Unregister audio platform device on failure Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 153/279] PCI/ASPM: Fix link state exit during switch upstream function removal Greg Kroah-Hartman
` (133 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 72fcb88e7bbc053ed4fc74cebb0315b98a0f20c3 ]
Rename member aud_sampe_size of struct hdmi_audio_param to
aud_sample_size to fix a typo and enhance readability.
This commit brings no functional changes.
Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-20-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_hdmi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
index 047ed79dce3ff..67ab6579daf72 100644
--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
+++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
@@ -138,7 +138,7 @@ enum hdmi_aud_channel_swap_type {
struct hdmi_audio_param {
enum hdmi_audio_coding_type aud_codec;
- enum hdmi_audio_sample_size aud_sampe_size;
+ enum hdmi_audio_sample_size aud_sample_size;
enum hdmi_aud_input_type aud_input_type;
enum hdmi_aud_i2s_fmt aud_i2s_fmt;
enum hdmi_aud_mclk aud_mclk;
@@ -1076,7 +1076,7 @@ static int mtk_hdmi_output_init(struct mtk_hdmi *hdmi)
hdmi->csp = HDMI_COLORSPACE_RGB;
aud_param->aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
- aud_param->aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ aud_param->aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
aud_param->aud_input_type = HDMI_AUD_INPUT_I2S;
aud_param->aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT;
aud_param->aud_mclk = HDMI_AUD_MCLK_128FS;
@@ -1577,14 +1577,14 @@ static int mtk_hdmi_audio_hw_params(struct device *dev, void *data,
switch (daifmt->fmt) {
case HDMI_I2S:
hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
hdmi_params.aud_input_type = HDMI_AUD_INPUT_I2S;
hdmi_params.aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT;
hdmi_params.aud_mclk = HDMI_AUD_MCLK_128FS;
break;
case HDMI_SPDIF:
hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
hdmi_params.aud_input_type = HDMI_AUD_INPUT_SPDIF;
break;
default:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 153/279] PCI/ASPM: Fix link state exit during switch upstream function removal
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 152/279] drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 154/279] PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload Greg Kroah-Hartman
` (132 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Stodden, Bjorn Helgaas,
Krzysztof Wilczyński, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Stodden <daniel.stodden@gmail.com>
[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ]
Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to
avoid use-after-free"), we would free the ASPM link only after the last
function on the bus pertaining to the given link was removed.
That was too late. If function 0 is removed before sibling function,
link->downstream would point to free'd memory after.
After above change, we freed the ASPM parent link state upon any function
removal on the bus pertaining to a given link.
That is too early. If the link is to a PCIe switch with MFD on the upstream
port, then removing functions other than 0 first would free a link which
still remains parent_link to the remaining downstream ports.
The resulting GPFs are especially frequent during hot-unplug, because
pciehp removes devices on the link bus in reverse order.
On that switch, function 0 is the virtual P2P bridge to the internal bus.
Free exactly when function 0 is removed -- before the parent link is
obsolete, but after all subordinate links are gone.
Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com
Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free")
Signed-off-by: Daniel Stodden <dns@arista.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pcie/aspm.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
index e3f81948ce724..521340126b339 100644
--- a/drivers/pci/pcie/aspm.c
+++ b/drivers/pci/pcie/aspm.c
@@ -1014,16 +1014,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
parent_link = link->parent;
/*
- * link->downstream is a pointer to the pci_dev of function 0. If
- * we remove that function, the pci_dev is about to be deallocated,
- * so we can't use link->downstream again. Free the link state to
- * avoid this.
+ * Free the parent link state, no later than function 0 (i.e.
+ * link->downstream) being removed.
*
- * If we're removing a non-0 function, it's possible we could
- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends
- * programming the same ASPM Control value for all functions of
- * multi-function devices, so disable ASPM for all of them.
+ * Do not free the link state any earlier. If function 0 is a
+ * switch upstream port, this link state is parent_link to all
+ * subordinate ones.
*/
+ if (pdev != link->downstream)
+ goto out;
+
pcie_config_aspm_link(link, 0);
list_del(&link->sibling);
free_link_state(link);
@@ -1034,6 +1034,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
pcie_config_aspm_path(parent_link);
}
+ out:
mutex_unlock(&aspm_lock);
up_read(&pci_bus_sem);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 154/279] PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 153/279] PCI/ASPM: Fix link state exit during switch upstream function removal Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 155/279] PCI: brcmstb: Use internal register to change link capability Greg Kroah-Hartman
` (131 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Zhang, Hans Zhang,
Manivannan Sadhasivam, Krzysztof Wilczyński, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit 3ac47fbf4f6e8c3a7c3855fac68cc3246f90f850 ]
Per the Cadence's "PCIe Controller IP for AX14" user guide, Version
1.04, Section 9.1.7.1, "AXI Subordinate to PCIe Address Translation
Registers", Table 9.4, the bit 16 of the AXI Subordinate Address
(axi_s_awaddr) when set corresponds to MSG with data, and when not set,
to MSG without data.
However, the driver is currently doing the opposite and due to this,
the INTx is never received on the host.
So, fix the driver to reflect the documentation and also make INTx work.
Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
Signed-off-by: Hans Zhang <18255117159@163.com>
Signed-off-by: Hans Zhang <hans.zhang@cixtech.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20250214165724.184599-1-18255117159@163.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +--
drivers/pci/controller/cadence/pcie-cadence.h | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/cadence/pcie-cadence-ep.c b/drivers/pci/controller/cadence/pcie-cadence-ep.c
index 18e32b8ffd5ef..90d1e2ac774e0 100644
--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c
+++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c
@@ -354,8 +354,7 @@ static void cdns_pcie_ep_assert_intx(struct cdns_pcie_ep *ep, u8 fn, u8 intx,
spin_unlock_irqrestore(&ep->lock, flags);
offset = CDNS_PCIE_NORMAL_MSG_ROUTING(MSG_ROUTING_LOCAL) |
- CDNS_PCIE_NORMAL_MSG_CODE(msg_code) |
- CDNS_PCIE_MSG_NO_DATA;
+ CDNS_PCIE_NORMAL_MSG_CODE(msg_code);
writel(0, ep->irq_cpu_addr + offset);
}
diff --git a/drivers/pci/controller/cadence/pcie-cadence.h b/drivers/pci/controller/cadence/pcie-cadence.h
index 262421e5d9178..ef649c807af4e 100644
--- a/drivers/pci/controller/cadence/pcie-cadence.h
+++ b/drivers/pci/controller/cadence/pcie-cadence.h
@@ -235,7 +235,7 @@ struct cdns_pcie_rp_ib_bar {
#define CDNS_PCIE_NORMAL_MSG_CODE_MASK GENMASK(15, 8)
#define CDNS_PCIE_NORMAL_MSG_CODE(code) \
(((code) << 8) & CDNS_PCIE_NORMAL_MSG_CODE_MASK)
-#define CDNS_PCIE_MSG_NO_DATA BIT(16)
+#define CDNS_PCIE_MSG_DATA BIT(16)
struct cdns_pcie;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 155/279] PCI: brcmstb: Use internal register to change link capability
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 154/279] PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 156/279] PCI/portdrv: Only disable pciehp interrupts early when needed Greg Kroah-Hartman
` (130 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Quinlan, Florian Fainelli,
Manivannan Sadhasivam, Krzysztof Wilczyński, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Quinlan <james.quinlan@broadcom.com>
[ Upstream commit 0c97321e11e0e9e18546f828492758f6aaecec59 ]
The driver has been mistakenly writing to a read-only (RO)
configuration space register (PCI_EXP_LNKCAP) to change the
PCIe link capability.
Although harmless in this case, the proper write destination
is an internal register that is reflected by PCI_EXP_LNKCAP.
Thus, fix the brcm_pcie_set_gen() function to correctly update
the link capability.
Fixes: c0452137034b ("PCI: brcmstb: Add Broadcom STB PCIe host controller driver")
Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20250214173944.47506-3-james.quinlan@broadcom.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-brcmstb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c
index cc30215f5a433..c3c1d700f519a 100644
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -410,10 +410,10 @@ static int brcm_pcie_set_ssc(struct brcm_pcie *pcie)
static void brcm_pcie_set_gen(struct brcm_pcie *pcie, int gen)
{
u16 lnkctl2 = readw(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2);
- u32 lnkcap = readl(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP);
+ u32 lnkcap = readl(pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
lnkcap = (lnkcap & ~PCI_EXP_LNKCAP_SLS) | gen;
- writel(lnkcap, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP);
+ writel(lnkcap, pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
lnkctl2 = (lnkctl2 & ~0xf) | gen;
writew(lnkctl2, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 156/279] PCI/portdrv: Only disable pciehp interrupts early when needed
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 155/279] PCI: brcmstb: Use internal register to change link capability Greg Kroah-Hartman
@ 2025-04-08 10:48 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 157/279] PCI: Avoid reset when disabled via sysfs Greg Kroah-Hartman
` (129 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Feng Tang,
Bjorn Helgaas, Kuppuswamy Sathyanarayanan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Tang <feng.tang@linux.alibaba.com>
[ Upstream commit 9d7db4db19827380e225914618c0c1bf435ed2f5 ]
Firmware developers reported that Linux issues two PCIe hotplug commands in
very short intervals on an ARM server, which doesn't comply with the PCIe
spec. According to PCIe r6.1, sec 6.7.3.2, if the Command Completed event
is supported, software must wait for a command to complete or wait at
least 1 second before sending a new command.
In the failure case, the first PCIe hotplug command is from
get_port_device_capability(), which sends a command to disable PCIe hotplug
interrupts without waiting for its completion, and the second command comes
from pcie_enable_notification() of pciehp driver, which enables hotplug
interrupts again.
Fix this by only disabling the hotplug interrupts when the pciehp driver is
not enabled.
Link: https://lore.kernel.org/r/20250303023630.78397-1-feng.tang@linux.alibaba.com
Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization")
Suggested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Feng Tang <feng.tang@linux.alibaba.com>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pcie/portdrv_core.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c
index 604feeb84ee40..3e5274ad60f10 100644
--- a/drivers/pci/pcie/portdrv_core.c
+++ b/drivers/pci/pcie/portdrv_core.c
@@ -214,10 +214,12 @@ static int get_port_device_capability(struct pci_dev *dev)
/*
* Disable hot-plug interrupts in case they have been enabled
- * by the BIOS and the hot-plug service driver is not loaded.
+ * by the BIOS and the hot-plug service driver won't be loaded
+ * to handle them.
*/
- pcie_capability_clear_word(dev, PCI_EXP_SLTCTL,
- PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE);
+ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
+ pcie_capability_clear_word(dev, PCI_EXP_SLTCTL,
+ PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE);
}
#ifdef CONFIG_PCIEAER
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 157/279] PCI: Avoid reset when disabled via sysfs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-04-08 10:48 ` [PATCH 5.15 156/279] PCI/portdrv: Only disable pciehp interrupts early when needed Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 158/279] drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() Greg Kroah-Hartman
` (128 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nishanth Aravamudan, Bjorn Helgaas,
Alex Williamson, Raphael Norwitz, Amey Narkhede, Jason Gunthorpe,
Yishai Hadas, Shameer Kolothum, Kevin Tian, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nishanth Aravamudan <naravamudan@nvidia.com>
[ Upstream commit 479380efe1625e251008d24b2810283db60d6fcd ]
After d88f521da3ef ("PCI: Allow userspace to query and set device reset
mechanism"), userspace can disable reset of specific PCI devices by writing
an empty string to the sysfs reset_method file.
However, pci_slot_resettable() does not check pci_reset_supported(), which
means that pci_reset_function() will still reset the device even if
userspace has disabled all the reset methods.
I was able to reproduce this issue with a vfio device passed to a qemu
guest, where I had disabled PCI reset via sysfs.
Add an explicit check of pci_reset_supported() in both
pci_slot_resettable() and pci_bus_resettable() to ensure both the reset
status and reset execution are bypassed if an administrator disables it for
a device.
Link: https://lore.kernel.org/r/20250207205600.1846178-1-naravamudan@nvidia.com
Fixes: d88f521da3ef ("PCI: Allow userspace to query and set device reset mechanism")
Signed-off-by: Nishanth Aravamudan <naravamudan@nvidia.com>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Raphael Norwitz <raphael.norwitz@nutanix.com>
Cc: Amey Narkhede <ameynarkhede03@gmail.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Yishai Hadas <yishaih@nvidia.com>
Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Cc: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index fbaf9af62bd67..6a5f53f968c3d 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -5484,6 +5484,8 @@ static bool pci_bus_resetable(struct pci_bus *bus)
return false;
list_for_each_entry(dev, &bus->devices, bus_list) {
+ if (!pci_reset_supported(dev))
+ return false;
if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
(dev->subordinate && !pci_bus_resetable(dev->subordinate)))
return false;
@@ -5560,6 +5562,8 @@ static bool pci_slot_resetable(struct pci_slot *slot)
list_for_each_entry(dev, &slot->bus->devices, bus_list) {
if (!dev->slot || dev->slot != slot)
continue;
+ if (!pci_reset_supported(dev))
+ return false;
if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
(dev->subordinate && !pci_bus_resetable(dev->subordinate)))
return false;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 158/279] drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 157/279] PCI: Avoid reset when disabled via sysfs Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 159/279] PCI: Remove stray put_device() in pci_register_host_bridge() Greg Kroah-Hartman
` (127 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaliy Shevtsov, Alex Hung,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
[ Upstream commit c3c584c18c90a024a54716229809ba36424f9660 ]
There is a type mismatch between what CalculateDynamicMetadataParameters()
takes and what is passed to it. Currently this function accepts several
args as signed long but it's called with unsigned integers and integer. On
some systems where long is 32 bits and one of these unsigned int params is
greater than INT_MAX it may cause passing input params as negative values.
Fix this by changing these argument types from long to unsigned int and to
int respectively. Also this will align the function's definition with
similar functions in other dcn* drivers.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 6725a88f88a7 ("drm/amd/display: Add DCN3 DML")
Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
index de0fa87b301a5..5c0d49d4eb8ec 100644
--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
@@ -283,10 +283,10 @@ static void CalculateDynamicMetadataParameters(
double DISPCLK,
double DCFClkDeepSleep,
double PixelClock,
- long HTotal,
- long VBlank,
- long DynamicMetadataTransmittedBytes,
- long DynamicMetadataLinesBeforeActiveRequired,
+ unsigned int HTotal,
+ unsigned int VBlank,
+ unsigned int DynamicMetadataTransmittedBytes,
+ int DynamicMetadataLinesBeforeActiveRequired,
int InterlaceEnable,
bool ProgressiveToInterlaceUnitInOPP,
double *Tsetup,
@@ -3375,8 +3375,8 @@ static double CalculateWriteBackDelay(
static void CalculateDynamicMetadataParameters(int MaxInterDCNTileRepeaters, double DPPCLK, double DISPCLK,
- double DCFClkDeepSleep, double PixelClock, long HTotal, long VBlank, long DynamicMetadataTransmittedBytes,
- long DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP,
+ double DCFClkDeepSleep, double PixelClock, unsigned int HTotal, unsigned int VBlank, unsigned int DynamicMetadataTransmittedBytes,
+ int DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP,
double *Tsetup, double *Tdmbf, double *Tdmec, double *Tdmsks)
{
double TotalRepeaterDelayTime = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 159/279] PCI: Remove stray put_device() in pci_register_host_bridge()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 158/279] drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 160/279] PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe Greg Kroah-Hartman
` (126 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Bjorn Helgaas,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 6e8d06e5096c80cbf41313b4a204f43071ca42be ]
This put_device() was accidentally left over from when we changed the code
from using device_register() to calling device_add(). Delete it.
Link: https://lore.kernel.org/r/55b24870-89fb-4c91-b85d-744e35db53c2@stanley.mountain
Fixes: 9885440b16b8 ("PCI: Fix pci_host_bridge struct device release/free handling")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index dd2134c7c4192..51615e4d28f41 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -926,10 +926,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
goto free;
err = device_add(&bridge->dev);
- if (err) {
- put_device(&bridge->dev);
+ if (err)
goto free;
- }
+
bus->bridge = get_device(&bridge->dev);
device_enable_async_suspend(bus->bridge);
pci_set_bus_of_node(bus);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 160/279] PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 159/279] PCI: Remove stray put_device() in pci_register_host_bridge() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 161/279] drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() Greg Kroah-Hartman
` (125 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thippeswamy Havalige,
Krzysztof Wilczyński, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thippeswamy Havalige <thippeswamy.havalige@amd.com>
[ Upstream commit 57b0302240741e73fe51f88404b3866e0d2933ad ]
The IRQ domain allocated for the PCIe controller is not freed if
resource_list_first_type() returns NULL, leading to a resource leak.
This fix ensures properly cleaning up the allocated IRQ domain in
the error path.
Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
Signed-off-by: Thippeswamy Havalige <thippeswamy.havalige@amd.com>
[kwilczynski: added missing Fixes: tag, refactored to use one of the goto labels]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Link: https://lore.kernel.org/r/20250224155025.782179-2-thippeswamy.havalige@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-xilinx-cpm.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/controller/pcie-xilinx-cpm.c b/drivers/pci/controller/pcie-xilinx-cpm.c
index 95426df032000..1e72cea8563f3 100644
--- a/drivers/pci/controller/pcie-xilinx-cpm.c
+++ b/drivers/pci/controller/pcie-xilinx-cpm.c
@@ -556,13 +556,15 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev)
return err;
bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS);
- if (!bus)
- return -ENODEV;
+ if (!bus) {
+ err = -ENODEV;
+ goto err_free_irq_domains;
+ }
err = xilinx_cpm_pcie_parse_dt(port, bus->res);
if (err) {
dev_err(dev, "Parsing DT failed\n");
- goto err_parse_dt;
+ goto err_free_irq_domains;
}
xilinx_cpm_pcie_init_port(port);
@@ -586,7 +588,7 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev)
xilinx_cpm_free_interrupts(port);
err_setup_irq:
pci_ecam_free(port->cfg);
-err_parse_dt:
+err_free_irq_domains:
xilinx_cpm_free_irq_domains(port);
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 161/279] drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 160/279] PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 162/279] PCI: pciehp: Dont enable HPIE when resuming in poll mode Greg Kroah-Hartman
` (124 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Mattijs Korpershoek, AngeloGioacchino Del Regno, CK Hu,
Chun-Kuang Hu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit dcb166ee43c3d594e7b73a24f6e8cf5663eeff2c ]
There is a type bug because the return statement:
return ret < 0 ? ret : recv_cnt;
The issue is that ret is an int, recv_cnt is a u32 and the function
returns ssize_t, which is a signed long. The way that the type promotion
works is that the negative error codes are first cast to u32 and then
to signed long. The error codes end up being positive instead of
negative and the callers treat them as success.
Fixes: 81cc7e51c4f1 ("drm/mediatek: Allow commands to be sent during video mode")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/r/202412210801.iADw0oIH-lkp@intel.com/
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/b754a408-4f39-4e37-b52d-7706c132e27f@stanley.mountain/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
index 3b55a83b7cdff..cac98f0104257 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -920,12 +920,12 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
const struct mipi_dsi_msg *msg)
{
struct mtk_dsi *dsi = host_to_dsi(host);
- u32 recv_cnt, i;
+ ssize_t recv_cnt;
u8 read_data[16];
void *src_addr;
u8 irq_flag = CMD_DONE_INT_FLAG;
u32 dsi_mode;
- int ret;
+ int ret, i;
dsi_mode = readl(dsi->regs + DSI_MODE_CTRL);
if (dsi_mode & MODE) {
@@ -974,7 +974,7 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
if (recv_cnt)
memcpy(msg->rx_buf, src_addr, recv_cnt);
- DRM_INFO("dsi get %d byte data from the panel address(0x%x)\n",
+ DRM_INFO("dsi get %zd byte data from the panel address(0x%x)\n",
recv_cnt, *((u8 *)(msg->tx_buf)));
restore_dsi_mode:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 162/279] PCI: pciehp: Dont enable HPIE when resuming in poll mode
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 161/279] drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 163/279] fbdev: au1100fb: Move a variable assignment behind a null pointer check Greg Kroah-Hartman
` (123 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Lukas Wunner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 527664f738afb6f2c58022cd35e63801e5dc7aec ]
PCIe hotplug can operate in poll mode without interrupt handlers using a
polling kthread only. eb34da60edee ("PCI: pciehp: Disable hotplug
interrupt during suspend") failed to consider that and enables HPIE
(Hot-Plug Interrupt Enable) unconditionally when resuming the Port.
Only set HPIE if non-poll mode is in use. This makes
pcie_enable_interrupt() match how pcie_enable_notification() already
handles HPIE.
Link: https://lore.kernel.org/r/20250321162114.3939-1-ilpo.jarvinen@linux.intel.com
Fixes: eb34da60edee ("PCI: pciehp: Disable hotplug interrupt during suspend")
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/hotplug/pciehp_hpc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
index 7773009b8b32e..6647ade09f054 100644
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -840,7 +840,9 @@ void pcie_enable_interrupt(struct controller *ctrl)
{
u16 mask;
- mask = PCI_EXP_SLTCTL_HPIE | PCI_EXP_SLTCTL_DLLSCE;
+ mask = PCI_EXP_SLTCTL_DLLSCE;
+ if (!pciehp_poll_mode)
+ mask |= PCI_EXP_SLTCTL_HPIE;
pcie_write_cmd(ctrl, mask, mask);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 163/279] fbdev: au1100fb: Move a variable assignment behind a null pointer check
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 162/279] PCI: pciehp: Dont enable HPIE when resuming in poll mode Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 164/279] mdacon: rework dependency list Greg Kroah-Hartman
` (122 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Elfring,
Uwe Kleine-König, Helge Deller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Elfring <elfring@users.sourceforge.net>
[ Upstream commit 2df2c0caaecfd869b49e14f2b8df822397c5dd7f ]
The address of a data structure member was determined before
a corresponding null pointer check in the implementation of
the function “au1100fb_setmode”.
This issue was detected by using the Coccinelle software.
Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.")
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/au1100fb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c
index 37a6512feda0f..abb769824840e 100644
--- a/drivers/video/fbdev/au1100fb.c
+++ b/drivers/video/fbdev/au1100fb.c
@@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi)
*/
int au1100fb_setmode(struct au1100fb_device *fbdev)
{
- struct fb_info *info = &fbdev->info;
+ struct fb_info *info;
u32 words;
int index;
if (!fbdev)
return -EINVAL;
+ info = &fbdev->info;
+
/* Update var-dependent FB info */
if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) {
if (info->var.bits_per_pixel <= 8) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 164/279] mdacon: rework dependency list
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 163/279] fbdev: au1100fb: Move a variable assignment behind a null pointer check Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 165/279] fbdev: sm501fb: Add some geometry checks Greg Kroah-Hartman
` (121 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Thomas Zimmermann,
Helge Deller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 5bbcc7645f4b244ffb5ac6563fbe9d3d42194447 ]
mdacon has roughly the same dependencies as vgacon but expresses them
as a negative list instead of a positive list, with the only practical
difference being PowerPC/CHRP, which uses vga16fb instead of vgacon.
The CONFIG_MDA_CONSOLE description advises to only turn it on when vgacon
is also used because MDA/Hercules-only systems should be using vgacon
instead, so just change the list to enforce that directly for simplicity.
The probing was broken from 2002 to 2008, this improves on the fix
that was added then: If vgacon is a loadable module, then mdacon
cannot be built-in now, and the list of systems that support vgacon
is carried over.
Fixes: 0b9cf3aa6b1e ("mdacon messing up default vc's - set default to vc13-16 again")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/console/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig
index fcc46380e7c91..390280ce7ea3e 100644
--- a/drivers/video/console/Kconfig
+++ b/drivers/video/console/Kconfig
@@ -23,7 +23,7 @@ config VGA_CONSOLE
Say Y.
config MDA_CONSOLE
- depends on !M68K && !PARISC && ISA
+ depends on VGA_CONSOLE && ISA
tristate "MDA text console (dual-headed)"
help
Say Y here if you have an old MDA or monochrome Hercules graphics
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 165/279] fbdev: sm501fb: Add some geometry checks.
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 164/279] mdacon: rework dependency list Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 166/279] clk: amlogic: gxbb: drop incorrect flag on 32k clock Greg Kroah-Hartman
` (120 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Danila Chernetsov, Helge Deller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danila Chernetsov <listdansp@mail.ru>
[ Upstream commit aee50bd88ea5fde1ff4cc021385598f81a65830c ]
Added checks for xoffset, yoffset settings.
Incorrect settings of these parameters can lead to errors
in sm501fb_pan_ functions.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 5fc404e47bdf ("[PATCH] fb: SM501 framebuffer driver")
Signed-off-by: Danila Chernetsov <listdansp@mail.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/sm501fb.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c
index 6a52eba645596..3c46838651b06 100644
--- a/drivers/video/fbdev/sm501fb.c
+++ b/drivers/video/fbdev/sm501fb.c
@@ -326,6 +326,13 @@ static int sm501fb_check_var(struct fb_var_screeninfo *var,
if (var->xres_virtual > 4096 || var->yres_virtual > 2048)
return -EINVAL;
+ /* geometry sanity checks */
+ if (var->xres + var->xoffset > var->xres_virtual)
+ return -EINVAL;
+
+ if (var->yres + var->yoffset > var->yres_virtual)
+ return -EINVAL;
+
/* can cope with 8,16 or 32bpp */
if (var->bits_per_pixel <= 8)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 166/279] clk: amlogic: gxbb: drop incorrect flag on 32k clock
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 165/279] fbdev: sm501fb: Add some geometry checks Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 167/279] crypto: hisilicon/sec2 - fix for aead authsize alignment Greg Kroah-Hartman
` (119 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Jerome Brunet,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet <jbrunet@baylibre.com>
[ Upstream commit f38f7fe4830c5cb4eac138249225f119e7939965 ]
gxbb_32k_clk_div sets CLK_DIVIDER_ROUND_CLOSEST in the init_data flag which
is incorrect. This is field is not where the divider flags belong.
Thankfully, CLK_DIVIDER_ROUND_CLOSEST maps to bit 4 which is an unused
clock flag, so there is no unintended consequence to this error.
Effectively, the clock has been used without CLK_DIVIDER_ROUND_CLOSEST
so far, so just drop it.
Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-1-baca56ecf2db@baylibre.com
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/meson/gxbb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
index 608e0e8ca49a8..48c47503ea752 100644
--- a/drivers/clk/meson/gxbb.c
+++ b/drivers/clk/meson/gxbb.c
@@ -1310,7 +1310,7 @@ static struct clk_regmap gxbb_32k_clk_div = {
&gxbb_32k_clk_sel.hw
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT | CLK_DIVIDER_ROUND_CLOSEST,
+ .flags = CLK_SET_RATE_PARENT,
},
};
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 167/279] crypto: hisilicon/sec2 - fix for aead authsize alignment
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 166/279] clk: amlogic: gxbb: drop incorrect flag on 32k clock Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 168/279] remoteproc: core: Clear table_sz when rproc_shutdown Greg Kroah-Hartman
` (118 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenkai Lin, Chenghai Huang,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenkai Lin <linwenkai6@hisilicon.com>
[ Upstream commit a49cc71e219040d771a8c1254879984f98192811 ]
The hardware only supports authentication sizes
that are 4-byte aligned. Therefore, the driver
switches to software computation in this case.
Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2")
Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/sec2/sec_crypto.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
index 32150e05a2795..6de3ccd0fa9b7 100644
--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
+++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
@@ -55,7 +55,6 @@
#define SEC_TYPE_MASK 0x0F
#define SEC_DONE_MASK 0x0001
#define SEC_ICV_MASK 0x000E
-#define SEC_SQE_LEN_RATE_MASK 0x3
#define SEC_TOTAL_IV_SZ (SEC_IV_SIZE * QM_Q_DEPTH)
#define SEC_SGL_SGE_NR 128
@@ -77,16 +76,16 @@
#define SEC_TOTAL_PBUF_SZ (PAGE_SIZE * SEC_PBUF_PAGE_NUM + \
SEC_PBUF_LEFT_SZ)
-#define SEC_SQE_LEN_RATE 4
#define SEC_SQE_CFLAG 2
#define SEC_SQE_AEAD_FLAG 3
#define SEC_SQE_DONE 0x1
#define SEC_ICV_ERR 0x2
-#define MIN_MAC_LEN 4
#define MAC_LEN_MASK 0x1U
#define MAX_INPUT_DATA_LEN 0xFFFE00
#define BITS_MASK 0xFF
+#define WORD_MASK 0x3
#define BYTE_BITS 0x8
+#define BYTES_TO_WORDS(bcount) ((bcount) >> 2)
#define SEC_XTS_NAME_SZ 0x3
#define IV_CM_CAL_NUM 2
#define IV_CL_MASK 0x7
@@ -1133,7 +1132,7 @@ static int sec_aead_setkey(struct crypto_aead *tfm, const u8 *key,
goto bad_key;
}
- if (ctx->a_ctx.a_key_len & SEC_SQE_LEN_RATE_MASK) {
+ if (ctx->a_ctx.a_key_len & WORD_MASK) {
ret = -EINVAL;
dev_err(dev, "AUTH key length error!\n");
goto bad_key;
@@ -1538,11 +1537,10 @@ static void sec_auth_bd_fill_ex(struct sec_auth_ctx *ctx, int dir,
sec_sqe->type2.a_key_addr = cpu_to_le64(ctx->a_key_dma);
- sec_sqe->type2.mac_key_alg = cpu_to_le32(authsize / SEC_SQE_LEN_RATE);
+ sec_sqe->type2.mac_key_alg = cpu_to_le32(BYTES_TO_WORDS(authsize));
sec_sqe->type2.mac_key_alg |=
- cpu_to_le32((u32)((ctx->a_key_len) /
- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET);
+ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET);
sec_sqe->type2.mac_key_alg |=
cpu_to_le32((u32)(ctx->a_alg) << SEC_AEAD_ALG_OFFSET);
@@ -1594,12 +1592,10 @@ static void sec_auth_bd_fill_ex_v3(struct sec_auth_ctx *ctx, int dir,
sqe3->a_key_addr = cpu_to_le64(ctx->a_key_dma);
sqe3->auth_mac_key |=
- cpu_to_le32((u32)(authsize /
- SEC_SQE_LEN_RATE) << SEC_MAC_OFFSET_V3);
+ cpu_to_le32(BYTES_TO_WORDS(authsize) << SEC_MAC_OFFSET_V3);
sqe3->auth_mac_key |=
- cpu_to_le32((u32)(ctx->a_key_len /
- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET_V3);
+ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET_V3);
sqe3->auth_mac_key |=
cpu_to_le32((u32)(ctx->a_alg) << SEC_AUTH_ALG_OFFSET_V3);
@@ -2205,8 +2201,8 @@ static int sec_aead_spec_check(struct sec_ctx *ctx, struct sec_req *sreq)
struct device *dev = ctx->dev;
int ret;
- /* Hardware does not handle cases where authsize is less than 4 bytes */
- if (unlikely(sz < MIN_MAC_LEN)) {
+ /* Hardware does not handle cases where authsize is not 4 bytes aligned */
+ if (c_mode == SEC_CMODE_CBC && (sz & WORD_MASK)) {
sreq->aead_req.fallback = true;
return -EINVAL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 168/279] remoteproc: core: Clear table_sz when rproc_shutdown
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 167/279] crypto: hisilicon/sec2 - fix for aead authsize alignment Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 169/279] of: property: Increase NR_FWNODE_REFERENCE_ARGS Greg Kroah-Hartman
` (117 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Bjorn Andersson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit efdde3d73ab25cef4ff2d06783b0aad8b093c0e4 ]
There is case as below could trigger kernel dump:
Use U-Boot to start remote processor(rproc) with resource table
published to a fixed address by rproc. After Kernel boots up,
stop the rproc, load a new firmware which doesn't have resource table
,and start rproc.
When starting rproc with a firmware not have resource table,
`memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will
trigger dump, because rproc->cache_table is set to NULL during the last
stop operation, but rproc->table_sz is still valid.
This issue is found on i.MX8MP and i.MX9.
Dump as below:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000
[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38
Hardware name: NXP i.MX8MPlus EVK board (DT)
pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __pi_memcpy_generic+0x110/0x22c
lr : rproc_start+0x88/0x1e0
Call trace:
__pi_memcpy_generic+0x110/0x22c (P)
rproc_boot+0x198/0x57c
state_store+0x40/0x104
dev_attr_store+0x18/0x2c
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x120/0x1cc
vfs_write+0x240/0x378
ksys_write+0x70/0x108
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x10c
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x30/0xcc
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
Clear rproc->table_sz to address the issue.
Fixes: 9dc9507f1880 ("remoteproc: Properly deal with the resource table when detaching")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/20250319100106.3622619-1-peng.fan@oss.nxp.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/remoteproc_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index 97e59f7461261..9e6d0dda64a99 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -2102,6 +2102,7 @@ void rproc_shutdown(struct rproc *rproc)
kfree(rproc->cached_table);
rproc->cached_table = NULL;
rproc->table_ptr = NULL;
+ rproc->table_sz = 0;
out:
mutex_unlock(&rproc->lock);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 169/279] of: property: Increase NR_FWNODE_REFERENCE_ARGS
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 168/279] remoteproc: core: Clear table_sz when rproc_shutdown Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 170/279] remoteproc: qcom_q6v5_pas: Make single-PD handling more robust Greg Kroah-Hartman
` (116 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Sakari Ailus,
Rob Herring (Arm), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit eb50844d728f11e87491f7c7af15a4a737f1159d ]
Currently, the following two macros have different values:
// The maximal argument count for firmware node reference
#define NR_FWNODE_REFERENCE_ARGS 8
// The maximal argument count for DT node reference
#define MAX_PHANDLE_ARGS 16
It may cause firmware node reference's argument count out of range if
directly assign DT node reference's argument count to firmware's.
drivers/of/property.c:of_fwnode_get_reference_args() is doing the direct
assignment, so may cause firmware's argument count @args->nargs got out
of range, namely, in [9, 16].
Fix by increasing NR_FWNODE_REFERENCE_ARGS to 16 to meet DT requirement.
Will align both macros later to avoid such inconsistency.
Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args")
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://lore.kernel.org/r/20250225-fix_arg_count-v4-1-13cdc519eb31@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/fwnode.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/fwnode.h b/include/linux/fwnode.h
index 2d68606fb725d..f0833bafe6bd4 100644
--- a/include/linux/fwnode.h
+++ b/include/linux/fwnode.h
@@ -67,7 +67,7 @@ struct fwnode_endpoint {
#define SWNODE_GRAPH_PORT_NAME_FMT "port@%u"
#define SWNODE_GRAPH_ENDPOINT_NAME_FMT "endpoint@%u"
-#define NR_FWNODE_REFERENCE_ARGS 8
+#define NR_FWNODE_REFERENCE_ARGS 16
/**
* struct fwnode_reference_args - Fwnode reference with additional arguments
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 170/279] remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 169/279] of: property: Increase NR_FWNODE_REFERENCE_ARGS Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 171/279] libbpf: Fix hypothetical STT_SECTION extern NULL deref case Greg Kroah-Hartman
` (115 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Luca Weiss,
Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca@lucaweiss.eu>
[ Upstream commit e917b73234b02aa4966325e7380d2559bf127ba9 ]
Only go into the if condition for single-PD handling when there's
actually just one power domain specified there. Otherwise it'll be an
issue in the dts and we should fail in the regular code path.
This also mirrors the latest changes in the qcom_q6v5_mss driver.
Suggested-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains")
Signed-off-by: Luca Weiss <luca@lucaweiss.eu>
Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Link: https://lore.kernel.org/r/20250128-pas-singlepd-v1-2-85d9ae4b0093@lucaweiss.eu
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_pas.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
index fbcbc00f2e645..776319ab1baf9 100644
--- a/drivers/remoteproc/qcom_q6v5_pas.c
+++ b/drivers/remoteproc/qcom_q6v5_pas.c
@@ -330,16 +330,16 @@ static int adsp_pds_attach(struct device *dev, struct device **devs,
if (!pd_names)
return 0;
+ while (pd_names[num_pds])
+ num_pds++;
+
/* Handle single power domain */
- if (dev->pm_domain) {
+ if (num_pds == 1 && dev->pm_domain) {
devs[0] = dev;
pm_runtime_enable(dev);
return 1;
}
- while (pd_names[num_pds])
- num_pds++;
-
for (i = 0; i < num_pds; i++) {
devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]);
if (IS_ERR_OR_NULL(devs[i])) {
@@ -364,7 +364,7 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds,
int i;
/* Handle single power domain */
- if (dev->pm_domain && pd_count) {
+ if (pd_count == 1 && dev->pm_domain) {
pm_runtime_disable(dev);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 171/279] libbpf: Fix hypothetical STT_SECTION extern NULL deref case
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 170/279] remoteproc: qcom_q6v5_pas: Make single-PD handling more robust Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 172/279] clk: samsung: Fix UBSAN panic in samsung_clk_init() Greg Kroah-Hartman
` (114 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit e0525cd72b5979d8089fe524a071ea93fd011dc9 ]
Fix theoretical NULL dereference in linker when resolving *extern*
STT_SECTION symbol against not-yet-existing ELF section. Not sure if
it's possible in practice for valid ELF object files (this would require
embedded assembly manipulations, at which point BTF will be missing),
but fix the s/dst_sym/dst_sec/ typo guarding this condition anyways.
Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20250220002821.834400-1-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/linker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index 2adf55f487430..fc91814a35e8e 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c
@@ -1966,7 +1966,7 @@ static int linker_append_elf_sym(struct bpf_linker *linker, struct src_obj *obj,
obj->sym_map[src_sym_idx] = dst_sym_idx;
- if (sym_type == STT_SECTION && dst_sym) {
+ if (sym_type == STT_SECTION && dst_sec) {
dst_sec->sec_sym_idx = dst_sym_idx;
dst_sym->st_value = 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 172/279] clk: samsung: Fix UBSAN panic in samsung_clk_init()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 171/279] libbpf: Fix hypothetical STT_SECTION extern NULL deref case Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 173/279] clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock Greg Kroah-Hartman
` (113 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will McVicker, Krzysztof Kozlowski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will McVicker <willmcvicker@google.com>
[ Upstream commit d19d7345a7bcdb083b65568a11b11adffe0687af ]
With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to
dereferencing `ctx->clk_data.hws` before setting
`ctx->clk_data.num = nr_clks`. Move that up to fix the crash.
UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
<snip>
Call trace:
samsung_clk_init+0x110/0x124 (P)
samsung_clk_init+0x48/0x124 (L)
samsung_cmu_register_one+0x3c/0xa0
exynos_arm64_register_cmu+0x54/0x64
__gs101_cmu_top_of_clk_init_declare+0x28/0x60
...
Fixes: e620a1e061c4 ("drivers/clk: convert VL struct to struct_size")
Signed-off-by: Will McVicker <willmcvicker@google.com>
Link: https://lore.kernel.org/r/20250212183253.509771-1-willmcvicker@google.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/samsung/clk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/samsung/clk.c b/drivers/clk/samsung/clk.c
index 1949ae7851b2e..0468ce5506aef 100644
--- a/drivers/clk/samsung/clk.c
+++ b/drivers/clk/samsung/clk.c
@@ -64,11 +64,11 @@ struct samsung_clk_provider *__init samsung_clk_init(struct device_node *np,
if (!ctx)
panic("could not allocate clock provider context.\n");
+ ctx->clk_data.num = nr_clks;
for (i = 0; i < nr_clks; ++i)
ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
ctx->reg_base = base;
- ctx->clk_data.num = nr_clks;
spin_lock_init(&ctx->lock);
return ctx;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 173/279] clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 172/279] clk: samsung: Fix UBSAN panic in samsung_clk_init() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 174/279] bpf: Use preempt_count() directly in bpf_send_signal_common() Greg Kroah-Hartman
` (112 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Lypak,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Lypak <vladimir.lypak@gmail.com>
[ Upstream commit cdc59600bccf2cb4c483645438a97d4ec55f326b ]
This clock can't be enable with VENUS_CORE0 GDSC turned off. But that
GDSC is under HW control so it can be turned off at any moment.
Instead of checking the dependent clock we can just vote for it to
enable later when GDSC gets turned on.
Fixes: 9bb6cfc3c77e6 ("clk: qcom: Add Global Clock Controller driver for MSM8953")
Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20250315-clock-fix-v1-2-2efdc4920dda@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-msm8953.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/gcc-msm8953.c b/drivers/clk/qcom/gcc-msm8953.c
index 49513f1366ffd..9d11f993843db 100644
--- a/drivers/clk/qcom/gcc-msm8953.c
+++ b/drivers/clk/qcom/gcc-msm8953.c
@@ -3771,7 +3771,7 @@ static struct clk_branch gcc_venus0_axi_clk = {
static struct clk_branch gcc_venus0_core0_vcodec0_clk = {
.halt_reg = 0x4c02c,
- .halt_check = BRANCH_HALT,
+ .halt_check = BRANCH_HALT_SKIP,
.clkr = {
.enable_reg = 0x4c02c,
.enable_mask = BIT(0),
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 174/279] bpf: Use preempt_count() directly in bpf_send_signal_common()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 173/279] clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 175/279] lib: 842: Improve error handling in sw842_compress() Greg Kroah-Hartman
` (111 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hou Tao, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
[ Upstream commit b4a8b5bba712a711d8ca1f7d04646db63f9c88f5 ]
bpf_send_signal_common() uses preemptible() to check whether or not the
current context is preemptible. If it is preemptible, it will use
irq_work to send the signal asynchronously instead of trying to hold a
spin-lock, because spin-lock is sleepable under PREEMPT_RT.
However, preemptible() depends on CONFIG_PREEMPT_COUNT. When
CONFIG_PREEMPT_COUNT is turned off (e.g., CONFIG_PREEMPT_VOLUNTARY=y),
!preemptible() will be evaluated as 1 and bpf_send_signal_common() will
use irq_work unconditionally.
Fix it by unfolding "!preemptible()" and using "preempt_count() != 0 ||
irqs_disabled()" instead.
Fixes: 87c544108b61 ("bpf: Send signals asynchronously if !preemptible")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20250220042259.1583319-1-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/bpf_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 60acc3c76316f..dba736defdfec 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -799,7 +799,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
if (unlikely(is_global_init(current)))
return -EPERM;
- if (!preemptible()) {
+ if (preempt_count() != 0 || irqs_disabled()) {
/* Do an early check on signal validity. Otherwise,
* the error is lost in deferred irq_work.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 175/279] lib: 842: Improve error handling in sw842_compress()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 174/279] bpf: Use preempt_count() directly in bpf_send_signal_common() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 176/279] pinctrl: renesas: rza2: Fix missing of_node_put() call Greg Kroah-Hartman
` (110 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tanya Agarwal, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tanya Agarwal <tanyaagarwal25699@gmail.com>
[ Upstream commit af324dc0e2b558678aec42260cce38be16cc77ca ]
The static code analysis tool "Coverity Scan" pointed the following
implementation details out for further development considerations:
CID 1309755: Unused value
In sw842_compress: A value assigned to a variable is never used. (CWE-563)
returned_value: Assigning value from add_repeat_template(p, repeat_count)
to ret here, but that stored value is overwritten before it can be used.
Conclusion:
Add error handling for the return value from an add_repeat_template()
call.
Fixes: 2da572c959dd ("lib: add software 842 compression/decompression")
Signed-off-by: Tanya Agarwal <tanyaagarwal25699@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/842/842_compress.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/842/842_compress.c b/lib/842/842_compress.c
index c02baa4168e16..055356508d97c 100644
--- a/lib/842/842_compress.c
+++ b/lib/842/842_compress.c
@@ -532,6 +532,8 @@ int sw842_compress(const u8 *in, unsigned int ilen,
}
if (repeat_count) {
ret = add_repeat_template(p, repeat_count);
+ if (ret)
+ return ret;
repeat_count = 0;
if (next == last) /* reached max repeat bits */
goto repeat;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 176/279] pinctrl: renesas: rza2: Fix missing of_node_put() call
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 175/279] lib: 842: Improve error handling in sw842_compress() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 177/279] pinctrl: renesas: rzg2l: " Greg Kroah-Hartman
` (109 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabrizio Castro, Lad Prabhakar,
Geert Uytterhoeven, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
[ Upstream commit abcdeb4e299a11ecb5a3ea0cce00e68e8f540375 ]
of_parse_phandle_with_fixed_args() requires its caller to
call into of_node_put() on the node pointer from the output
structure, but such a call is currently missing.
Call into of_node_put() to rectify that.
Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/20250305163753.34913-5-fabrizio.castro.jz@renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/renesas/pinctrl-rza2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c
index ddd8ee6b604ef..1fd3191d9f8d9 100644
--- a/drivers/pinctrl/renesas/pinctrl-rza2.c
+++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
@@ -253,6 +253,8 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv)
return ret;
}
+ of_node_put(of_args.np);
+
if ((of_args.args[0] != 0) ||
(of_args.args[1] != 0) ||
(of_args.args[2] != priv->npins)) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 177/279] pinctrl: renesas: rzg2l: Fix missing of_node_put() call
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 176/279] pinctrl: renesas: rza2: Fix missing of_node_put() call Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 178/279] clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent Greg Kroah-Hartman
` (108 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabrizio Castro, Lad Prabhakar,
Geert Uytterhoeven, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
[ Upstream commit a5779e625e2b377f16a6675c432aaf299ce5028c ]
of_parse_phandle_with_fixed_args() requires its caller to
call into of_node_put() on the node pointer from the output
structure, but such a call is currently missing.
Call into of_node_put() to rectify that.
Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver")
Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/20250305163753.34913-3-fabrizio.castro.jz@renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
index 20b2af889ca96..f839bd3d0927a 100644
--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
@@ -979,6 +979,8 @@ static int rzg2l_gpio_register(struct rzg2l_pinctrl *pctrl)
return ret;
}
+ of_node_put(of_args.np);
+
if (of_args.args[0] != 0 || of_args.args[1] != 0 ||
of_args.args[2] != ARRAY_SIZE(rzg2l_gpio_names)) {
dev_err(pctrl->dev, "gpio-ranges does not match selected SOC\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 178/279] clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 177/279] pinctrl: renesas: rzg2l: " Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 179/279] RDMA/core: Dont expose hw_counters outside of init net namespace Greg Kroah-Hartman
` (107 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Geis, Dragan Simic,
Heiko Stuebner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Geis <pgwipeout@gmail.com>
[ Upstream commit a9e60f1ffe1ca57d6af6a2573e2f950e76efbf5b ]
Correct the clk_ref_usb3otg parent to fix clock control for the usb3
controller on rk3328. Verified against the rk3328 trm, the rk3228h trm,
and the rk3328 usb3 phy clock map.
Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328")
Signed-off-by: Peter Geis <pgwipeout@gmail.com>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Link: https://lore.kernel.org/r/20250115012628.1035928-2-pgwipeout@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/rockchip/clk-rk3328.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c
index 267ab54937d3d..a3587c500de28 100644
--- a/drivers/clk/rockchip/clk-rk3328.c
+++ b/drivers/clk/rockchip/clk-rk3328.c
@@ -201,7 +201,7 @@ PNAME(mux_aclk_peri_pre_p) = { "cpll_peri",
"gpll_peri",
"hdmiphy_peri" };
PNAME(mux_ref_usb3otg_src_p) = { "xin24m",
- "clk_usb3otg_ref" };
+ "clk_ref_usb3otg_src" };
PNAME(mux_xin24m_32k_p) = { "xin24m",
"clk_rtc32k" };
PNAME(mux_mac2io_src_p) = { "clk_mac2io_src",
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 179/279] RDMA/core: Dont expose hw_counters outside of init net namespace
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 178/279] clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 180/279] remoteproc: qcom_q6v5_mss: Handle platforms with one power domain Greg Kroah-Hartman
` (106 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roman Gushchin, Jason Gunthorpe,
Leon Romanovsky, Maher Sanalla, linux-rdma, linux-kernel,
Parav Pandit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Gushchin <roman.gushchin@linux.dev>
[ Upstream commit a1ecb30f90856b0be4168ad51b8875148e285c1f ]
Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs
attributes") accidentally almost exposed hw counters to non-init net
namespaces. It didn't expose them fully, as an attempt to read any of
those counters leads to a crash like this one:
[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
[42021.814463] #PF: supervisor read access in kernel mode
[42021.819549] #PF: error_code(0x0000) - not-present page
[42021.824636] PGD 0 P4D 0
[42021.827145] Oops: 0000 [#1] SMP PTI
[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX
[42021.841697] Hardware name: XXX
[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[42021.949324] Call Trace:
[42021.951756] <TASK>
[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70
[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0
[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2
The problem can be reproduced using the following steps:
ip netns add foo
ip netns exec foo bash
cat /sys/class/infiniband/mlx4_0/hw_counters/*
The panic occurs because of casting the device pointer into an
ib_device pointer using container_of() in hw_stat_device_show() is
wrong and leads to a memory corruption.
However the real problem is that hw counters should never been exposed
outside of the non-init net namespace.
Fix this by saving the index of the corresponding attribute group
(it might be 1 or 2 depending on the presence of driver-specific
attributes) and zeroing the pointer to hw_counters group for compat
devices during the initialization.
With this fix applied hw_counters are not available in a non-init
net namespace:
find /sys/class/infiniband/mlx4_0/ -name hw_counters
/sys/class/infiniband/mlx4_0/ports/1/hw_counters
/sys/class/infiniband/mlx4_0/ports/2/hw_counters
/sys/class/infiniband/mlx4_0/hw_counters
ip netns add foo
ip netns exec foo bash
find /sys/class/infiniband/mlx4_0/ -name hw_counters
Fixes: 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes")
Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Maher Sanalla <msanalla@nvidia.com>
Cc: linux-rdma@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Link: https://patch.msgid.link/20250227165420.3430301-1-roman.gushchin@linux.dev
Reviewed-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/device.c | 9 +++++++++
drivers/infiniband/core/sysfs.c | 1 +
include/rdma/ib_verbs.h | 1 +
3 files changed, 11 insertions(+)
diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 5d1ce55fda71e..241245e25f004 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -542,6 +542,8 @@ static struct class ib_class = {
static void rdma_init_coredev(struct ib_core_device *coredev,
struct ib_device *dev, struct net *net)
{
+ bool is_full_dev = &dev->coredev == coredev;
+
/* This BUILD_BUG_ON is intended to catch layout change
* of union of ib_core_device and device.
* dev must be the first element as ib_core and providers
@@ -553,6 +555,13 @@ static void rdma_init_coredev(struct ib_core_device *coredev,
coredev->dev.class = &ib_class;
coredev->dev.groups = dev->groups;
+
+ /*
+ * Don't expose hw counters outside of the init namespace.
+ */
+ if (!is_full_dev && dev->hw_stats_attr_index)
+ coredev->dev.groups[dev->hw_stats_attr_index] = NULL;
+
device_initialize(&coredev->dev);
coredev->owner = dev;
INIT_LIST_HEAD(&coredev->port_list);
diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
index afc59048c40c8..f68673c370d2e 100644
--- a/drivers/infiniband/core/sysfs.c
+++ b/drivers/infiniband/core/sysfs.c
@@ -976,6 +976,7 @@ int ib_setup_device_attrs(struct ib_device *ibdev)
for (i = 0; i != ARRAY_SIZE(ibdev->groups); i++)
if (!ibdev->groups[i]) {
ibdev->groups[i] = &data->group;
+ ibdev->hw_stats_attr_index = i;
return 0;
}
WARN(true, "struct ib_device->groups is too small");
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index fa13bf15feb3e..f4257c2e96b6d 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -2707,6 +2707,7 @@ struct ib_device {
* It is a NULL terminated array.
*/
const struct attribute_group *groups[4];
+ u8 hw_stats_attr_index;
u64 uverbs_cmd_mask;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 180/279] remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 179/279] RDMA/core: Dont expose hw_counters outside of init net namespace Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 181/279] IB/mad: Check available slots before posting receive WRs Greg Kroah-Hartman
` (105 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matti Lehtimäki,
Stephan Gerhold, Luca Weiss, Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca@lucaweiss.eu>
[ Upstream commit 4641840341f37dc8231e0840ec1514b4061b4322 ]
For example MSM8974 has mx voltage rail exposed as regulator and only cx
voltage rail is exposed as power domain. This power domain (cx) is
attached internally in power domain and cannot be attached in this driver.
Fixes: 8750cf392394 ("remoteproc: qcom_q6v5_mss: Allow replacing regulators with power domains")
Co-developed-by: Matti Lehtimäki <matti.lehtimaki@gmail.com>
Signed-off-by: Matti Lehtimäki <matti.lehtimaki@gmail.com>
Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Signed-off-by: Luca Weiss <luca@lucaweiss.eu>
Link: https://lore.kernel.org/r/20250217-msm8226-modem-v5-4-2bc74b80e0ae@lucaweiss.eu
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_mss.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
index 7fe1f2c5480af..7acd60de18c8f 100644
--- a/drivers/remoteproc/qcom_q6v5_mss.c
+++ b/drivers/remoteproc/qcom_q6v5_mss.c
@@ -1594,6 +1594,13 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs,
while (pd_names[num_pds])
num_pds++;
+ /* Handle single power domain */
+ if (num_pds == 1 && dev->pm_domain) {
+ devs[0] = dev;
+ pm_runtime_enable(dev);
+ return 1;
+ }
+
for (i = 0; i < num_pds; i++) {
devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]);
if (IS_ERR_OR_NULL(devs[i])) {
@@ -1614,8 +1621,15 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs,
static void q6v5_pds_detach(struct q6v5 *qproc, struct device **pds,
size_t pd_count)
{
+ struct device *dev = qproc->dev;
int i;
+ /* Handle single power domain */
+ if (pd_count == 1 && dev->pm_domain) {
+ pm_runtime_disable(dev);
+ return;
+ }
+
for (i = 0; i < pd_count; i++)
dev_pm_domain_detach(pds[i], false);
}
@@ -2081,13 +2095,13 @@ static const struct rproc_hexagon_res msm8974_mss = {
.supply = "pll",
.uA = 100000,
},
- {}
- },
- .fallback_proxy_supply = (struct qcom_mss_reg_res[]) {
{
.supply = "mx",
.uV = 1050000,
},
+ {}
+ },
+ .fallback_proxy_supply = (struct qcom_mss_reg_res[]) {
{
.supply = "cx",
.uA = 100000,
@@ -2113,7 +2127,6 @@ static const struct rproc_hexagon_res msm8974_mss = {
NULL
},
.proxy_pd_names = (char*[]){
- "mx",
"cx",
NULL
},
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 181/279] IB/mad: Check available slots before posting receive WRs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 180/279] remoteproc: qcom_q6v5_mss: Handle platforms with one power domain Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 182/279] pinctrl: tegra: Set SFIO mode to Mux Register Greg Kroah-Hartman
` (104 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maher Sanalla, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maher Sanalla <msanalla@nvidia.com>
[ Upstream commit 37826f0a8c2f6b6add5179003b8597e32a445362 ]
The ib_post_receive_mads() function handles posting receive work
requests (WRs) to MAD QPs and is called in two cases:
1) When a MAD port is opened.
2) When a receive WQE is consumed upon receiving a new MAD.
Whereas, if MADs arrive during the port open phase, a race condition
might cause an extra WR to be posted, exceeding the QP’s capacity.
This leads to failures such as:
infiniband mlx5_0: ib_post_recv failed: -12
infiniband mlx5_0: Couldn't post receive WRs
infiniband mlx5_0: Couldn't start port
infiniband mlx5_0: Couldn't open port 1
Fix this by checking the current receive count before posting a new WR.
If the QP’s receive queue is full, do not post additional WRs.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
Link: https://patch.msgid.link/c4984ba3c3a98a5711a558bccefcad789587ecf1.1741875592.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/mad.c | 38 ++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 58befbaaf0ad5..242434c09e8d8 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -2671,11 +2671,11 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
struct ib_mad_private *mad)
{
unsigned long flags;
- int post, ret;
struct ib_mad_private *mad_priv;
struct ib_sge sg_list;
struct ib_recv_wr recv_wr;
struct ib_mad_queue *recv_queue = &qp_info->recv_queue;
+ int ret = 0;
/* Initialize common scatter list fields */
sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey;
@@ -2685,7 +2685,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
recv_wr.sg_list = &sg_list;
recv_wr.num_sge = 1;
- do {
+ while (true) {
/* Allocate and map receive buffer */
if (mad) {
mad_priv = mad;
@@ -2693,10 +2693,8 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
} else {
mad_priv = alloc_mad_private(port_mad_size(qp_info->port_priv),
GFP_ATOMIC);
- if (!mad_priv) {
- ret = -ENOMEM;
- break;
- }
+ if (!mad_priv)
+ return -ENOMEM;
}
sg_list.length = mad_priv_dma_size(mad_priv);
sg_list.addr = ib_dma_map_single(qp_info->port_priv->device,
@@ -2705,37 +2703,41 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
DMA_FROM_DEVICE);
if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device,
sg_list.addr))) {
- kfree(mad_priv);
ret = -ENOMEM;
- break;
+ goto free_mad_priv;
}
mad_priv->header.mapping = sg_list.addr;
mad_priv->header.mad_list.mad_queue = recv_queue;
mad_priv->header.mad_list.cqe.done = ib_mad_recv_done;
recv_wr.wr_cqe = &mad_priv->header.mad_list.cqe;
-
- /* Post receive WR */
spin_lock_irqsave(&recv_queue->lock, flags);
- post = (++recv_queue->count < recv_queue->max_active);
- list_add_tail(&mad_priv->header.mad_list.list, &recv_queue->list);
+ if (recv_queue->count >= recv_queue->max_active) {
+ /* Fully populated the receive queue */
+ spin_unlock_irqrestore(&recv_queue->lock, flags);
+ break;
+ }
+ recv_queue->count++;
+ list_add_tail(&mad_priv->header.mad_list.list,
+ &recv_queue->list);
spin_unlock_irqrestore(&recv_queue->lock, flags);
+
ret = ib_post_recv(qp_info->qp, &recv_wr, NULL);
if (ret) {
spin_lock_irqsave(&recv_queue->lock, flags);
list_del(&mad_priv->header.mad_list.list);
recv_queue->count--;
spin_unlock_irqrestore(&recv_queue->lock, flags);
- ib_dma_unmap_single(qp_info->port_priv->device,
- mad_priv->header.mapping,
- mad_priv_dma_size(mad_priv),
- DMA_FROM_DEVICE);
- kfree(mad_priv);
dev_err(&qp_info->port_priv->device->dev,
"ib_post_recv failed: %d\n", ret);
break;
}
- } while (post);
+ }
+ ib_dma_unmap_single(qp_info->port_priv->device,
+ mad_priv->header.mapping,
+ mad_priv_dma_size(mad_priv), DMA_FROM_DEVICE);
+free_mad_priv:
+ kfree(mad_priv);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 182/279] pinctrl: tegra: Set SFIO mode to Mux Register
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 181/279] IB/mad: Check available slots before posting receive WRs Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 183/279] clk: amlogic: g12b: fix cluster A parent data Greg Kroah-Hartman
` (103 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prathamesh Shete, Linus Walleij,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prathamesh Shete <pshete@nvidia.com>
[ Upstream commit 17013f0acb322e5052ff9b9d0fab0ab5a4bfd828 ]
Tegra devices have an 'sfsel' bit field that determines whether a pin
operates in SFIO (Special Function I/O) or GPIO mode. Currently,
tegra_pinctrl_gpio_disable_free() sets this bit when releasing a GPIO.
However, tegra_pinctrl_set_mux() can be called independently in certain
code paths where gpio_disable_free() is not invoked. In such cases, failing
to set the SFIO mode could lead to incorrect pin configurations, resulting
in functional issues for peripherals relying on SFIO.
This patch ensures that whenever set_mux() is called, the SFIO mode is
correctly set in the Mux Register if the 'sfsel' bit is present. This
prevents situations where the pin remains in GPIO mode despite being
configured for SFIO use.
Fixes: 971dac7123c7 ("pinctrl: add a driver for NVIDIA Tegra")
Signed-off-by: Prathamesh Shete <pshete@nvidia.com>
Link: https://lore.kernel.org/20250306050542.16335-1-pshete@nvidia.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/tegra/pinctrl-tegra.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/pinctrl/tegra/pinctrl-tegra.c b/drivers/pinctrl/tegra/pinctrl-tegra.c
index 195cfe557511b..90de78e4175c9 100644
--- a/drivers/pinctrl/tegra/pinctrl-tegra.c
+++ b/drivers/pinctrl/tegra/pinctrl-tegra.c
@@ -270,6 +270,9 @@ static int tegra_pinctrl_set_mux(struct pinctrl_dev *pctldev,
val = pmx_readl(pmx, g->mux_bank, g->mux_reg);
val &= ~(0x3 << g->mux_bit);
val |= i << g->mux_bit;
+ /* Set the SFIO/GPIO selection to SFIO when under pinmux control*/
+ if (pmx->soc->sfsel_in_mux)
+ val |= (1 << g->sfsel_bit);
pmx_writel(pmx, val, g->mux_bank, g->mux_reg);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 183/279] clk: amlogic: g12b: fix cluster A parent data
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 182/279] pinctrl: tegra: Set SFIO mode to Mux Register Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 184/279] clk: amlogic: gxbb: drop non existing 32k clock parent Greg Kroah-Hartman
` (102 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Jerome Brunet,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet <jbrunet@baylibre.com>
[ Upstream commit 8995f8f108c3ac5ad52b12a6cfbbc7b3b32e9a58 ]
Several clocks used by both g12a and g12b use the g12a cpu A clock hw
pointer as clock parent. This is incorrect on g12b since the parents of
cluster A cpu clock are different. Also the hw clock provided as parent to
these children is not even registered clock on g12b.
Fix the problem by reverting to the global namespace and let CCF pick
the appropriate, as it is already done for other clocks, such as
cpu_clk_trace_div.
Fixes: 25e682a02d91 ("clk: meson: g12a: migrate to the new parent description method")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-cpua-parent-fix-v1-1-d8c0f41865fe@baylibre.com
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/meson/g12a.c | 36 ++++++++++++++++++++++++------------
1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
index 310accf94830b..a623596c1e490 100644
--- a/drivers/clk/meson/g12a.c
+++ b/drivers/clk/meson/g12a.c
@@ -1136,8 +1136,18 @@ static struct clk_regmap g12a_cpu_clk_div16_en = {
.hw.init = &(struct clk_init_data) {
.name = "cpu_clk_div16_en",
.ops = &clk_regmap_gate_ro_ops,
- .parent_hws = (const struct clk_hw *[]) {
- &g12a_cpu_clk.hw
+ .parent_data = &(const struct clk_parent_data) {
+ /*
+ * Note:
+ * G12A and G12B have different cpu clocks (with
+ * different struct clk_hw). We fallback to the global
+ * naming string mechanism so this clock picks
+ * up the appropriate one. Same goes for the other
+ * clock using cpu cluster A clock output and present
+ * on both G12 variant.
+ */
+ .name = "cpu_clk",
+ .index = -1,
},
.num_parents = 1,
/*
@@ -1202,7 +1212,10 @@ static struct clk_regmap g12a_cpu_clk_apb_div = {
.hw.init = &(struct clk_init_data){
.name = "cpu_clk_apb_div",
.ops = &clk_regmap_divider_ro_ops,
- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
+ .parent_data = &(const struct clk_parent_data) {
+ .name = "cpu_clk",
+ .index = -1,
+ },
.num_parents = 1,
},
};
@@ -1236,7 +1249,10 @@ static struct clk_regmap g12a_cpu_clk_atb_div = {
.hw.init = &(struct clk_init_data){
.name = "cpu_clk_atb_div",
.ops = &clk_regmap_divider_ro_ops,
- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
+ .parent_data = &(const struct clk_parent_data) {
+ .name = "cpu_clk",
+ .index = -1,
+ },
.num_parents = 1,
},
};
@@ -1270,7 +1286,10 @@ static struct clk_regmap g12a_cpu_clk_axi_div = {
.hw.init = &(struct clk_init_data){
.name = "cpu_clk_axi_div",
.ops = &clk_regmap_divider_ro_ops,
- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
+ .parent_data = &(const struct clk_parent_data) {
+ .name = "cpu_clk",
+ .index = -1,
+ },
.num_parents = 1,
},
};
@@ -1305,13 +1324,6 @@ static struct clk_regmap g12a_cpu_clk_trace_div = {
.name = "cpu_clk_trace_div",
.ops = &clk_regmap_divider_ro_ops,
.parent_data = &(const struct clk_parent_data) {
- /*
- * Note:
- * G12A and G12B have different cpu_clks (with
- * different struct clk_hw). We fallback to the global
- * naming string mechanism so cpu_clk_trace_div picks
- * up the appropriate one.
- */
.name = "cpu_clk",
.index = -1,
},
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 184/279] clk: amlogic: gxbb: drop non existing 32k clock parent
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 183/279] clk: amlogic: g12b: fix cluster A parent data Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 185/279] clk: amlogic: g12a: fix mmc A peripheral clock Greg Kroah-Hartman
` (101 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Jerome Brunet,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet <jbrunet@baylibre.com>
[ Upstream commit 7915d7d5407c026fa9343befb4d3343f7a345f97 ]
The 32k clock reference a parent 'cts_slow_oscin' with a fixme note saying
that this clock should be provided by AO controller.
The HW probably has this clock but it does not exist at the moment in
any controller implementation. Furthermore, referencing clock by the global
name should be avoided whenever possible.
There is no reason to keep this hack around, at least for now.
Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-2-baca56ecf2db@baylibre.com
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/meson/gxbb.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
index 48c47503ea752..35bc13e73c0dd 100644
--- a/drivers/clk/meson/gxbb.c
+++ b/drivers/clk/meson/gxbb.c
@@ -1270,14 +1270,13 @@ static struct clk_regmap gxbb_cts_i958 = {
},
};
+/*
+ * This table skips a clock named 'cts_slow_oscin' in the documentation
+ * This clock does not exist yet in this controller or the AO one
+ */
+static u32 gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 };
static const struct clk_parent_data gxbb_32k_clk_parent_data[] = {
{ .fw_name = "xtal", },
- /*
- * FIXME: This clock is provided by the ao clock controller but the
- * clock is not yet part of the binding of this controller, so string
- * name must be use to set this parent.
- */
- { .name = "cts_slow_oscin", .index = -1 },
{ .hw = &gxbb_fclk_div3.hw },
{ .hw = &gxbb_fclk_div5.hw },
};
@@ -1287,6 +1286,7 @@ static struct clk_regmap gxbb_32k_clk_sel = {
.offset = HHI_32K_CLK_CNTL,
.mask = 0x3,
.shift = 16,
+ .table = gxbb_32k_clk_parents_val_table,
},
.hw.init = &(struct clk_init_data){
.name = "32k_clk_sel",
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 185/279] clk: amlogic: g12a: fix mmc A peripheral clock
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 184/279] clk: amlogic: gxbb: drop non existing 32k clock parent Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 186/279] x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 Greg Kroah-Hartman
` (100 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Jerome Brunet,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet <jbrunet@baylibre.com>
[ Upstream commit 0079e77c08de692cb20b38e408365c830a44b1ef ]
The bit index of the peripheral clock for mmc A is wrong
This was probably not a problem for mmc A as the peripheral is likely left
enabled by the bootloader.
No issues has been reported so far but it could be a problem, most likely
some form of conflict between the ethernet and mmc A clock, breaking
ethernet on init.
Use the value provided by the documentation for mmc A before this
becomes an actual problem.
Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-mmca-fix-v1-1-5af421f58b64@baylibre.com
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/meson/g12a.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
index a623596c1e490..d13a60fefc1b8 100644
--- a/drivers/clk/meson/g12a.c
+++ b/drivers/clk/meson/g12a.c
@@ -4199,7 +4199,7 @@ static MESON_GATE(g12a_spicc_1, HHI_GCLK_MPEG0, 14);
static MESON_GATE(g12a_hiu_reg, HHI_GCLK_MPEG0, 19);
static MESON_GATE(g12a_mipi_dsi_phy, HHI_GCLK_MPEG0, 20);
static MESON_GATE(g12a_assist_misc, HHI_GCLK_MPEG0, 23);
-static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 4);
+static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 24);
static MESON_GATE(g12a_emmc_b, HHI_GCLK_MPEG0, 25);
static MESON_GATE(g12a_emmc_c, HHI_GCLK_MPEG0, 26);
static MESON_GATE(g12a_audio_codec, HHI_GCLK_MPEG0, 28);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 186/279] x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 185/279] clk: amlogic: g12a: fix mmc A peripheral clock Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 187/279] power: supply: max77693: Fix wrong conversion of charge input threshold value Greg Kroah-Hartman
` (99 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Ingo Molnar,
Andy Lutomirski, Brian Gerst, Juergen Gross, H. Peter Anvin,
Linus Torvalds, Kees Cook, Peter Zijlstra, Josh Poimboeuf,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 57e2428f8df8263275344566e02c277648a4b7f1 ]
PUSH_REGS with save_ret=1 is used by interrupt entry helper functions that
initially start with a UNWIND_HINT_FUNC ORC state.
However, save_ret=1 means that we clobber the helper function's return
address (and then later restore the return address further down on the
stack); after that point, the only thing on the stack we can unwind through
is the IRET frame, so use UNWIND_HINT_IRET_REGS until we have a full
pt_regs frame.
( An alternate approach would be to move the pt_regs->di overwrite down
such that it is the final step of pt_regs setup; but I don't want to
rearrange entry code just to make unwinding a tiny bit more elegant. )
Fixes: 9e809d15d6b6 ("x86/entry: Reduce the code footprint of the 'idtentry' macro")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-1-acd774364768@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/entry/calling.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
index b00a3a95fbfab..16e12b45b151a 100644
--- a/arch/x86/entry/calling.h
+++ b/arch/x86/entry/calling.h
@@ -70,6 +70,8 @@ For 32-bit we have the following conventions - kernel is built with
pushq %rsi /* pt_regs->si */
movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */
movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */
+ /* We just clobbered the return address - use the IRET frame for unwinding: */
+ UNWIND_HINT_IRET_REGS offset=3*8
.else
pushq %rdi /* pt_regs->di */
pushq %rsi /* pt_regs->si */
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 187/279] power: supply: max77693: Fix wrong conversion of charge input threshold value
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 186/279] x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 188/279] crypto: nx - Fix uninitialised hv_nxc on error Greg Kroah-Hartman
` (98 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artur Weber, Krzysztof Kozlowski,
Sebastian Reichel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artur Weber <aweber.kernel@gmail.com>
[ Upstream commit 30cc7b0d0e9341d419eb7da15fb5c22406dbe499 ]
The charge input threshold voltage register on the MAX77693 PMIC accepts
four values: 0x0 for 4.3v, 0x1 for 4.7v, 0x2 for 4.8v and 0x3 for 4.9v.
Due to an oversight, the driver calculated the values for 4.7v and above
starting from 0x0, rather than from 0x1 ([(4700000 - 4700000) / 100000]
gives 0).
Add 1 to the calculation to ensure that 4.7v is converted to a register
value of 0x1 and that the other two voltages are converted correctly as
well.
Fixes: 87c2d9067893 ("power: max77693: Add charger driver for Maxim 77693")
Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250316-max77693-charger-input-threshold-fix-v1-1-2b037d0ac722@gmail.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/max77693_charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/supply/max77693_charger.c b/drivers/power/supply/max77693_charger.c
index a2c5c9858639f..ef3482fa4023e 100644
--- a/drivers/power/supply/max77693_charger.c
+++ b/drivers/power/supply/max77693_charger.c
@@ -556,7 +556,7 @@ static int max77693_set_charge_input_threshold_volt(struct max77693_charger *chg
case 4700000:
case 4800000:
case 4900000:
- data = (uvolt - 4700000) / 100000;
+ data = ((uvolt - 4700000) / 100000) + 1;
break;
default:
dev_err(chg->dev, "Wrong value for charge input voltage regulation threshold\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 188/279] crypto: nx - Fix uninitialised hv_nxc on error
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 187/279] power: supply: max77693: Fix wrong conversion of charge input threshold value Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 189/279] RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow Greg Kroah-Hartman
` (97 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 9b00eb923f3e60ca76cbc8b31123716f3a87ac6a ]
The compiler correctly warns that hv_nxc may be used uninitialised
as that will occur when NX-GZIP is unavailable.
Fix it by rearranging the code and delay setting caps_feat until
the final query succeeds.
Fixes: b4ba22114c78 ("crypto/nx: Get NX capabilities for GZIP coprocessor type")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/nx/nx-common-pseries.c | 37 ++++++++++++---------------
1 file changed, 17 insertions(+), 20 deletions(-)
diff --git a/drivers/crypto/nx/nx-common-pseries.c b/drivers/crypto/nx/nx-common-pseries.c
index 4e304f6081e47..f24d58b6eb1e5 100644
--- a/drivers/crypto/nx/nx-common-pseries.c
+++ b/drivers/crypto/nx/nx-common-pseries.c
@@ -1142,6 +1142,7 @@ static void __init nxcop_get_capabilities(void)
{
struct hv_vas_all_caps *hv_caps;
struct hv_nx_cop_caps *hv_nxc;
+ u64 feat;
int rc;
hv_caps = kmalloc(sizeof(*hv_caps), GFP_KERNEL);
@@ -1152,27 +1153,26 @@ static void __init nxcop_get_capabilities(void)
*/
rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, 0,
(u64)virt_to_phys(hv_caps));
+ if (!rc)
+ feat = be64_to_cpu(hv_caps->feat_type);
+ kfree(hv_caps);
if (rc)
- goto out;
+ return;
+ if (!(feat & VAS_NX_GZIP_FEAT_BIT))
+ return;
- caps_feat = be64_to_cpu(hv_caps->feat_type);
/*
* NX-GZIP feature available
*/
- if (caps_feat & VAS_NX_GZIP_FEAT_BIT) {
- hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL);
- if (!hv_nxc)
- goto out;
- /*
- * Get capabilities for NX-GZIP feature
- */
- rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES,
- VAS_NX_GZIP_FEAT,
- (u64)virt_to_phys(hv_nxc));
- } else {
- pr_err("NX-GZIP feature is not available\n");
- rc = -EINVAL;
- }
+ hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL);
+ if (!hv_nxc)
+ return;
+ /*
+ * Get capabilities for NX-GZIP feature
+ */
+ rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES,
+ VAS_NX_GZIP_FEAT,
+ (u64)virt_to_phys(hv_nxc));
if (!rc) {
nx_cop_caps.descriptor = be64_to_cpu(hv_nxc->descriptor);
@@ -1182,13 +1182,10 @@ static void __init nxcop_get_capabilities(void)
be64_to_cpu(hv_nxc->min_compress_len);
nx_cop_caps.min_decompress_len =
be64_to_cpu(hv_nxc->min_decompress_len);
- } else {
- caps_feat = 0;
+ caps_feat = feat;
}
kfree(hv_nxc);
-out:
- kfree(hv_caps);
}
static const struct vio_device_id nx842_vio_driver_ids[] = {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 189/279] RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 188/279] crypto: nx - Fix uninitialised hv_nxc on error Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 190/279] mfd: sm501: Switch to BIT() to mitigate integer overflows Greg Kroah-Hartman
` (96 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Edward Srouji,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd ]
When cur_qp isn't NULL, in order to avoid fetching the QP from
the radix tree again we check if the next cqe QP is identical to
the one we already have.
The bug however is that we are checking if the QP is identical by
checking the QP number inside the CQE against the QP number inside the
mlx5_ib_qp, but that's wrong since the QP number from the CQE is from
FW so it should be matched against mlx5_core_qp which is our FW QP
number.
Otherwise we could use the wrong QP when handling a CQE which could
cause the kernel trace below.
This issue is mainly noticeable over QPs 0 & 1, since for now they are
the only QPs in our driver whereas the QP number inside mlx5_ib_qp
doesn't match the QP number inside mlx5_core_qp.
BUG: kernel NULL pointer dereference, address: 0000000000000012
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
Call Trace:
<TASK>
? __die+0x20/0x60
? page_fault_oops+0x150/0x3e0
? exc_page_fault+0x74/0x130
? asm_exc_page_fault+0x22/0x30
? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
__ib_process_cq+0x5a/0x150 [ib_core]
ib_cq_poll_work+0x31/0x90 [ib_core]
process_one_work+0x169/0x320
worker_thread+0x288/0x3a0
? work_busy+0xb0/0xb0
kthread+0xd7/0x1f0
? kthreads_online_cpu+0x130/0x130
? kthreads_online_cpu+0x130/0x130
ret_from_fork+0x2d/0x50
? kthreads_online_cpu+0x130/0x130
ret_from_fork_asm+0x11/0x20
</TASK>
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Edward Srouji <edwards@nvidia.com>
Link: https://patch.msgid.link/4ada09d41f1e36db62c44a9b25c209ea5f054316.1741875692.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/cq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
index a190fb5815913..f3becb506125e 100644
--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
@@ -481,7 +481,7 @@ static int mlx5_poll_one(struct mlx5_ib_cq *cq,
}
qpn = ntohl(cqe64->sop_drop_qpn) & 0xffffff;
- if (!*cur_qp || (qpn != (*cur_qp)->ibqp.qp_num)) {
+ if (!*cur_qp || (qpn != (*cur_qp)->trans_qp.base.mqp.qpn)) {
/* We do not have to take the QP table lock here,
* because CQs will be locked while QPs are removed
* from the table.
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 190/279] mfd: sm501: Switch to BIT() to mitigate integer overflows
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 189/279] RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 191/279] x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment Greg Kroah-Hartman
` (95 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
[ Upstream commit 2d8cb9ffe18c2f1e5bd07a19cbce85b26c1d0cf0 ]
If offset end up being high enough, right hand expression in functions
like sm501_gpio_set() shifted left for that number of bits, may
not fit in int type.
Just in case, fix that by using BIT() both as an option safe from
overflow issues and to make this step look similar to other gpio
drivers.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: f61be273d369 ("sm501: add gpiolib support")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://lore.kernel.org/r/20250115171206.20308-1-n.zhandarovich@fintech.ru
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/sm501.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
index 3ac4508a6742a..78dcbf8e2c15d 100644
--- a/drivers/mfd/sm501.c
+++ b/drivers/mfd/sm501.c
@@ -920,7 +920,7 @@ static void sm501_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
{
struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
struct sm501_gpio *smgpio = smchip->ourgpio;
- unsigned long bit = 1 << offset;
+ unsigned long bit = BIT(offset);
void __iomem *regs = smchip->regbase;
unsigned long save;
unsigned long val;
@@ -946,7 +946,7 @@ static int sm501_gpio_input(struct gpio_chip *chip, unsigned offset)
struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
struct sm501_gpio *smgpio = smchip->ourgpio;
void __iomem *regs = smchip->regbase;
- unsigned long bit = 1 << offset;
+ unsigned long bit = BIT(offset);
unsigned long save;
unsigned long ddr;
@@ -971,7 +971,7 @@ static int sm501_gpio_output(struct gpio_chip *chip,
{
struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
struct sm501_gpio *smgpio = smchip->ourgpio;
- unsigned long bit = 1 << offset;
+ unsigned long bit = BIT(offset);
void __iomem *regs = smchip->regbase;
unsigned long save;
unsigned long val;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 191/279] x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 190/279] mfd: sm501: Switch to BIT() to mitigate integer overflows Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 192/279] crypto: hisilicon/sec2 - fix for aead auth key length Greg Kroah-Hartman
` (94 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Ingo Molnar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 2c118f50d7fd4d9aefc4533a26f83338b2906b7a ]
Commit:
2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again")
was intended to ensure alignment of the stack pointer; but it also moved
the initialization of the "stack" variable down into the loop header.
This was likely intended as a no-op cleanup, since the commit
message does not mention it; however, this caused a behavioral change
because the value of "regs" is different between the two places.
Originally, get_stack_pointer() used the regs provided by the caller; after
that commit, get_stack_pointer() instead uses the regs at the top of the
stack frame the unwinder is looking at. Often, there are no such regs at
all, and "regs" is NULL, causing get_stack_pointer() to fall back to the
task's current stack pointer, which is not what we want here, but probably
happens to mostly work. Other times, the original regs will point to
another regs frame - in that case, the linear guess unwind logic in
show_trace_log_lvl() will start unwinding too far up the stack, causing the
first frame found by the proper unwinder to never be visited, resulting in
a stack trace consisting purely of guess lines.
Fix it by moving the "stack = " assignment back where it belongs.
Fixes: 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-2-acd774364768@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/dumpstack.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 92b33c7eaf3f9..8a8660074284f 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -195,6 +195,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
printk("%sCall Trace:\n", log_lvl);
unwind_start(&state, task, regs, stack);
+ stack = stack ?: get_stack_pointer(task, regs);
regs = unwind_get_entry_regs(&state, &partial);
/*
@@ -213,9 +214,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
* - hardirq stack
* - entry stack
*/
- for (stack = stack ?: get_stack_pointer(task, regs);
- stack;
- stack = stack_info.next_sp) {
+ for (; stack; stack = stack_info.next_sp) {
const char *stack_name;
stack = PTR_ALIGN(stack, sizeof(long));
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 192/279] crypto: hisilicon/sec2 - fix for aead auth key length
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 191/279] x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 193/279] clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock Greg Kroah-Hartman
` (93 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenkai Lin, Chenghai Huang,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenkai Lin <linwenkai6@hisilicon.com>
[ Upstream commit 1b284ffc30b02808a0de698667cbcf5ce5f9144e ]
According to the HMAC RFC, the authentication key
can be 0 bytes, and the hardware can handle this
scenario. Therefore, remove the incorrect validation
for this case.
Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2")
Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/sec2/sec_crypto.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
index 6de3ccd0fa9b7..915333deae6f0 100644
--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
+++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
@@ -1047,11 +1047,6 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
struct crypto_shash *hash_tfm = ctx->hash_tfm;
int blocksize, digestsize, ret;
- if (!keys->authkeylen) {
- pr_err("hisi_sec2: aead auth key error!\n");
- return -EINVAL;
- }
-
blocksize = crypto_shash_blocksize(hash_tfm);
digestsize = crypto_shash_digestsize(hash_tfm);
if (keys->authkeylen > blocksize) {
@@ -1063,7 +1058,8 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
}
ctx->a_key_len = digestsize;
} else {
- memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
+ if (keys->authkeylen)
+ memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
ctx->a_key_len = keys->authkeylen;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 193/279] clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 192/279] crypto: hisilicon/sec2 - fix for aead auth key length Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 194/279] isofs: fix KMSAN uninit-value bug in do_isofs_readdir() Greg Kroah-Hartman
` (92 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Czémán,
Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 000cbe3896c56bf5c625e286ff096533a6b27657 ]
This clock can't be enable with VENUS_CORE0 GDSC turned off. But that
GDSC is under HW control so it can be turned off at any moment.
Instead of checking the dependent clock we can just vote for it to
enable later when GDSC gets turned on.
Fixes: 5db3ae8b33de6 ("clk: qcom: Add SDM660 Multimedia Clock Controller (MMCC) driver")
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20250315-clock-fix-v1-1-2efdc4920dda@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/mmcc-sdm660.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/mmcc-sdm660.c b/drivers/clk/qcom/mmcc-sdm660.c
index 941993bc610df..04e2b0801ee42 100644
--- a/drivers/clk/qcom/mmcc-sdm660.c
+++ b/drivers/clk/qcom/mmcc-sdm660.c
@@ -2544,7 +2544,7 @@ static struct clk_branch video_core_clk = {
static struct clk_branch video_subcore0_clk = {
.halt_reg = 0x1048,
- .halt_check = BRANCH_HALT,
+ .halt_check = BRANCH_HALT_SKIP,
.clkr = {
.enable_reg = 0x1048,
.enable_mask = BIT(0),
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 194/279] isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 193/279] clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 195/279] soundwire: slave: fix an OF node reference leak in soundwire slave device Greg Kroah-Hartman
` (91 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Qasim Ijaz, Jan Kara,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qasim Ijaz <qasdev00@gmail.com>
[ Upstream commit 81a82e8f33880793029cd6f8a766fb13b737e6a7 ]
In do_isofs_readdir() when assigning the variable
"struct iso_directory_record *de" the b_data field of the buffer_head
is accessed and an offset is added to it, the size of b_data is 2048
and the offset size is 2047, meaning
"de = (struct iso_directory_record *) (bh->b_data + offset);"
yields the final byte of the 2048 sized b_data block.
The first byte of the directory record (de_len) is then read and
found to be 31, meaning the directory record size is 31 bytes long.
The directory record is defined by the structure:
struct iso_directory_record {
__u8 length; // 1 byte
__u8 ext_attr_length; // 1 byte
__u8 extent[8]; // 8 bytes
__u8 size[8]; // 8 bytes
__u8 date[7]; // 7 bytes
__u8 flags; // 1 byte
__u8 file_unit_size; // 1 byte
__u8 interleave; // 1 byte
__u8 volume_sequence_number[4]; // 4 bytes
__u8 name_len; // 1 byte
char name[]; // variable size
} __attribute__((packed));
The fixed portion of this structure occupies 33 bytes. Therefore, a
valid directory record must be at least 33 bytes long
(even without considering the variable-length name field).
Since de_len is only 31, it is insufficient to contain
the complete fixed header.
The code later hits the following sanity check that
compares de_len against the sum of de->name_len and
sizeof(struct iso_directory_record):
if (de_len < de->name_len[0] + sizeof(struct iso_directory_record)) {
...
}
Since the fixed portion of the structure is
33 bytes (up to and including name_len member),
a valid record should have de_len of at least 33 bytes;
here, however, de_len is too short, and the field de->name_len
(located at offset 32) is accessed even though it lies beyond
the available 31 bytes.
This access on the corrupted isofs data triggers a KASAN uninitialized
memory warning. The fix would be to first verify that de_len is at least
sizeof(struct iso_directory_record) before accessing any
fields like de->name_len.
Reported-by: syzbot <syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com>
Tested-by: syzbot <syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613
Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem")
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250211195900.42406-1-qasdev00@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/isofs/dir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c
index eb2f8273e6f15..09df40b612fbf 100644
--- a/fs/isofs/dir.c
+++ b/fs/isofs/dir.c
@@ -147,7 +147,8 @@ static int do_isofs_readdir(struct inode *inode, struct file *file,
de = tmpde;
}
/* Basic sanity check, whether name doesn't exceed dir entry */
- if (de_len < de->name_len[0] +
+ if (de_len < sizeof(struct iso_directory_record) ||
+ de_len < de->name_len[0] +
sizeof(struct iso_directory_record)) {
printk(KERN_NOTICE "iso9660: Corrupted directory entry"
" in block %lu of inode %lu\n", block,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 195/279] soundwire: slave: fix an OF node reference leak in soundwire slave device
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 194/279] isofs: fix KMSAN uninit-value bug in do_isofs_readdir() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 196/279] coresight: catu: Fix number of pages while using 64k pages Greg Kroah-Hartman
` (90 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Hattori, Krzysztof Kozlowski,
Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
[ Upstream commit aac2f8363f773ae1f65aab140e06e2084ac6b787 ]
When initializing a soundwire slave device, an OF node is stored to the
device with refcount incremented. However, the refcount is not
decremented in .release(), thus call of_node_put() in
sdw_slave_release().
Fixes: a2e484585ad3 ("soundwire: core: add device tree support for slave devices")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20241205034844.2784964-1-joe@pf.is.s.u-tokyo.ac.jp
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/slave.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/soundwire/slave.c b/drivers/soundwire/slave.c
index 25e76b5d4a1a3..a5a9118612de2 100644
--- a/drivers/soundwire/slave.c
+++ b/drivers/soundwire/slave.c
@@ -12,6 +12,7 @@ static void sdw_slave_release(struct device *dev)
{
struct sdw_slave *slave = dev_to_sdw_dev(dev);
+ of_node_put(slave->dev.of_node);
mutex_destroy(&slave->sdw_dev_lock);
kfree(slave);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 196/279] coresight: catu: Fix number of pages while using 64k pages
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 195/279] soundwire: slave: fix an OF node reference leak in soundwire slave device Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 197/279] iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio Greg Kroah-Hartman
` (89 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilkka Koskinen, Suzuki K Poulose,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilkka Koskinen <ilkka@os.amperecomputing.com>
[ Upstream commit 0e14e062f5ff98aa15264dfa87c5f5e924028561 ]
Trying to record a trace on kernel with 64k pages resulted in -ENOMEM.
This happens due to a bug in calculating the number of table pages, which
returns zero. Fix the issue by rounding up.
$ perf record --kcore -e cs_etm/@tmc_etr55,cycacc,branch_broadcast/k --per-thread taskset --cpu-list 1 dd if=/dev/zero of=/dev/null
failed to mmap with 12 (Cannot allocate memory)
Fixes: 8ed536b1e283 ("coresight: catu: Add support for scatter gather tables")
Signed-off-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250109215348.5483-1-ilkka@os.amperecomputing.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwtracing/coresight/coresight-catu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c
index e0740c6dbd542..29c74a4905366 100644
--- a/drivers/hwtracing/coresight/coresight-catu.c
+++ b/drivers/hwtracing/coresight/coresight-catu.c
@@ -267,7 +267,7 @@ catu_init_sg_table(struct device *catu_dev, int node,
* Each table can address upto 1MB and we can have
* CATU_PAGES_PER_SYSPAGE tables in a system page.
*/
- nr_tpages = DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE;
+ nr_tpages = DIV_ROUND_UP(size, CATU_PAGES_PER_SYSPAGE * SZ_1M);
catu_table = tmc_alloc_sg_table(catu_dev, node, nr_tpages,
size >> PAGE_SHIFT, pages);
if (IS_ERR(catu_table))
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 197/279] iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 196/279] coresight: catu: Fix number of pages while using 64k pages Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 198/279] fs/ntfs3: Fix a couple integer overflows on 32bit systems Greg Kroah-Hartman
` (88 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Jonathan Cameron,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit df330c808182a8beab5d0f84a6cbc9cff76c61fc ]
If a match was not found, then the write_raw() callback would return
the odr index, not an error. Return -EINVAL if this occurs.
To avoid similar issues in future, introduce j, a new indexing variable
rather than using ret for this purpose.
Fixes: 79de2ee469aa ("iio: accel: mma8452: claim direct mode during write raw")
Reviewed-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250217140135.896574-2-jic23@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/accel/mma8452.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c
index 1f46a73aafeac..a7168803408f6 100644
--- a/drivers/iio/accel/mma8452.c
+++ b/drivers/iio/accel/mma8452.c
@@ -709,7 +709,7 @@ static int mma8452_write_raw(struct iio_dev *indio_dev,
int val, int val2, long mask)
{
struct mma8452_data *data = iio_priv(indio_dev);
- int i, ret;
+ int i, j, ret;
ret = iio_device_claim_direct_mode(indio_dev);
if (ret)
@@ -769,14 +769,18 @@ static int mma8452_write_raw(struct iio_dev *indio_dev,
break;
case IIO_CHAN_INFO_OVERSAMPLING_RATIO:
- ret = mma8452_get_odr_index(data);
+ j = mma8452_get_odr_index(data);
for (i = 0; i < ARRAY_SIZE(mma8452_os_ratio); i++) {
- if (mma8452_os_ratio[i][ret] == val) {
+ if (mma8452_os_ratio[i][j] == val) {
ret = mma8452_set_power_mode(data, i);
break;
}
}
+ if (i == ARRAY_SIZE(mma8452_os_ratio)) {
+ ret = -EINVAL;
+ break;
+ }
break;
default:
ret = -EINVAL;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 198/279] fs/ntfs3: Fix a couple integer overflows on 32bit systems
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 197/279] iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 199/279] iio: adc: ad7124: Fix comparison of channel configs Greg Kroah-Hartman
` (87 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Konstantin Komarov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 5ad414f4df2294b28836b5b7b69787659d6aa708 ]
On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can
have an integer wrapping issue. Fix it by using size_add().
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/index.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 9cffd59e9735b..cc2d29261859a 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -617,7 +617,7 @@ static bool index_hdr_check(const struct INDEX_HDR *hdr, u32 bytes)
u32 off = le32_to_cpu(hdr->de_off);
if (!IS_ALIGNED(off, 8) || tot > bytes || end > tot ||
- off + sizeof(struct NTFS_DE) > end) {
+ size_add(off, sizeof(struct NTFS_DE)) > end) {
/* incorrect index buffer. */
return false;
}
@@ -736,7 +736,7 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx,
if (end > total)
return NULL;
- if (off + sizeof(struct NTFS_DE) > end)
+ if (size_add(off, sizeof(struct NTFS_DE)) > end)
return NULL;
e = Add2Ptr(hdr, off);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 199/279] iio: adc: ad7124: Fix comparison of channel configs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 198/279] fs/ntfs3: Fix a couple integer overflows on 32bit systems Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 200/279] perf units: Fix insufficient array space Greg Kroah-Hartman
` (86 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 05a5d874f7327b75e9bc4359618017e047cc129c ]
Checking the binary representation of two structs (of the same type)
for equality doesn't have the same semantic as comparing all members for
equality. The former might find a difference where the latter doesn't in
the presence of padding or when ambiguous types like float or bool are
involved. (Floats typically have different representations for single
values, like -0.0 vs +0.0, or 0.5 * 2² vs 0.25 * 2³. The type bool has
at least 8 bits and the raw values 1 and 2 (probably) both evaluate to
true, but memcmp finds a difference.)
When searching for a channel that already has the configuration we need,
the comparison by member is the one that is needed.
Convert the comparison accordingly to compare the members one after
another. Also add a static_assert guard to (somewhat) ensure that when
struct ad7124_channel_config::config_props is expanded, the comparison
is adapted, too.
This issue is somewhat theoretic, but using memcmp() on a struct is a
bad pattern that is worth fixing.
Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20250303114659.1672695-13-u.kleine-koenig@baylibre.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7124.c | 35 +++++++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
index 93f32bba73f62..31c8cb3bf811b 100644
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -144,7 +144,11 @@ struct ad7124_chip_info {
struct ad7124_channel_config {
bool live;
unsigned int cfg_slot;
- /* Following fields are used to compare equality. */
+ /*
+ * Following fields are used to compare for equality. If you
+ * make adaptations in it, you most likely also have to adapt
+ * ad7124_find_similar_live_cfg(), too.
+ */
struct_group(config_props,
enum ad7124_ref_sel refsel;
bool bipolar;
@@ -331,15 +335,38 @@ static struct ad7124_channel_config *ad7124_find_similar_live_cfg(struct ad7124_
struct ad7124_channel_config *cfg)
{
struct ad7124_channel_config *cfg_aux;
- ptrdiff_t cmp_size;
int i;
- cmp_size = sizeof_field(struct ad7124_channel_config, config_props);
+ /*
+ * This is just to make sure that the comparison is adapted after
+ * struct ad7124_channel_config was changed.
+ */
+ static_assert(sizeof_field(struct ad7124_channel_config, config_props) ==
+ sizeof(struct {
+ enum ad7124_ref_sel refsel;
+ bool bipolar;
+ bool buf_positive;
+ bool buf_negative;
+ unsigned int vref_mv;
+ unsigned int pga_bits;
+ unsigned int odr;
+ unsigned int odr_sel_bits;
+ unsigned int filter_type;
+ }));
+
for (i = 0; i < st->num_channels; i++) {
cfg_aux = &st->channels[i].cfg;
if (cfg_aux->live &&
- !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size))
+ cfg->refsel == cfg_aux->refsel &&
+ cfg->bipolar == cfg_aux->bipolar &&
+ cfg->buf_positive == cfg_aux->buf_positive &&
+ cfg->buf_negative == cfg_aux->buf_negative &&
+ cfg->vref_mv == cfg_aux->vref_mv &&
+ cfg->pga_bits == cfg_aux->pga_bits &&
+ cfg->odr == cfg_aux->odr &&
+ cfg->odr_sel_bits == cfg_aux->odr_sel_bits &&
+ cfg->filter_type == cfg_aux->filter_type)
return cfg_aux;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 200/279] perf units: Fix insufficient array space
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 199/279] iio: adc: ad7124: Fix comparison of channel configs Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 201/279] kexec: initialize ELF lowest address to ULONG_MAX Greg Kroah-Hartman
` (85 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnaldo Carvalho de Melo,
Namhyung Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit cf67629f7f637fb988228abdb3aae46d0c1748fe ]
No need to specify the array size, let the compiler figure that out.
This addresses this compiler warning that was noticed while build
testing on fedora rawhide:
31 15.81 fedora:rawhide : FAIL gcc version 15.0.1 20250225 (Red Hat 15.0.1-0) (GCC)
util/units.c: In function 'unit_number__scnprintf':
util/units.c:67:24: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization]
67 | char unit[4] = "BKMG";
| ^~~~~~
cc1: all warnings being treated as errors
Fixes: 9808143ba2e54818 ("perf tools: Add unit_number__scnprintf function")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Link: https://lore.kernel.org/r/20250310194534.265487-3-acme@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/units.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/units.c b/tools/perf/util/units.c
index 32c39cfe209b3..4c6a86e1cb54b 100644
--- a/tools/perf/util/units.c
+++ b/tools/perf/util/units.c
@@ -64,7 +64,7 @@ unsigned long convert_unit(unsigned long value, char *unit)
int unit_number__scnprintf(char *buf, size_t size, u64 n)
{
- char unit[4] = "BKMG";
+ char unit[] = "BKMG";
int i = 0;
while (((n / 1024) > 1) && (i < 3)) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 201/279] kexec: initialize ELF lowest address to ULONG_MAX
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 200/279] perf units: Fix insufficient array space Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 202/279] ocfs2: validate l_tree_depth to avoid out-of-bounds access Greg Kroah-Hartman
` (84 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sourabh Jain, Hari Bathini,
Baoquan He, Madhavan Srinivasan, Mahesh Salgaonkar,
Michael Ellerman, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 9986fb5164c8b21f6439cfd45ba36d8cc80c9710 ]
Patch series "powerpc/crash: use generic crashkernel reservation", v3.
Commit 0ab97169aa05 ("crash_core: add generic function to do reservation")
added a generic function to reserve crashkernel memory. So let's use the
same function on powerpc and remove the architecture-specific code that
essentially does the same thing.
The generic crashkernel reservation also provides a way to split the
crashkernel reservation into high and low memory reservations, which can
be enabled for powerpc in the future.
Additionally move powerpc to use generic APIs to locate memory hole for
kexec segments while loading kdump kernel.
This patch (of 7):
kexec_elf_load() loads an ELF executable and sets the address of the
lowest PT_LOAD section to the address held by the lowest_load_addr
function argument.
To determine the lowest PT_LOAD address, a local variable lowest_addr
(type unsigned long) is initialized to UINT_MAX. After loading each
PT_LOAD, its address is compared to lowest_addr. If a loaded PT_LOAD
address is lower, lowest_addr is updated. However, setting lowest_addr to
UINT_MAX won't work when the kernel image is loaded above 4G, as the
returned lowest PT_LOAD address would be invalid. This is resolved by
initializing lowest_addr to ULONG_MAX instead.
This issue was discovered while implementing crashkernel high/low
reservation on the PowerPC architecture.
Link: https://lkml.kernel.org/r/20250131113830.925179-1-sourabhjain@linux.ibm.com
Link: https://lkml.kernel.org/r/20250131113830.925179-2-sourabhjain@linux.ibm.com
Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()")
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Acked-by: Hari Bathini <hbathini@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/kexec_elf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec_elf.c b/kernel/kexec_elf.c
index d3689632e8b90..3a5c25b2adc94 100644
--- a/kernel/kexec_elf.c
+++ b/kernel/kexec_elf.c
@@ -390,7 +390,7 @@ int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr,
struct kexec_buf *kbuf,
unsigned long *lowest_load_addr)
{
- unsigned long lowest_addr = UINT_MAX;
+ unsigned long lowest_addr = ULONG_MAX;
int ret;
size_t i;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 202/279] ocfs2: validate l_tree_depth to avoid out-of-bounds access
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 201/279] kexec: initialize ELF lowest address to ULONG_MAX Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 203/279] NFSv4: Dont trigger uneccessary scans for return-on-close delegations Greg Kroah-Hartman
` (83 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasiliy Kovalev,
syzbot+66c146268dc88f4341fd, Joseph Qi, Joel Becker, Junxiao Bi,
Changwei Ge, Jun Piao, Kurt Hackel, Mark Fasheh, Andrew Morton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasiliy Kovalev <kovalev@altlinux.org>
[ Upstream commit a406aff8c05115119127c962cbbbbd202e1973ef ]
The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is
limited to OCFS2_MAX_PATH_DEPTH.
Add a check to prevent out-of-bounds access if l_tree_depth has an invalid
value, which may occur when reading from a corrupted mounted disk [1].
Link: https://lkml.kernel.org/r/20250214084908.736528-1-kovalev@altlinux.org
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Kurt Hackel <kurt.hackel@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Vasiliy Kovalev <kovalev@altlinux.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/alloc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 5d9ae17bd443f..9c95d911a14b1 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -1796,6 +1796,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
el = root_el;
while (el->l_tree_depth) {
+ if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) {
+ ocfs2_error(ocfs2_metadata_cache_get_super(ci),
+ "Owner %llu has invalid tree depth %u in extent list\n",
+ (unsigned long long)ocfs2_metadata_cache_owner(ci),
+ le16_to_cpu(el->l_tree_depth));
+ ret = -EROFS;
+ goto out;
+ }
if (le16_to_cpu(el->l_next_free_rec) == 0) {
ocfs2_error(ocfs2_metadata_cache_get_super(ci),
"Owner %llu has empty extent list at depth %u\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 203/279] NFSv4: Dont trigger uneccessary scans for return-on-close delegations
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 202/279] ocfs2: validate l_tree_depth to avoid out-of-bounds access Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 204/279] fuse: fix dax truncate/punch_hole fault path Greg Kroah-Hartman
` (82 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 47acca884f714f41d95dc654f802845544554784 ]
The amount of looping through the list of delegations is occasionally
leading to soft lockups. Avoid at least some loops by not requiring the
NFSv4 state manager to scan for delegations that are marked for
return-on-close. Instead, either mark them for immediate return (if
possible) or else leave it up to nfs4_inode_return_delegation_on_close()
to return them once the file is closed by the application.
Fixes: b757144fd77c ("NFSv4: Be less aggressive about returning delegations for open files")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/delegation.c | 33 ++++++++++++++++++---------------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
index ac79ef0d43a73..0c14ff09cfbe3 100644
--- a/fs/nfs/delegation.c
+++ b/fs/nfs/delegation.c
@@ -570,17 +570,6 @@ static bool nfs_delegation_need_return(struct nfs_delegation *delegation)
if (test_and_clear_bit(NFS_DELEGATION_RETURN, &delegation->flags))
ret = true;
- else if (test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) {
- struct inode *inode;
-
- spin_lock(&delegation->lock);
- inode = delegation->inode;
- if (inode && list_empty(&NFS_I(inode)->open_files))
- ret = true;
- spin_unlock(&delegation->lock);
- }
- if (ret)
- clear_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags) ||
test_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags) ||
test_bit(NFS_DELEGATION_REVOKED, &delegation->flags))
@@ -821,11 +810,25 @@ int nfs4_inode_make_writeable(struct inode *inode)
return nfs4_inode_return_delegation(inode);
}
-static void nfs_mark_return_if_closed_delegation(struct nfs_server *server,
- struct nfs_delegation *delegation)
+static void
+nfs_mark_return_if_closed_delegation(struct nfs_server *server,
+ struct nfs_delegation *delegation)
{
- set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
- set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state);
+ struct inode *inode;
+
+ if (test_bit(NFS_DELEGATION_RETURN, &delegation->flags) ||
+ test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags))
+ return;
+ spin_lock(&delegation->lock);
+ inode = delegation->inode;
+ if (!inode)
+ goto out;
+ if (list_empty(&NFS_I(inode)->open_files))
+ nfs_mark_return_delegation(server, delegation);
+ else
+ set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
+out:
+ spin_unlock(&delegation->lock);
}
static bool nfs_server_mark_return_all_delegations(struct nfs_server *server)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 204/279] fuse: fix dax truncate/punch_hole fault path
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 203/279] NFSv4: Dont trigger uneccessary scans for return-on-close delegations Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 205/279] i3c: master: svc: Fix missing the IBI rules Greg Kroah-Hartman
` (81 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alistair Popple, Dan Williams,
Balbir Singh, Alison Schofield, Vivek Goyal, Alexander Gordeev,
Asahi Lina, Bjorn Helgaas, Catalin Marinas, Christian Borntraeger,
Christoph Hellwig, Chunyan Zhang, Darrick J. Wong, Dave Chinner,
Dave Hansen, Dave Jiang, David Hildenbrand, Gerald Schaefer,
Heiko Carstens, Huacai Chen, Ira Weiny, Jan Kara, Jason Gunthorpe,
Jason Gunthorpe, John Hubbard, linmiaohe, Logan Gunthorpe,
Matthew Wilcow (Oracle), Michael Camp Drill Sergeant Ellerman,
Nicholas Piggin, Peter Xu, Sven Schnelle, Ted Tso, Vasily Gorbik,
Vishal Verma, WANG Xuerui, Will Deacon, Andrew Morton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alistair Popple <apopple@nvidia.com>
[ Upstream commit 7851bf649d423edd7286b292739f2eefded3d35c ]
Patch series "fs/dax: Fix ZONE_DEVICE page reference counts", v9.
Device and FS DAX pages have always maintained their own page reference
counts without following the normal rules for page reference counting. In
particular pages are considered free when the refcount hits one rather
than zero and refcounts are not added when mapping the page.
Tracking this requires special PTE bits (PTE_DEVMAP) and a secondary
mechanism for allowing GUP to hold references on the page (see
get_dev_pagemap). However there doesn't seem to be any reason why FS DAX
pages need their own reference counting scheme.
By treating the refcounts on these pages the same way as normal pages we
can remove a lot of special checks. In particular pXd_trans_huge()
becomes the same as pXd_leaf(), although I haven't made that change here.
It also frees up a valuable SW define PTE bit on architectures that have
devmap PTE bits defined.
It also almost certainly allows further clean-up of the devmap managed
functions, but I have left that as a future improvment. It also enables
support for compound ZONE_DEVICE pages which is one of my primary
motivators for doing this work.
This patch (of 20):
FS DAX requires file systems to call into the DAX layout prior to
unlinking inodes to ensure there is no ongoing DMA or other remote access
to the direct mapped page. The fuse file system implements
fuse_dax_break_layouts() to do this which includes a comment indicating
that passing dmap_end == 0 leads to unmapping of the whole file.
However this is not true - passing dmap_end == 0 will not unmap anything
before dmap_start, and further more dax_layout_busy_page_range() will not
scan any of the range to see if there maybe ongoing DMA access to the
range. Fix this by passing -1 for dmap_end to fuse_dax_break_layouts()
which will invalidate the entire file range to
dax_layout_busy_page_range().
Link: https://lkml.kernel.org/r/cover.8068ad144a7eea4a813670301f4d2a86a8e68ec4.1740713401.git-series.apopple@nvidia.com
Link: https://lkml.kernel.org/r/f09a34b6c40032022e4ddee6fadb7cc676f08867.1740713401.git-series.apopple@nvidia.com
Fixes: 6ae330cad6ef ("virtiofs: serialize truncate/punch_hole and dax fault path")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Co-developed-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Tested-by: Alison Schofield <alison.schofield@intel.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Asahi Lina <lina@asahilina.net>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chunyan Zhang <zhang.lyra@gmail.com>
Cc: "Darrick J. Wong" <djwong@kernel.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: linmiaohe <linmiaohe@huawei.com>
Cc: Logan Gunthorpe <logang@deltatee.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Michael "Camp Drill Sergeant" Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: WANG Xuerui <kernel@xen0n.name>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dax.c | 1 -
fs/fuse/dir.c | 2 +-
fs/fuse/file.c | 4 ++--
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/fuse/dax.c b/fs/fuse/dax.c
index 3e7aafe2e9533..d3ebb02626e2f 100644
--- a/fs/fuse/dax.c
+++ b/fs/fuse/dax.c
@@ -681,7 +681,6 @@ static int __fuse_dax_break_layouts(struct inode *inode, bool *retry,
0, 0, fuse_wait_dax_page(inode));
}
-/* dmap_end == 0 leads to unmapping of whole file */
int fuse_dax_break_layouts(struct inode *inode, u64 dmap_start,
u64 dmap_end)
{
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 03dadc44e9b1c..1b8bf81d6c16b 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1600,7 +1600,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
if (FUSE_IS_DAX(inode) && is_truncate) {
filemap_invalidate_lock(mapping);
fault_blocked = true;
- err = fuse_dax_break_layouts(inode, 0, 0);
+ err = fuse_dax_break_layouts(inode, 0, -1);
if (err) {
filemap_invalidate_unlock(mapping);
return err;
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 8702ef9ff8b9e..40fdb4dac5bbc 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -242,7 +242,7 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir)
if (dax_truncate) {
filemap_invalidate_lock(inode->i_mapping);
- err = fuse_dax_break_layouts(inode, 0, 0);
+ err = fuse_dax_break_layouts(inode, 0, -1);
if (err)
goto out_inode_unlock;
}
@@ -2962,7 +2962,7 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
inode_lock(inode);
if (block_faults) {
filemap_invalidate_lock(inode->i_mapping);
- err = fuse_dax_break_layouts(inode, 0, 0);
+ err = fuse_dax_break_layouts(inode, 0, -1);
if (err)
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 205/279] i3c: master: svc: Fix missing the IBI rules
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 204/279] fuse: fix dax truncate/punch_hole fault path Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 206/279] perf python: Fixup description of sample.id event member Greg Kroah-Hartman
` (80 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanley Chu, Frank Li,
Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanley Chu <yschu@nuvoton.com>
[ Upstream commit 9cecad134d84d14dc72a0eea7a107691c3e5a837 ]
The code does not add IBI rules for devices with controller capability.
However, the secondary controller has the controller capability and works
at target mode when the device is probed. Therefore, add IBI rules for
such devices.
Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
Signed-off-by: Stanley Chu <yschu@nuvoton.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250318053606.3087121-2-yschu@nuvoton.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/svc-i3c-master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
index 7fc82b003b961..29440a1266b8a 100644
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -807,7 +807,7 @@ static int svc_i3c_update_ibirules(struct svc_i3c_master *master)
/* Create the IBIRULES register for both cases */
i3c_bus_for_each_i3cdev(&master->base.bus, dev) {
- if (I3C_BCR_DEVICE_ROLE(dev->info.bcr) == I3C_BCR_I3C_MASTER)
+ if (!(dev->info.bcr & I3C_BCR_IBI_REQ_CAP))
continue;
if (dev->info.bcr & I3C_BCR_IBI_PAYLOAD) {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 206/279] perf python: Fixup description of sample.id event member
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 205/279] i3c: master: svc: Fix missing the IBI rules Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 207/279] perf python: Decrement the refcount of just created event on failure Greg Kroah-Hartman
` (79 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnaldo Carvalho de Melo, Ian Rogers,
Namhyung Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 1376c195e8ad327bb9f2d32e0acc5ac39e7cb30a ]
Some old cut'n'paste error, its "ip", so the description should be
"event ip", not "event type".
Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250312203141.285263-2-acme@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/python.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
index 8feef3a05af7b..13d65a3cc6d7d 100644
--- a/tools/perf/util/python.c
+++ b/tools/perf/util/python.c
@@ -158,7 +158,7 @@ struct pyrf_event {
};
#define sample_members \
- sample_member_def(sample_ip, ip, T_ULONGLONG, "event type"), \
+ sample_member_def(sample_ip, ip, T_ULONGLONG, "event ip"), \
sample_member_def(sample_pid, pid, T_INT, "event pid"), \
sample_member_def(sample_tid, tid, T_INT, "event tid"), \
sample_member_def(sample_time, time, T_ULONGLONG, "event timestamp"), \
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 207/279] perf python: Decrement the refcount of just created event on failure
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 206/279] perf python: Fixup description of sample.id event member Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 208/279] perf python: Dont keep a raw_data pointer to consumed ring buffer space Greg Kroah-Hartman
` (78 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnaldo Carvalho de Melo, Ian Rogers,
Namhyung Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 3de5a2bf5b4847f7a59a184568f969f8fe05d57f ]
To avoid a leak if we have the python object but then something happens
and we need to return the operation, decrement the offset of the newly
created object.
Fixes: 377f698db12150a1 ("perf python: Add struct evsel into struct pyrf_event")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250312203141.285263-5-acme@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/python.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
index 13d65a3cc6d7d..368a5f2c244c8 100644
--- a/tools/perf/util/python.c
+++ b/tools/perf/util/python.c
@@ -1084,6 +1084,7 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
evsel = evlist__event2evsel(evlist, event);
if (!evsel) {
+ Py_DECREF(pyevent);
Py_INCREF(Py_None);
return Py_None;
}
@@ -1095,9 +1096,12 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
/* Consume the even only after we parsed it out. */
perf_mmap__consume(&md->core);
- if (err)
+ if (err) {
+ Py_DECREF(pyevent);
return PyErr_Format(PyExc_OSError,
"perf: can't parse sample, err=%d", err);
+ }
+
return pyevent;
}
end:
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 208/279] perf python: Dont keep a raw_data pointer to consumed ring buffer space
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 207/279] perf python: Decrement the refcount of just created event on failure Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 209/279] perf python: Check if there is space to copy all the event Greg Kroah-Hartman
` (77 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnaldo Carvalho de Melo, Ian Rogers,
Namhyung Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit f3fed3ae34d606819d87a63d970cc3092a5be7ab ]
When processing tracepoints the perf python binding was parsing the
event before calling perf_mmap__consume(&md->core) in
pyrf_evlist__read_on_cpu().
But part of this event parsing was to set the perf_sample->raw_data
pointer to the payload of the event, which then could be overwritten by
other event before tracepoint fields were asked for via event.prev_comm
in a python program, for instance.
This also happened with other fields, but strings were were problems
were surfacing, as there is UTF-8 validation for the potentially garbled
data.
This ended up showing up as (with some added debugging messages):
( field 'prev_comm' ret=0x7f7c31f65110, raw_size=68 ) ( field 'prev_pid' ret=0x7f7c23b1bed0, raw_size=68 ) ( field 'prev_prio' ret=0x7f7c239c0030, raw_size=68 ) ( field 'prev_state' ret=0x7f7c239c0250, raw_size=68 ) time 14771421785867 prev_comm= prev_pid=1919907691 prev_prio=796026219 prev_state=0x303a32313175 ==>
( XXX '��' len=16, raw_size=68) ( field 'next_comm' ret=(nil), raw_size=68 ) Traceback (most recent call last):
File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 51, in <module>
main()
File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 46, in main
event.next_comm,
^^^^^^^^^^^^^^^
AttributeError: 'perf.sample_event' object has no attribute 'next_comm'
When event.next_comm was asked for, the PyUnicode_FromString() python
API would fail and that tracepoint field wouldn't be available, stopping
the tools/perf/python/tracepoint.py test tool.
But, since we already do a copy of the whole event in pyrf_event__new,
just use it and while at it remove what was done in in e8968e654191390a
("perf python: Fix pyrf_evlist__read_on_cpu event consuming") because we
don't really need to wait for parsing the sample before declaring the
event as consumed.
This copy is questionable as is now, as it limits the maximum event +
sample_type and tracepoint payload to sizeof(union perf_event), this all
has been "working" because 'struct perf_event_mmap2', the largest entry
in 'union perf_event' is:
$ pahole -C perf_event ~/bin/perf | grep mmap2
struct perf_record_mmap2 mmap2; /* 0 4168 */
$
Fixes: bae57e3825a3dded ("perf python: Add support to resolve tracepoint fields")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250312203141.285263-6-acme@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/python.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
index 368a5f2c244c8..42810b63125a9 100644
--- a/tools/perf/util/python.c
+++ b/tools/perf/util/python.c
@@ -1091,11 +1091,9 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
pevent->evsel = evsel;
- err = evsel__parse_sample(evsel, event, &pevent->sample);
-
- /* Consume the even only after we parsed it out. */
perf_mmap__consume(&md->core);
+ err = evsel__parse_sample(evsel, &pevent->event, &pevent->sample);
if (err) {
Py_DECREF(pyevent);
return PyErr_Format(PyExc_OSError,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 209/279] perf python: Check if there is space to copy all the event
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 208/279] perf python: Dont keep a raw_data pointer to consumed ring buffer space Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 210/279] fs/procfs: fix the comment above proc_pid_wchan() Greg Kroah-Hartman
` (76 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnaldo Carvalho de Melo, Ian Rogers,
Namhyung Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 89aaeaf84231157288035b366cb6300c1c6cac64 ]
The pyrf_event__new() method copies the event obtained from the perf
ring buffer to a structure that will then be turned into a python object
for further consumption, so it copies perf_event.header.size bytes to
its 'event' member:
$ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so
struct pyrf_event {
PyObject ob_base; /* 0 16 */
struct evsel * evsel; /* 16 8 */
struct perf_sample sample; /* 24 312 */
/* XXX last struct has 7 bytes of padding, 2 holes */
/* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
union perf_event event; /* 336 4168 */
/* size: 4504, cachelines: 71, members: 4 */
/* member types with holes: 1, total: 2 */
/* paddings: 1, sum paddings: 7 */
/* last cacheline: 24 bytes */
};
$
It was doing so without checking if the event just obtained has more
than that space, fix it.
This isn't a proper, final solution, as we need to support larger
events, but for the time being we at least bounds check and document it.
Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250312203141.285263-7-acme@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/python.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
index 42810b63125a9..b9fd7edfbb3cc 100644
--- a/tools/perf/util/python.c
+++ b/tools/perf/util/python.c
@@ -585,6 +585,11 @@ static PyObject *pyrf_event__new(union perf_event *event)
event->header.type == PERF_RECORD_SWITCH_CPU_WIDE))
return NULL;
+ // FIXME this better be dynamic or we need to parse everything
+ // before calling perf_mmap__consume(), including tracepoint fields.
+ if (sizeof(pevent->event) < event->header.size)
+ return NULL;
+
ptype = pyrf_event__type[event->header.type];
pevent = PyObject_New(struct pyrf_event, ptype);
if (pevent != NULL)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 210/279] fs/procfs: fix the comment above proc_pid_wchan()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 209/279] perf python: Check if there is space to copy all the event Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 211/279] objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() Greg Kroah-Hartman
` (75 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Kees Cook,
Eric W. Biederman, Alexey Dobriyan, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 6287fbad1cd91f0c25cdc3a580499060828a8f30 ]
proc_pid_wchan() used to report kernel addresses to user space but that is
no longer the case today. Bring the comment above proc_pid_wchan() in
sync with the implementation.
Link: https://lkml.kernel.org/r/20250319210222.1518771-1-bvanassche@acm.org
Fixes: b2f73922d119 ("fs/proc, core/debug: Don't expose absolute kernel addresses via wchan")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/proc/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index d0414e566d30a..3405005199b61 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -416,7 +416,7 @@ static const struct file_operations proc_pid_cmdline_ops = {
#ifdef CONFIG_KALLSYMS
/*
* Provides a wchan file via kallsyms in a proper one-value-per-file format.
- * Returns the resolved symbol. If that fails, simply return the address.
+ * Returns the resolved symbol to user space.
*/
static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 211/279] objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 210/279] fs/procfs: fix the comment above proc_pid_wchan() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 212/279] exfat: fix the infinite loop in exfat_find_last_cluster() Greg Kroah-Hartman
` (74 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Josh Poimboeuf,
Ingo Molnar, Mauro Carvalho Chehab, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ]
If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result
is a divide-by-zero. Prevent that from happening.
Fixes the following warning with an UBSAN kernel:
drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()
Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.1742852847.git.jpoimboe@kernel.org
Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/dib8000.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
index 02cb48223dc67..a28cbbd9e475c 100644
--- a/drivers/media/dvb-frontends/dib8000.c
+++ b/drivers/media/dvb-frontends/dib8000.c
@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz)
u8 ratio;
if (state->revision == 0x8090) {
+ u32 internal = dib8000_read32(state, 23) / 1000;
+
ratio = 4;
- unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000);
+
+ unit_khz_dds_val = (1<<26) / (internal ?: 1);
if (offset_khz < 0)
dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val);
else
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 212/279] exfat: fix the infinite loop in exfat_find_last_cluster()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 211/279] objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 213/279] rtnetlink: Allocate vfinfo size for VF GUIDs when supported Greg Kroah-Hartman
` (73 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f7d147e6db52b1e09dba,
Yuezhang Mo, Namjae Jeon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
[ Upstream commit b0522303f67255926b946aa66885a0104d1b2980 ]
In exfat_find_last_cluster(), the cluster chain is traversed until
the EOF cluster. If the cluster chain includes a loop due to file
system corruption, the EOF cluster cannot be traversed, resulting
in an infinite loop.
If the number of clusters indicated by the file size is inconsistent
with the cluster chain length, exfat_find_last_cluster() will return
an error, so if this inconsistency is found, the traversal can be
aborted without traversing to the EOF cluster.
Reported-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f7d147e6db52b1e09dba
Tested-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com
Fixes: 31023864e67a ("exfat: add fat entry operations")
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/exfat/fatent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index 9c116a58544da..c5f6015a947ce 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -264,7 +264,7 @@ int exfat_find_last_cluster(struct super_block *sb, struct exfat_chain *p_chain,
clu = next;
if (exfat_ent_get(sb, clu, &next))
return -EIO;
- } while (next != EXFAT_EOF_CLUSTER);
+ } while (next != EXFAT_EOF_CLUSTER && count <= p_chain->size);
if (p_chain->size != count) {
exfat_fs_error(sb,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 213/279] rtnetlink: Allocate vfinfo size for VF GUIDs when supported
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 212/279] exfat: fix the infinite loop in exfat_find_last_cluster() Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 214/279] ksmbd: use aead_request_free to match aead_request_alloc Greg Kroah-Hartman
` (72 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Zhang, Maher Sanalla,
Mark Bloch, Sabrina Dubroca, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Zhang <markzhang@nvidia.com>
[ Upstream commit 23f00807619d15063d676218f36c5dfeda1eb420 ]
Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs")
added support for getting VF port and node GUIDs in netlink ifinfo
messages, but their size was not taken into consideration in the
function that allocates the netlink message, causing the following
warning when a netlink message is filled with many VF port and node
GUIDs:
# echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs
# ip link show dev ib0
RTNETLINK answers: Message too long
Cannot send link get request: Message too long
Kernel warning:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0
Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core
CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:rtnl_getlink+0x586/0x5a0
Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00
RSP: 0018:ffff888113557348 EFLAGS: 00010246
RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8
RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000
R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00
R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff
FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __warn+0xa5/0x230
? rtnl_getlink+0x586/0x5a0
? report_bug+0x22d/0x240
? handle_bug+0x53/0xa0
? exc_invalid_op+0x14/0x50
? asm_exc_invalid_op+0x16/0x20
? skb_trim+0x6a/0x80
? rtnl_getlink+0x586/0x5a0
? __pfx_rtnl_getlink+0x10/0x10
? rtnetlink_rcv_msg+0x1e5/0x860
? __pfx___mutex_lock+0x10/0x10
? rcu_is_watching+0x34/0x60
? __pfx_lock_acquire+0x10/0x10
? stack_trace_save+0x90/0xd0
? filter_irq_stacks+0x1d/0x70
? kasan_save_stack+0x30/0x40
? kasan_save_stack+0x20/0x40
? kasan_save_track+0x10/0x30
rtnetlink_rcv_msg+0x21c/0x860
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? __pfx_rtnetlink_rcv_msg+0x10/0x10
? arch_stack_walk+0x9e/0xf0
? rcu_is_watching+0x34/0x60
? lock_acquire+0xd5/0x410
? rcu_is_watching+0x34/0x60
netlink_rcv_skb+0xe0/0x210
? __pfx_rtnetlink_rcv_msg+0x10/0x10
? __pfx_netlink_rcv_skb+0x10/0x10
? rcu_is_watching+0x34/0x60
? __pfx___netlink_lookup+0x10/0x10
? lock_release+0x62/0x200
? netlink_deliver_tap+0xfd/0x290
? rcu_is_watching+0x34/0x60
? lock_release+0x62/0x200
? netlink_deliver_tap+0x95/0x290
netlink_unicast+0x31f/0x480
? __pfx_netlink_unicast+0x10/0x10
? rcu_is_watching+0x34/0x60
? lock_acquire+0xd5/0x410
netlink_sendmsg+0x369/0x660
? lock_release+0x62/0x200
? __pfx_netlink_sendmsg+0x10/0x10
? import_ubuf+0xb9/0xf0
? __import_iovec+0x254/0x2b0
? lock_release+0x62/0x200
? __pfx_netlink_sendmsg+0x10/0x10
____sys_sendmsg+0x559/0x5a0
? __pfx_____sys_sendmsg+0x10/0x10
? __pfx_copy_msghdr_from_user+0x10/0x10
? rcu_is_watching+0x34/0x60
? do_read_fault+0x213/0x4a0
? rcu_is_watching+0x34/0x60
___sys_sendmsg+0xe4/0x150
? __pfx____sys_sendmsg+0x10/0x10
? do_fault+0x2cc/0x6f0
? handle_pte_fault+0x2e3/0x3d0
? __pfx_handle_pte_fault+0x10/0x10
? preempt_count_sub+0x14/0xc0
? __down_read_trylock+0x150/0x270
? __handle_mm_fault+0x404/0x8e0
? __pfx___handle_mm_fault+0x10/0x10
? lock_release+0x62/0x200
? __rcu_read_unlock+0x65/0x90
? rcu_is_watching+0x34/0x60
__sys_sendmsg+0xd5/0x150
? __pfx___sys_sendmsg+0x10/0x10
? __up_read+0x192/0x480
? lock_release+0x62/0x200
? __rcu_read_unlock+0x65/0x90
? rcu_is_watching+0x34/0x60
do_syscall_64+0x6d/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f63a5b13367
Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RSP: 002b:00007fff8c726bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000067b687c2 RCX: 00007f63a5b13367
RDX: 0000000000000000 RSI: 00007fff8c726c30 RDI: 0000000000000004
RBP: 00007fff8c726cb8 R08: 0000000000000000 R09: 0000000000000034
R10: 00007fff8c726c7c R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007fff8c726cd0 R15: 00007fff8c726cd0
</TASK>
irq event stamp: 0
hardirqs last enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [<ffffffff813f9e58>] copy_process+0xd08/0x2830
softirqs last enabled at (0): [<ffffffff813f9e58>] copy_process+0xd08/0x2830
softirqs last disabled at (0): [<0000000000000000>] 0x0
---[ end trace 0000000000000000 ]---
Thus, when calculating ifinfo message size, take VF GUIDs sizes into
account when supported.
Fixes: 30aad41721e0 ("net/core: Add support for getting VF GUIDs")
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20250325090226.749730-1-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 24795110b2ff3..46a97c915e93e 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -972,6 +972,9 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
/* IFLA_VF_STATS_TX_DROPPED */
nla_total_size_64bit(sizeof(__u64)));
}
+ if (dev->netdev_ops->ndo_get_vf_guid)
+ size += num_vfs * 2 *
+ nla_total_size(sizeof(struct ifla_vf_guid));
return size;
} else
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 214/279] ksmbd: use aead_request_free to match aead_request_alloc
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 213/279] rtnetlink: Allocate vfinfo size for VF GUIDs when supported Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 215/279] ksmbd: fix multichannel connection failure Greg Kroah-Hartman
` (71 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 6171063e9d046ffa46f51579b2ca4a43caef581a ]
Use aead_request_free() instead of kfree() to properly free memory
allocated by aead_request_alloc(). This ensures sensitive crypto data
is zeroed before being freed.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 3b776b5de7db6..647692ca78a28 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -1211,7 +1211,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
free_sg:
kfree(sg);
free_req:
- kfree(req);
+ aead_request_free(req);
free_ctx:
ksmbd_release_crypto_ctx(ctx);
return rc;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 215/279] ksmbd: fix multichannel connection failure
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 214/279] ksmbd: use aead_request_free to match aead_request_alloc Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 216/279] ring-buffer: Fix bytes_dropped calculation issue Greg Kroah-Hartman
` (70 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Heelan, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit c1883049aa9b2b7dffd3a68c5fc67fa92c174bd9 ]
ksmbd check that the session of second channel is in the session list of
first connection. If it is in session list, multichannel connection
should not be allowed.
Fixes: b95629435b84 ("ksmbd: fix racy issue from session lookup and expire")
Reported-by: Sean Heelan <seanheelan@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/mgmt/user_session.c | 16 ++++++++++++++++
fs/ksmbd/mgmt/user_session.h | 2 ++
fs/ksmbd/smb2pdu.c | 12 ++++--------
3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index 1cee9733bdac5..f59714bfc819b 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -250,6 +250,22 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
up_write(&conn->session_lock);
}
+bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn,
+ unsigned long long id)
+{
+ struct ksmbd_session *sess;
+
+ down_read(&conn->session_lock);
+ sess = xa_load(&conn->sessions, id);
+ if (sess) {
+ up_read(&conn->session_lock);
+ return true;
+ }
+ up_read(&conn->session_lock);
+
+ return false;
+}
+
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
unsigned long long id)
{
diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
index ce91b1d698e71..f4da293c4dbb2 100644
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -87,6 +87,8 @@ void ksmbd_session_destroy(struct ksmbd_session *sess);
struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id);
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
unsigned long long id);
+bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn,
+ unsigned long long id);
int ksmbd_session_register(struct ksmbd_conn *conn,
struct ksmbd_session *sess);
void ksmbd_sessions_deregister(struct ksmbd_conn *conn);
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 82b6be188ad4a..3dfe0acf21a5d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1725,44 +1725,38 @@ int smb2_sess_setup(struct ksmbd_work *work)
if (conn->dialect != sess->dialect) {
rc = -EINVAL;
- ksmbd_user_session_put(sess);
goto out_err;
}
if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) {
rc = -EINVAL;
- ksmbd_user_session_put(sess);
goto out_err;
}
if (strncmp(conn->ClientGUID, sess->ClientGUID,
SMB2_CLIENT_GUID_SIZE)) {
rc = -ENOENT;
- ksmbd_user_session_put(sess);
goto out_err;
}
if (sess->state == SMB2_SESSION_IN_PROGRESS) {
rc = -EACCES;
- ksmbd_user_session_put(sess);
goto out_err;
}
if (sess->state == SMB2_SESSION_EXPIRED) {
rc = -EFAULT;
- ksmbd_user_session_put(sess);
goto out_err;
}
- ksmbd_user_session_put(sess);
if (ksmbd_conn_need_reconnect(conn)) {
rc = -EFAULT;
+ ksmbd_user_session_put(sess);
sess = NULL;
goto out_err;
}
- sess = ksmbd_session_lookup(conn, sess_id);
- if (!sess) {
+ if (is_ksmbd_session_in_connection(conn, sess_id)) {
rc = -EACCES;
goto out_err;
}
@@ -1928,6 +1922,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
sess->last_active = jiffies;
sess->state = SMB2_SESSION_EXPIRED;
+ ksmbd_user_session_put(sess);
+ work->sess = NULL;
if (try_delay) {
ksmbd_conn_set_need_reconnect(conn);
ssleep(5);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 216/279] ring-buffer: Fix bytes_dropped calculation issue
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 215/279] ksmbd: fix multichannel connection failure Greg Kroah-Hartman
@ 2025-04-08 10:49 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 217/279] ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid Greg Kroah-Hartman
` (69 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Yang, Steven Rostedt (Google),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Yang <yangfeng@kylinos.cn>
[ Upstream commit c73f0b69648501978e8b3e8fa7eef7f4197d0481 ]
The calculation of bytes-dropped and bytes_dropped_nested is reversed.
Although it does not affect the final calculation of total_dropped,
it should still be modified.
Link: https://lore.kernel.org/20250223070106.6781-1-yangfeng59949@163.com
Fixes: 6c43e554a2a5 ("ring-buffer: Add ring buffer startup selftest")
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/ring_buffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index f9f0c198cb43c..90a8dd91e2eb0 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5949,9 +5949,9 @@ static __init int rb_write_something(struct rb_test_data *data, bool nested)
/* Ignore dropped events before test starts. */
if (started) {
if (nested)
- data->bytes_dropped += len;
- else
data->bytes_dropped_nested += len;
+ else
+ data->bytes_dropped += len;
}
return len;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 217/279] ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-04-08 10:49 ` [PATCH 5.15 216/279] ring-buffer: Fix bytes_dropped calculation issue Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 218/279] octeontx2-af: Fix mbox INTR handler when num VFs > 64 Greg Kroah-Hartman
` (68 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Gherdovich, Zhang Rui,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Gherdovich <ggherdovich@suse.cz>
[ Upstream commit 9e9b893404d43894d69a18dd2fc8fcf1c36abb7e ]
Prior to commit 496121c02127 ("ACPI: processor: idle: Allow probing on
platforms with one ACPI C-state"), the acpi_idle driver wouldn't load on
systems without a valid C-State at least as deep as C2.
The behavior was desirable for guests on hypervisors such as VMWare
ESXi, which by default don't have the _CST ACPI method, and set the C2
and C3 latencies to 101 and 1001 microseconds respectively via the FADT,
to signify they're unsupported.
Since the above change though, these virtualized deployments end up
loading acpi_idle, and thus entering the default C1 C-State set by
acpi_processor_get_power_info_default(); this is undesirable for a
system that's communicating to the OS it doesn't want C-States (missing
_CST, and invalid C2/C3 in FADT).
Make acpi_processor_get_power_info_fadt() return -ENODEV in that case,
so that acpi_processor_get_cstate_info() exits early and doesn't set
pr->flags.power = 1.
Fixes: 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state")
Signed-off-by: Giovanni Gherdovich <ggherdovich@suse.cz>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Link: https://patch.msgid.link/20250328143040.9348-1-ggherdovich@suse.cz
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/processor_idle.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
index 5289c344de900..469a2e5eb6e8c 100644
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -265,6 +265,10 @@ static int acpi_processor_get_power_info_fadt(struct acpi_processor *pr)
ACPI_CX_DESC_LEN, "ACPI P_LVL3 IOPORT 0x%x",
pr->power.states[ACPI_STATE_C3].address);
+ if (!pr->power.states[ACPI_STATE_C2].address &&
+ !pr->power.states[ACPI_STATE_C3].address)
+ return -ENODEV;
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 218/279] octeontx2-af: Fix mbox INTR handler when num VFs > 64
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 217/279] ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 219/279] octeontx2-af: Free NIX_AF_INT_VEC_GEN irq Greg Kroah-Hartman
` (67 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geetha sowjanya, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geetha sowjanya <gakula@marvell.com>
[ Upstream commit 0fdba88a211508984eb5df62008c29688692b134 ]
When number of RVU VFs > 64, the vfs value passed to "rvu_queue_work"
function is incorrect. Due to which mbox workqueue entries for
VFs 0 to 63 never gets added to workqueue.
Fixes: 9bdc47a6e328 ("octeontx2-af: Mbox communication support btw AF and it's VFs")
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250327091441.1284-1-gakula@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
index bc8187e3f3393..0863fa06c06d1 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
@@ -2469,7 +2469,7 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq)
rvupf_write64(rvu, RVU_PF_VFPF_MBOX_INTX(1), intr);
rvu_queue_work(&rvu->afvf_wq_info, 64, vfs, intr);
- vfs -= 64;
+ vfs = 64;
}
intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(0));
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 219/279] octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 218/279] octeontx2-af: Fix mbox INTR handler when num VFs > 64 Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 220/279] sched/smt: Always inline sched_smt_active() Greg Kroah-Hartman
` (66 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geetha sowjanya, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geetha sowjanya <gakula@marvell.com>
[ Upstream commit 323d6db6dc7decb06f2545efb9496259ddacd4f4 ]
Due to the incorrect initial vector number in
rvu_nix_unregister_interrupts(), NIX_AF_INT_VEC_GEN is not
geeting free. Fix the vector number to include NIX_AF_INT_VEC_GEN
irq.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250327094054.2312-1-gakula@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 40fbda152533b..c5e3ef6b41a87 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -216,7 +216,7 @@ static void rvu_nix_unregister_interrupts(struct rvu *rvu)
rvu->irq_allocated[offs + NIX_AF_INT_VEC_RVU] = false;
}
- for (i = NIX_AF_INT_VEC_AF_ERR; i < NIX_AF_INT_VEC_CNT; i++)
+ for (i = NIX_AF_INT_VEC_GEN; i < NIX_AF_INT_VEC_CNT; i++)
if (rvu->irq_allocated[offs + i]) {
free_irq(pci_irq_vector(rvu->pdev, offs + i), rvu_dl);
rvu->irq_allocated[offs + i] = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 220/279] sched/smt: Always inline sched_smt_active()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 219/279] octeontx2-af: Free NIX_AF_INT_VEC_GEN irq Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 221/279] wifi: iwlwifi: fw: allocate chained SG tables for dump Greg Kroah-Hartman
` (65 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Josh Poimboeuf,
Ingo Molnar, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 09f37f2d7b21ff35b8b533f9ab8cfad2fe8f72f6 ]
sched_smt_active() can be called from noinstr code, so it should always
be inlined. The CONFIG_SCHED_SMT version already has __always_inline.
Do the same for its !CONFIG_SCHED_SMT counterpart.
Fixes the following warning:
vmlinux.o: error: objtool: intel_idle_ibrs+0x13: call to sched_smt_active() leaves .noinstr.text section
Fixes: 321a874a7ef8 ("sched/smt: Expose sched_smt_present static key")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/1d03907b0a247cf7fb5c1d518de378864f603060.1743481539.git.jpoimboe@kernel.org
Closes: https://lore.kernel.org/r/202503311434.lyw2Tveh-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched/smt.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h
index 59d3736c454cf..737b50f40137b 100644
--- a/include/linux/sched/smt.h
+++ b/include/linux/sched/smt.h
@@ -12,7 +12,7 @@ static __always_inline bool sched_smt_active(void)
return static_branch_likely(&sched_smt_present);
}
#else
-static inline bool sched_smt_active(void) { return false; }
+static __always_inline bool sched_smt_active(void) { return false; }
#endif
void arch_smt_update(void);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 221/279] wifi: iwlwifi: fw: allocate chained SG tables for dump
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 220/279] sched/smt: Always inline sched_smt_active() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 222/279] nvme-tcp: fix possible UAF in nvme_tcp_poll Greg Kroah-Hartman
` (64 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Miri Korenblit,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 7774e3920029398ad49dc848b23840593f14d515 ]
The firmware dumps can be pretty big, and since we use single
pages for each SG table entry, even the table itself may end
up being an order-5 allocation. Build chained tables so that
we need not allocate a higher-order table here.
This could be improved and cleaned up, e.g. by using the SG
pool code or simply kvmalloc(), but all of that would require
also updating the devcoredump first since that frees it all,
so we need to be more careful. SG pool might also run against
the CONFIG_ARCH_NO_SG_CHAIN limitation, which is irrelevant
here.
Also use _devcd_free_sgtable() for the error paths now, much
simpler especially since it's in two places now.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250209143303.697c7a465ac9.Iea982df46b5c075bfb77ade36f187d99a70c63db@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++++++++++-------
1 file changed, 58 insertions(+), 28 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
index fc630a0d9c83c..f1d07ddb3f831 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
@@ -558,41 +558,71 @@ static void iwl_dump_prph(struct iwl_fw_runtime *fwrt,
}
/*
- * alloc_sgtable - allocates scallerlist table in the given size,
- * fills it with pages and returns it
+ * alloc_sgtable - allocates (chained) scatterlist in the given size,
+ * fills it with pages and returns it
* @size: the size (in bytes) of the table
-*/
-static struct scatterlist *alloc_sgtable(int size)
+ */
+static struct scatterlist *alloc_sgtable(ssize_t size)
{
- int alloc_size, nents, i;
- struct page *new_page;
- struct scatterlist *iter;
- struct scatterlist *table;
+ struct scatterlist *result = NULL, *prev;
+ int nents, i, n_prev;
nents = DIV_ROUND_UP(size, PAGE_SIZE);
- table = kcalloc(nents, sizeof(*table), GFP_KERNEL);
- if (!table)
- return NULL;
- sg_init_table(table, nents);
- iter = table;
- for_each_sg(table, iter, sg_nents(table), i) {
- new_page = alloc_page(GFP_KERNEL);
- if (!new_page) {
- /* release all previous allocated pages in the table */
- iter = table;
- for_each_sg(table, iter, sg_nents(table), i) {
- new_page = sg_page(iter);
- if (new_page)
- __free_page(new_page);
- }
- kfree(table);
+
+#define N_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(*result))
+ /*
+ * We need an additional entry for table chaining,
+ * this ensures the loop can finish i.e. we can
+ * fit at least two entries per page (obviously,
+ * many more really fit.)
+ */
+ BUILD_BUG_ON(N_ENTRIES_PER_PAGE < 2);
+
+ while (nents > 0) {
+ struct scatterlist *new, *iter;
+ int n_fill, n_alloc;
+
+ if (nents <= N_ENTRIES_PER_PAGE) {
+ /* last needed table */
+ n_fill = nents;
+ n_alloc = nents;
+ nents = 0;
+ } else {
+ /* fill a page with entries */
+ n_alloc = N_ENTRIES_PER_PAGE;
+ /* reserve one for chaining */
+ n_fill = n_alloc - 1;
+ nents -= n_fill;
+ }
+
+ new = kcalloc(n_alloc, sizeof(*new), GFP_KERNEL);
+ if (!new) {
+ if (result)
+ _devcd_free_sgtable(result);
return NULL;
}
- alloc_size = min_t(int, size, PAGE_SIZE);
- size -= PAGE_SIZE;
- sg_set_page(iter, new_page, alloc_size, 0);
+ sg_init_table(new, n_alloc);
+
+ if (!result)
+ result = new;
+ else
+ sg_chain(prev, n_prev, new);
+ prev = new;
+ n_prev = n_alloc;
+
+ for_each_sg(new, iter, n_fill, i) {
+ struct page *new_page = alloc_page(GFP_KERNEL);
+
+ if (!new_page) {
+ _devcd_free_sgtable(result);
+ return NULL;
+ }
+
+ sg_set_page(iter, new_page, PAGE_SIZE, 0);
+ }
}
- return table;
+
+ return result;
}
static void iwl_fw_get_prph_len(struct iwl_fw_runtime *fwrt,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 222/279] nvme-tcp: fix possible UAF in nvme_tcp_poll
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 221/279] wifi: iwlwifi: fw: allocate chained SG tables for dump Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 223/279] nvme-pci: clean up CMBMSC when registering CMB fails Greg Kroah-Hartman
` (63 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Guanghui, Sagi Grimberg,
Chaitanya Kulkarni, Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sagi Grimberg <sagi@grimberg.me>
[ Upstream commit 8c1624b63a7d24142a2bbc3a5ee7e95f004ea36e ]
nvme_tcp_poll() may race with the send path error handler because
it may complete the request while it is actively being polled for
completion, resulting in a UAF panic [1]:
We should make sure to stop polling when we see an error when
trying to read from the socket. Hence make sure to propagate the
error so that the block layer breaks the polling cycle.
[1]:
--
[35665.692310] nvme nvme2: failed to send request -13
[35665.702265] nvme nvme2: unsupported pdu type (3)
[35665.702272] BUG: kernel NULL pointer dereference, address: 0000000000000000
[35665.702542] nvme nvme2: queue 1 receive failed: -22
[35665.703209] #PF: supervisor write access in kernel mode
[35665.703213] #PF: error_code(0x0002) - not-present page
[35665.703214] PGD 8000003801cce067 P4D 8000003801cce067 PUD 37e6f79067 PMD 0
[35665.703220] Oops: 0002 [#1] SMP PTI
[35665.703658] nvme nvme2: starting error recovery
[35665.705809] Hardware name: Inspur aaabbb/YZMB-00882-104, BIOS 4.1.26 09/22/2022
[35665.705812] Workqueue: kblockd blk_mq_requeue_work
[35665.709172] RIP: 0010:_raw_spin_lock+0xc/0x30
[35665.715788] Call Trace:
[35665.716201] <TASK>
[35665.716613] ? show_trace_log_lvl+0x1c1/0x2d9
[35665.717049] ? show_trace_log_lvl+0x1c1/0x2d9
[35665.717457] ? blk_mq_request_bypass_insert+0x2c/0xb0
[35665.717950] ? __die_body.cold+0x8/0xd
[35665.718361] ? page_fault_oops+0xac/0x140
[35665.718749] ? blk_mq_start_request+0x30/0xf0
[35665.719144] ? nvme_tcp_queue_rq+0xc7/0x170 [nvme_tcp]
[35665.719547] ? exc_page_fault+0x62/0x130
[35665.719938] ? asm_exc_page_fault+0x22/0x30
[35665.720333] ? _raw_spin_lock+0xc/0x30
[35665.720723] blk_mq_request_bypass_insert+0x2c/0xb0
[35665.721101] blk_mq_requeue_work+0xa5/0x180
[35665.721451] process_one_work+0x1e8/0x390
[35665.721809] worker_thread+0x53/0x3d0
[35665.722159] ? process_one_work+0x390/0x390
[35665.722501] kthread+0x124/0x150
[35665.722849] ? set_kthread_struct+0x50/0x50
[35665.723182] ret_from_fork+0x1f/0x30
Reported-by: Zhang Guanghui <zhang.guanghui@cestc.cn>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/tcp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 4ca7ef9416002..0fc5aba88bc15 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -2491,6 +2491,7 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx)
{
struct nvme_tcp_queue *queue = hctx->driver_data;
struct sock *sk = queue->sock->sk;
+ int ret;
if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
return 0;
@@ -2498,9 +2499,9 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx)
set_bit(NVME_TCP_Q_POLLING, &queue->flags);
if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue))
sk_busy_loop(sk, true);
- nvme_tcp_try_recv(queue);
+ ret = nvme_tcp_try_recv(queue);
clear_bit(NVME_TCP_Q_POLLING, &queue->flags);
- return queue->nr_cqe;
+ return ret < 0 ? ret : queue->nr_cqe;
}
static const struct blk_mq_ops nvme_tcp_mq_ops = {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 223/279] nvme-pci: clean up CMBMSC when registering CMB fails
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 222/279] nvme-tcp: fix possible UAF in nvme_tcp_poll Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 224/279] nvme-pci: skip CMB blocks incompatible with PCI P2P DMA Greg Kroah-Hartman
` (62 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Christoph Hellwig,
Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit 6a3572e10f740acd48e2713ef37e92186a3ce5e8 ]
CMB decoding should get disabled when the CMB block isn't successfully
registered to P2P DMA subsystem.
Clean up the CMBMSC register in this error handling codepath to disable
CMB decoding (and CMBLOC/CMBSZ registers).
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 2eb692876f695..39df3ac10a21f 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1870,6 +1870,7 @@ static void nvme_map_cmb(struct nvme_dev *dev)
if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
dev_warn(dev->ctrl.device,
"failed to register the CMB\n");
+ hi_lo_writeq(0, dev->bar + NVME_REG_CMBMSC);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 224/279] nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 223/279] nvme-pci: clean up CMBMSC when registering CMB fails Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 225/279] affs: generate OFS sequence numbers starting at 1 Greg Kroah-Hartman
` (61 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Keith Busch,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit 56cf7ef0d490b28fad8f8629fc135c5ab7c9f54e ]
The PCI P2PDMA code will register the CMB block to the memory
hot-plugging subsystem, which have an alignment requirement. Memory
blocks that do not satisfy this alignment requirement (usually 2MB) will
lead to a WARNING from memory hotplugging.
Verify the CMB block's address and size against the alignment and only
try to send CMB blocks compatible with it to prevent this warning.
Tested on Intel DC D4502 SSD, which has a 512K CMB block that is too
small for memory hotplugging (thus PCI P2PDMA).
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 39df3ac10a21f..a3c5af95e8f3e 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1849,6 +1849,18 @@ static void nvme_map_cmb(struct nvme_dev *dev)
if (offset > bar_size)
return;
+ /*
+ * Controllers may support a CMB size larger than their BAR, for
+ * example, due to being behind a bridge. Reduce the CMB to the
+ * reported size of the BAR
+ */
+ size = min(size, bar_size - offset);
+
+ if (!IS_ALIGNED(size, memremap_compat_align()) ||
+ !IS_ALIGNED(pci_resource_start(pdev, bar),
+ memremap_compat_align()))
+ return;
+
/*
* Tell the controller about the host side address mapping the CMB,
* and enable CMB decoding for the NVMe 1.4+ scheme:
@@ -1859,14 +1871,6 @@ static void nvme_map_cmb(struct nvme_dev *dev)
dev->bar + NVME_REG_CMBMSC);
}
- /*
- * Controllers may support a CMB size larger than their BAR,
- * for example, due to being behind a bridge. Reduce the CMB to
- * the reported size of the BAR
- */
- if (size > bar_size - offset)
- size = bar_size - offset;
-
if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
dev_warn(dev->ctrl.device,
"failed to register the CMB\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 225/279] affs: generate OFS sequence numbers starting at 1
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 224/279] nvme-pci: skip CMB blocks incompatible with PCI P2P DMA Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 226/279] affs: dont write overlarge OFS data block size fields Greg Kroah-Hartman
` (60 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Simon Tatham, David Sterba,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Tatham <anakin@pobox.com>
[ Upstream commit e4cf8ec4de4e13f156c1d61977d282d90c221085 ]
If I write a file to an OFS floppy image, and try to read it back on
an emulated Amiga running Workbench 1.3, the Amiga reports a disk
error trying to read the file. (That is, it's unable to read it _at
all_, even to copy it to the NIL: device. It isn't a matter of getting
the wrong data and being unable to parse the file format.)
This is because the 'sequence number' field in the OFS data block
header is supposed to be based at 1, but affs writes it based at 0.
All three locations changed by this patch were setting the sequence
number to a variable 'bidx' which was previously obtained by dividing
a file position by bsize, so bidx will naturally use 0 for the first
block. Therefore all three should add 1 to that value before writing
it into the sequence number field.
With this change, the Amiga successfully reads the file.
For data block reference: https://wiki.osdev.org/FFS_(Amiga)
Signed-off-by: Simon Tatham <anakin@pobox.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/affs/file.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/affs/file.c b/fs/affs/file.c
index 25d480ea797bd..88d4e6263df96 100644
--- a/fs/affs/file.c
+++ b/fs/affs/file.c
@@ -598,7 +598,7 @@ affs_extent_file_ofs(struct inode *inode, u32 newsize)
BUG_ON(tmp > bsize);
AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
+ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
affs_fix_checksum(sb, bh);
bh->b_state &= ~(1UL << BH_New);
@@ -748,7 +748,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
if (buffer_new(bh)) {
AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
+ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize);
AFFS_DATA_HEAD(bh)->next = 0;
bh->b_state &= ~(1UL << BH_New);
@@ -782,7 +782,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
if (buffer_new(bh)) {
AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
+ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
AFFS_DATA_HEAD(bh)->next = 0;
bh->b_state &= ~(1UL << BH_New);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 226/279] affs: dont write overlarge OFS data block size fields
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 225/279] affs: generate OFS sequence numbers starting at 1 Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 227/279] ksmbd: fix incorrect validation for num_aces field of smb_acl Greg Kroah-Hartman
` (59 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Simon Tatham, David Sterba,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Tatham <anakin@pobox.com>
[ Upstream commit 011ea742a25a77bac3d995f457886a67d178c6f0 ]
If a data sector on an OFS floppy contains a value > 0x1e8 (the
largest amount of data that fits in the sector after its header), then
an Amiga reading the file can return corrupt data, by taking the
overlarge size at its word and reading past the end of the buffer it
read the disk sector into!
The cause: when affs_write_end_ofs() writes data to an OFS filesystem,
the new size field for a data block was computed by adding the amount
of data currently being written (into the block) to the existing value
of the size field. This is correct if you're extending the file at the
end, but if you seek backwards in the file and overwrite _existing_
data, it can lead to the size field being larger than the maximum
legal value.
This commit changes the calculation so that it sets the size field to
the max of its previous size and the position within the block that we
just wrote up to.
Signed-off-by: Simon Tatham <anakin@pobox.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/affs/file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/affs/file.c b/fs/affs/file.c
index 88d4e6263df96..2000241431d55 100644
--- a/fs/affs/file.c
+++ b/fs/affs/file.c
@@ -726,7 +726,8 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
tmp = min(bsize - boff, to - from);
BUG_ON(boff + tmp > bsize || tmp > bsize);
memcpy(AFFS_DATA(bh) + boff, data + from, tmp);
- be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(
+ max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size)));
affs_fix_checksum(sb, bh);
mark_buffer_dirty_inode(bh, inode);
written += tmp;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 227/279] ksmbd: fix incorrect validation for num_aces field of smb_acl
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 226/279] affs: dont write overlarge OFS data block size fields Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 228/279] sched/deadline: Use online cpus for validating runtime Greg Kroah-Hartman
` (58 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Igor Leite Ladessa, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 ]
parse_dcal() validate num_aces to allocate posix_ace_state_array.
if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in request buffer
size. Use this to check invalid num_aces.
Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/smbacl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 3a6c0abdb0352..ecf9db3d69c38 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -396,7 +396,9 @@ static void parse_dacl(struct user_namespace *user_ns,
if (num_aces <= 0)
return;
- if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+ if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
+ (offsetof(struct smb_ace, sid) +
+ offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
return;
ret = init_acl_state(&acl_state, num_aces);
@@ -430,6 +432,7 @@ static void parse_dacl(struct user_namespace *user_ns,
offsetof(struct smb_sid, sub_auth);
if (end_of_acl - acl_base < acl_size ||
+ ppace[i]->sid.num_subauth == 0 ||
ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
(end_of_acl - acl_base <
acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 228/279] sched/deadline: Use online cpus for validating runtime
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 227/279] ksmbd: fix incorrect validation for num_aces field of smb_acl Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 229/279] locking/semaphore: Use wake_q to wake up processes outside lock critical section Greg Kroah-Hartman
` (57 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shrikanth Hegde, Ingo Molnar,
Juri Lelli, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shrikanth Hegde <sshegde@linux.ibm.com>
[ Upstream commit 14672f059d83f591afb2ee1fff56858efe055e5a ]
The ftrace selftest reported a failure because writing -1 to
sched_rt_runtime_us returns -EBUSY. This happens when the possible
CPUs are different from active CPUs.
Active CPUs are part of one root domain, while remaining CPUs are part
of def_root_domain. Since active cpumask is being used, this results in
cpus=0 when a non active CPUs is used in the loop.
Fix it by looping over the online CPUs instead for validating the
bandwidth calculations.
Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Link: https://lore.kernel.org/r/20250306052954.452005-2-sshegde@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/deadline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 0a6d6899be5bd..66eb68c59f0bb 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -2610,7 +2610,7 @@ int sched_dl_global_validate(void)
* value smaller than the currently allocated bandwidth in
* any of the root_domains.
*/
- for_each_possible_cpu(cpu) {
+ for_each_online_cpu(cpu) {
rcu_read_lock_sched();
if (dl_bw_visited(cpu, gen))
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 229/279] locking/semaphore: Use wake_q to wake up processes outside lock critical section
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 228/279] sched/deadline: Use online cpus for validating runtime Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 230/279] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled Greg Kroah-Hartman
` (56 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, yzbot+ed801a886dfdbfe7136d,
Waiman Long, Boqun Feng, Ingo Molnar, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 85b2b9c16d053364e2004883140538e73b333cdb ]
A circular lock dependency splat has been seen involving down_trylock():
======================================================
WARNING: possible circular locking dependency detected
6.12.0-41.el10.s390x+debug
------------------------------------------------------
dd/32479 is trying to acquire lock:
0015a20accd0d4f8 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x26/0x90
but task is already holding lock:
000000017e461698 (&zone->lock){-.-.}-{2:2}, at: rmqueue_bulk+0xac/0x8f0
the existing dependency chain (in reverse order) is:
-> #4 (&zone->lock){-.-.}-{2:2}:
-> #3 (hrtimer_bases.lock){-.-.}-{2:2}:
-> #2 (&rq->__lock){-.-.}-{2:2}:
-> #1 (&p->pi_lock){-.-.}-{2:2}:
-> #0 ((console_sem).lock){-.-.}-{2:2}:
The console_sem -> pi_lock dependency is due to calling try_to_wake_up()
while holding the console_sem raw_spinlock. This dependency can be broken
by using wake_q to do the wakeup instead of calling try_to_wake_up()
under the console_sem lock. This will also make the semaphore's
raw_spinlock become a terminal lock without taking any further locks
underneath it.
The hrtimer_bases.lock is a raw_spinlock while zone->lock is a
spinlock. The hrtimer_bases.lock -> zone->lock dependency happens via
the debug_objects_fill_pool() helper function in the debugobjects code.
-> #4 (&zone->lock){-.-.}-{2:2}:
__lock_acquire+0xe86/0x1cc0
lock_acquire.part.0+0x258/0x630
lock_acquire+0xb8/0xe0
_raw_spin_lock_irqsave+0xb4/0x120
rmqueue_bulk+0xac/0x8f0
__rmqueue_pcplist+0x580/0x830
rmqueue_pcplist+0xfc/0x470
rmqueue.isra.0+0xdec/0x11b0
get_page_from_freelist+0x2ee/0xeb0
__alloc_pages_noprof+0x2c2/0x520
alloc_pages_mpol_noprof+0x1fc/0x4d0
alloc_pages_noprof+0x8c/0xe0
allocate_slab+0x320/0x460
___slab_alloc+0xa58/0x12b0
__slab_alloc.isra.0+0x42/0x60
kmem_cache_alloc_noprof+0x304/0x350
fill_pool+0xf6/0x450
debug_object_activate+0xfe/0x360
enqueue_hrtimer+0x34/0x190
__run_hrtimer+0x3c8/0x4c0
__hrtimer_run_queues+0x1b2/0x260
hrtimer_interrupt+0x316/0x760
do_IRQ+0x9a/0xe0
do_irq_async+0xf6/0x160
Normally a raw_spinlock to spinlock dependency is not legitimate
and will be warned if CONFIG_PROVE_RAW_LOCK_NESTING is enabled,
but debug_objects_fill_pool() is an exception as it explicitly
allows this dependency for non-PREEMPT_RT kernel without causing
PROVE_RAW_LOCK_NESTING lockdep splat. As a result, this dependency is
legitimate and not a bug.
Anyway, semaphore is the only locking primitive left that is still
using try_to_wake_up() to do wakeup inside critical section, all the
other locking primitives had been migrated to use wake_q to do wakeup
outside of the critical section. It is also possible that there are
other circular locking dependencies involving printk/console_sem or
other existing/new semaphores lurking somewhere which may show up in
the future. Let just do the migration now to wake_q to avoid headache
like this.
Reported-by: yzbot+ed801a886dfdbfe7136d@syzkaller.appspotmail.com
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250307232717.1759087-3-boqun.feng@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/locking/semaphore.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/kernel/locking/semaphore.c b/kernel/locking/semaphore.c
index 9ee381e4d2a4d..a26c915430ba0 100644
--- a/kernel/locking/semaphore.c
+++ b/kernel/locking/semaphore.c
@@ -29,6 +29,7 @@
#include <linux/export.h>
#include <linux/sched.h>
#include <linux/sched/debug.h>
+#include <linux/sched/wake_q.h>
#include <linux/semaphore.h>
#include <linux/spinlock.h>
#include <linux/ftrace.h>
@@ -37,7 +38,7 @@ static noinline void __down(struct semaphore *sem);
static noinline int __down_interruptible(struct semaphore *sem);
static noinline int __down_killable(struct semaphore *sem);
static noinline int __down_timeout(struct semaphore *sem, long timeout);
-static noinline void __up(struct semaphore *sem);
+static noinline void __up(struct semaphore *sem, struct wake_q_head *wake_q);
/**
* down - acquire the semaphore
@@ -182,13 +183,16 @@ EXPORT_SYMBOL(down_timeout);
void up(struct semaphore *sem)
{
unsigned long flags;
+ DEFINE_WAKE_Q(wake_q);
raw_spin_lock_irqsave(&sem->lock, flags);
if (likely(list_empty(&sem->wait_list)))
sem->count++;
else
- __up(sem);
+ __up(sem, &wake_q);
raw_spin_unlock_irqrestore(&sem->lock, flags);
+ if (!wake_q_empty(&wake_q))
+ wake_up_q(&wake_q);
}
EXPORT_SYMBOL(up);
@@ -256,11 +260,12 @@ static noinline int __sched __down_timeout(struct semaphore *sem, long timeout)
return __down_common(sem, TASK_UNINTERRUPTIBLE, timeout);
}
-static noinline void __sched __up(struct semaphore *sem)
+static noinline void __sched __up(struct semaphore *sem,
+ struct wake_q_head *wake_q)
{
struct semaphore_waiter *waiter = list_first_entry(&sem->wait_list,
struct semaphore_waiter, list);
list_del(&waiter->list);
waiter->up = true;
- wake_up_process(waiter->task);
+ wake_q_add(wake_q, waiter->task);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 230/279] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 229/279] locking/semaphore: Use wake_q to wake up processes outside lock critical section Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 231/279] drm/amd: Keep display off while going into S4 Greg Kroah-Hartman
` (55 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladis Dronov, Ingo Molnar,
Kai Huang, Jarkko Sakkinen, Andy Lutomirski, Sean Christopherson,
Linus Torvalds, Peter Zijlstra, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladis Dronov <vdronov@redhat.com>
[ Upstream commit 65be5c95d08eedda570a6c888a12384c77fe7614 ]
The kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves,
not just X86_FEATURE_SGX.
There is quite a number of hardware which has X86_FEATURE_SGX but not
X86_FEATURE_SGX_LC. A kernel running on such hardware does not create
the /dev/sgx_enclave file and does so silently.
Explicitly warn if X86_FEATURE_SGX_LC is not enabled to properly notify
users that the kernel disabled the SGX driver.
The X86_FEATURE_SGX_LC, a.k.a. SGX Launch Control, is a CPU feature
that enables LE (Launch Enclave) hash MSRs to be writable (with
additional opt-in required in the 'feature control' MSR) when running
enclaves, i.e. using a custom root key rather than the Intel proprietary
key for enclave signing.
I've hit this issue myself and have spent some time researching where
my /dev/sgx_enclave file went on SGX-enabled hardware.
Related links:
https://github.com/intel/linux-sgx/issues/837
https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@linux.intel.com/
[ mingo: Made the error message a bit more verbose, and added other cases
where the kernel fails to create the /dev/sgx_enclave device node. ]
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Kai Huang <kai.huang@intel.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250309172215.21777-2-vdronov@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/sgx/driver.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
index aa9b8b8688676..afccb69cd9a2c 100644
--- a/arch/x86/kernel/cpu/sgx/driver.c
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -150,13 +150,15 @@ int __init sgx_drv_init(void)
u64 xfrm_mask;
int ret;
- if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
+ if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) {
+ pr_info("SGX disabled: SGX launch control CPU feature is not available, /dev/sgx_enclave disabled.\n");
return -ENODEV;
+ }
cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx);
if (!(eax & 1)) {
- pr_err("SGX disabled: SGX1 instruction support not available.\n");
+ pr_info("SGX disabled: SGX1 instruction support not available, /dev/sgx_enclave disabled.\n");
return -ENODEV;
}
@@ -173,8 +175,10 @@ int __init sgx_drv_init(void)
}
ret = misc_register(&sgx_dev_enclave);
- if (ret)
+ if (ret) {
+ pr_info("SGX disabled: Unable to register the /dev/sgx_enclave driver (%d).\n", ret);
return ret;
+ }
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 231/279] drm/amd: Keep display off while going into S4
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 230/279] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 232/279] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx Greg Kroah-Hartman
` (54 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xaver Hugl, Muhammad Usama Anjum,
Alex Deucher, Harry Wentland, Mario Limonciello, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 4afacc9948e1f8fdbca401d259ae65ad93d298c0 ]
When userspace invokes S4 the flow is:
1) amdgpu_pmops_prepare()
2) amdgpu_pmops_freeze()
3) Create hibernation image
4) amdgpu_pmops_thaw()
5) Write out image to disk
6) Turn off system
Then on resume amdgpu_pmops_restore() is called.
This flow has a problem that because amdgpu_pmops_thaw() is called
it will call amdgpu_device_resume() which will resume all of the GPU.
This includes turning the display hardware back on and discovering
connectors again.
This is an unexpected experience for the display to turn back on.
Adjust the flow so that during the S4 sequence display hardware is
not turned back on.
Reported-by: Xaver Hugl <xaver.hugl@gmail.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2038
Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
Tested-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Harry Wentland <harry.wentland@amd.com>
Link: https://lore.kernel.org/r/20250306185124.44780-1-mario.limonciello@amd.com
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 68bfdc8dc0a1a7fdd9ab61e69907ae71a6fd3d91)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +++++++++--
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
index 57943e9008710..adcf3adc5ca51 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -2294,7 +2294,6 @@ static int amdgpu_pmops_freeze(struct device *dev)
adev->in_s4 = true;
r = amdgpu_device_suspend(drm_dev, true);
- adev->in_s4 = false;
if (r)
return r;
return amdgpu_asic_reset(adev);
@@ -2303,8 +2302,13 @@ static int amdgpu_pmops_freeze(struct device *dev)
static int amdgpu_pmops_thaw(struct device *dev)
{
struct drm_device *drm_dev = dev_get_drvdata(dev);
+ struct amdgpu_device *adev = drm_to_adev(drm_dev);
+ int r;
- return amdgpu_device_resume(drm_dev, true);
+ r = amdgpu_device_resume(drm_dev, true);
+ adev->in_s4 = false;
+
+ return r;
}
static int amdgpu_pmops_poweroff(struct device *dev)
@@ -2317,6 +2321,9 @@ static int amdgpu_pmops_poweroff(struct device *dev)
static int amdgpu_pmops_restore(struct device *dev)
{
struct drm_device *drm_dev = dev_get_drvdata(dev);
+ struct amdgpu_device *adev = drm_to_adev(drm_dev);
+
+ adev->in_s4 = false;
return amdgpu_device_resume(drm_dev, true);
}
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index a128259b19adb..a33ca712a89c5 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -2710,6 +2710,11 @@ static int dm_resume(void *handle)
return 0;
}
+
+ /* leave display off for S4 sequence */
+ if (adev->in_s4)
+ return 0;
+
/* Recreate dc_state - DC invalidates it when setting power state to S3. */
dc_release_state(dm_state->context);
dm_state->context = dc_create_state(dm->dc);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 232/279] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 231/279] drm/amd: Keep display off while going into S4 Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 233/279] can: statistics: use atomic access in hot path Greg Kroah-Hartman
` (53 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Navon John Lukose, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navon John Lukose <navonjohnlukose@gmail.com>
[ Upstream commit b11a74ac4f545626d0dc95a8ca8c41df90532bf3 ]
Add a fixup to enable the mute LED on HP Pavilion x360 Convertible
14-dy1xxx with ALC295 codec. The appropriate coefficient index and bits
were identified through a brute-force method, as detailed in
https://bbs.archlinux.org/viewtopic.php?pid=2079504#p2079504.
Signed-off-by: Navon John Lukose <navonjohnlukose@gmail.com>
Link: https://patch.msgid.link/20250307213319.35507-1-navonjohnlukose@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 12967b40ab088..e1de24c9f6265 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4759,6 +4759,21 @@ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec,
}
}
+static void alc295_fixup_hp_mute_led_coefbit11(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+{
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+ spec->mute_led_polarity = 0;
+ spec->mute_led_coef.idx = 0xb;
+ spec->mute_led_coef.mask = 3 << 3;
+ spec->mute_led_coef.on = 1 << 3;
+ spec->mute_led_coef.off = 1 << 4;
+ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set);
+ }
+}
+
static void alc285_fixup_hp_mute_led(struct hda_codec *codec,
const struct hda_fixup *fix, int action)
{
@@ -6998,6 +7013,7 @@ enum {
ALC290_FIXUP_MONO_SPEAKERS_HSJACK,
ALC290_FIXUP_SUBWOOFER,
ALC290_FIXUP_SUBWOOFER_HSJACK,
+ ALC295_FIXUP_HP_MUTE_LED_COEFBIT11,
ALC269_FIXUP_THINKPAD_ACPI,
ALC269_FIXUP_DMIC_THINKPAD_ACPI,
ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13,
@@ -8544,6 +8560,10 @@ static const struct hda_fixup alc269_fixups[] = {
.chained = true,
.chain_id = ALC283_FIXUP_INT_MIC,
},
+ [ALC295_FIXUP_HP_MUTE_LED_COEFBIT11] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc295_fixup_hp_mute_led_coefbit11,
+ },
[ALC298_FIXUP_SAMSUNG_AMP] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc298_fixup_samsung_amp,
@@ -9258,6 +9278,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11),
SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360),
SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 233/279] can: statistics: use atomic access in hot path
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 232/279] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 234/279] hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} Greg Kroah-Hartman
` (52 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+78ce4489b812515d5e4d,
Oliver Hartkopp, Vincent Mailhol, Marc Kleine-Budde, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
[ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ]
In can_send() and can_receive() CAN messages and CAN filter matches are
counted to be visible in the CAN procfs files.
KCSAN detected a data race within can_send() when two CAN frames have
been generated by a timer event writing to the same CAN netdevice at the
same time. Use atomic operations to access the statistics in the hot path
to fix the KCSAN complaint.
Reported-by: syzbot+78ce4489b812515d5e4d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/af_can.c | 12 ++++++------
net/can/af_can.h | 12 ++++++------
net/can/proc.c | 46 +++++++++++++++++++++++++++-------------------
3 files changed, 39 insertions(+), 31 deletions(-)
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 4e728b3da40b3..edf01b73d2878 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop)
netif_rx_ni(newskb);
/* update statistics */
- pkg_stats->tx_frames++;
- pkg_stats->tx_frames_delta++;
+ atomic_long_inc(&pkg_stats->tx_frames);
+ atomic_long_inc(&pkg_stats->tx_frames_delta);
return 0;
@@ -649,8 +649,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
int matches;
/* update statistics */
- pkg_stats->rx_frames++;
- pkg_stats->rx_frames_delta++;
+ atomic_long_inc(&pkg_stats->rx_frames);
+ atomic_long_inc(&pkg_stats->rx_frames_delta);
/* create non-zero unique skb identifier together with *skb */
while (!(can_skb_prv(skb)->skbcnt))
@@ -671,8 +671,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
consume_skb(skb);
if (matches > 0) {
- pkg_stats->matches++;
- pkg_stats->matches_delta++;
+ atomic_long_inc(&pkg_stats->matches);
+ atomic_long_inc(&pkg_stats->matches_delta);
}
}
diff --git a/net/can/af_can.h b/net/can/af_can.h
index 7c2d9161e2245..22f3352c77fec 100644
--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -66,9 +66,9 @@ struct receiver {
struct can_pkg_stats {
unsigned long jiffies_init;
- unsigned long rx_frames;
- unsigned long tx_frames;
- unsigned long matches;
+ atomic_long_t rx_frames;
+ atomic_long_t tx_frames;
+ atomic_long_t matches;
unsigned long total_rx_rate;
unsigned long total_tx_rate;
@@ -82,9 +82,9 @@ struct can_pkg_stats {
unsigned long max_tx_rate;
unsigned long max_rx_match_ratio;
- unsigned long rx_frames_delta;
- unsigned long tx_frames_delta;
- unsigned long matches_delta;
+ atomic_long_t rx_frames_delta;
+ atomic_long_t tx_frames_delta;
+ atomic_long_t matches_delta;
};
/* persistent statistics */
diff --git a/net/can/proc.c b/net/can/proc.c
index b3099f0a3cb82..0533a3c4ff0e1 100644
--- a/net/can/proc.c
+++ b/net/can/proc.c
@@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t)
struct can_pkg_stats *pkg_stats = net->can.pkg_stats;
unsigned long j = jiffies; /* snapshot */
+ long rx_frames = atomic_long_read(&pkg_stats->rx_frames);
+ long tx_frames = atomic_long_read(&pkg_stats->tx_frames);
+ long matches = atomic_long_read(&pkg_stats->matches);
+ long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta);
+ long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta);
+ long matches_delta = atomic_long_read(&pkg_stats->matches_delta);
+
/* restart counting in timer context on user request */
if (user_reset)
can_init_stats(net);
@@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t)
can_init_stats(net);
/* prevent overflow in calc_rate() */
- if (pkg_stats->rx_frames > (ULONG_MAX / HZ))
+ if (rx_frames > (LONG_MAX / HZ))
can_init_stats(net);
/* prevent overflow in calc_rate() */
- if (pkg_stats->tx_frames > (ULONG_MAX / HZ))
+ if (tx_frames > (LONG_MAX / HZ))
can_init_stats(net);
/* matches overflow - very improbable */
- if (pkg_stats->matches > (ULONG_MAX / 100))
+ if (matches > (LONG_MAX / 100))
can_init_stats(net);
/* calc total values */
- if (pkg_stats->rx_frames)
- pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) /
- pkg_stats->rx_frames;
+ if (rx_frames)
+ pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames;
pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j,
- pkg_stats->tx_frames);
+ tx_frames);
pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j,
- pkg_stats->rx_frames);
+ rx_frames);
/* calc current values */
- if (pkg_stats->rx_frames_delta)
+ if (rx_frames_delta)
pkg_stats->current_rx_match_ratio =
- (pkg_stats->matches_delta * 100) /
- pkg_stats->rx_frames_delta;
+ (matches_delta * 100) / rx_frames_delta;
- pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta);
- pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta);
+ pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta);
+ pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta);
/* check / update maximum values */
if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate)
@@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t)
pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio;
/* clear values for 'current rate' calculation */
- pkg_stats->tx_frames_delta = 0;
- pkg_stats->rx_frames_delta = 0;
- pkg_stats->matches_delta = 0;
+ atomic_long_set(&pkg_stats->tx_frames_delta, 0);
+ atomic_long_set(&pkg_stats->rx_frames_delta, 0);
+ atomic_long_set(&pkg_stats->matches_delta, 0);
/* restart timer (one second) */
mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ));
@@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v)
struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats;
seq_putc(m, '\n');
- seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames);
- seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames);
- seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches);
+ seq_printf(m, " %8ld transmitted frames (TXF)\n",
+ atomic_long_read(&pkg_stats->tx_frames));
+ seq_printf(m, " %8ld received frames (RXF)\n",
+ atomic_long_read(&pkg_stats->rx_frames));
+ seq_printf(m, " %8ld matched frames (RXMF)\n",
+ atomic_long_read(&pkg_stats->matches));
seq_putc(m, '\n');
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 234/279] hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 233/279] can: statistics: use atomic access in hot path Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 235/279] spufs: fix a leak on spufs_new_file() failure Greg Kroah-Hartman
` (51 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tasos Sahanidis, Guenter Roeck,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tasos Sahanidis <tasos@tasossah.com>
[ Upstream commit 815f80ad20b63830949a77c816e35395d5d55144 ]
pwm_num is set to 7 for these chips, but NCT6776_REG_PWM_MODE and
NCT6776_PWM_MODE_MASK only contain 6 values.
Fix this by adding another 0 to the end of each array.
Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
Link: https://lore.kernel.org/r/20250312030832.106475-1-tasos@tasossah.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/nct6775.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
index 3645a19cdaf4d..71cfc1c5bd12e 100644
--- a/drivers/hwmon/nct6775.c
+++ b/drivers/hwmon/nct6775.c
@@ -420,8 +420,8 @@ static const s8 NCT6776_BEEP_BITS[] = {
static const u16 NCT6776_REG_TOLERANCE_H[] = {
0x10c, 0x20c, 0x30c, 0x80c, 0x90c, 0xa0c, 0xb0c };
-static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0 };
-static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0 };
+static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0, 0 };
+static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0, 0 };
static const u16 NCT6776_REG_FAN_MIN[] = {
0x63a, 0x63c, 0x63e, 0x640, 0x642, 0x64a, 0x64c };
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 235/279] spufs: fix a leak on spufs_new_file() failure
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 234/279] hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 236/279] spufs: fix a leak in spufs_create_context() Greg Kroah-Hartman
` (50 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit d1ca8698ca1332625d83ea0d753747be66f9906d ]
It's called from spufs_fill_dir(), and caller of that will do
spufs_rmdir() in case of failure. That does remove everything
we'd managed to create, but... the problem dentry is still
negative. IOW, it needs to be explicitly dropped.
Fixes: 3f51dd91c807 "[PATCH] spufs: fix spufs_fill_dir error path"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/cell/spufs/inode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
index ed37a93bf858a..1095be5186ebf 100644
--- a/arch/powerpc/platforms/cell/spufs/inode.c
+++ b/arch/powerpc/platforms/cell/spufs/inode.c
@@ -190,8 +190,10 @@ static int spufs_fill_dir(struct dentry *dir,
return -ENOMEM;
ret = spufs_new_file(dir->d_sb, dentry, files->ops,
files->mode & mode, files->size, ctx);
- if (ret)
+ if (ret) {
+ dput(dentry);
return ret;
+ }
files++;
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 236/279] spufs: fix a leak in spufs_create_context()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 235/279] spufs: fix a leak on spufs_new_file() failure Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 237/279] riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra Greg Kroah-Hartman
` (49 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 0f5cce3fc55b08ee4da3372baccf4bcd36a98396 ]
Leak fixes back in 2008 missed one case - if we are trying to set affinity
and spufs_mkdir() fails, we need to drop the reference to neighbor.
Fixes: 58119068cb27 "[POWERPC] spufs: Fix memory leak on SPU affinity"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/cell/spufs/inode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
index 1095be5186ebf..ea3082f2f9d1d 100644
--- a/arch/powerpc/platforms/cell/spufs/inode.c
+++ b/arch/powerpc/platforms/cell/spufs/inode.c
@@ -436,8 +436,11 @@ spufs_create_context(struct inode *inode, struct dentry *dentry,
}
ret = spufs_mkdir(inode, dentry, flags, mode & 0777);
- if (ret)
+ if (ret) {
+ if (neighbor)
+ put_spu_context(neighbor);
goto out_aff_unlock;
+ }
if (affinity) {
spufs_set_affinity(flags, SPUFS_I(d_inode(dentry))->i_ctx,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 237/279] riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 236/279] spufs: fix a leak in spufs_create_context() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 238/279] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans Greg Kroah-Hartman
` (48 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Juhan Jin, Alexandre Ghiti,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juhan Jin <juhan.jin@foxmail.com>
[ Upstream commit 5f1a58ed91a040d4625d854f9bb3dd4995919202 ]
This patch adds parentheses to parameters caller and callee of macros
make_call_t0 and make_call_ra. Every existing invocation of these two
macros uses a single variable for each argument, so the absence of the
parentheses seems okay. However, future invocations might use more
complex expressions as arguments. For example, a future invocation might
look like this: make_call_t0(a - b, c, call). Without parentheses in the
macro definition, the macro invocation expands to:
...
unsigned int offset = (unsigned long) c - (unsigned long) a - b;
...
which is clearly wrong.
The use of parentheses ensures arguments are correctly evaluated and
potentially saves future users of make_call_t0 and make_call_ra debugging
trouble.
Fixes: 6724a76cff85 ("riscv: ftrace: Reduce the detour code size to half")
Signed-off-by: Juhan Jin <juhan.jin@foxmail.com>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/tencent_AE90AA59903A628E87E9F80E563DA5BA5508@qq.com
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/ftrace.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h
index d47d87c2d7e3d..195f4ebd71f2c 100644
--- a/arch/riscv/include/asm/ftrace.h
+++ b/arch/riscv/include/asm/ftrace.h
@@ -77,7 +77,7 @@ struct dyn_arch_ftrace {
#define make_call_t0(caller, callee, call) \
do { \
unsigned int offset = \
- (unsigned long) callee - (unsigned long) caller; \
+ (unsigned long) (callee) - (unsigned long) (caller); \
call[0] = to_auipc_t0(offset); \
call[1] = to_jalr_t0(offset); \
} while (0)
@@ -93,7 +93,7 @@ do { \
#define make_call_ra(caller, callee, call) \
do { \
unsigned int offset = \
- (unsigned long) callee - (unsigned long) caller; \
+ (unsigned long) (callee) - (unsigned long) (caller); \
call[0] = to_auipc_ra(offset); \
call[1] = to_jalr_ra(offset); \
} while (0)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 238/279] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 237/279] riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 239/279] ntb: intel: Fix using link status DBs Greg Kroah-Hartman
` (47 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yajun Deng, Logan Gunthorpe,
Jon Mason, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yajun Deng <yajun.deng@linux.dev>
[ Upstream commit de203da734fae00e75be50220ba5391e7beecdf9 ]
There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
size. This would make xlate_pos negative.
[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
[ 23.734158] ================================================================================
[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
[ 23.734418] shift exponent -1 is negative
Ensuring xlate_pos is a positive or zero before BIT.
Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()")
Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
index 759248415b5c2..c9351063aaf15 100644
--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx,
if (size != 0 && xlate_pos < 12)
return -EINVAL;
- if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
+ if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
/*
* In certain circumstances we can get a buffer that is
* not aligned to its size. (Most of the time
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 239/279] ntb: intel: Fix using link status DBs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 238/279] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 240/279] ASoC: imx-card: Add NULL check in imx_card_probe() Greg Kroah-Hartman
` (46 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikita Shubin, Dave Jiang, Jon Mason,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Shubin <n.shubin@yadro.com>
[ Upstream commit 8144e9c8f30fb23bb736a5d24d5c9d46965563c4 ]
Make sure we are not using DB's which were remapped for link status.
Fixes: f6e51c354b60 ("ntb: intel: split out the gen3 code")
Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/ntb/hw/intel/ntb_hw_gen3.c b/drivers/ntb/hw/intel/ntb_hw_gen3.c
index ffcfc3e02c353..a5aa96a31f4a6 100644
--- a/drivers/ntb/hw/intel/ntb_hw_gen3.c
+++ b/drivers/ntb/hw/intel/ntb_hw_gen3.c
@@ -215,6 +215,9 @@ static int gen3_init_ntb(struct intel_ntb_dev *ndev)
}
ndev->db_valid_mask = BIT_ULL(ndev->db_count) - 1;
+ /* Make sure we are not using DB's used for link status */
+ if (ndev->hwerr_flags & NTB_HWERR_MSIX_VECTOR32_BAD)
+ ndev->db_valid_mask &= ~ndev->db_link_mask;
ndev->reg->db_iowrite(ndev->db_valid_mask,
ndev->self_mmio +
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 240/279] ASoC: imx-card: Add NULL check in imx_card_probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 239/279] ntb: intel: Fix using link status DBs Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 241/279] netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only Greg Kroah-Hartman
` (45 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Frank Li, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 93d34608fd162f725172e780b1c60cc93a920719 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
imx_card_probe() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20250401142510.29900-1-bsdhenrymartin@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/imx-card.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
index 223234f6172b2..2b64c0384b6bb 100644
--- a/sound/soc/fsl/imx-card.c
+++ b/sound/soc/fsl/imx-card.c
@@ -759,6 +759,8 @@ static int imx_card_probe(struct platform_device *pdev)
data->dapm_routes[i].sink =
devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s",
i + 1, "Playback");
+ if (!data->dapm_routes[i].sink)
+ return -ENOMEM;
data->dapm_routes[i].source = "CPU-Playback";
}
}
@@ -776,6 +778,8 @@ static int imx_card_probe(struct platform_device *pdev)
data->dapm_routes[i].source =
devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s",
i + 1, "Capture");
+ if (!data->dapm_routes[i].source)
+ return -ENOMEM;
data->dapm_routes[i].sink = "CPU-Capture";
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 241/279] netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 240/279] ASoC: imx-card: Add NULL check in imx_card_probe() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 242/279] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets Greg Kroah-Hartman
` (44 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 9d74da1177c800eb3d51c13f9821b7b0683845a5 ]
conncount has its own GC handler which determines when to reap stale
elements, this is convenient for dynamic sets. However, this also reaps
non-dynamic sets with static configurations coming from control plane.
Always run connlimit gc handler but honor feedback to reap element if
this set is dynamic.
Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_hash.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 5c4209b49bda7..a592cca7a61f9 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -310,7 +310,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
nft_setelem_expr_foreach(expr, elem_expr, size) {
if (expr->ops->gc &&
- expr->ops->gc(read_pnet(&set->net), expr))
+ expr->ops->gc(read_pnet(&set->net), expr) &&
+ set->flags & NFT_SET_EVAL)
return true;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 242/279] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 241/279] netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 243/279] net_sched: skbprio: Remove overly strict queue assertions Greg Kroah-Hartman
` (43 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Debin Zhu, Bitao Ouyang, Paul Moore,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Debin Zhu <mowenroot@163.com>
[ Upstream commit 078aabd567de3d63d37d7673f714e309d369e6e2 ]
When calling netlbl_conn_setattr(), addr->sa_family is used
to determine the function behavior. If sk is an IPv4 socket,
but the connect function is called with an IPv6 address,
the function calipso_sock_setattr() is triggered.
Inside this function, the following code is executed:
sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
Since sk is an IPv4 socket, pinet6 is NULL, leading to a
null pointer dereference.
This patch fixes the issue by checking if inet6_sk(sk)
returns a NULL pointer before accessing pinet6.
Signed-off-by: Debin Zhu <mowenroot@163.com>
Signed-off-by: Bitao Ouyang <1985755126@qq.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/calipso.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index 1578ed9e97d89..c07e3da08d2a8 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1075,8 +1075,13 @@ static int calipso_sock_getattr(struct sock *sk,
struct ipv6_opt_hdr *hop;
int opt_len, len, ret_val = -ENOMSG, offset;
unsigned char *opt;
- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+ struct ipv6_pinfo *pinfo = inet6_sk(sk);
+ struct ipv6_txoptions *txopts;
+
+ if (!pinfo)
+ return -EAFNOSUPPORT;
+ txopts = txopt_get(pinfo);
if (!txopts || !txopts->hopopt)
goto done;
@@ -1128,8 +1133,13 @@ static int calipso_sock_setattr(struct sock *sk,
{
int ret_val;
struct ipv6_opt_hdr *old, *new;
- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+ struct ipv6_pinfo *pinfo = inet6_sk(sk);
+ struct ipv6_txoptions *txopts;
+
+ if (!pinfo)
+ return -EAFNOSUPPORT;
+ txopts = txopt_get(pinfo);
old = NULL;
if (txopts)
old = txopts->hopopt;
@@ -1156,8 +1166,13 @@ static int calipso_sock_setattr(struct sock *sk,
static void calipso_sock_delattr(struct sock *sk)
{
struct ipv6_opt_hdr *new_hop;
- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+ struct ipv6_pinfo *pinfo = inet6_sk(sk);
+ struct ipv6_txoptions *txopts;
+
+ if (!pinfo)
+ return;
+ txopts = txopt_get(pinfo);
if (!txopts || !txopts->hopopt)
goto done;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 243/279] net_sched: skbprio: Remove overly strict queue assertions
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 242/279] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 244/279] net: mvpp2: Prevent parser TCAM memory corruption Greg Kroah-Hartman
` (42 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a3422a19b05ea96bee18,
Nishanth Devarajan, Cong Wang, Paolo Abeni, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8 ]
In the current implementation, skbprio enqueue/dequeue contains an assertion
that fails under certain conditions when SKBPRIO is used as a child qdisc under
TBF with specific parameters. The failure occurs because TBF sometimes peeks at
packets in the child qdisc without actually dequeuing them when tokens are
unavailable.
This peek operation creates a discrepancy between the parent and child qdisc
queue length counters. When TBF later receives a high-priority packet,
SKBPRIO's queue length may show a different value than what's reflected in its
internal priority queue tracking, triggering the assertion.
The fix removes this overly strict assertions in SKBPRIO, they are not
necessary at all.
Reported-by: syzbot+a3422a19b05ea96bee18@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a3422a19b05ea96bee18
Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler")
Cc: Nishanth Devarajan <ndev2021@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/20250329222536.696204-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_skbprio.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/sched/sch_skbprio.c b/net/sched/sch_skbprio.c
index df72fb83d9c7d..c9e422e466159 100644
--- a/net/sched/sch_skbprio.c
+++ b/net/sched/sch_skbprio.c
@@ -121,8 +121,6 @@ static int skbprio_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* Check to update highest and lowest priorities. */
if (skb_queue_empty(lp_qdisc)) {
if (q->lowest_prio == q->highest_prio) {
- /* The incoming packet is the only packet in queue. */
- BUG_ON(sch->q.qlen != 1);
q->lowest_prio = prio;
q->highest_prio = prio;
} else {
@@ -154,7 +152,6 @@ static struct sk_buff *skbprio_dequeue(struct Qdisc *sch)
/* Update highest priority field. */
if (skb_queue_empty(hpq)) {
if (q->lowest_prio == q->highest_prio) {
- BUG_ON(sch->q.qlen);
q->highest_prio = 0;
q->lowest_prio = SKBPRIO_MAX_PRIORITY - 1;
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 244/279] net: mvpp2: Prevent parser TCAM memory corruption
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 243/279] net_sched: skbprio: Remove overly strict queue assertions Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 245/279] vsock: avoid timeout during connect() if the socket is closing Greg Kroah-Hartman
` (41 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tobias Waldekranz, Maxime Chevallier,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tobias Waldekranz <tobias@waldekranz.com>
[ Upstream commit 96844075226b49af25a69a1d084b648ec2d9b08d ]
Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM
information, from concurrent modifications.
Both the TCAM and SRAM tables are indirectly accessed by configuring
an index register that selects the row to read or write to. This means
that operations must be atomic in order to, e.g., avoid spreading
writes across multiple rows. Since the shadow SRAM array is used to
find free rows in the hardware table, it must also be protected in
order to avoid TOCTOU errors where multiple cores allocate the same
row.
This issue was detected in a situation where `mvpp2_set_rx_mode()` ran
concurrently on two CPUs. In this particular case the
MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the
classifier unit to drop all incoming unicast - indicated by the
`rx_classifier_drops` counter.
Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Tested-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250401065855.3113635-1-tobias@waldekranz.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 3 +
.../net/ethernet/marvell/mvpp2/mvpp2_main.c | 3 +-
.../net/ethernet/marvell/mvpp2/mvpp2_prs.c | 201 ++++++++++++------
3 files changed, 140 insertions(+), 67 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
index 24a8c9b8126b7..8732134cb33c9 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
@@ -1108,6 +1108,9 @@ struct mvpp2 {
/* Spinlocks for CM3 shared memory configuration */
spinlock_t mss_spinlock;
+
+ /* Spinlock for shared PRS parser memory and shadow table */
+ spinlock_t prs_spinlock;
};
struct mvpp2_pcpu_stats {
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 2a60f949d9532..7fa880e62d096 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -7589,8 +7589,9 @@ static int mvpp2_probe(struct platform_device *pdev)
if (mvpp2_read(priv, MVPP2_VER_ID_REG) == MVPP2_VER_PP23)
priv->hw_version = MVPP23;
- /* Init mss lock */
+ /* Init locks for shared packet processor resources */
spin_lock_init(&priv->mss_spinlock);
+ spin_lock_init(&priv->prs_spinlock);
/* Initialize network controller */
err = mvpp2_init(pdev, priv);
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
index 9af22f497a40f..93e978bdf303c 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
@@ -23,6 +23,8 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe)
{
int i;
+ lockdep_assert_held(&priv->prs_spinlock);
+
if (pe->index > MVPP2_PRS_TCAM_SRAM_SIZE - 1)
return -EINVAL;
@@ -43,11 +45,13 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe)
}
/* Initialize tcam entry from hw */
-int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
- int tid)
+static int __mvpp2_prs_init_from_hw(struct mvpp2 *priv,
+ struct mvpp2_prs_entry *pe, int tid)
{
int i;
+ lockdep_assert_held(&priv->prs_spinlock);
+
if (tid > MVPP2_PRS_TCAM_SRAM_SIZE - 1)
return -EINVAL;
@@ -73,6 +77,18 @@ int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
return 0;
}
+int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
+ int tid)
+{
+ int err;
+
+ spin_lock_bh(&priv->prs_spinlock);
+ err = __mvpp2_prs_init_from_hw(priv, pe, tid);
+ spin_unlock_bh(&priv->prs_spinlock);
+
+ return err;
+}
+
/* Invalidate tcam hw entry */
static void mvpp2_prs_hw_inv(struct mvpp2 *priv, int index)
{
@@ -374,7 +390,7 @@ static int mvpp2_prs_flow_find(struct mvpp2 *priv, int flow)
priv->prs_shadow[tid].lu != MVPP2_PRS_LU_FLOWS)
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
bits = mvpp2_prs_sram_ai_get(&pe);
/* Sram store classification lookup ID in AI bits [5:0] */
@@ -441,7 +457,7 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add)
if (priv->prs_shadow[MVPP2_PE_DROP_ALL].valid) {
/* Entry exist - update port only */
- mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL);
+ __mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL);
} else {
/* Entry doesn't exist - create new */
memset(&pe, 0, sizeof(pe));
@@ -469,14 +485,17 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add)
}
/* Set port to unicast or multicast promiscuous mode */
-void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
- enum mvpp2_prs_l2_cast l2_cast, bool add)
+static void __mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
+ enum mvpp2_prs_l2_cast l2_cast,
+ bool add)
{
struct mvpp2_prs_entry pe;
unsigned char cast_match;
unsigned int ri;
int tid;
+ lockdep_assert_held(&priv->prs_spinlock);
+
if (l2_cast == MVPP2_PRS_L2_UNI_CAST) {
cast_match = MVPP2_PRS_UCAST_VAL;
tid = MVPP2_PE_MAC_UC_PROMISCUOUS;
@@ -489,7 +508,7 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
/* promiscuous mode - Accept unknown unicast or multicast packets */
if (priv->prs_shadow[tid].valid) {
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
} else {
memset(&pe, 0, sizeof(pe));
mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC);
@@ -522,6 +541,14 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
mvpp2_prs_hw_write(priv, &pe);
}
+void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
+ enum mvpp2_prs_l2_cast l2_cast, bool add)
+{
+ spin_lock_bh(&priv->prs_spinlock);
+ __mvpp2_prs_mac_promisc_set(priv, port, l2_cast, add);
+ spin_unlock_bh(&priv->prs_spinlock);
+}
+
/* Set entry for dsa packets */
static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add,
bool tagged, bool extend)
@@ -539,7 +566,7 @@ static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add,
if (priv->prs_shadow[tid].valid) {
/* Entry exist - update port only */
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
} else {
/* Entry doesn't exist - create new */
memset(&pe, 0, sizeof(pe));
@@ -610,7 +637,7 @@ static void mvpp2_prs_dsa_tag_ethertype_set(struct mvpp2 *priv, int port,
if (priv->prs_shadow[tid].valid) {
/* Entry exist - update port only */
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
} else {
/* Entry doesn't exist - create new */
memset(&pe, 0, sizeof(pe));
@@ -673,7 +700,7 @@ static int mvpp2_prs_vlan_find(struct mvpp2 *priv, unsigned short tpid, int ai)
priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN)
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid);
if (!match)
continue;
@@ -726,7 +753,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai,
priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN)
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
ri_bits = mvpp2_prs_sram_ri_get(&pe);
if ((ri_bits & MVPP2_PRS_RI_VLAN_MASK) ==
MVPP2_PRS_RI_VLAN_DOUBLE)
@@ -760,7 +787,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai,
mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN);
} else {
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
}
/* Update ports' mask */
mvpp2_prs_tcam_port_map_set(&pe, port_map);
@@ -800,7 +827,7 @@ static int mvpp2_prs_double_vlan_find(struct mvpp2 *priv, unsigned short tpid1,
priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN)
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid1) &&
mvpp2_prs_tcam_data_cmp(&pe, 4, tpid2);
@@ -849,7 +876,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1,
priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN)
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
ri_bits = mvpp2_prs_sram_ri_get(&pe);
ri_bits &= MVPP2_PRS_RI_VLAN_MASK;
if (ri_bits == MVPP2_PRS_RI_VLAN_SINGLE ||
@@ -880,7 +907,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1,
mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN);
} else {
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
}
/* Update ports' mask */
@@ -1213,8 +1240,8 @@ static void mvpp2_prs_mac_init(struct mvpp2 *priv)
/* Create dummy entries for drop all and promiscuous modes */
mvpp2_prs_drop_fc(priv);
mvpp2_prs_mac_drop_all_set(priv, 0, false);
- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false);
- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false);
+ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false);
+ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false);
}
/* Set default entries for various types of dsa packets */
@@ -1533,12 +1560,6 @@ static int mvpp2_prs_vlan_init(struct platform_device *pdev, struct mvpp2 *priv)
struct mvpp2_prs_entry pe;
int err;
- priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool),
- MVPP2_PRS_DBL_VLANS_MAX,
- GFP_KERNEL);
- if (!priv->prs_double_vlans)
- return -ENOMEM;
-
/* Double VLAN: 0x88A8, 0x8100 */
err = mvpp2_prs_double_vlan_add(priv, ETH_P_8021AD, ETH_P_8021Q,
MVPP2_PRS_PORT_MASK);
@@ -1941,7 +1962,7 @@ static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask)
port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID)
continue;
- mvpp2_prs_init_from_hw(port->priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(port->priv, &pe, tid);
mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]);
mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]);
@@ -1970,6 +1991,8 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
memset(&pe, 0, sizeof(pe));
+ spin_lock_bh(&priv->prs_spinlock);
+
/* Scan TCAM and see if entry with this <vid,port> already exist */
tid = mvpp2_prs_vid_range_find(port, vid, mask);
@@ -1988,8 +2011,10 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
MVPP2_PRS_VLAN_FILT_MAX_ENTRY);
/* There isn't room for a new VID filter */
- if (tid < 0)
+ if (tid < 0) {
+ spin_unlock_bh(&priv->prs_spinlock);
return tid;
+ }
mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_VID);
pe.index = tid;
@@ -1997,7 +2022,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
/* Mask all ports */
mvpp2_prs_tcam_port_map_set(&pe, 0);
} else {
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
}
/* Enable the current port */
@@ -2019,6 +2044,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID);
mvpp2_prs_hw_write(priv, &pe);
+ spin_unlock_bh(&priv->prs_spinlock);
return 0;
}
@@ -2028,15 +2054,16 @@ void mvpp2_prs_vid_entry_remove(struct mvpp2_port *port, u16 vid)
struct mvpp2 *priv = port->priv;
int tid;
- /* Scan TCAM and see if entry with this <vid,port> already exist */
- tid = mvpp2_prs_vid_range_find(port, vid, 0xfff);
+ spin_lock_bh(&priv->prs_spinlock);
- /* No such entry */
- if (tid < 0)
- return;
+ /* Invalidate TCAM entry with this <vid,port>, if it exists */
+ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff);
+ if (tid >= 0) {
+ mvpp2_prs_hw_inv(priv, tid);
+ priv->prs_shadow[tid].valid = false;
+ }
- mvpp2_prs_hw_inv(priv, tid);
- priv->prs_shadow[tid].valid = false;
+ spin_unlock_bh(&priv->prs_spinlock);
}
/* Remove all existing VID filters on this port */
@@ -2045,6 +2072,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port)
struct mvpp2 *priv = port->priv;
int tid;
+ spin_lock_bh(&priv->prs_spinlock);
+
for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id);
tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) {
if (priv->prs_shadow[tid].valid) {
@@ -2052,6 +2081,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port)
priv->prs_shadow[tid].valid = false;
}
}
+
+ spin_unlock_bh(&priv->prs_spinlock);
}
/* Remove VID filering entry for this port */
@@ -2060,10 +2091,14 @@ void mvpp2_prs_vid_disable_filtering(struct mvpp2_port *port)
unsigned int tid = MVPP2_PRS_VID_PORT_DFLT(port->id);
struct mvpp2 *priv = port->priv;
+ spin_lock_bh(&priv->prs_spinlock);
+
/* Invalidate the guard entry */
mvpp2_prs_hw_inv(priv, tid);
priv->prs_shadow[tid].valid = false;
+
+ spin_unlock_bh(&priv->prs_spinlock);
}
/* Add guard entry that drops packets when no VID is matched on this port */
@@ -2079,6 +2114,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port)
memset(&pe, 0, sizeof(pe));
+ spin_lock_bh(&priv->prs_spinlock);
+
pe.index = tid;
reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id));
@@ -2111,6 +2148,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port)
/* Update shadow table */
mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID);
mvpp2_prs_hw_write(priv, &pe);
+
+ spin_unlock_bh(&priv->prs_spinlock);
}
/* Parser default initialization */
@@ -2118,6 +2157,20 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv)
{
int err, index, i;
+ priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE,
+ sizeof(*priv->prs_shadow),
+ GFP_KERNEL);
+ if (!priv->prs_shadow)
+ return -ENOMEM;
+
+ priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool),
+ MVPP2_PRS_DBL_VLANS_MAX,
+ GFP_KERNEL);
+ if (!priv->prs_double_vlans)
+ return -ENOMEM;
+
+ spin_lock_bh(&priv->prs_spinlock);
+
/* Enable tcam table */
mvpp2_write(priv, MVPP2_PRS_TCAM_CTRL_REG, MVPP2_PRS_TCAM_EN_MASK);
@@ -2136,12 +2189,6 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv)
for (index = 0; index < MVPP2_PRS_TCAM_SRAM_SIZE; index++)
mvpp2_prs_hw_inv(priv, index);
- priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE,
- sizeof(*priv->prs_shadow),
- GFP_KERNEL);
- if (!priv->prs_shadow)
- return -ENOMEM;
-
/* Always start from lookup = 0 */
for (index = 0; index < MVPP2_MAX_PORTS; index++)
mvpp2_prs_hw_port_init(priv, index, MVPP2_PRS_LU_MH,
@@ -2158,26 +2205,13 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv)
mvpp2_prs_vid_init(priv);
err = mvpp2_prs_etype_init(priv);
- if (err)
- return err;
-
- err = mvpp2_prs_vlan_init(pdev, priv);
- if (err)
- return err;
-
- err = mvpp2_prs_pppoe_init(priv);
- if (err)
- return err;
-
- err = mvpp2_prs_ip6_init(priv);
- if (err)
- return err;
-
- err = mvpp2_prs_ip4_init(priv);
- if (err)
- return err;
+ err = err ? : mvpp2_prs_vlan_init(pdev, priv);
+ err = err ? : mvpp2_prs_pppoe_init(priv);
+ err = err ? : mvpp2_prs_ip6_init(priv);
+ err = err ? : mvpp2_prs_ip4_init(priv);
- return 0;
+ spin_unlock_bh(&priv->prs_spinlock);
+ return err;
}
/* Compare MAC DA with tcam entry data */
@@ -2217,7 +2251,7 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da,
(priv->prs_shadow[tid].udf != udf_type))
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
entry_pmap = mvpp2_prs_tcam_port_map_get(&pe);
if (mvpp2_prs_mac_range_equals(&pe, da, mask) &&
@@ -2229,7 +2263,8 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da,
}
/* Update parser's mac da entry */
-int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
+static int __mvpp2_prs_mac_da_accept(struct mvpp2_port *port,
+ const u8 *da, bool add)
{
unsigned char mask[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
struct mvpp2 *priv = port->priv;
@@ -2261,7 +2296,7 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
/* Mask all ports */
mvpp2_prs_tcam_port_map_set(&pe, 0);
} else {
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
}
mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC);
@@ -2317,6 +2352,17 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
return 0;
}
+int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
+{
+ int err;
+
+ spin_lock_bh(&port->priv->prs_spinlock);
+ err = __mvpp2_prs_mac_da_accept(port, da, add);
+ spin_unlock_bh(&port->priv->prs_spinlock);
+
+ return err;
+}
+
int mvpp2_prs_update_mac_da(struct net_device *dev, const u8 *da)
{
struct mvpp2_port *port = netdev_priv(dev);
@@ -2345,6 +2391,8 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port)
unsigned long pmap;
int index, tid;
+ spin_lock_bh(&priv->prs_spinlock);
+
for (tid = MVPP2_PE_MAC_RANGE_START;
tid <= MVPP2_PE_MAC_RANGE_END; tid++) {
unsigned char da[ETH_ALEN], da_mask[ETH_ALEN];
@@ -2354,7 +2402,7 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port)
(priv->prs_shadow[tid].udf != MVPP2_PRS_UDF_MAC_DEF))
continue;
- mvpp2_prs_init_from_hw(priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(priv, &pe, tid);
pmap = mvpp2_prs_tcam_port_map_get(&pe);
@@ -2375,14 +2423,17 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port)
continue;
/* Remove entry from TCAM */
- mvpp2_prs_mac_da_accept(port, da, false);
+ __mvpp2_prs_mac_da_accept(port, da, false);
}
+
+ spin_unlock_bh(&priv->prs_spinlock);
}
int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
{
switch (type) {
case MVPP2_TAG_TYPE_EDSA:
+ spin_lock_bh(&priv->prs_spinlock);
/* Add port to EDSA entries */
mvpp2_prs_dsa_tag_set(priv, port, true,
MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA);
@@ -2393,9 +2444,11 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
MVPP2_PRS_TAGGED, MVPP2_PRS_DSA);
mvpp2_prs_dsa_tag_set(priv, port, false,
MVPP2_PRS_UNTAGGED, MVPP2_PRS_DSA);
+ spin_unlock_bh(&priv->prs_spinlock);
break;
case MVPP2_TAG_TYPE_DSA:
+ spin_lock_bh(&priv->prs_spinlock);
/* Add port to DSA entries */
mvpp2_prs_dsa_tag_set(priv, port, true,
MVPP2_PRS_TAGGED, MVPP2_PRS_DSA);
@@ -2406,10 +2459,12 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA);
mvpp2_prs_dsa_tag_set(priv, port, false,
MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA);
+ spin_unlock_bh(&priv->prs_spinlock);
break;
case MVPP2_TAG_TYPE_MH:
case MVPP2_TAG_TYPE_NONE:
+ spin_lock_bh(&priv->prs_spinlock);
/* Remove port form EDSA and DSA entries */
mvpp2_prs_dsa_tag_set(priv, port, false,
MVPP2_PRS_TAGGED, MVPP2_PRS_DSA);
@@ -2419,6 +2474,7 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA);
mvpp2_prs_dsa_tag_set(priv, port, false,
MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA);
+ spin_unlock_bh(&priv->prs_spinlock);
break;
default:
@@ -2437,11 +2493,15 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask)
memset(&pe, 0, sizeof(pe));
+ spin_lock_bh(&priv->prs_spinlock);
+
tid = mvpp2_prs_tcam_first_free(priv,
MVPP2_PE_LAST_FREE_TID,
MVPP2_PE_FIRST_FREE_TID);
- if (tid < 0)
+ if (tid < 0) {
+ spin_unlock_bh(&priv->prs_spinlock);
return tid;
+ }
pe.index = tid;
@@ -2461,6 +2521,7 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask)
mvpp2_prs_tcam_port_map_set(&pe, MVPP2_PRS_PORT_MASK);
mvpp2_prs_hw_write(priv, &pe);
+ spin_unlock_bh(&priv->prs_spinlock);
return 0;
}
@@ -2472,6 +2533,8 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port)
memset(&pe, 0, sizeof(pe));
+ spin_lock_bh(&port->priv->prs_spinlock);
+
tid = mvpp2_prs_flow_find(port->priv, port->id);
/* Such entry not exist */
@@ -2480,8 +2543,10 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port)
tid = mvpp2_prs_tcam_first_free(port->priv,
MVPP2_PE_LAST_FREE_TID,
MVPP2_PE_FIRST_FREE_TID);
- if (tid < 0)
+ if (tid < 0) {
+ spin_unlock_bh(&port->priv->prs_spinlock);
return tid;
+ }
pe.index = tid;
@@ -2492,13 +2557,14 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port)
/* Update shadow table */
mvpp2_prs_shadow_set(port->priv, pe.index, MVPP2_PRS_LU_FLOWS);
} else {
- mvpp2_prs_init_from_hw(port->priv, &pe, tid);
+ __mvpp2_prs_init_from_hw(port->priv, &pe, tid);
}
mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_FLOWS);
mvpp2_prs_tcam_port_map_set(&pe, (1 << port->id));
mvpp2_prs_hw_write(port->priv, &pe);
+ spin_unlock_bh(&port->priv->prs_spinlock);
return 0;
}
@@ -2509,11 +2575,14 @@ int mvpp2_prs_hits(struct mvpp2 *priv, int index)
if (index > MVPP2_PRS_TCAM_SRAM_SIZE)
return -EINVAL;
+ spin_lock_bh(&priv->prs_spinlock);
+
mvpp2_write(priv, MVPP2_PRS_TCAM_HIT_IDX_REG, index);
val = mvpp2_read(priv, MVPP2_PRS_TCAM_HIT_CNT_REG);
val &= MVPP2_PRS_TCAM_HIT_CNT_MASK;
+ spin_unlock_bh(&priv->prs_spinlock);
return val;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 245/279] vsock: avoid timeout during connect() if the socket is closing
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 244/279] net: mvpp2: Prevent parser TCAM memory corruption Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 246/279] tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu() Greg Kroah-Hartman
` (40 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luigi Leonardi, Stefano Garzarella,
Paolo Abeni, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit fccd2b711d9628c7ce0111d5e4938652101ee30a ]
When a peer attempts to establish a connection, vsock_connect() contains
a loop that waits for the state to be TCP_ESTABLISHED. However, the
other peer can be fast enough to accept the connection and close it
immediately, thus moving the state to TCP_CLOSING.
When this happens, the peer in the vsock_connect() is properly woken up,
but since the state is not TCP_ESTABLISHED, it goes back to sleep
until the timeout expires, returning -ETIMEDOUT.
If the socket state is TCP_CLOSING, waiting for the timeout is pointless.
vsock_connect() can return immediately without errors or delay since the
connection actually happened. The socket will be in a closing state,
but this is not an issue, and subsequent calls will fail as expected.
We discovered this issue while developing a test that accepts and
immediately closes connections to stress the transport switch between
two connect() calls, where the first one was interrupted by a signal
(see Closes link).
Reported-by: Luigi Leonardi <leonardi@redhat.com>
Closes: https://lore.kernel.org/virtualization/bq6hxrolno2vmtqwcvb5bljfpb7mvwb3kohrvaed6auz5vxrfv@ijmd2f3grobn/
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Tested-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Link: https://patch.msgid.link/20250328141528.420719-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/af_vsock.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 29ce6cc7b4011..036bdcc9d5c51 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1428,7 +1428,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
timeout = vsk->connect_timeout;
prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
- while (sk->sk_state != TCP_ESTABLISHED && sk->sk_err == 0) {
+ /* If the socket is already closing or it is in an error state, there
+ * is no point in waiting.
+ */
+ while (sk->sk_state != TCP_ESTABLISHED &&
+ sk->sk_state != TCP_CLOSING && sk->sk_err == 0) {
if (flags & O_NONBLOCK) {
/* If we're not going to block, we schedule a timeout
* function to generate a timeout on the connection
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 246/279] tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 245/279] vsock: avoid timeout during connect() if the socket is closing Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 247/279] netfilter: nft_tunnel: fix geneve_opt type confusion addition Greg Kroah-Hartman
` (39 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Stefano Brivio,
Aaron Conole, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <gnault@redhat.com>
[ Upstream commit 8930424777e43257f5bf6f0f0f53defd0d30415c ]
Because skb_tunnel_check_pmtu() doesn't handle PACKET_HOST packets,
commit 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper
pmtud support.") forced skb->pkt_type to PACKET_OUTGOING for
openvswitch packets that are sent using the OVS_ACTION_ATTR_OUTPUT
action. This allowed such packets to invoke the
iptunnel_pmtud_check_icmp() or iptunnel_pmtud_check_icmpv6() helpers
and thus trigger PMTU update on the input device.
However, this also broke other parts of PMTU discovery. Since these
packets don't have the PACKET_HOST type anymore, they won't trigger the
sending of ICMP Fragmentation Needed or Packet Too Big messages to
remote hosts when oversized (see the skb_in->pkt_type condition in
__icmp_send() for example).
These two skb->pkt_type checks are therefore incompatible as one
requires skb->pkt_type to be PACKET_HOST, while the other requires it
to be anything but PACKET_HOST.
It makes sense to not trigger ICMP messages for non-PACKET_HOST packets
as these messages should be generated only for incoming l2-unicast
packets. However there doesn't seem to be any reason for
skb_tunnel_check_pmtu() to ignore PACKET_HOST packets.
Allow both cases to work by allowing skb_tunnel_check_pmtu() to work on
PACKET_HOST packets and not overriding skb->pkt_type in openvswitch
anymore.
Fixes: 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper pmtud support.")
Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Tested-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/eac941652b86fddf8909df9b3bf0d97bc9444793.1743208264.git.gnault@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_tunnel_core.c | 2 +-
net/openvswitch/actions.c | 6 ------
2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 50ddbd7021f0e..51dd2b36c49d4 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -415,7 +415,7 @@ int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst,
skb_dst_update_pmtu_no_confirm(skb, mtu);
- if (!reply || skb->pkt_type == PACKET_HOST)
+ if (!reply)
return 0;
if (skb->protocol == htons(ETH_P_IP))
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 85af0e9e0ac6d..aca6e2b599c86 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -924,12 +924,6 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
pskb_trim(skb, ovs_mac_header_len(key));
}
- /* Need to set the pkt_type to involve the routing layer. The
- * packet movement through the OVS datapath doesn't generally
- * use routing, but this is needed for tunnel cases.
- */
- skb->pkt_type = PACKET_OUTGOING;
-
if (likely(!mru ||
(skb->len <= mru + vport->dev->hard_header_len))) {
ovs_vport_send(vport, skb, ovs_key_mac_proto(key));
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 247/279] netfilter: nft_tunnel: fix geneve_opt type confusion addition
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 246/279] tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 248/279] ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS Greg Kroah-Hartman
` (38 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lin Ma, Pablo Neira Ayuso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 1b755d8eb1ace3870789d48fbd94f386ad6e30be ]
When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
parsing logic should place every geneve_opt structure one by one
compactly. Hence, when deciding the next geneve_opt position, the
pointer addition should be in units of char *.
However, the current implementation erroneously does type conversion
before the addition, which will lead to heap out-of-bounds write.
[ 6.989857] ==================================================================
[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
[ 6.991162]
[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 6.992281] Call Trace:
[ 6.992423] <TASK>
[ 6.992586] dump_stack_lvl+0x44/0x5c
[ 6.992801] print_report+0x184/0x4be
[ 6.993790] kasan_report+0xc5/0x100
[ 6.994252] kasan_check_range+0xf3/0x1a0
[ 6.994486] memcpy+0x38/0x60
[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
[ 6.995677] nft_obj_init+0x10c/0x1b0
[ 6.995891] nf_tables_newobj+0x585/0x950
[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
[ 6.998997] nfnetlink_rcv+0x1df/0x220
[ 6.999537] netlink_unicast+0x395/0x530
[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
[ 7.001462] __sock_sendmsg+0x99/0xa0
[ 7.001707] ____sys_sendmsg+0x409/0x450
[ 7.002391] ___sys_sendmsg+0xfd/0x170
[ 7.003145] __sys_sendmsg+0xea/0x170
[ 7.004359] do_syscall_64+0x5e/0x90
[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 7.006127] RIP: 0033:0x7ec756d4e407
[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
Fix this bug with correct pointer addition and conversion in parse
and dump code.
Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_tunnel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index c8822fa8196d9..1b05b70497283 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -311,7 +311,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
struct nft_tunnel_opts *opts)
{
- struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
+ struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
int err, data_len;
@@ -592,7 +592,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
if (!inner)
goto failure;
while (opts->len > offset) {
- opt = (struct geneve_opt *)opts->u.data + offset;
+ opt = (struct geneve_opt *)(opts->u.data + offset);
if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
opt->opt_class) ||
nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 248/279] ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 247/279] netfilter: nft_tunnel: fix geneve_opt type confusion addition Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 249/279] net: fix geneve_opt length integer overflow Greg Kroah-Hartman
` (37 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
[ Upstream commit 7ac6ea4a3e0898db76aecccd68fb2c403eb7d24e ]
Using RTEXT_FILTER_SKIP_STATS is incorrectly skipping non-stats IPv6
netlink attributes on link dump. This causes issues on userspace tools,
e.g iproute2 is not rendering address generation mode as it should due
to missing netlink attribute.
Move the filling of IFLA_INET6_STATS and IFLA_INET6_ICMP6STATS to a
helper function guarded by a flag check to avoid hitting the same
situation in the future.
Fixes: d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid dumping inet/inet6 stats")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250402121751.3108-1-ffmancera@riseup.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf.c | 37 +++++++++++++++++++++++++------------
1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 932a10f64adcb..07b3487e3ae97 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5689,6 +5689,27 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype,
}
}
+static int inet6_fill_ifla6_stats_attrs(struct sk_buff *skb,
+ struct inet6_dev *idev)
+{
+ struct nlattr *nla;
+
+ nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64));
+ if (!nla)
+ goto nla_put_failure;
+ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla));
+
+ nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64));
+ if (!nla)
+ goto nla_put_failure;
+ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla));
+
+ return 0;
+
+nla_put_failure:
+ return -EMSGSIZE;
+}
+
static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev,
u32 ext_filter_mask)
{
@@ -5710,18 +5731,10 @@ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev,
/* XXX - MC not implemented */
- if (ext_filter_mask & RTEXT_FILTER_SKIP_STATS)
- return 0;
-
- nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64));
- if (!nla)
- goto nla_put_failure;
- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla));
-
- nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64));
- if (!nla)
- goto nla_put_failure;
- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla));
+ if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)) {
+ if (inet6_fill_ifla6_stats_attrs(skb, idev) < 0)
+ goto nla_put_failure;
+ }
nla = nla_reserve(skb, IFLA_INET6_TOKEN, sizeof(struct in6_addr));
if (!nla)
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 249/279] net: fix geneve_opt length integer overflow
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 248/279] ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 250/279] arcnet: Add NULL check in com20020pci_probe() Greg Kroah-Hartman
` (36 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Ma, Xin Long, Cong Wang,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ]
struct geneve_opt uses 5 bit length for each single option, which
means every vary size option should be smaller than 128 bytes.
However, all current related Netlink policies cannot promise this
length condition and the attacker can exploit a exact 128-byte size
option to *fake* a zero length option and confuse the parsing logic,
further achieve heap out-of-bounds read.
One example crash log is like below:
[ 3.905425] ==================================================================
[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[ 3.906646]
[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 3.907784] Call Trace:
[ 3.907925] <TASK>
[ 3.908048] dump_stack_lvl+0x44/0x5c
[ 3.908258] print_report+0x184/0x4be
[ 3.909151] kasan_report+0xc5/0x100
[ 3.909539] kasan_check_range+0xf3/0x1a0
[ 3.909794] memcpy+0x1f/0x60
[ 3.909968] nla_put+0xa9/0xe0
[ 3.910147] tunnel_key_dump+0x945/0xba0
[ 3.911536] tcf_action_dump_1+0x1c1/0x340
[ 3.912436] tcf_action_dump+0x101/0x180
[ 3.912689] tcf_exts_dump+0x164/0x1e0
[ 3.912905] fw_dump+0x18b/0x2d0
[ 3.913483] tcf_fill_node+0x2ee/0x460
[ 3.914778] tfilter_notify+0xf4/0x180
[ 3.915208] tc_new_tfilter+0xd51/0x10d0
[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
[ 3.919118] netlink_rcv_skb+0xcd/0x200
[ 3.919787] netlink_unicast+0x395/0x530
[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
[ 3.921987] __sock_sendmsg+0x99/0xa0
[ 3.922220] __sys_sendto+0x1b7/0x240
[ 3.922682] __x64_sys_sendto+0x72/0x90
[ 3.922906] do_syscall_64+0x5e/0x90
[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 3.924122] RIP: 0033:0x7e83eab84407
[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8
Fix these issues by enforing correct length condition in related
policies.
Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
Fixes: 4ece47787077 ("lwtunnel: add options setting and dumping for geneve")
Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_tunnel_core.c | 2 +-
net/netfilter/nft_tunnel.c | 2 +-
net/sched/act_tunnel_key.c | 2 +-
net/sched/cls_flower.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 51dd2b36c49d4..35189f1b361ea 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -450,7 +450,7 @@ static const struct nla_policy
geneve_opt_policy[LWTUNNEL_IP_OPT_GENEVE_MAX + 1] = {
[LWTUNNEL_IP_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
[LWTUNNEL_IP_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
- [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 },
+ [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 },
};
static const struct nla_policy
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 1b05b70497283..cfe6cf1be4217 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -305,7 +305,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GENEVE_MAX + 1] = {
[NFTA_TUNNEL_KEY_GENEVE_CLASS] = { .type = NLA_U16 },
[NFTA_TUNNEL_KEY_GENEVE_TYPE] = { .type = NLA_U8 },
- [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 },
+ [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 },
};
static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index d9cd174eecb79..64277ce3c5eb9 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -67,7 +67,7 @@ geneve_opt_policy[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_MAX + 1] = {
[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY,
- .len = 128 },
+ .len = 127 },
};
static const struct nla_policy
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 35842b51a24e2..af437be93e25a 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -723,7 +723,7 @@ geneve_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1] = {
[TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
[TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
[TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY,
- .len = 128 },
+ .len = 127 },
};
static const struct nla_policy
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 250/279] arcnet: Add NULL check in com20020pci_probe()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 249/279] net: fix geneve_opt length integer overflow Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 251/279] can: flexcan: only change CAN state when link up in system PM Greg Kroah-Hartman
` (35 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
com20020pci_probe() does not check for this case, which results in a
NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue and ensure
no resources are left allocated.
Fixes: 6b17a597fc2f ("arcnet: restoring support for multiple Sohard Arcnet cards")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://patch.msgid.link/20250402135036.44697-1-bsdhenrymartin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/arcnet/com20020-pci.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c
index 9d9e4200064f9..00a80f0adece4 100644
--- a/drivers/net/arcnet/com20020-pci.c
+++ b/drivers/net/arcnet/com20020-pci.c
@@ -250,18 +250,33 @@ static int com20020pci_probe(struct pci_dev *pdev,
card->tx_led.default_trigger = devm_kasprintf(&pdev->dev,
GFP_KERNEL, "arc%d-%d-tx",
dev->dev_id, i);
+ if (!card->tx_led.default_trigger) {
+ ret = -ENOMEM;
+ goto err_free_arcdev;
+ }
card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
"pci:green:tx:%d-%d",
dev->dev_id, i);
-
+ if (!card->tx_led.name) {
+ ret = -ENOMEM;
+ goto err_free_arcdev;
+ }
card->tx_led.dev = &dev->dev;
card->recon_led.brightness_set = led_recon_set;
card->recon_led.default_trigger = devm_kasprintf(&pdev->dev,
GFP_KERNEL, "arc%d-%d-recon",
dev->dev_id, i);
+ if (!card->recon_led.default_trigger) {
+ ret = -ENOMEM;
+ goto err_free_arcdev;
+ }
card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
"pci:red:recon:%d-%d",
dev->dev_id, i);
+ if (!card->recon_led.name) {
+ ret = -ENOMEM;
+ goto err_free_arcdev;
+ }
card->recon_led.dev = &dev->dev;
ret = devm_led_classdev_register(&pdev->dev, &card->tx_led);
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 251/279] can: flexcan: only change CAN state when link up in system PM
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 250/279] arcnet: Add NULL check in com20020pci_probe() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 252/279] can: flexcan: disable transceiver during " Greg Kroah-Hartman
` (34 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Marc Kleine-Budde,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit fd99d6ed20234b83d65b9c5417794343577cf3e5 ]
After a suspend/resume cycle on a down interface, it will come up as
ERROR-ACTIVE.
$ ip -details -s -s a s dev flexcan0
3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10
link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0
can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000
$ sudo systemctl suspend
$ ip -details -s -s a s dev flexcan0
3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10
link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0
can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000
And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process
has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did.
Fixes: 4de349e786a3 ("can: flexcan: fix resume function")
Cc: stable@vger.kernel.org
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com
Reported-by: Marc Kleine-Budde <mkl@pengutronix.de>
Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@pengutronix.de
[mkl: add newlines]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/flexcan.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 837bca7347594..fc9cfe434ce4f 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -2343,8 +2343,9 @@ static int __maybe_unused flexcan_suspend(struct device *device)
}
netif_stop_queue(dev);
netif_device_detach(dev);
+
+ priv->can.state = CAN_STATE_SLEEPING;
}
- priv->can.state = CAN_STATE_SLEEPING;
return 0;
}
@@ -2355,7 +2356,6 @@ static int __maybe_unused flexcan_resume(struct device *device)
struct flexcan_priv *priv = netdev_priv(dev);
int err;
- priv->can.state = CAN_STATE_ERROR_ACTIVE;
if (netif_running(dev)) {
netif_device_attach(dev);
netif_start_queue(dev);
@@ -2375,6 +2375,8 @@ static int __maybe_unused flexcan_resume(struct device *device)
flexcan_chip_interrupts_enable(dev);
}
+
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 252/279] can: flexcan: disable transceiver during system PM
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 251/279] can: flexcan: only change CAN state when link up in system PM Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0 Greg Kroah-Hartman
` (33 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Haibo Chen,
Marc Kleine-Budde, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit 5a19143124be42900b3fbc9ada3c919632eb45eb ]
During system PM, if no wakeup requirement, disable transceiver to
save power.
Fixes: 4de349e786a3 ("can: flexcan: fix resume function")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <frank.li@nxp.com>
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com
[mkl: add newlines]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/flexcan.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index fc9cfe434ce4f..6f4e3e0330a45 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -2337,6 +2337,10 @@ static int __maybe_unused flexcan_suspend(struct device *device)
flexcan_chip_interrupts_disable(dev);
+ err = flexcan_transceiver_disable(priv);
+ if (err)
+ return err;
+
err = pinctrl_pm_select_sleep_state(device);
if (err)
return err;
@@ -2369,10 +2373,16 @@ static int __maybe_unused flexcan_resume(struct device *device)
if (err)
return err;
- err = flexcan_chip_start(dev);
+ err = flexcan_transceiver_enable(priv);
if (err)
return err;
+ err = flexcan_chip_start(dev);
+ if (err) {
+ flexcan_transceiver_disable(priv);
+ return err;
+ }
+
flexcan_chip_interrupts_enable(dev);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 252/279] can: flexcan: disable transceiver during " Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 16:02 ` Nathan Chancellor
2025-04-08 10:50 ` [PATCH 5.15 254/279] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Greg Kroah-Hartman
` (32 subsequent siblings)
285 siblings, 1 reply; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Cooper, Kamal Dasu,
Florian Fainelli, Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kdasu.kdev@gmail.com>
[ Upstream commit 97904a59855c7ac7c613085bc6bdc550d48524ff ]
The 72116B0 has improved SDIO controllers that allow the max clock
rate to be increased from a max of 100MHz to a max of 150MHz. The
driver will need to get the clock and increase it's default rate
and override the caps register, that still indicates a max of 100MHz.
The new clock will be named "sdio_freq" in the DT node's "clock-names"
list. The driver will use a DT property, "clock-frequency", to
enable this functionality and will get the actual rate in MHz
from the property to allow various speeds to be requested.
Signed-off-by: Al Cooper <alcooperx@gmail.com>
Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20220520183108.47358-3-kdasu.kdev@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 723ef0e20dbb ("mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/sdhci-brcmstb.c | 69 +++++++++++++++++++++++++++++++-
1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/sdhci-brcmstb.c b/drivers/mmc/host/sdhci-brcmstb.c
index 4d42b1810acea..8fb23b1228875 100644
--- a/drivers/mmc/host/sdhci-brcmstb.c
+++ b/drivers/mmc/host/sdhci-brcmstb.c
@@ -32,6 +32,8 @@
struct sdhci_brcmstb_priv {
void __iomem *cfg_regs;
unsigned int flags;
+ struct clk *base_clk;
+ u32 base_freq_hz;
};
struct brcmstb_match_priv {
@@ -251,9 +253,11 @@ static int sdhci_brcmstb_probe(struct platform_device *pdev)
struct sdhci_pltfm_host *pltfm_host;
const struct of_device_id *match;
struct sdhci_brcmstb_priv *priv;
+ u32 actual_clock_mhz;
struct sdhci_host *host;
struct resource *iomem;
struct clk *clk;
+ struct clk *base_clk;
int res;
match = of_match_node(sdhci_brcm_of_match, pdev->dev.of_node);
@@ -331,6 +335,35 @@ static int sdhci_brcmstb_probe(struct platform_device *pdev)
if (match_priv->flags & BRCMSTB_MATCH_FLAGS_BROKEN_TIMEOUT)
host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
+ /* Change the base clock frequency if the DT property exists */
+ if (device_property_read_u32(&pdev->dev, "clock-frequency",
+ &priv->base_freq_hz) != 0)
+ goto add_host;
+
+ base_clk = devm_clk_get_optional(&pdev->dev, "sdio_freq");
+ if (IS_ERR(base_clk)) {
+ dev_warn(&pdev->dev, "Clock for \"sdio_freq\" not found\n");
+ goto add_host;
+ }
+
+ res = clk_prepare_enable(base_clk);
+ if (res)
+ goto err;
+
+ /* set improved clock rate */
+ clk_set_rate(base_clk, priv->base_freq_hz);
+ actual_clock_mhz = clk_get_rate(base_clk) / 1000000;
+
+ host->caps &= ~SDHCI_CLOCK_V3_BASE_MASK;
+ host->caps |= (actual_clock_mhz << SDHCI_CLOCK_BASE_SHIFT);
+ /* Disable presets because they are now incorrect */
+ host->quirks2 |= SDHCI_QUIRK2_PRESET_VALUE_BROKEN;
+
+ dev_dbg(&pdev->dev, "Base Clock Frequency changed to %dMHz\n",
+ actual_clock_mhz);
+ priv->base_clk = base_clk;
+
+add_host:
res = sdhci_brcmstb_add_host(host, priv);
if (res)
goto err;
@@ -341,6 +374,7 @@ static int sdhci_brcmstb_probe(struct platform_device *pdev)
err:
sdhci_pltfm_free(pdev);
err_clk:
+ clk_disable_unprepare(base_clk);
clk_disable_unprepare(clk);
return res;
}
@@ -352,11 +386,44 @@ static void sdhci_brcmstb_shutdown(struct platform_device *pdev)
MODULE_DEVICE_TABLE(of, sdhci_brcm_of_match);
+#ifdef CONFIG_PM_SLEEP
+static int sdhci_brcmstb_suspend(struct device *dev)
+{
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host);
+
+ clk_disable_unprepare(priv->base_clk);
+ return sdhci_pltfm_suspend(dev);
+}
+
+static int sdhci_brcmstb_resume(struct device *dev)
+{
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host);
+ int ret;
+
+ ret = sdhci_pltfm_resume(dev);
+ if (!ret && priv->base_freq_hz) {
+ ret = clk_prepare_enable(priv->base_clk);
+ if (!ret)
+ ret = clk_set_rate(priv->base_clk, priv->base_freq_hz);
+ }
+
+ return ret;
+}
+#endif
+
+static const struct dev_pm_ops sdhci_brcmstb_pmops = {
+ SET_SYSTEM_SLEEP_PM_OPS(sdhci_brcmstb_suspend, sdhci_brcmstb_resume)
+};
+
static struct platform_driver sdhci_brcmstb_driver = {
.driver = {
.name = "sdhci-brcmstb",
.probe_type = PROBE_PREFER_ASYNCHRONOUS,
- .pm = &sdhci_pltfm_pmops,
+ .pm = &sdhci_brcmstb_pmops,
.of_match_table = of_match_ptr(sdhci_brcm_of_match),
},
.probe = sdhci_brcmstb_probe,
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 254/279] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0 Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 255/279] tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform Greg Kroah-Hartman
` (31 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
[ Upstream commit 723ef0e20dbb2aa1b5406d2bb75374fc48187daa ]
cqhci timeouts observed on brcmstb platforms during suspend:
...
[ 164.832853] mmc0: cqhci: timeout for tag 18
...
Adding cqhci_suspend()/resume() calls to disable cqe
in sdhci_brcmstb_suspend()/resume() respectively to fix
CQE timeouts seen on PM suspend.
Fixes: d46ba2d17f90 ("mmc: sdhci-brcmstb: Add support for Command Queuing (CQE)")
Cc: stable@vger.kernel.org
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20250311165946.28190-1-kamal.dasu@broadcom.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/sdhci-brcmstb.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/mmc/host/sdhci-brcmstb.c b/drivers/mmc/host/sdhci-brcmstb.c
index 8fb23b1228875..21574f0607f8b 100644
--- a/drivers/mmc/host/sdhci-brcmstb.c
+++ b/drivers/mmc/host/sdhci-brcmstb.c
@@ -392,8 +392,15 @@ static int sdhci_brcmstb_suspend(struct device *dev)
struct sdhci_host *host = dev_get_drvdata(dev);
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host);
+ int ret;
clk_disable_unprepare(priv->base_clk);
+ if (host->mmc->caps2 & MMC_CAP2_CQE) {
+ ret = cqhci_suspend(host->mmc);
+ if (ret)
+ return ret;
+ }
+
return sdhci_pltfm_suspend(dev);
}
@@ -411,6 +418,9 @@ static int sdhci_brcmstb_resume(struct device *dev)
ret = clk_set_rate(priv->base_clk, priv->base_freq_hz);
}
+ if (host->mmc->caps2 & MMC_CAP2_CQE)
+ ret = cqhci_resume(host->mmc);
+
return ret;
}
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 255/279] tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 254/279] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 256/279] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers Greg Kroah-Hartman
` (30 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Sherry Sun,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
[ Upstream commit d57d56e4dddfb5c92cd81abf8922055bf0fb85a4 ]
For lpuart32 platforms, UARTMODIR register is used instead of UARTMODEM.
So here should configure the corresponding UARTMODIR register bits to
avoid confusion.
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Link: https://lore.kernel.org/r/20230414022111.20896-1-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: f5cb528d6441 ("tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/fsl_lpuart.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
index 9f1be9ce47e03..fe1fba335483f 100644
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1396,7 +1396,7 @@ static int lpuart32_config_rs485(struct uart_port *port,
struct lpuart_port, port);
unsigned long modem = lpuart32_read(&sport->port, UARTMODIR)
- & ~(UARTMODEM_TXRTSPOL | UARTMODEM_TXRTSE);
+ & ~(UARTMODIR_TXRTSPOL | UARTMODIR_TXRTSE);
lpuart32_write(&sport->port, modem, UARTMODIR);
/* clear unsupported configurations */
@@ -1406,7 +1406,7 @@ static int lpuart32_config_rs485(struct uart_port *port,
if (rs485->flags & SER_RS485_ENABLED) {
/* Enable auto RS-485 RTS mode */
- modem |= UARTMODEM_TXRTSE;
+ modem |= UARTMODIR_TXRTSE;
/*
* RTS needs to be logic HIGH either during transfer _or_ after
@@ -1428,9 +1428,9 @@ static int lpuart32_config_rs485(struct uart_port *port,
* Note: UART is assumed to be active high.
*/
if (rs485->flags & SER_RS485_RTS_ON_SEND)
- modem |= UARTMODEM_TXRTSPOL;
+ modem |= UARTMODIR_TXRTSPOL;
else if (rs485->flags & SER_RS485_RTS_AFTER_SEND)
- modem &= ~UARTMODEM_TXRTSPOL;
+ modem &= ~UARTMODIR_TXRTSPOL;
}
/* Store the new configuration */
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 256/279] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 255/279] tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 257/279] drm/amd/pm: Fix negative array index read Greg Kroah-Hartman
` (29 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Sherry Sun, Frank Li,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
[ Upstream commit f5cb528d6441eb860250a2f085773aac4f44085e ]
According to the LPUART reference manual, TXRTSE and TXRTSPOL of MODIR
register only can be changed when the transmitter is disabled.
So disable the transmitter before changing RS485 related registers and
re-enable it after the change is done.
Fixes: 67b01837861c ("tty: serial: lpuart: Add RS485 support for 32-bit uart flavour")
Cc: stable <stable@kernel.org>
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250312022503.1342990-1-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/fsl_lpuart.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
index fe1fba335483f..6684f6512fb16 100644
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1397,6 +1397,19 @@ static int lpuart32_config_rs485(struct uart_port *port,
unsigned long modem = lpuart32_read(&sport->port, UARTMODIR)
& ~(UARTMODIR_TXRTSPOL | UARTMODIR_TXRTSE);
+ u32 ctrl;
+
+ /* TXRTSE and TXRTSPOL only can be changed when transmitter is disabled. */
+ ctrl = lpuart32_read(&sport->port, UARTCTRL);
+ if (ctrl & UARTCTRL_TE) {
+ /* wait for the transmit engine to complete */
+ lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC);
+ lpuart32_write(&sport->port, ctrl & ~UARTCTRL_TE, UARTCTRL);
+
+ while (lpuart32_read(&sport->port, UARTCTRL) & UARTCTRL_TE)
+ cpu_relax();
+ }
+
lpuart32_write(&sport->port, modem, UARTMODIR);
/* clear unsupported configurations */
@@ -1437,6 +1450,10 @@ static int lpuart32_config_rs485(struct uart_port *port,
sport->port.rs485 = *rs485;
lpuart32_write(&sport->port, modem, UARTMODIR);
+
+ if (ctrl & UARTCTRL_TE)
+ lpuart32_write(&sport->port, ctrl, UARTCTRL);
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 289+ messages in thread
* [PATCH 5.15 257/279] drm/amd/pm: Fix negative array index read
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 256/279] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 258/279] drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration Greg Kroah-Hartman
` (28 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesse Zhang, Tim Huang, Alex Deucher,
Jianqi Ren, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse Zhang <jesse.zhang@amd.com>
commit c8c19ebf7c0b202a6a2d37a52ca112432723db5f upstream.
Avoid using the negative values
for clk_idex as an index into an array pptable->DpmDescriptor.
V2: fix clk_index return check (Tim Huang)
Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
Reviewed-by: Tim Huang <Tim.Huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[Minor conflict resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
@@ -1231,19 +1231,22 @@ static int navi10_get_current_clk_freq_b
value);
}
-static bool navi10_is_support_fine_grained_dpm(struct smu_context *smu, enum smu_clk_type clk_type)
+static int navi10_is_support_fine_grained_dpm(struct smu_context *smu, enum smu_clk_type clk_type)
{
PPTable_t *pptable = smu->smu_table.driver_pptable;
DpmDescriptor_t *dpm_desc = NULL;
- uint32_t clk_index = 0;
+ int clk_index = 0;
clk_index = smu_cmn_to_asic_specific_index(smu,
CMN2ASIC_MAPPING_CLK,
clk_type);
+ if (clk_index < 0)
+ return clk_index;
+
dpm_desc = &pptable->DpmDescriptor[clk_index];
/* 0 - Fine grained DPM, 1 - Discrete DPM */
- return dpm_desc->SnapToDiscrete == 0;
+ return dpm_desc->SnapToDiscrete == 0 ? 1 : 0;
}
static inline bool navi10_od_feature_is_supported(struct smu_11_0_overdrive_table *od_table, enum SMU_11_0_ODFEATURE_CAP cap)
@@ -1299,7 +1302,11 @@ static int navi10_print_clk_levels(struc
if (ret)
return size;
- if (!navi10_is_support_fine_grained_dpm(smu, clk_type)) {
+ ret = navi10_is_support_fine_grained_dpm(smu, clk_type);
+ if (ret < 0)
+ return ret;
+
+ if (!ret) {
for (i = 0; i < count; i++) {
ret = smu_v11_0_get_dpm_freq_by_index(smu, clk_type, i, &value);
if (ret)
@@ -1468,7 +1475,11 @@ static int navi10_force_clk_levels(struc
case SMU_UCLK:
case SMU_FCLK:
/* There is only 2 levels for fine grained DPM */
- if (navi10_is_support_fine_grained_dpm(smu, clk_type)) {
+ ret = navi10_is_support_fine_grained_dpm(smu, clk_type);
+ if (ret < 0)
+ return ret;
+
+ if (ret) {
soft_max_level = (soft_max_level >= 1 ? 1 : 0);
soft_min_level = (soft_min_level >= 1 ? 1 : 0);
}
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 258/279] drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 257/279] drm/amd/pm: Fix negative array index read Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 259/279] usbnet:fix NPE during rx_complete Greg Kroah-Hartman
` (27 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Tom Chung, Hersen Wu,
Daniel Wheeler, Alex Deucher, Jianqi Ren, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hersen Wu <hersenxs.wu@amd.com>
commit a54f7e866cc73a4cb71b8b24bb568ba35c8969df upstream.
[Why]
Coverity reports Memory - illegal accesses.
[How]
Skip inactive planes.
Reviewed-by: Alex Hung <alex.hung@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[get_pipe_idx() was introduced as a helper by
dda4fb85e433 ("drm/amd/display: DML changes for DCN32/321") in v6.0.
This patch backports it to make code clearer. And minor conflict is
resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c | 24 ++++++++++++++++++
1 file changed, 24 insertions(+)
--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c
@@ -867,11 +867,30 @@ static unsigned int CursorBppEnumToBits(
}
}
+static unsigned int get_pipe_idx(struct display_mode_lib *mode_lib, unsigned int plane_idx)
+{
+ int pipe_idx = -1;
+ int i;
+
+ ASSERT(plane_idx < DC__NUM_DPP__MAX);
+
+ for (i = 0; i < DC__NUM_DPP__MAX ; i++) {
+ if (plane_idx == mode_lib->vba.pipe_plane[i]) {
+ pipe_idx = i;
+ break;
+ }
+ }
+ ASSERT(pipe_idx >= 0);
+
+ return pipe_idx;
+}
+
void ModeSupportAndSystemConfiguration(struct display_mode_lib *mode_lib)
{
soc_bounding_box_st *soc = &mode_lib->vba.soc;
unsigned int k;
unsigned int total_pipes = 0;
+ unsigned int pipe_idx = 0;
mode_lib->vba.VoltageLevel = mode_lib->vba.cache_pipes[0].clks_cfg.voltage;
mode_lib->vba.ReturnBW = mode_lib->vba.ReturnBWPerState[mode_lib->vba.VoltageLevel][mode_lib->vba.maxMpcComb];
@@ -892,6 +911,11 @@ void ModeSupportAndSystemConfiguration(s
// Total Available Pipes Support Check
for (k = 0; k < mode_lib->vba.NumberOfActivePlanes; ++k) {
+ pipe_idx = get_pipe_idx(mode_lib, k);
+ if (pipe_idx == -1) {
+ ASSERT(0);
+ continue; // skip inactive planes
+ }
total_pipes += mode_lib->vba.DPPPerPlane[k];
}
ASSERT(total_pipes <= DC__NUM_DPP__MAX);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 259/279] usbnet:fix NPE during rx_complete
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 258/279] drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 260/279] platform/x86: ISST: Correct command storage data length Greg Kroah-Hartman
` (26 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ying Lu, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ying Lu <luying1@xiaomi.com>
commit 51de3600093429e3b712e5f091d767babc5dd6df upstream.
Missing usbnet_going_away Check in Critical Path.
The usb_submit_urb function lacks a usbnet_going_away
validation, whereas __usbnet_queue_skb includes this check.
This inconsistency creates a race condition where:
A URB request may succeed, but the corresponding SKB data
fails to be queued.
Subsequent processes:
(e.g., rx_complete → defer_bh → __skb_unlink(skb, list))
attempt to access skb->next, triggering a NULL pointer
dereference (Kernel Panic).
Fixes: 04e906839a05 ("usbnet: fix cyclical race on disconnect with work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Ying Lu <luying1@xiaomi.com>
Link: https://patch.msgid.link/4c9ef2efaa07eb7f9a5042b74348a67e5a3a7aea.1743584159.git.luying1@xiaomi.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -533,7 +533,8 @@ static int rx_submit (struct usbnet *dev
netif_device_present (dev->net) &&
test_bit(EVENT_DEV_OPEN, &dev->flags) &&
!test_bit (EVENT_RX_HALT, &dev->flags) &&
- !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) {
+ !test_bit (EVENT_DEV_ASLEEP, &dev->flags) &&
+ !usbnet_going_away(dev)) {
switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) {
case -EPIPE:
usbnet_defer_kevent (dev, EVENT_RX_HALT);
@@ -554,8 +555,7 @@ static int rx_submit (struct usbnet *dev
tasklet_schedule (&dev->bh);
break;
case 0:
- if (!usbnet_going_away(dev))
- __usbnet_queue_skb(&dev->rxq, skb, rx_start);
+ __usbnet_queue_skb(&dev->rxq, skb, rx_start);
}
} else {
netif_dbg(dev, ifdown, dev->net, "rx: stopped\n");
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 260/279] platform/x86: ISST: Correct command storage data length
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 259/279] usbnet:fix NPE during rx_complete Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 261/279] ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() Greg Kroah-Hartman
` (25 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada,
Ilpo Järvinen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit 9462e74c5c983cce34019bfb27f734552bebe59f upstream.
After resume/online turbo limit ratio (TRL) is restored partially if
the admin explicitly changed TRL from user space.
A hash table is used to store SST mail box and MSR settings when modified
to restore those settings after resume or online. This uses a struct
isst_cmd field "data" to store these settings. This is a 64 bit field.
But isst_store_new_cmd() is only assigning as u32. This results in
truncation of 32 bits.
Change the argument to u64 from u32.
Fixes: f607874f35cb ("platform/x86: ISST: Restore state on resume")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250328224749.2691272-1-srinivas.pandruvada@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
@@ -77,7 +77,7 @@ static DECLARE_HASHTABLE(isst_hash, 8);
static DEFINE_MUTEX(isst_hash_lock);
static int isst_store_new_cmd(int cmd, u32 cpu, int mbox_cmd_type, u32 param,
- u32 data)
+ u64 data)
{
struct isst_cmd *sst_cmd;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 261/279] ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 260/279] platform/x86: ISST: Correct command storage data length Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 262/279] btrfs: handle errors from btrfs_dec_ref() properly Greg Kroah-Hartman
` (24 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Markus Elfring, Jon Mason
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Elfring <elfring@users.sourceforge.net>
commit 4279e72cab31dd3eb8c89591eb9d2affa90ab6aa upstream.
The function call “dmaengine_unmap_put(unmap)” was used in an if branch.
The same call was immediately triggered by a subsequent goto statement.
Thus avoid such a call repetition.
This issue was detected by using the Coccinelle software.
Fixes: 5648e56d03fa ("NTB: ntb_perf: Add full multi-port NTB API support")
Cc: stable@vger.kernel.org
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/test/ntb_perf.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/ntb/test/ntb_perf.c
+++ b/drivers/ntb/test/ntb_perf.c
@@ -839,10 +839,8 @@ static int perf_copy_chunk(struct perf_t
dma_set_unmap(tx, unmap);
ret = dma_submit_error(dmaengine_submit(tx));
- if (ret) {
- dmaengine_unmap_put(unmap);
+ if (ret)
goto err_free_resource;
- }
dmaengine_unmap_put(unmap);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 262/279] btrfs: handle errors from btrfs_dec_ref() properly
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 261/279] ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 263/279] x86/tsc: Always save/restore TSC sched_clock() on suspend/resume Greg Kroah-Hartman
` (23 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, David Sterba,
Jianqi Ren, He Zhe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
commit 5eb178f373b4f16f3b42d55ff88fc94dd95b93b1 upstream.
In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is
incorrect, we have proper error handling here, return the error.
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent-tree.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -5461,7 +5461,10 @@ static noinline int walk_up_proc(struct
ret = btrfs_dec_ref(trans, root, eb, 1);
else
ret = btrfs_dec_ref(trans, root, eb, 0);
- BUG_ON(ret); /* -ENOMEM */
+ if (ret) {
+ btrfs_abort_transaction(trans, ret);
+ return ret;
+ }
if (is_fstree(root->root_key.objectid)) {
ret = btrfs_qgroup_trace_leaf_items(trans, eb);
if (ret) {
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 263/279] x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 262/279] btrfs: handle errors from btrfs_dec_ref() properly Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 264/279] x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs Greg Kroah-Hartman
` (22 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guilherme G. Piccoli, Ingo Molnar,
Thomas Gleixner, Peter Zijlstra, Linus Torvalds,
Thadeu Lima de Souza Cascardo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guilherme G. Piccoli <gpiccoli@igalia.com>
commit d90c9de9de2f1712df56de6e4f7d6982d358cabe upstream.
TSC could be reset in deep ACPI sleep states, even with invariant TSC.
That's the reason we have sched_clock() save/restore functions, to deal
with this situation. But what happens is that such functions are guarded
with a check for the stability of sched_clock - if not considered stable,
the save/restore routines aren't executed.
On top of that, we have a clear comment in native_sched_clock() saying
that *even* with TSC unstable, we continue using TSC for sched_clock due
to its speed.
In other words, if we have a situation of TSC getting detected as unstable,
it marks the sched_clock as unstable as well, so subsequent S3 sleep cycles
could bring bogus sched_clock values due to the lack of the save/restore
mechanism, causing warnings like this:
[22.954918] ------------[ cut here ]------------
[22.954923] Delta way too big! 18446743750843854390 ts=18446744072977390405 before=322133536015 after=322133536015 write stamp=18446744072977390405
[22.954923] If you just came from a suspend/resume,
[22.954923] please switch to the trace global clock:
[22.954923] echo global > /sys/kernel/tracing/trace_clock
[22.954923] or add trace_clock=global to the kernel command line
[22.954937] WARNING: CPU: 2 PID: 5728 at kernel/trace/ring_buffer.c:2890 rb_add_timestamp+0x193/0x1c0
Notice that the above was reproduced even with "trace_clock=global".
The fix for that is to _always_ save/restore the sched_clock on suspend
cycle _if TSC is used_ as sched_clock - only if we fallback to jiffies
the sched_clock_stable() check becomes relevant to save/restore the
sched_clock.
Debugged-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250215210314.351480-1-gpiccoli@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/tsc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -920,7 +920,7 @@ static unsigned long long cyc2ns_suspend
void tsc_save_sched_clock_state(void)
{
- if (!sched_clock_stable())
+ if (!static_branch_likely(&__use_tsc) && !sched_clock_stable())
return;
cyc2ns_suspend = sched_clock();
@@ -940,7 +940,7 @@ void tsc_restore_sched_clock_state(void)
unsigned long flags;
int cpu;
- if (!sched_clock_stable())
+ if (!static_branch_likely(&__use_tsc) && !sched_clock_stable())
return;
local_irq_save(flags);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 264/279] x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 263/279] x86/tsc: Always save/restore TSC sched_clock() on suspend/resume Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 265/279] acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Greg Kroah-Hartman
` (21 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Peter Zijlstra (Intel)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 3ef938c3503563bfc2ac15083557f880d29c2e64 upstream.
On the following path, flush_tlb_range() can be used for zapping normal
PMD entries (PMD entries that point to page tables) together with the PTE
entries in the pointed-to page table:
collapse_pte_mapped_thp
pmdp_collapse_flush
flush_tlb_range
The arm64 version of flush_tlb_range() has a comment describing that it can
be used for page table removal, and does not use any last-level
invalidation optimizations. Fix the X86 version by making it behave the
same way.
Currently, X86 only uses this information for the following two purposes,
which I think means the issue doesn't have much impact:
- In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be
IPI'd to avoid issues with speculative page table walks.
- In Hyper-V TLB paravirtualization, again for lazy TLB stuff.
The patch "x86/mm: only invalidate final translations with INVLPGB" which
is currently under review (see
<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)
would probably be making the impact of this a lot worse.
Fixes: 016c4d92cd16 ("x86/mm/tlb: Add freed_tables argument to flush_tlb_mm_range")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20250103-x86-collapse-flush-fix-v1-1-3c521856cfa6@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/tlbflush.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -227,7 +227,7 @@ void flush_tlb_multi(const struct cpumas
flush_tlb_mm_range((vma)->vm_mm, start, end, \
((vma)->vm_flags & VM_HUGETLB) \
? huge_page_shift(hstate_vma(vma)) \
- : PAGE_SHIFT, false)
+ : PAGE_SHIFT, true)
extern void flush_tlb_all(void);
extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 265/279] acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 264/279] x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 266/279] ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP Greg Kroah-Hartman
` (20 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c80d8dc0d9fa81a3cd8c,
Murad Masimov, Ira Weiny
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
commit 2ff0e408db36c21ed3fa5e3c1e0e687c82cf132f upstream.
Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary
bus families can be translated". This warning is emited if the argument
is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first
verifies that a user-provided value call_pkg->nd_family of type u64 is
not equal to 0. Then the value is converted to int, and only after that
is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid
argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while
the lower 32 bits are zero.
Furthermore, it is best to return EINVAL immediately upon seeing the
invalid user input. The WARNING is insufficient to prevent further
undefined behavior based on other invalid user input.
All checks of the input value should be applied to the original variable
call_pkg->nd_family.
[iweiny: update commit message]
Fixes: 6450ddbd5d8e ("ACPI: NFIT: Define runtime firmware activation commands")
Cc: stable@vger.kernel.org
Reported-by: syzbot+c80d8dc0d9fa81a3cd8c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c80d8dc0d9fa81a3cd8c
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Link: https://patch.msgid.link/20250123163945.251-1-m.masimov@mt-integration.ru
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/nfit/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -485,7 +485,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
cmd_mask = nd_desc->cmd_mask;
if (cmd == ND_CMD_CALL && call_pkg->nd_family) {
family = call_pkg->nd_family;
- if (family > NVDIMM_BUS_FAMILY_MAX ||
+ if (call_pkg->nd_family > NVDIMM_BUS_FAMILY_MAX ||
!test_bit(family, &nd_desc->bus_family_mask))
return -EINVAL;
family = array_index_nospec(family,
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 266/279] ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 265/279] acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 267/279] mmc: sdhci-pxav3: set NEED_RSP_BUSY capability Greg Kroah-Hartman
` (19 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Hans de Goede,
Anton Shyndin, Rafael J. Wysocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Menzel <pmenzel@molgen.mpg.de>
commit 2da31ea2a085cd189857f2db0f7b78d0162db87a upstream.
Like the ASUS Vivobook X1504VAP and Vivobook X1704VAP, the ASUS Vivobook 14
X1404VAP has its keyboard IRQ (1) described as ActiveLow in the DSDT, which
the kernel overrides to EdgeHigh breaking the keyboard.
$ sudo dmidecode
[…]
System Information
Manufacturer: ASUSTeK COMPUTER INC.
Product Name: ASUS Vivobook 14 X1404VAP_X1404VA
[…]
$ grep -A 30 PS2K dsdt.dsl | grep IRQ -A 1
IRQ (Level, ActiveLow, Exclusive, )
{1}
Add the X1404VAP to the irq1_level_low_skip_override[] quirk table to fix
this.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Anton Shyndin <mrcold.il@gmail.com>
Link: https://patch.msgid.link/20250318160903.77107-1-pmenzel@molgen.mpg.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/resource.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -443,6 +443,13 @@ static const struct dmi_system_id asus_l
},
},
{
+ /* Asus Vivobook X1404VAP */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "X1404VAP"),
+ },
+ },
+ {
/* Asus Vivobook X1504VAP */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 267/279] mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 266/279] ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 268/279] tracing: Fix use-after-free in print_graph_function_flags during tracer switching Greg Kroah-Hartman
` (18 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karel Balej, Adrian Hunter,
Duje Mihanović, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karel Balej <balejk@matfyz.cz>
commit a41fcca4b342811b473bbaa4b44f1d34d87fcce6 upstream.
Set the MMC_CAP_NEED_RSP_BUSY capability for the sdhci-pxav3 host to
prevent conversion of R1B responses to R1. Without this, the eMMC card
in the samsung,coreprimevelte smartphone using the Marvell PXA1908 SoC
with this mmc host doesn't probe with the ETIMEDOUT error originating in
__mmc_poll_for_busy.
Note that the other issues reported for this phone and host, namely
floods of "Tuning failed, falling back to fixed sampling clock" dmesg
messages for the eMMC and unstable SDIO are not mitigated by this
change.
Link: https://lore.kernel.org/r/20200310153340.5593-1-ulf.hansson@linaro.org/
Link: https://lore.kernel.org/r/D7204PWIGQGI.1FRFQPPIEE2P9@matfyz.cz/
Link: https://lore.kernel.org/r/20250115-pxa1908-lkml-v14-0-847d24f3665a@skole.hr/
Cc: stable@vger.kernel.org
Signed-off-by: Karel Balej <balejk@matfyz.cz>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Duje Mihanović <duje.mihanovic@skole.hr>
Link: https://lore.kernel.org/r/20250310140707.23459-1-balejk@matfyz.cz
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pxav3.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -401,6 +401,7 @@ static int sdhci_pxav3_probe(struct plat
if (!IS_ERR(pxa->clk_core))
clk_prepare_enable(pxa->clk_core);
+ host->mmc->caps |= MMC_CAP_NEED_RSP_BUSY;
/* enable 1/8V DDR capable */
host->mmc->caps |= MMC_CAP_1_8V_DDR;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 268/279] tracing: Fix use-after-free in print_graph_function_flags during tracer switching
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 267/279] mmc: sdhci-pxav3: set NEED_RSP_BUSY capability Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 269/279] tracing: Ensure module defining synth event cannot be unloaded while tracing Greg Kroah-Hartman
` (17 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Zheng Yejian, Kairui Song, Tengda Wu, Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tengda Wu <wutengda@huaweicloud.com>
commit 7f81f27b1093e4895e87b74143c59c055c3b1906 upstream.
Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if puting a
'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
and executing the following script:
$ echo function_graph > current_tracer
$ cat trace > /dev/null &
$ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
$ echo timerlat > current_tracer
The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():
* One through 'iter->trace->print_line()';
* Another through 'event->funcs->trace()', which is hidden in
print_trace_fmt() before print_trace_line returns.
Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.
Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter->private', but does not set
it to NULL. This provides an opportunity for 'event->funcs->trace()'
to use an invalid 'iter->private'.
To fix this issue, set 'iter->private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter->private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.
[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Zheng Yejian <zhengyejian1@huawei.com>
Link: https://lore.kernel.org/20250320122137.23635-1-wutengda@huaweicloud.com
Fixes: eecb91b9f98d ("tracing: Fix memleak due to race between current_tracer and trace")
Closes: https://lore.kernel.org/all/CAMgjq7BW79KDSCyp+tZHjShSzHsScSiJxn5ffskp-QzVM06fxw@mail.gmail.com/
Reported-by: Kairui Song <kasong@tencent.com>
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_functions_graph.c | 1 +
kernel/trace/trace_irqsoff.c | 2 --
kernel/trace/trace_sched_wakeup.c | 2 --
3 files changed, 1 insertion(+), 4 deletions(-)
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -1244,6 +1244,7 @@ void graph_trace_close(struct trace_iter
if (data) {
free_percpu(data->cpu_data);
kfree(data);
+ iter->private = NULL;
}
}
--- a/kernel/trace/trace_irqsoff.c
+++ b/kernel/trace/trace_irqsoff.c
@@ -231,8 +231,6 @@ static void irqsoff_trace_open(struct tr
{
if (is_graph(iter->tr))
graph_trace_open(iter);
- else
- iter->private = NULL;
}
static void irqsoff_trace_close(struct trace_iterator *iter)
--- a/kernel/trace/trace_sched_wakeup.c
+++ b/kernel/trace/trace_sched_wakeup.c
@@ -168,8 +168,6 @@ static void wakeup_trace_open(struct tra
{
if (is_graph(iter->tr))
graph_trace_open(iter);
- else
- iter->private = NULL;
}
static void wakeup_trace_close(struct trace_iterator *iter)
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 269/279] tracing: Ensure module defining synth event cannot be unloaded while tracing
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 268/279] tracing: Fix use-after-free in print_graph_function_flags during tracer switching Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 270/279] tracing: Fix synth event printk format for str fields Greg Kroah-Hartman
` (16 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Douglas Raillard,
Masami Hiramatsu (Google), Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Raillard <douglas.raillard@arm.com>
commit 21581dd4e7ff6c07d0ab577e3c32b13a74b31522 upstream.
Currently, using synth_event_delete() will fail if the event is being
used (tracing in progress), but that is normally done in the module exit
function. At that stage, failing is problematic as returning a non-zero
status means the module will become locked (impossible to unload or
reload again).
Instead, ensure the module exit function does not get called in the
first place by increasing the module refcnt when the event is enabled.
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 35ca5207c2d11 ("tracing: Add synthetic event command generation functions")
Link: https://lore.kernel.org/20250318180906.226841-1-douglas.raillard@arm.com
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_synth.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -856,6 +856,35 @@ static struct trace_event_fields synth_e
{}
};
+static int synth_event_reg(struct trace_event_call *call,
+ enum trace_reg type, void *data)
+{
+ struct synth_event *event = container_of(call, struct synth_event, call);
+ int ret;
+
+ switch (type) {
+ case TRACE_REG_REGISTER:
+ case TRACE_REG_PERF_REGISTER:
+ if (!try_module_get(event->mod))
+ return -EBUSY;
+ break;
+ default:
+ break;
+ }
+
+ ret = trace_event_reg(call, type, data);
+
+ switch (type) {
+ case TRACE_REG_UNREGISTER:
+ case TRACE_REG_PERF_UNREGISTER:
+ module_put(event->mod);
+ break;
+ default:
+ break;
+ }
+ return ret;
+}
+
static int register_synth_event(struct synth_event *event)
{
struct trace_event_call *call = &event->call;
@@ -885,7 +914,7 @@ static int register_synth_event(struct s
goto out;
}
call->flags = TRACE_EVENT_FL_TRACEPOINT;
- call->class->reg = trace_event_reg;
+ call->class->reg = synth_event_reg;
call->class->probe = trace_event_raw_event_synth;
call->data = event;
call->tp = event->tp;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 270/279] tracing: Fix synth event printk format for str fields
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 269/279] tracing: Ensure module defining synth event cannot be unloaded while tracing Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 271/279] tracing/osnoise: Fix possible recursive locking for cpus_read_lock() Greg Kroah-Hartman
` (15 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Douglas Raillard, Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Raillard <douglas.raillard@arm.com>
commit 4d38328eb442dc06aec4350fd9594ffa6488af02 upstream.
The printk format for synth event uses "%.*s" to print string fields,
but then only passes the pointer part as var arg.
Replace %.*s with %s as the C string is guaranteed to be null-terminated.
The output in print fmt should never have been updated as __get_str()
handles the string limit because it can access the length of the string in
the string meta data that is saved in the ring buffer.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 8db4d6bfbbf92 ("tracing: Change synthetic event string format to limit printed length")
Link: https://lore.kernel.org/20250325165202.541088-1-douglas.raillard@arm.com
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_synth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -293,7 +293,7 @@ static const char *synth_field_fmt(char
else if (strcmp(type, "gfp_t") == 0)
fmt = "%x";
else if (synth_field_is_string(type))
- fmt = "%.*s";
+ fmt = "%s";
else if (synth_field_is_stack(type))
fmt = "%s";
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 271/279] tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 270/279] tracing: Fix synth event printk format for str fields Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 272/279] ext4: dont over-report free space or inodes in statvfs Greg Kroah-Hartman
` (14 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ran Xiaokai, Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ran Xiaokai <ran.xiaokai@zte.com.cn>
commit 7e6b3fcc9c5294aeafed0dbe1a09a1bc899bd0f2 upstream.
Lockdep reports this deadlock log:
osnoise: could not start sampling thread
============================================
WARNING: possible recursive locking detected
--------------------------------------------
CPU0
----
lock(cpu_hotplug_lock);
lock(cpu_hotplug_lock);
Call Trace:
<TASK>
print_deadlock_bug+0x282/0x3c0
__lock_acquire+0x1610/0x29a0
lock_acquire+0xcb/0x2d0
cpus_read_lock+0x49/0x120
stop_per_cpu_kthreads+0x7/0x60
start_kthread+0x103/0x120
osnoise_hotplug_workfn+0x5e/0x90
process_one_work+0x44f/0xb30
worker_thread+0x33e/0x5e0
kthread+0x206/0x3b0
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x11/0x20
</TASK>
This is the deadlock scenario:
osnoise_hotplug_workfn()
guard(cpus_read_lock)(); // first lock call
start_kthread(cpu)
if (IS_ERR(kthread)) {
stop_per_cpu_kthreads(); {
cpus_read_lock(); // second lock call. Cause the AA deadlock
}
}
It is not necessary to call stop_per_cpu_kthreads() which stops osnoise
kthread for every other CPUs in the system if a failure occurs during
hotplug of a certain CPU.
For start_per_cpu_kthreads(), if the start_kthread() call fails,
this function calls stop_per_cpu_kthreads() to handle the error.
Therefore, similarly, there is no need to call stop_per_cpu_kthreads()
again within start_kthread().
So just remove stop_per_cpu_kthreads() from start_kthread to solve this issue.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250321095249.2739397-1-ranxiaokai627@163.com
Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations")
Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_osnoise.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -1560,7 +1560,6 @@ static int start_kthread(unsigned int cp
if (IS_ERR(kthread)) {
pr_err(BANNER "could not start sampling thread\n");
- stop_per_cpu_kthreads();
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 272/279] ext4: dont over-report free space or inodes in statvfs
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 271/279] tracing/osnoise: Fix possible recursive locking for cpus_read_lock() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 273/279] ext4: fix OOB read when checking dotdot dir Greg Kroah-Hartman
` (13 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Theodore Tso,
Darrick J. Wong
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit f87d3af7419307ae26e705a2b2db36140db367a2 upstream.
This fixes an analogus bug that was fixed in xfs in commit
4b8d867ca6e2 ("xfs: don't over-report free space or inodes in
statvfs") where statfs can report misleading / incorrect information
where project quota is enabled, and the free space is less than the
remaining quota.
This commit will resolve a test failure in generic/762 which tests for
this bug.
Cc: stable@kernel.org
Fixes: 689c958cbe6b ("ext4: add project quota support")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6087,22 +6087,29 @@ static int ext4_statfs_project(struct su
dquot->dq_dqb.dqb_bhardlimit);
limit >>= sb->s_blocksize_bits;
- if (limit && buf->f_blocks > limit) {
+ if (limit) {
+ uint64_t remaining = 0;
+
curblock = (dquot->dq_dqb.dqb_curspace +
dquot->dq_dqb.dqb_rsvspace) >> sb->s_blocksize_bits;
- buf->f_blocks = limit;
- buf->f_bfree = buf->f_bavail =
- (buf->f_blocks > curblock) ?
- (buf->f_blocks - curblock) : 0;
+ if (limit > curblock)
+ remaining = limit - curblock;
+
+ buf->f_blocks = min(buf->f_blocks, limit);
+ buf->f_bfree = min(buf->f_bfree, remaining);
+ buf->f_bavail = min(buf->f_bavail, remaining);
}
limit = min_not_zero(dquot->dq_dqb.dqb_isoftlimit,
dquot->dq_dqb.dqb_ihardlimit);
- if (limit && buf->f_files > limit) {
- buf->f_files = limit;
- buf->f_ffree =
- (buf->f_files > dquot->dq_dqb.dqb_curinodes) ?
- (buf->f_files - dquot->dq_dqb.dqb_curinodes) : 0;
+ if (limit) {
+ uint64_t remaining = 0;
+
+ if (limit > dquot->dq_dqb.dqb_curinodes)
+ remaining = limit - dquot->dq_dqb.dqb_curinodes;
+
+ buf->f_files = min(buf->f_files, limit);
+ buf->f_ffree = min(buf->f_ffree, remaining);
}
spin_unlock(&dquot->dq_dqb_lock);
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 273/279] ext4: fix OOB read when checking dotdot dir
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 272/279] ext4: dont over-report free space or inodes in statvfs Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 274/279] jfs: fix slab-out-of-bounds read in ea_get() Greg Kroah-Hartman
` (12 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Acs, Theodore Tso,
Andreas Dilger, linux-ext4, linux-kernel, Mahmoud Adam, security
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Acs, Jakub <acsjakub@amazon.de>
commit d5e206778e96e8667d3bde695ad372c296dc9353 upstream.
Mounting a corrupted filesystem with directory which contains '.' dir
entry with rec_len == block size results in out-of-bounds read (later
on, when the corrupted directory is removed).
ext4_empty_dir() assumes every ext4 directory contains at least '.'
and '..' as directory entries in the first data block. It first loads
the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
and then uses its rec_len member to compute the location of '..' dir
entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
same data block.
If the rec_len of '.' is precisely one block (4KB), it slips through the
sanity checks (it is considered the last directory entry in the data
block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
memory slot allocated to the data block. The following call to
ext4_check_dir_entry() on new value of de then dereferences this pointer
which results in out-of-bounds mem access.
Fix this by extending __ext4_check_dir_entry() to check for '.' dir
entries that reach the end of data block. Make sure to ignore the phony
dir entries for checksum (by checking name_len for non-zero).
Note: This is reported by KASAN as use-after-free in case another
structure was recently freed from the slot past the bound, but it is
really an OOB read.
This issue was found by syzkaller tool.
Call Trace:
[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[ 38.595158]
[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 38.595304] Call Trace:
[ 38.595308] <TASK>
[ 38.595311] dump_stack_lvl+0xa7/0xd0
[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595349] print_report+0xaa/0x250
[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
[ 38.595378] kasan_report+0xab/0xe0
[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
[ 38.595410] ext4_empty_dir+0x465/0x990
[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
[ 38.595478] ? down_write+0xdb/0x140
[ 38.595487] ? __pfx_down_write+0x10/0x10
[ 38.595497] ext4_rmdir+0xee/0x140
[ 38.595506] vfs_rmdir+0x209/0x670
[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
[ 38.595529] do_rmdir+0x363/0x3c0
[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
[ 38.595570] do_syscall_64+0x5b/0x180
[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: ac27a0ec112a0 ("[PATCH] ext4: initial copy of files from ext3")
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>
Cc: linux-ext4@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Mahmoud Adam <mngyadam@amazon.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Link: https://patch.msgid.link/b3ae36a6794c4a01944c7d70b403db5b@amazon.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/dir.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ext4/dir.c
+++ b/fs/ext4/dir.c
@@ -104,6 +104,9 @@ int __ext4_check_dir_entry(const char *f
else if (unlikely(le32_to_cpu(de->inode) >
le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
error_msg = "inode out of bounds";
+ else if (unlikely(next_offset == size && de->name_len == 1 &&
+ de->name[0] == '.'))
+ error_msg = "'.' directory cannot be the last in data block";
else
return 0;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 274/279] jfs: fix slab-out-of-bounds read in ea_get()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 273/279] ext4: fix OOB read when checking dotdot dir Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 275/279] jfs: add index corruption check to DT_GETPAGE() Greg Kroah-Hartman
` (11 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot, Qasim Ijaz, Dave Kleikamp
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qasim Ijaz <qasdev00@gmail.com>
commit fdf480da5837c23b146c4743c18de97202fcab37 upstream.
During the "size_check" label in ea_get(), the code checks if the extended
attribute list (xattr) size matches ea_size. If not, it logs
"ea_get: invalid extended attribute" and calls print_hex_dump().
Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
INT_MAX (2,147,483,647). Then ea_size is clamped:
int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
limit is treated as an int, causing an overflow above 2^31 - 1. This leads
"size" to wrap around and become negative (-184549328).
The "size" is then passed to print_hex_dump() (called "len" in
print_hex_dump()), it is passed as type size_t (an unsigned
type), this is then stored inside a variable called
"int remaining", which is then assigned to "int linelen" which
is then passed to hex_dump_to_buffer(). In print_hex_dump()
the for loop, iterates through 0 to len-1, where len is
18446744073525002176, calling hex_dump_to_buffer()
on each iteration:
for (i = 0; i < len; i += rowsize) {
linelen = min(remaining, rowsize);
remaining -= rowsize;
hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
linebuf, sizeof(linebuf), ascii);
...
}
The expected stopping condition (i < len) is effectively broken
since len is corrupted and very large. This eventually leads to
the "ptr+i" being passed to hex_dump_to_buffer() to get closer
to the end of the actual bounds of "ptr", eventually an out of
bounds access is done in hex_dump_to_buffer() in the following
for loop:
for (j = 0; j < len; j++) {
if (linebuflen < lx + 2)
goto overflow2;
ch = ptr[j];
...
}
To fix this we should validate "EALIST_SIZE(ea_buf->xattr)"
before it is utilised.
Reported-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
Tested-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=4e6e7e4279d046613bc5
Fixes: d9f9d96136cb ("jfs: xattr: check invalid xattr size more strictly")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/xattr.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -559,11 +559,16 @@ static int ea_get(struct inode *inode, s
size_check:
if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
- int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
+ if (unlikely(EALIST_SIZE(ea_buf->xattr) > INT_MAX)) {
+ printk(KERN_ERR "ea_get: extended attribute size too large: %u > INT_MAX\n",
+ EALIST_SIZE(ea_buf->xattr));
+ } else {
+ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
- printk(KERN_ERR "ea_get: invalid extended attribute\n");
- print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
- ea_buf->xattr, size, 1);
+ printk(KERN_ERR "ea_get: invalid extended attribute\n");
+ print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
+ ea_buf->xattr, size, 1);
+ }
ea_release(inode, ea_buf);
rc = -EIO;
goto clean_up;
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 275/279] jfs: add index corruption check to DT_GETPAGE()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 274/279] jfs: fix slab-out-of-bounds read in ea_get() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 276/279] nfsd: put dl_stid if fail to queue dl_recall Greg Kroah-Hartman
` (10 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot, Roman Smirnov, Dave Kleikamp
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
commit a8dfb2168906944ea61acfc87846b816eeab882d upstream.
If the file system is corrupted, the header.stblindex variable
may become greater than 127. Because of this, an array access out
of bounds may occur:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
index 237 is out of range for type 'struct dtslot[128]'
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor740 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
dtReadFirst+0x622/0xc50 fs/jfs/jfs_dtree.c:3096
dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
jfs_readdir+0x9aa/0x3c50 fs/jfs/jfs_dtree.c:2862
wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
iterate_dir+0x571/0x800 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
---[ end trace ]---
Add a stblindex check for corruption.
Reported-by: syzbot <syzbot+9120834fc227768625ba@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=9120834fc227768625ba
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/jfs_dtree.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -117,7 +117,8 @@ do { \
if (!(RC)) { \
if (((P)->header.nextindex > \
(((BN) == 0) ? DTROOTMAXSLOT : (P)->header.maxslot)) || \
- ((BN) && ((P)->header.maxslot > DTPAGEMAXSLOT))) { \
+ ((BN) && (((P)->header.maxslot > DTPAGEMAXSLOT) || \
+ ((P)->header.stblindex >= DTPAGEMAXSLOT)))) { \
BT_PUTPAGE(MP); \
jfs_error((IP)->i_sb, \
"DT_GETPAGE: dtree page corrupt\n"); \
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 276/279] nfsd: put dl_stid if fail to queue dl_recall
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 275/279] jfs: add index corruption check to DT_GETPAGE() Greg Kroah-Hartman
@ 2025-04-08 10:50 ` Greg Kroah-Hartman
2025-04-08 10:51 ` [PATCH 5.15 277/279] NFSD: Skip sending CB_RECALL_ANY when the backchannel isnt up Greg Kroah-Hartman
` (9 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Jeff Layton,
Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
commit 230ca758453c63bd38e4d9f4a21db698f7abada8 upstream.
Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
increment the reference count of dl_stid.
We expect that after the corresponding work_struct is processed, the
reference count of dl_stid will be decremented through the callback
function nfsd4_cb_recall_release.
However, if the call to nfsd4_run_cb fails, the incremented reference
count of dl_stid will not be decremented correspondingly, leading to the
following nfs4_stid leak:
unreferenced object 0xffff88812067b578 (size 344):
comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
hex dump (first 32 bytes):
01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........
00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N..
backtrace:
kmem_cache_alloc+0x4b9/0x700
nfsd4_process_open1+0x34/0x300
nfsd4_open+0x2d1/0x9d0
nfsd4_proc_compound+0x7a2/0xe30
nfsd_dispatch+0x241/0x3e0
svc_process_common+0x5d3/0xcc0
svc_process+0x2a3/0x320
nfsd+0x180/0x2e0
kthread+0x199/0x1d0
ret_from_fork+0x30/0x50
ret_from_fork_asm+0x1b/0x30
unreferenced object 0xffff8881499f4d28 (size 368):
comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I....
30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... .......
backtrace:
kmem_cache_alloc+0x4b9/0x700
nfs4_alloc_stid+0x29/0x210
alloc_init_deleg+0x92/0x2e0
nfs4_set_delegation+0x284/0xc00
nfs4_open_delegation+0x216/0x3f0
nfsd4_process_open2+0x2b3/0xee0
nfsd4_open+0x770/0x9d0
nfsd4_proc_compound+0x7a2/0xe30
nfsd_dispatch+0x241/0x3e0
svc_process_common+0x5d3/0xcc0
svc_process+0x2a3/0x320
nfsd+0x180/0x2e0
kthread+0x199/0x1d0
ret_from_fork+0x30/0x50
ret_from_fork_asm+0x1b/0x30
Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
fail to queue dl_recall.
Cc: stable@vger.kernel.org
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1069,6 +1069,12 @@ static struct nfs4_ol_stateid * nfs4_all
return openlockstateid(stid);
}
+/*
+ * As the sc_free callback of deleg, this may be called by nfs4_put_stid
+ * in nfsd_break_one_deleg.
+ * Considering nfsd_break_one_deleg is called with the flc->flc_lock held,
+ * this function mustn't ever sleep.
+ */
static void nfs4_free_deleg(struct nfs4_stid *stid)
{
struct nfs4_delegation *dp = delegstateid(stid);
@@ -4926,6 +4932,7 @@ static const struct nfsd4_callback_ops n
static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
{
+ bool queued;
/*
* We're assuming the state code never drops its reference
* without first removing the lease. Since we're in this lease
@@ -4934,7 +4941,10 @@ static void nfsd_break_one_deleg(struct
* we know it's safe to take a reference.
*/
refcount_inc(&dp->dl_stid.sc_count);
- WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall));
+ queued = nfsd4_run_cb(&dp->dl_recall);
+ WARN_ON_ONCE(!queued);
+ if (!queued)
+ nfs4_put_stid(&dp->dl_stid);
}
/* Called from break_lease() with flc_lock held. */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 277/279] NFSD: Skip sending CB_RECALL_ANY when the backchannel isnt up
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-04-08 10:50 ` [PATCH 5.15 276/279] nfsd: put dl_stid if fail to queue dl_recall Greg Kroah-Hartman
@ 2025-04-08 10:51 ` Greg Kroah-Hartman
2025-04-08 10:51 ` [PATCH 5.15 278/279] mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume Greg Kroah-Hartman
` (8 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit 8a388c1fabeb6606e16467b23242416c0dbeffad upstream.
NFSD sends CB_RECALL_ANY to clients when the server is low on
memory or that client has a large number of delegations outstanding.
We've seen cases where NFSD attempts to send CB_RECALL_ANY requests
to disconnected clients, and gets confused. These calls never go
anywhere if a backchannel transport to the target client isn't
available. Before the server can send any backchannel operation, the
client has to connect first and then do a BIND_CONN_TO_SESSION.
This patch doesn't address the root cause of the confusion, but
there's no need to queue up these optional operations if they can't
go anywhere.
Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6250,14 +6250,19 @@ deleg_reaper(struct nfsd_net *nn)
spin_lock(&nn->client_lock);
list_for_each_safe(pos, next, &nn->client_lru) {
clp = list_entry(pos, struct nfs4_client, cl_lru);
- if (clp->cl_state != NFSD4_ACTIVE ||
- list_empty(&clp->cl_delegations) ||
- atomic_read(&clp->cl_delegs_in_recall) ||
- test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags) ||
- (ktime_get_boottime_seconds() -
- clp->cl_ra_time < 5)) {
+
+ if (clp->cl_state != NFSD4_ACTIVE)
+ continue;
+ if (list_empty(&clp->cl_delegations))
+ continue;
+ if (atomic_read(&clp->cl_delegs_in_recall))
+ continue;
+ if (test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags))
+ continue;
+ if (ktime_get_boottime_seconds() - clp->cl_ra_time < 5)
+ continue;
+ if (clp->cl_cb_state != NFSD4_CB_UP)
continue;
- }
list_add(&clp->cl_ra_cblist, &cblist);
/* release in nfsd4_cb_recall_any_release */
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 278/279] mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-04-08 10:51 ` [PATCH 5.15 277/279] NFSD: Skip sending CB_RECALL_ANY when the backchannel isnt up Greg Kroah-Hartman
@ 2025-04-08 10:51 ` Greg Kroah-Hartman
2025-04-08 10:51 ` [PATCH 5.15 279/279] mm, slab: remove duplicate kernel-doc comment for ksize() Greg Kroah-Hartman
` (7 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kdasu.kdev@gmail.com>
commit 886201c70a1cab34ef96f867c2b2dd6379ffa7b9 upstream.
Use clk_get_rate for base_clk on resume before setting new rate.
This change ensures that the clock api returns current rate
and sets the clock to the desired rate and honors CLK_GET_NO_CACHE
attribute used by clock api.
Fixes: 97904a59855c (mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0)
Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20220714174132.18541-1-kdasu.kdev@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-brcmstb.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/sdhci-brcmstb.c
+++ b/drivers/mmc/host/sdhci-brcmstb.c
@@ -414,7 +414,14 @@ static int sdhci_brcmstb_resume(struct d
ret = sdhci_pltfm_resume(dev);
if (!ret && priv->base_freq_hz) {
ret = clk_prepare_enable(priv->base_clk);
- if (!ret)
+ /*
+ * Note: using clk_get_rate() below as clk_get_rate()
+ * honors CLK_GET_RATE_NOCACHE attribute, but clk_set_rate()
+ * may do implicit get_rate() calls that do not honor
+ * CLK_GET_RATE_NOCACHE.
+ */
+ if (!ret &&
+ (clk_get_rate(priv->base_clk) != priv->base_freq_hz))
ret = clk_set_rate(priv->base_clk, priv->base_freq_hz);
}
^ permalink raw reply [flat|nested] 289+ messages in thread
* [PATCH 5.15 279/279] mm, slab: remove duplicate kernel-doc comment for ksize()
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-04-08 10:51 ` [PATCH 5.15 278/279] mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume Greg Kroah-Hartman
@ 2025-04-08 10:51 ` Greg Kroah-Hartman
2025-04-08 15:08 ` [PATCH 5.15 000/279] 5.15.180-rc1 review Mark Brown
` (6 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-08 10:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akira Yokosawa, Kees Cook,
Vlastimil Babka
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlastimil Babka <vbabka@suse.cz>
commit c18c20f16219516b12a4f2fd29c25e06be97e064 upstream.
Akira reports:
> "make htmldocs" reports duplicate C declaration of ksize() as follows:
> /linux/Documentation/core-api/mm-api:43: ./mm/slab_common.c:1428: WARNING: Duplicate C declaration, also defined at core-api/mm-api:212.
> Declaration is '.. c:function:: size_t ksize (const void *objp)'.
> This is due to the kernel-doc comment for ksize() declaration added in
> include/linux/slab.h by commit 05a940656e1e ("slab: Introduce
> kmalloc_size_roundup()").
There is an older kernel-doc comment for ksize() definition in
mm/slab_common.c, which is not only duplicated, but also contradicts the
new one - the additional storage discovered by ksize() should not be
used by callers anymore. Delete the old kernel-doc.
Reported-by: Akira Yokosawa <akiyks@gmail.com>
Link: https://lore.kernel.org/all/d33440f6-40cf-9747-3340-e54ffaf7afb8@gmail.com/
Fixes: 05a940656e1e ("slab: Introduce kmalloc_size_roundup()")
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slab_common.c | 14 --------------
1 file changed, 14 deletions(-)
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1305,20 +1305,6 @@ void kfree_sensitive(const void *p)
}
EXPORT_SYMBOL(kfree_sensitive);
-/**
- * ksize - get the actual amount of memory allocated for a given object
- * @objp: Pointer to the object
- *
- * kmalloc may internally round up allocations and return more memory
- * than requested. ksize() can be used to determine the actual amount of
- * memory allocated. The caller may use this additional memory, even though
- * a smaller amount of memory was initially specified with the kmalloc call.
- * The caller must guarantee that objp points to a valid object previously
- * allocated with either kmalloc() or kmem_cache_alloc(). The object
- * must not be freed during the duration of the call.
- *
- * Return: size of the actual memory used by @objp in bytes
- */
size_t ksize(const void *objp)
{
size_t size;
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-04-08 10:51 ` [PATCH 5.15 279/279] mm, slab: remove duplicate kernel-doc comment for ksize() Greg Kroah-Hartman
@ 2025-04-08 15:08 ` Mark Brown
2025-04-08 21:42 ` Florian Fainelli
` (5 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Mark Brown @ 2025-04-08 15:08 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar
[-- Attachment #1: Type: text/plain, Size: 347 bytes --]
On Tue, Apr 08, 2025 at 12:46:23PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
2025-04-08 10:50 ` [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0 Greg Kroah-Hartman
@ 2025-04-08 16:02 ` Nathan Chancellor
2025-04-09 10:52 ` Greg Kroah-Hartman
0 siblings, 1 reply; 289+ messages in thread
From: Nathan Chancellor @ 2025-04-08 16:02 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Al Cooper, Kamal Dasu, Florian Fainelli,
Ulf Hansson, Sasha Levin
Hi Greg,
On Tue, Apr 08, 2025 at 12:50:36PM +0200, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Kamal Dasu <kdasu.kdev@gmail.com>
>
> [ Upstream commit 97904a59855c7ac7c613085bc6bdc550d48524ff ]
>
> The 72116B0 has improved SDIO controllers that allow the max clock
> rate to be increased from a max of 100MHz to a max of 150MHz. The
> driver will need to get the clock and increase it's default rate
> and override the caps register, that still indicates a max of 100MHz.
> The new clock will be named "sdio_freq" in the DT node's "clock-names"
> list. The driver will use a DT property, "clock-frequency", to
> enable this functionality and will get the actual rate in MHz
> from the property to allow various speeds to be requested.
>
> Signed-off-by: Al Cooper <alcooperx@gmail.com>
> Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
> Acked-by: Florian Fainelli <f.fainelli@gmail.com>
> Link: https://lore.kernel.org/r/20220520183108.47358-3-kdasu.kdev@gmail.com
> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> Stable-dep-of: 723ef0e20dbb ("mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
This change needs a fix for a clang -Wsometimes-uninitialized warning,
commit c3c0ed75ffbf ("mmc: sdhci-brcmstb: Initialize base_clk to NULL in
sdhci_brcmstb_probe()"), as pointed out by KernelCI.
https://lore.kernel.org/CACo-S-297JUFPCNaeSoA0WHSP=sC+QquSZaX=rQto=JZzi1PUA@mail.gmail.com/
Not exactly your fault, I had a Fixes tag on the original patch but it
seems like it got stripped during application :/
https://lore.kernel.org/20220608152757.82529-1-nathan@kernel.org/
Cheers,
Nathan
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-04-08 15:08 ` [PATCH 5.15 000/279] 5.15.180-rc1 review Mark Brown
@ 2025-04-08 21:42 ` Florian Fainelli
2025-04-09 2:36 ` SeongJae Park
` (4 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Florian Fainelli @ 2025-04-08 21:42 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie
On 4/8/25 03:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.180-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-04-08 21:42 ` Florian Fainelli
@ 2025-04-09 2:36 ` SeongJae Park
2025-04-09 6:26 ` Vijayendra Suman
` (3 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: SeongJae Park @ 2025-04-09 2:36 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: SeongJae Park, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, damon
Hello,
On Tue, 8 Apr 2025 12:46:23 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
> Anything received after that time might be too late.
This rc kernel passes DAMON functionality test[1] on my test machine.
Attaching the test results summary below. Please note that I retrieved the
kernel from linux-stable-rc tree[2].
Tested-by: SeongJae Park <sj@kernel.org>
[1] https://github.com/damonitor/damon-tests/tree/next/corr
[2] 0b4857306c61 ("Linux 5.15.180-rc1")
Thanks,
SJ
[...]
---
ok 1 selftests: damon: debugfs_attrs.sh
ok 1 selftests: damon-tests: kunit.sh
ok 2 selftests: damon-tests: huge_count_read_write.sh
ok 3 selftests: damon-tests: buffer_overflow.sh
ok 4 selftests: damon-tests: rm_contexts.sh
ok 5 selftests: damon-tests: record_null_deref.sh
ok 6 selftests: damon-tests: dbgfs_target_ids_read_before_terminate_race.sh
ok 7 selftests: damon-tests: dbgfs_target_ids_pid_leak.sh
ok 8 selftests: damon-tests: damo_tests.sh
ok 9 selftests: damon-tests: masim-record.sh
ok 10 selftests: damon-tests: build_i386.sh
ok 11 selftests: damon-tests: build_arm64.sh # SKIP
ok 12 selftests: damon-tests: build_m68k.sh # SKIP
ok 13 selftests: damon-tests: build_i386_idle_flag.sh
ok 14 selftests: damon-tests: build_i386_highpte.sh
ok 15 selftests: damon-tests: build_nomemcg.sh
[33m
[92mPASS [39m
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-04-09 2:36 ` SeongJae Park
@ 2025-04-09 6:26 ` Vijayendra Suman
2025-04-09 7:01 ` Ron Economos
` (2 subsequent siblings)
285 siblings, 0 replies; 289+ messages in thread
From: Vijayendra Suman @ 2025-04-09 6:26 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
On 08/04/25 4:16 pm, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/
> patch-5.15.180-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
No issues were seen on x86_64 and aarch64 platforms with our testing.
Tested-by: Vijayendra Suman <vijayendra.suman@oracle.com>
> thanks,
>
> greg k-h
thanks,
Vijay
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-04-09 6:26 ` Vijayendra Suman
@ 2025-04-09 7:01 ` Ron Economos
2025-04-09 8:00 ` Jon Hunter
2025-04-09 10:53 ` Naresh Kamboju
285 siblings, 0 replies; 289+ messages in thread
From: Ron Economos @ 2025-04-09 7:01 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
On 4/8/25 03:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.180-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-04-09 7:01 ` Ron Economos
@ 2025-04-09 8:00 ` Jon Hunter
2025-04-09 10:53 ` Naresh Kamboju
285 siblings, 0 replies; 289+ messages in thread
From: Jon Hunter @ 2025-04-09 8:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
linux-tegra, stable
On Tue, 08 Apr 2025 12:46:23 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.180-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v5.15:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
101 tests: 101 pass, 0 fail
Linux version: 5.15.180-rc1-g0b4857306c61
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
2025-04-08 16:02 ` Nathan Chancellor
@ 2025-04-09 10:52 ` Greg Kroah-Hartman
0 siblings, 0 replies; 289+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-09 10:52 UTC (permalink / raw)
To: Nathan Chancellor
Cc: stable, patches, Al Cooper, Kamal Dasu, Florian Fainelli,
Ulf Hansson, Sasha Levin
On Tue, Apr 08, 2025 at 09:02:35AM -0700, Nathan Chancellor wrote:
> Hi Greg,
>
> On Tue, Apr 08, 2025 at 12:50:36PM +0200, Greg Kroah-Hartman wrote:
> > 5.15-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Kamal Dasu <kdasu.kdev@gmail.com>
> >
> > [ Upstream commit 97904a59855c7ac7c613085bc6bdc550d48524ff ]
> >
> > The 72116B0 has improved SDIO controllers that allow the max clock
> > rate to be increased from a max of 100MHz to a max of 150MHz. The
> > driver will need to get the clock and increase it's default rate
> > and override the caps register, that still indicates a max of 100MHz.
> > The new clock will be named "sdio_freq" in the DT node's "clock-names"
> > list. The driver will use a DT property, "clock-frequency", to
> > enable this functionality and will get the actual rate in MHz
> > from the property to allow various speeds to be requested.
> >
> > Signed-off-by: Al Cooper <alcooperx@gmail.com>
> > Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
> > Acked-by: Florian Fainelli <f.fainelli@gmail.com>
> > Link: https://lore.kernel.org/r/20220520183108.47358-3-kdasu.kdev@gmail.com
> > Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> > Stable-dep-of: 723ef0e20dbb ("mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops")
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> This change needs a fix for a clang -Wsometimes-uninitialized warning,
> commit c3c0ed75ffbf ("mmc: sdhci-brcmstb: Initialize base_clk to NULL in
> sdhci_brcmstb_probe()"), as pointed out by KernelCI.
>
> https://lore.kernel.org/CACo-S-297JUFPCNaeSoA0WHSP=sC+QquSZaX=rQto=JZzi1PUA@mail.gmail.com/
>
> Not exactly your fault, I had a Fixes tag on the original patch but it
> seems like it got stripped during application :/
>
> https://lore.kernel.org/20220608152757.82529-1-nathan@kernel.org/
Thanks, I'll go queue that up now.
greg k-h
^ permalink raw reply [flat|nested] 289+ messages in thread
* Re: [PATCH 5.15 000/279] 5.15.180-rc1 review
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-04-09 8:00 ` Jon Hunter
@ 2025-04-09 10:53 ` Naresh Kamboju
285 siblings, 0 replies; 289+ messages in thread
From: Naresh Kamboju @ 2025-04-09 10:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
On Tue, 8 Apr 2025 at 17:09, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.180 release.
> There are 279 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Apr 2025 10:47:53 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.180-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 5.15.180-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 0b4857306c618d2052f6455b90747ef1df364ecd
* git describe: v5.15.179-280-g0b4857306c61
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.179-280-g0b4857306c61
## Test Regressions (compared to v5.15.178-617-g4372970bf866)
## Metric Regressions (compared to v5.15.178-617-g4372970bf866)
## Test Fixes (compared to v5.15.178-617-g4372970bf866)
## Metric Fixes (compared to v5.15.178-617-g4372970bf866)
## Test result summary
total: 51097, pass: 36064, fail: 2716, skip: 11897, xfail: 420
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 102 total, 102 passed, 0 failed
* arm64: 30 total, 30 passed, 0 failed
* i386: 22 total, 20 passed, 2 failed
* mips: 22 total, 22 passed, 0 failed
* parisc: 3 total, 3 passed, 0 failed
* powerpc: 22 total, 22 passed, 0 failed
* riscv: 8 total, 8 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 6 total, 6 passed, 0 failed
* x86_64: 26 total, 26 passed, 0 failed
## Test suites summary
* boot
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 289+ messages in thread
end of thread, other threads:[~2025-04-09 10:53 UTC | newest]
Thread overview: 289+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-08 10:46 [PATCH 5.15 000/279] 5.15.180-rc1 review Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 001/279] vlan: fix memory leak in vlan_newlink() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 002/279] clockevents/drivers/i8253: Fix stop sequence for timer 0 Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 003/279] sched/isolation: Prevent boot crash when the boot CPU is nohz_full Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 004/279] ipv6: Fix signed integer overflow in __ip6_append_data Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 005/279] fbdev: hyperv_fb: iounmap() the correct memory when removing a device Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 006/279] pinctrl: bcm281xx: Fix incorrect regmap max_registers value Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 007/279] netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 008/279] ice: fix memory leak in aRFS after reset Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 009/279] net: dsa: mv88e6xxx: Verify after ATU Load ops Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 010/279] netpoll: hold rcu read lock in __netpoll_send_skb() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 011/279] Drivers: hv: vmbus: Dont release fb_mmio resource in vmbus_free_mmio() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 012/279] net/mlx5: handle errors in mlx5_chains_create_table() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 013/279] netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 014/279] ipvs: prevent integer overflow in do_ip_vs_get_ctl() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 015/279] net_sched: Prevent creation of classes with TC_H_ROOT Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 016/279] netfilter: nft_exthdr: fix offset with ipv4_find_option() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 017/279] gre: Fix IPv6 link-local address generation Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 018/279] slab: clean up function prototypes Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 019/279] slab: Introduce kmalloc_size_roundup() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 020/279] openvswitch: Use kmalloc_size_roundup() to match ksize() usage Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 021/279] net: openvswitch: remove misbehaving actions length check Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 022/279] net/mlx5: Bridge, fix the crash caused by LAG state check Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 023/279] net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 024/279] nvme-fc: go straight to connecting state when initializing Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 025/279] hrtimers: Mark is_migration_base() with __always_inline Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 026/279] powercap: call put_device() on an error path in powercap_register_control_type() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 027/279] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 028/279] scsi: core: Use GFP_NOIO to avoid circular locking dependency Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 029/279] scsi: qla1280: Fix kernel oops when debug level > 2 Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 030/279] ACPI: resource: IRQ override for Eluktronics MECH-17 Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 031/279] alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 032/279] vboxsf: fix building with GCC 15 Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 033/279] HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 034/279] HID: ignore non-functional sensor in HP 5MP Camera Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 035/279] sched: Clarify wake_up_q()s write to task->wake_q.next Greg Kroah-Hartman
2025-04-08 10:46 ` [PATCH 5.15 036/279] s390/cio: Fix CHPID "configure" attribute caching Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 037/279] thermal/cpufreq_cooling: Remove structure member documentation Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 038/279] ASoC: rsnd: dont indicate warning on rsnd_kctrl_accept_runtime() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 039/279] ASoC: arizona/madera: use fsleep() in up/down DAPM event delays Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 040/279] ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 041/279] net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 042/279] nvmet-rdma: recheck queue state is LIVE in state lock in recv done Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 043/279] sctp: Fix undefined behavior in left shift operation Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 044/279] nvme: only allow entering LIVE from CONNECTING state Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 045/279] ASoC: tas2770: Fix volume scale Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 046/279] ASoC: tas2764: Fix power control mask Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 047/279] ASoC: tas2764: Set the SDOUT polarity correctly Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 048/279] fuse: dont truncate cached, mutated symlink Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 049/279] x86/irq: Define trace events conditionally Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 050/279] mptcp: safety check before fallback Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 051/279] drm/nouveau: Do not override forced connector status Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 052/279] block: fix kmem_cache of name bio-108 already exists Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 053/279] USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 054/279] USB: serial: option: add Telit Cinterion FE990B compositions Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 055/279] USB: serial: option: fix Telit Cinterion FE990A name Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 056/279] USB: serial: option: match on interface class for Telit FN990B Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 057/279] x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 058/279] drm/atomic: Filter out redundant DPMS calls Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 059/279] drm/amd/display: Restore correct backlight brightness after a GPU reset Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 060/279] drm/amd/display: Assign normalized_pix_clk when color depth = 14 Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 061/279] drm/amd/display: Fix slab-use-after-free on hdcp_work Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 062/279] qlcnic: fix memory leak issues in qlcnic_sriov_common.c Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 063/279] lib/buildid: Handle memfd_secret() files in build_id_parse() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 064/279] tcp: fix races in tcp_abort() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 065/279] ASoC: ops: Consistently treat platform_max as control value Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 066/279] drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 067/279] ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 068/279] cifs: Fix integer overflow while processing acregmax mount option Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 069/279] cifs: Fix integer overflow while processing acdirmax " Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 070/279] cifs: Fix integer overflow while processing actimeo " Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 071/279] cifs: Fix integer overflow while processing closetimeo " Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 072/279] i2c: ali1535: Fix an error handling path in ali1535_probe() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 073/279] i2c: ali15x3: Fix an error handling path in ali15x3_probe() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 074/279] i2c: sis630: Fix an error handling path in sis630_probe() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 075/279] drm/amd/display: Check for invalid input params when building scaling params Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 076/279] drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 077/279] smb: client: Fix match_session bug preventing session reuse Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 078/279] smb: client: fix potential UAF in cifs_debug_files_proc_show() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 079/279] firmware: imx-scu: fix OF node leak in .probe() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 080/279] xfrm_output: Force software GSO only in tunnel mode Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 081/279] ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 082/279] RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 083/279] ARM: dts: bcm2711: Dont mark timer regs unconfigured Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 084/279] RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 085/279] RDMA/hns: Remove redundant phy_addr in hns_roce_hem_list_find_mtt() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 086/279] RDMA/hns: Fix soft lockup during bt pages loop Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 087/279] RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 088/279] RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 089/279] RDMA/hns: Fix wrong value of max_sge_rd Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 090/279] Bluetooth: Fix error code in chan_alloc_skb_cb() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 091/279] ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 092/279] ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 093/279] net: atm: fix use after free in lec_send() Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 094/279] net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 095/279] Revert "gre: Fix IPv6 link-local address generation." Greg Kroah-Hartman
2025-04-08 10:47 ` [PATCH 5.15 096/279] i2c: omap: fix IRQ storms Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 097/279] drm/v3d: Dont run jobs that have errors flagged in its fence Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 098/279] regulator: check that dummy regulator has been probed before using it Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 099/279] mmc: atmel-mci: Add missing clk_disable_unprepare() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 100/279] proc: fix UAF in proc_get_inode() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 101/279] ARM: shmobile: smp: Enforce shmobile_smp_* alignment Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 102/279] batman-adv: Ignore own maximum aggregation size during RX Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 103/279] soc: qcom: pdr: Fix the potential deadlock Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 104/279] drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 105/279] drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 106/279] mptcp: Fix data stream corruption in the address announcement Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 107/279] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 108/279] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 109/279] bpf, sockmap: Fix race between element replace and close() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 110/279] ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 111/279] HID: hid-plantronics: Add mic mute mapping and generalize quirks Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 112/279] atm: Fix NULL pointer dereference Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 113/279] ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 114/279] ARM: 9351/1: fault: Add "cut here" line for prefetch aborts Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 115/279] ARM: Remove address checking for MMUless devices Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 116/279] netfilter: socket: Lookup orig tuple for IPv6 SNAT Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 117/279] ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 118/279] counter: stm32-lptimer-cnt: fix error handling when enabling Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 119/279] counter: microchip-tcb-capture: Fix undefined counter channel state on probe Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 120/279] tty: serial: 8250: Add some more device IDs Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 121/279] tty: serial: 8250: Add Brainboxes XC devices Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 122/279] net: usb: qmi_wwan: add Telit Cinterion FN990B composition Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 123/279] net: usb: qmi_wwan: add Telit Cinterion FE990B composition Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 124/279] net: usb: usbnet: restore usb%d name exception for local mac addresses Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 125/279] memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 126/279] serial: 8250_dma: terminate correct DMA in tx_dma_flush() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 127/279] media: i2c: et8ek8: Dont strip remove function when driver is builtin Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 128/279] watch_queue: fix pipe accounting mismatch Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 129/279] x86/mm/pat: cpa-test: fix length for CPA_ARRAY test Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 130/279] cpufreq: scpi: compare kHz instead of Hz Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 131/279] cpufreq: governor: Fix negative idle_time handling in dbs_update() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 132/279] x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 133/279] x86/platform: Only allow CONFIG_EISA for 32-bit Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 134/279] PM: sleep: Adjust check before setting power.must_resume Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 135/279] selinux: Chain up tool resolving errors in install_policy.sh Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 136/279] EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 137/279] EDAC/ie31200: Fix the DIMM size mask for several SoCs Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 138/279] EDAC/ie31200: Fix the error path order of ie31200_init() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 139/279] thermal: int340x: Add NULL check for adev Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 140/279] PM: sleep: Fix handling devices with direct_complete set on errors Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 141/279] lockdep: Dont disable interrupts on RT in disable_irq_nosync_lockdep.*() Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 142/279] perf/ring_buffer: Allow the EPOLLRDNORM flag for poll Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 143/279] media: platform: allgro-dvt: unregister v4l2_device on the error path Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 144/279] HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 145/279] ALSA: hda/realtek: Always honor no_shutup_pins Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 146/279] ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 147/279] drm/bridge: ti-sn65dsi86: Fix multiple instances Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 148/279] drm/dp_mst: Fix drm RAD print Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 149/279] drm: xlnx: zynqmp: Fix max dma segment size Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 150/279] drm/vkms: Fix use after free and double free on init error Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 151/279] drm/mediatek: mtk_hdmi: Unregister audio platform device on failure Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 152/279] drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 153/279] PCI/ASPM: Fix link state exit during switch upstream function removal Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 154/279] PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 155/279] PCI: brcmstb: Use internal register to change link capability Greg Kroah-Hartman
2025-04-08 10:48 ` [PATCH 5.15 156/279] PCI/portdrv: Only disable pciehp interrupts early when needed Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 157/279] PCI: Avoid reset when disabled via sysfs Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 158/279] drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 159/279] PCI: Remove stray put_device() in pci_register_host_bridge() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 160/279] PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 161/279] drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 162/279] PCI: pciehp: Dont enable HPIE when resuming in poll mode Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 163/279] fbdev: au1100fb: Move a variable assignment behind a null pointer check Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 164/279] mdacon: rework dependency list Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 165/279] fbdev: sm501fb: Add some geometry checks Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 166/279] clk: amlogic: gxbb: drop incorrect flag on 32k clock Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 167/279] crypto: hisilicon/sec2 - fix for aead authsize alignment Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 168/279] remoteproc: core: Clear table_sz when rproc_shutdown Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 169/279] of: property: Increase NR_FWNODE_REFERENCE_ARGS Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 170/279] remoteproc: qcom_q6v5_pas: Make single-PD handling more robust Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 171/279] libbpf: Fix hypothetical STT_SECTION extern NULL deref case Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 172/279] clk: samsung: Fix UBSAN panic in samsung_clk_init() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 173/279] clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 174/279] bpf: Use preempt_count() directly in bpf_send_signal_common() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 175/279] lib: 842: Improve error handling in sw842_compress() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 176/279] pinctrl: renesas: rza2: Fix missing of_node_put() call Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 177/279] pinctrl: renesas: rzg2l: " Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 178/279] clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 179/279] RDMA/core: Dont expose hw_counters outside of init net namespace Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 180/279] remoteproc: qcom_q6v5_mss: Handle platforms with one power domain Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 181/279] IB/mad: Check available slots before posting receive WRs Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 182/279] pinctrl: tegra: Set SFIO mode to Mux Register Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 183/279] clk: amlogic: g12b: fix cluster A parent data Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 184/279] clk: amlogic: gxbb: drop non existing 32k clock parent Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 185/279] clk: amlogic: g12a: fix mmc A peripheral clock Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 186/279] x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 187/279] power: supply: max77693: Fix wrong conversion of charge input threshold value Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 188/279] crypto: nx - Fix uninitialised hv_nxc on error Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 189/279] RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 190/279] mfd: sm501: Switch to BIT() to mitigate integer overflows Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 191/279] x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 192/279] crypto: hisilicon/sec2 - fix for aead auth key length Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 193/279] clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 194/279] isofs: fix KMSAN uninit-value bug in do_isofs_readdir() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 195/279] soundwire: slave: fix an OF node reference leak in soundwire slave device Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 196/279] coresight: catu: Fix number of pages while using 64k pages Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 197/279] iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 198/279] fs/ntfs3: Fix a couple integer overflows on 32bit systems Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 199/279] iio: adc: ad7124: Fix comparison of channel configs Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 200/279] perf units: Fix insufficient array space Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 201/279] kexec: initialize ELF lowest address to ULONG_MAX Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 202/279] ocfs2: validate l_tree_depth to avoid out-of-bounds access Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 203/279] NFSv4: Dont trigger uneccessary scans for return-on-close delegations Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 204/279] fuse: fix dax truncate/punch_hole fault path Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 205/279] i3c: master: svc: Fix missing the IBI rules Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 206/279] perf python: Fixup description of sample.id event member Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 207/279] perf python: Decrement the refcount of just created event on failure Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 208/279] perf python: Dont keep a raw_data pointer to consumed ring buffer space Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 209/279] perf python: Check if there is space to copy all the event Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 210/279] fs/procfs: fix the comment above proc_pid_wchan() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 211/279] objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 212/279] exfat: fix the infinite loop in exfat_find_last_cluster() Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 213/279] rtnetlink: Allocate vfinfo size for VF GUIDs when supported Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 214/279] ksmbd: use aead_request_free to match aead_request_alloc Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 215/279] ksmbd: fix multichannel connection failure Greg Kroah-Hartman
2025-04-08 10:49 ` [PATCH 5.15 216/279] ring-buffer: Fix bytes_dropped calculation issue Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 217/279] ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 218/279] octeontx2-af: Fix mbox INTR handler when num VFs > 64 Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 219/279] octeontx2-af: Free NIX_AF_INT_VEC_GEN irq Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 220/279] sched/smt: Always inline sched_smt_active() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 221/279] wifi: iwlwifi: fw: allocate chained SG tables for dump Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 222/279] nvme-tcp: fix possible UAF in nvme_tcp_poll Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 223/279] nvme-pci: clean up CMBMSC when registering CMB fails Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 224/279] nvme-pci: skip CMB blocks incompatible with PCI P2P DMA Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 225/279] affs: generate OFS sequence numbers starting at 1 Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 226/279] affs: dont write overlarge OFS data block size fields Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 227/279] ksmbd: fix incorrect validation for num_aces field of smb_acl Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 228/279] sched/deadline: Use online cpus for validating runtime Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 229/279] locking/semaphore: Use wake_q to wake up processes outside lock critical section Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 230/279] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 231/279] drm/amd: Keep display off while going into S4 Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 232/279] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 233/279] can: statistics: use atomic access in hot path Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 234/279] hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 235/279] spufs: fix a leak on spufs_new_file() failure Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 236/279] spufs: fix a leak in spufs_create_context() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 237/279] riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 238/279] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 239/279] ntb: intel: Fix using link status DBs Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 240/279] ASoC: imx-card: Add NULL check in imx_card_probe() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 241/279] netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 242/279] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 243/279] net_sched: skbprio: Remove overly strict queue assertions Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 244/279] net: mvpp2: Prevent parser TCAM memory corruption Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 245/279] vsock: avoid timeout during connect() if the socket is closing Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 246/279] tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 247/279] netfilter: nft_tunnel: fix geneve_opt type confusion addition Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 248/279] ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 249/279] net: fix geneve_opt length integer overflow Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 250/279] arcnet: Add NULL check in com20020pci_probe() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 251/279] can: flexcan: only change CAN state when link up in system PM Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 252/279] can: flexcan: disable transceiver during " Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 253/279] mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0 Greg Kroah-Hartman
2025-04-08 16:02 ` Nathan Chancellor
2025-04-09 10:52 ` Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 254/279] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 255/279] tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 256/279] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 257/279] drm/amd/pm: Fix negative array index read Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 258/279] drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 259/279] usbnet:fix NPE during rx_complete Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 260/279] platform/x86: ISST: Correct command storage data length Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 261/279] ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 262/279] btrfs: handle errors from btrfs_dec_ref() properly Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 263/279] x86/tsc: Always save/restore TSC sched_clock() on suspend/resume Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 264/279] x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 265/279] acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 266/279] ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 267/279] mmc: sdhci-pxav3: set NEED_RSP_BUSY capability Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 268/279] tracing: Fix use-after-free in print_graph_function_flags during tracer switching Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 269/279] tracing: Ensure module defining synth event cannot be unloaded while tracing Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 270/279] tracing: Fix synth event printk format for str fields Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 271/279] tracing/osnoise: Fix possible recursive locking for cpus_read_lock() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 272/279] ext4: dont over-report free space or inodes in statvfs Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 273/279] ext4: fix OOB read when checking dotdot dir Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 274/279] jfs: fix slab-out-of-bounds read in ea_get() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 275/279] jfs: add index corruption check to DT_GETPAGE() Greg Kroah-Hartman
2025-04-08 10:50 ` [PATCH 5.15 276/279] nfsd: put dl_stid if fail to queue dl_recall Greg Kroah-Hartman
2025-04-08 10:51 ` [PATCH 5.15 277/279] NFSD: Skip sending CB_RECALL_ANY when the backchannel isnt up Greg Kroah-Hartman
2025-04-08 10:51 ` [PATCH 5.15 278/279] mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume Greg Kroah-Hartman
2025-04-08 10:51 ` [PATCH 5.15 279/279] mm, slab: remove duplicate kernel-doc comment for ksize() Greg Kroah-Hartman
2025-04-08 15:08 ` [PATCH 5.15 000/279] 5.15.180-rc1 review Mark Brown
2025-04-08 21:42 ` Florian Fainelli
2025-04-09 2:36 ` SeongJae Park
2025-04-09 6:26 ` Vijayendra Suman
2025-04-09 7:01 ` Ron Economos
2025-04-09 8:00 ` Jon Hunter
2025-04-09 10:53 ` Naresh Kamboju
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox