* [PATCH 6.1 000/291] 6.1.135-rc1 review
@ 2025-04-23 14:39 Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 001/291] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
` (298 more replies)
0 siblings, 299 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
This is the start of the stable review cycle for the 6.1.135 release.
There are 291 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.135-rc1
WangYuli <wangyuli@uniontech.com>
MIPS: ds1287: Match ds1287_set_base_clock() function types
WangYuli <wangyuli@uniontech.com>
MIPS: cevt-ds1287: Add missing ds1287.h include
WangYuli <wangyuli@uniontech.com>
MIPS: dec: Declare which_prom() as static
Jan Stancek <jstancek@redhat.com>
sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
Jan Stancek <jstancek@redhat.com>
sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
Jan Stancek <jstancek@redhat.com>
sign-file,extract-cert: move common SSL helper functions to a header
Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
mm: fix apply_to_existing_page_range()
Li Nan <linan122@huawei.com>
blk-iocost: do not WARN if iocg was already offlined
Yu Kuai <yukuai3@huawei.com>
blk-cgroup: support to track if policy is online
Xu Kuohai <xukuohai@huawei.com>
bpf: Prevent tail call between progs attached to different hooks
Andrii Nakryiko <andrii@kernel.org>
bpf: avoid holding freeze_mutex during mmap operation
Haisu Wang <haisuwang@tencent.com>
btrfs: fix the length of reserved qgroup to free
Jakub Kicinski <kuba@kernel.org>
net/sched: act_mirred: don't override retval if we already lost the skb
Paulo Alcantara <pc@cjr.nz>
cifs: use origin fullpath for automounts
ChenXiaoSong <chenxiaosong@kylinos.cn>
smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
WangYuli <wangyuli@uniontech.com>
nvmet-fc: Remove unused functions
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()"
Mickaël Salaün <mic@digikod.net>
landlock: Add the errata interface
Hersen Wu <hersenxs.wu@amd.com>
drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init"
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: zoned: fix zone finishing with missing devices
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: zoned: fix zone activation with missing devices
Boris Burkov <boris@bur.io>
btrfs: fix qgroup reserve leaks in cow_file_range
Yuli Wang <wangyuli@uniontech.com>
LoongArch: Eliminate superfluous get_numa_distances_cnt()
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
Ard Biesheuvel <ardb@kernel.org>
x86/pvh: Call C code via the kernel virtual mapping
Maksim Davydov <davydov-max@yandex-team.ru>
x86/split_lock: Fix the delayed detection logic
Alex Williamson <alex.williamson@redhat.com>
mm: Fix is_zero_page() usage in try_grab_page()
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: sockopt: fix getting freebind & transparent
Arnd Bergmann <arnd@arndb.de>
media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline
Nathan Chancellor <nathan@kernel.org>
kbuild: Add '-fno-builtin-wcslen'
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: Reference count policy in cpufreq_update_limits()
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Eagerly switch ZCR_EL{1,2}
Fuad Tabba <tabba@google.com>
KVM: arm64: Calculate cptr_el2 traps on activating traps
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Mark some header functions as inline
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Refactor exit handlers
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Remove host FPSIMD saving for non-protected KVM
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state
Mark Brown <broonie@kernel.org>
arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM
Mark Brown <broonie@kernel.org>
arm64/fpsimd: Have KVM explicitly say which FP registers to save
Mark Brown <broonie@kernel.org>
arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE
Mark Brown <broonie@kernel.org>
KVM: arm64: Discard any SVE state when entering KVM guests
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: fix accept multishot handling
Jani Nikula <jani.nikula@intel.com>
drm/i915/gvt: fix unterminated-string-initialization warning
Rolf Eike Beer <eb@emlix.com>
drm/sti: remove duplicate object names
Chris Bainbridge <chris.bainbridge@gmail.com>
drm/nouveau: prime: fix ttm_bo_delayed_delete oops
Matthew Auld <matthew.auld@intel.com>
drm/amdgpu/dma_buf: fix page_link check
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/smu11: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm/powerplay: Prevent division by zero
Denis Arefev <arefev@swemel.ru>
drm/amd/pm: Prevent division by zero
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Handle being compiled without SI or CIK support better
Akhil P Oommen <quic_akhilpo@quicinc.com>
drm/msm/a6xx: Fix stale rpmh votes from GPU
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
drm/repaper: fix integer overflows in repeat functions
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Allow to update user space GPRs from PEBS records
Sharath Srinivasan <sharath.srinivasan@oracle.com>
RDMA/cma: Fix workqueue crash in cma_netevent_work_handler
Peter Griffin <peter.griffin@linaro.org>
scsi: ufs: exynos: Ensure consistent phy reference counts
Chandrakanth Patil <chandrakanth.patil@broadcom.com>
scsi: megaraid_sas: Block zero-length ATA VPD inquiry
Xiangsheng Hou <xiangsheng.hou@mediatek.com>
virtiofs: add filesystem context source name check
Steven Rostedt <rostedt@goodmis.org>
tracing: Fix filter string testing
Peter Collingbourne <pcc@google.com>
string: Add load_unaligned_zeropad() code path to sized_strscpy()
Chunjie Zhu <chunjie.zhu@cloud.com>
smb3 client: fix open hardlink on deferred close file error
Nathan Chancellor <nathan@kernel.org>
riscv: Avoid fortify warning in syscall_get_arguments()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix the warning from __kernel_write_iter
Denis Arefev <arefev@swemel.ru>
ksmbd: Prevent integer overflow in calculation of deadtime
Sean Heelan <seanheelan@gmail.com>
ksmbd: Fix dangling pointer in krb_authenticate
Vishal Moola (Oracle) <vishal.moola@gmail.com>
mm: fix filemap_get_folios_contig returning batches of identical folios
Baoquan He <bhe@redhat.com>
mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable()
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
loop: LOOP_SET_FD: send uevents for partitions
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
loop: properly send KOBJ_CHANGED uevent for disk device
Edward Adam Davis <eadavis@qq.com>
isofs: Prevent the use of too small fid
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
i2c: cros-ec-tunnel: defer probe if parent EC is not present
Vasiliy Kovalev <kovalev@altlinux.org>
hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
Herbert Xu <herbert@gondor.apana.org.au>
crypto: caam/qi - Fix drv_ctx refcount bug
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: Avoid using inconsistent policy->min and policy->max
Johannes Kimmel <kernel@bareminimum.eu>
btrfs: correctly escape subvol in btrfs_show_options()
Li Lingfeng <lilingfeng3@huawei.com>
nfsd: decrease sc_count directly if fail to queue dl_recall
Eric Biggers <ebiggers@google.com>
nfs: add missing selections of CONFIG_CRC32
Jeff Layton <jlayton@kernel.org>
nfs: move nfs_fhandle_hash to common include file
Denis Arefev <arefev@swemel.ru>
asus-laptop: Fix an uninitialized variable
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate
Alex Williamson <alex.williamson@redhat.com>
Revert "PCI: Avoid reset when disabled via sysfs"
Andreas Gruenbacher <agruenba@redhat.com>
writeback: fix false warning in inode_to_wb()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
WangYuli <wangyuli@uniontech.com>
riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break
WangYuli <wangyuli@uniontech.com>
riscv: KGDB: Do not inline arch_kgdb_breakpoint()
Björn Töpel <bjorn@rivosinc.com>
riscv: Properly export reserved regions in /proc/iomem
Sagi Maimon <maimon.sagi@gmail.com>
ptp: ocp: fix start time alignment in ptp_ocp_signal_set
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered
Jonas Gorski <jonas.gorski@gmail.com>
net: bridge: switchdev: do not notify new brentries as changed
Jonas Gorski <jonas.gorski@gmail.com>
net: b53: enable BPDU reception for management port
Abdun Nihaal <abdun.nihaal@gmail.com>
cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
Ilya Maximets <i.maximets@ovn.org>
net: openvswitch: fix nested key length validation in the set() action
Matt Johnston <matt@codeconstruct.com.au>
net: mctp: Set SOCK_RCU_FREE
Matthew Wilcox (Oracle) <willy@infradead.org>
test suite: use %zu to print size_t
Christopher S M Hall <christopher.s.hall@intel.com>
igc: cleanup PTP module if probe fails
Christopher S M Hall <christopher.s.hall@intel.com>
igc: handle the IGC_PTP_ENABLED flag correctly
Christopher S M Hall <christopher.s.hall@intel.com>
igc: move ktime snapshot into PTM retry loop
Christopher S M Hall <christopher.s.hall@intel.com>
igc: fix PTM cycle trigger logic
Johannes Berg <johannes.berg@intel.com>
Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()"
Frédéric Danis <frederic.danis@collabora.com>
Bluetooth: l2cap: Check encryption key size on incoming connection
Dan Carpenter <dan.carpenter@linaro.org>
Bluetooth: btrtl: Prevent potential NULL dereference
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address
Shay Drory <shayd@nvidia.com>
RDMA/core: Silence oversized kvmalloc() warning
Chengchang Tang <tangchengchang@huawei.com>
RDMA/hns: Fix wrong maximum DMA segment size
Yue Haibing <yuehaibing@huawei.com>
RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
Zheng Qixing <zhengqixing@huawei.com>
md/md-bitmap: fix stats collection for external bitmaps
Yu Kuai <yukuai3@huawei.com>
md/raid10: fix missing discard IO accounting
Miaoqian Lin <linmq006@gmail.com>
scsi: iscsi: Fix missing scsi_host_put() in error path
Abdun Nihaal <abdun.nihaal@gmail.com>
wifi: wl1251: fix memory leak in wl1251_tx_work
Remi Pommarel <repk@triplefau.lt>
wifi: mac80211: Purge vif txq in ieee80211_do_stop()
Remi Pommarel <repk@triplefau.lt>
wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()
Abdun Nihaal <abdun.nihaal@gmail.com>
wifi: at76c50x: fix use after free access in at76_disconnect
Xingui Yang <yangxingui@huawei.com>
scsi: hisi_sas: Enable force phy when SATA disk directly connected
Kaixin Wang <kxwang23@m.fudan.edu.cn>
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Arseniy Krasnov <avkrasnov@salutedevices.com>
Bluetooth: hci_uart: Fix another race during initialization
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()
Nathan Chancellor <nathan@kernel.org>
ACPI: platform-profile: Fix CFI violation when accessing sysfs files
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists
Geliang Tang <tanggeliang@kylinos.cn>
selftests: mptcp: close fd_in before returning in main_loop
Stephan Gerhold <stephan.gerhold@linaro.org>
pinctrl: qcom: Clear latched interrupt status when changing IRQ type
Ma Ke <make24@iscas.ac.cn>
PCI: Fix reference leak in pci_alloc_child_bus()
Stanimir Varbanov <svarbanov@suse.de>
PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakages in of_irq_init()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakages in of_irq_count()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API of_irq_parse_raw()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API of_irq_parse_one()
Fedor Pchelkin <pchelkin@ispras.ru>
ntb: use 64-bit arithmetic for the MSI doorbell mask
Sean Christopherson <seanjc@google.com>
KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
Joshua Washington <joshwash@google.com>
gve: handle overflow when reporting TX consumed descriptors
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
gpio: zynq: Fix wakeup source leaks on device unbind
Guixin Liu <kanie@linux.alibaba.com>
gpio: tegra186: fix resource handling in ACPI probe path
zhoumin <teczm@foxmail.com>
ftrace: Add cond_resched() to ftrace_graph_set_hash()
Mikulas Patocka <mpatocka@redhat.com>
dm-verity: fix prefetch-vs-suspend race
Mikulas Patocka <mpatocka@redhat.com>
dm-integrity: set ti->error on memory allocation failure
Mikulas Patocka <mpatocka@redhat.com>
dm-ebs: fix prefetch-vs-suspend race
Tom Lendacky <thomas.lendacky@amd.com>
crypto: ccp - Fix check for the primary ASP device
Taniya Das <quic_tdas@quicinc.com>
clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
clk: qcom: gdsc: Release pm subdomains in reverse add order
Roman Smirnov <r.smirnov@omp.ru>
cifs: fix integer overflow in match_server()
Alexandra Diupina <adiupina@astralinux.ru>
cifs: avoid NULL pointer dereference in dbg call
Trevor Woerner <twoerner@gmail.com>
thermal/drivers/rockchip: Add missing rk3328 mapping entry
Ricardo Cañuelo Navarro <rcn@igalia.com>
sctp: detect and prevent references to a freed transport in sendmsg
Shuai Xue <xueshuai@linux.alibaba.com>
mm/hwpoison: do not send SIGBUS to processes with recovered clean pages
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock
David Hildenbrand <david@redhat.com>
mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
Ryan Roberts <ryan.roberts@arm.com>
sparc/mm: disable preemption in lazy mmu mode
Filipe Manana <fdmanana@suse.com>
btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
Zhenhua Huang <quic_zhenhuah@quicinc.com>
arm64: mm: Correct the update of max_pfn
Wentao Liang <vulab@iscas.ac.cn>
mtd: rawnand: Add status chack in r852_ready()
Wentao Liang <vulab@iscas.ac.cn>
mtd: inftlcore: Add error check for inftl_read_oob()
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: only inc MPJoinAckHMacFailure for HMAC failures
Gang Yan <yangang@kylinos.cn>
mptcp: fix NULL pointer in can_accept_new_subflow
T Pratham <t-pratham@ti.com>
lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
Boqun Feng <boqun.feng@gmail.com>
locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
Chenyuan Yang <chenyuan0y@gmail.com>
mfd: ene-kb3930: Fix a potential NULL pointer dereference
Jan Kara <jack@suse.cz>
jbd2: remove wrong sb->s_sequence check
Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
i3c: Add NULL pointer check in i3c_master_queue_ibi()
Stanley Chu <yschu@nuvoton.com>
i3c: master: svc: Use readsb helper for reading MDB
Steve French <stfrench@microsoft.com>
smb311 client: fix missing tcon check when mounting with linux/posix extensions
Chenyuan Yang <chenyuan0y@gmail.com>
soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
Si-Wei Liu <si-wei.liu@oracle.com>
vdpa/mlx5: Fix oversized null mkey longer than 32bit
Artem Sadovnikov <a.sadovnikov@ispras.ru>
ext4: fix off-by-one error in do_split
Jeff Hugo <quic_jhugo@quicinc.com>
bus: mhi: host: Fix race between unprepare and queue_buf
Alexey Klimov <alexey.klimov@linaro.org>
ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: reject zero sized provided buffers
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
wifi: mac80211: fix integer overflow in hwmp_route_info_get()
Haoxiang Li <haoxiang_li2024@163.com>
wifi: mt76: Add check for devm_kstrdup()
Alexandre Torgue <alexandre.torgue@foss.st.com>
clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
Jiasheng Jiang <jiashengjiangcool@gmail.com>
mtd: Replace kcalloc() with devm_kcalloc()
Marek Behún <kabel@kernel.org>
net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
Jiasheng Jiang <jiashengjiangcool@gmail.com>
mtd: Add check for devm_kcalloc()
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: sockopt: fix getting IPV6_V6ONLY
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi_parser: refactor hfi packet parsing logic
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi_parser: add check to avoid out of bound access
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ov7251: Set enable GPIO low in probe
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ccs: Set the device's runtime PM status correctly in probe
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ccs: Set the device's runtime PM status correctly in remove
Karina Yankevich <k.yankevich@omp.ru>
media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
media: platform: stm32: Add check for clk_enable()
Murad Masimov <m.masimov@mt-integration.ru>
media: streamzap: prevent processing IR data on URB failure
Jonathan McDowell <noodles@meta.com>
tpm, tpm_tis: Fix timeout handling when waiting for TPM status
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: brcmnand: fix PM resume warning
Miquel Raynal <miquel.raynal@bootlin.com>
spi: cadence-qspi: Fix probe on AM62A LP SK
Will Deacon <will@kernel.org>
KVM: arm64: Tear down vGIC on failed vCPU creation
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
Douglas Anderson <dianders@chromium.org>
arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
Douglas Anderson <dianders@chromium.org>
arm64: cputype: Add MIDR_CORTEX_A76AE
Jan Beulich <jbeulich@suse.com>
xenfs/xensyms: respect hypervisor's "next" indication
Yuan Can <yuancan@huawei.com>
media: siano: Fix error handling in smsdvb_module_init()
Matthew Majewski <mattwmajewski@gmail.com>
media: vim2m: print device name after registering device
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi: add check to handle incorrect queue size
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi: add a check to handle OOB in sfr region
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: i2c: adv748x: Fix test pattern selection mask
Jann Horn <jannh@google.com>
ext4: don't treat fhandle lookup of ea_inode as FS corruption
Willem de Bruijn <willemb@google.com>
bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: fsl-ftm: Handle clk_get_rate() returning 0
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: rcar: Improve register calculation
Josh Poimboeuf <jpoimboe@kernel.org>
pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
Jonathan McDowell <noodles@meta.com>
tpm, tpm_tis: Workaround failed command reception on Infineon devices
Ayush Jain <Ayush.jain3@amd.com>
ktest: Fix Test Failures Due to Missing LOG_FILE Directories
Leonid Arapov <arapovl839@gmail.com>
fbdev: omapfb: Add 'plane' value check
Christian König <christian.koenig@amd.com>
drm/amdgpu: grab an additional reference on the gang fence v2
Ryo Takakura <ryotkkr98@gmail.com>
PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
Wentao Liang <vulab@iscas.ac.cn>
drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Fix mode1 reset crash issue
David Yat Sin <David.YatSin@amd.com>
drm/amdkfd: clamp queue size to minimum
Lucas De Marchi <lucas.demarchi@intel.com>
drivers: base: devres: Allow to release group on device release
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: panel: forbid initializing a panel with unknown connector type
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel)
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add new quirk for GPD Win 2
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add quirk for AYA NEO Slide
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add support for AYANEO 2S
Zhikai Zhai <zhikai.zhai@amd.com>
drm/amd/display: Update Cursor request mode to the beginning prefetch always
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm: allow encoder mode_set even when connectors change for crtc
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Bluetooth: qca: simplify WCN399x NVM loading
Arseniy Krasnov <avkrasnov@salutedevices.com>
Bluetooth: hci_uart: fix race during initialization
Gabriele Paoloni <gpaoloni@redhat.com>
tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER
Stanislav Fomichev <sdf@fomichev.me>
net: vlan: don't propagate flags on open
Icenowy Zheng <uwu@icenowy.me>
wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
Kai Mäkisara <Kai.Makisara@kolumbus.fi>
scsi: st: Fix array overflow in st_setup()
Bhupesh <bhupesh@igalia.com>
ext4: ignore xattrs past end
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: protect ext4_release_dquot against freezing
Daniel Kral <d.kral@proxmox.com>
ahci: add PCI ID for Marvell 88SE9215 SATA Controller
Chao Yu <chao@kernel.org>
f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
Niklas Cassel <cassel@kernel.org>
ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
Edward Adam Davis <eadavis@qq.com>
jfs: add sanity check for agwidth in dbMount
Edward Adam Davis <eadavis@qq.com>
jfs: Prevent copying of nlink with value 0 from disk inode
Rand Deeb <rand.sec96@gmail.com>
fs/jfs: Prevent integer overflow in AG size calculation
Rand Deeb <rand.sec96@gmail.com>
fs/jfs: cast inactags to s64 to prevent potential overflow
Zhongqiu Han <quic_zhonhan@quicinc.com>
jfs: Fix uninit-value access of imap allocated in the diMount() function
Jason Xing <kerneljasonxing@gmail.com>
page_pool: avoid infinite loop to schedule delayed worker
Chao Yu <chao@kernel.org>
f2fs: don't retry IO for corrupted data scenario
keenplify <keenplify@gmail.com>
ASoC: amd: Add DMI quirk for ACP6X mic support
Ricard Wanderlof <ricard2013@butoba.net>
ALSA: usb-audio: Fix CME quirk for UF series keyboards
Kaustabh Chakraborty <kauschluss@disroot.org>
mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_audmix: register card device depends on 'dais' property
Maxim Mikityanskiy <maxtram95@gmail.com>
ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist
Maxim Mikityanskiy <maxtram95@gmail.com>
ALSA: hda: intel: Fix Optimus when GPU has no sound
Tomasz Pakuła <forest10pl@gmail.com>
HID: pidff: Fix null pointer dereference in pidff_find_fields
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Do not send effect envelope if it's empty
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Convert infinite length from Linux API to PID standard
Kees Cook <kees@kernel.org>
xen/mcelog: Add __nonstring annotations for unterminated strings
Douglas Anderson <dianders@chromium.org>
arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
Mark Rutland <mark.rutland@arm.com>
perf: arm_pmu: Don't disable counter in armpmu_add()
Max Grobecker <max@grobecker.info>
x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine
Zhongqiu Han <quic_zhonhan@quicinc.com>
pm: cpupower: bench: Prevent NULL dereference on malloc failure
Trond Myklebust <trond.myklebust@hammerspace.com>
umount: Allow superblock owners to force umount
Mateusz Guzik <mjguzik@gmail.com>
fs: consistently deref the files table with rcu_dereference_raw()
Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group
Florian Westphal <fw@strlen.de>
nft_set_pipapo: fix incorrect avx2 match of 5th field octet
Arnaud Lecomte <contact@arnaud-lcm.com>
net: ppp: Add bound checking for skb data on ppp_sync_txmung
Ido Schimmel <idosch@nvidia.com>
ipv6: Align behavior across nexthops during path selection
Octavian Purdila <tavip@google.com>
net_sched: sch_sfq: move the limit validation
Octavian Purdila <tavip@google.com>
net_sched: sch_sfq: use a temporary work area for validating configuration
Daniel Wagner <wagi@kernel.org>
nvmet-fcloop: swap list_add_tail arguments
Wentao Liang <vulab@iscas.ac.cn>
ata: sata_sx4: Add error handling in pdc20621_i2c_read()
Maxime Chevallier <maxime.chevallier@bootlin.com>
net: ethtool: Don't call .cleanup_data when prepare_data fails
Toke Høiland-Jørgensen <toke@redhat.com>
tc: Ensure we have enough buffer space when sending filter netlink notifications
Pedro Tammela <pctammela@mojatatu.com>
net/sched: cls_api: conditional notification of events
Victor Nogueira <victor@mojatatu.com>
rtnl: add helper to check if a notification is needed
Jamal Hadi Salim <jhs@mojatatu.com>
rtnl: add helper to check if rtnl group has listeners
Jakub Kicinski <kuba@kernel.org>
net: tls: explicitly disallow disconnect
Cong Wang <xiyou.wangcong@gmail.com>
codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
Tung Nguyen <tung.quang.nguyen@est.tech>
tipc: fix memory leak in tipc_link_xmit
Henry Martin <bsdhenrymartin@gmail.com>
ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
Edward Liaw <edliaw@google.com>
selftests/futex: futex_waitv wouldblock test should fail
-------------
Diffstat:
MAINTAINERS | 1 +
Makefile | 7 +-
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +-
arch/arm64/include/asm/cputype.h | 4 +
arch/arm64/include/asm/fpsimd.h | 4 +-
arch/arm64/include/asm/kvm_host.h | 19 +-
arch/arm64/include/asm/kvm_hyp.h | 1 +
arch/arm64/include/asm/processor.h | 7 +
arch/arm64/include/asm/spectre.h | 1 -
arch/arm64/kernel/fpsimd.c | 69 +++++--
arch/arm64/kernel/process.c | 2 +
arch/arm64/kernel/proton-pack.c | 208 +++++++++++----------
arch/arm64/kernel/ptrace.c | 3 +
arch/arm64/kernel/signal.c | 7 +-
arch/arm64/kvm/arm.c | 7 +-
arch/arm64/kvm/fpsimd.c | 92 +++------
arch/arm64/kvm/hyp/entry.S | 5 +
arch/arm64/kvm/hyp/include/hyp/switch.h | 106 +++++++----
arch/arm64/kvm/hyp/nvhe/hyp-main.c | 8 +-
arch/arm64/kvm/hyp/nvhe/pkvm.c | 17 +-
arch/arm64/kvm/hyp/nvhe/switch.c | 91 +++++----
arch/arm64/kvm/hyp/vhe/switch.c | 12 +-
arch/arm64/kvm/reset.c | 3 +
arch/arm64/mm/mmu.c | 3 +-
arch/loongarch/kernel/acpi.c | 12 --
arch/loongarch/net/bpf_jit.c | 2 -
arch/loongarch/net/bpf_jit.h | 5 -
arch/mips/dec/prom/init.c | 2 +-
arch/mips/include/asm/ds1287.h | 2 +-
arch/mips/kernel/cevt-ds1287.c | 1 +
arch/powerpc/kernel/rtas.c | 4 +
arch/riscv/include/asm/kgdb.h | 9 +-
arch/riscv/include/asm/syscall.h | 7 +-
arch/riscv/kernel/kgdb.c | 6 +
arch/riscv/kernel/setup.c | 36 +++-
arch/sparc/mm/tlb.c | 5 +-
arch/x86/events/intel/ds.c | 8 +-
arch/x86/events/intel/uncore_snbep.c | 107 +----------
arch/x86/kernel/cpu/amd.c | 2 +-
arch/x86/kernel/cpu/intel.c | 20 +-
arch/x86/kernel/e820.c | 17 +-
arch/x86/kvm/x86.c | 4 +
arch/x86/platform/pvh/head.S | 7 +-
block/blk-cgroup.c | 24 ++-
block/blk-cgroup.h | 1 +
block/blk-iocost.c | 7 +-
certs/Makefile | 2 +-
certs/extract-cert.c | 138 +++++++-------
drivers/acpi/platform_profile.c | 20 +-
drivers/ata/ahci.c | 2 +
drivers/ata/libata-eh.c | 11 +-
drivers/ata/pata_pxa.c | 6 +
drivers/ata/sata_sx4.c | 13 +-
drivers/base/devres.c | 7 +
drivers/block/loop.c | 7 +-
drivers/bluetooth/btqca.c | 13 +-
drivers/bluetooth/btrtl.c | 2 +
drivers/bluetooth/hci_ldisc.c | 19 +-
drivers/bluetooth/hci_uart.h | 1 +
drivers/bus/mhi/host/main.c | 16 +-
drivers/char/tpm/tpm_tis_core.c | 20 +-
drivers/char/tpm/tpm_tis_core.h | 1 +
drivers/clk/qcom/gdsc.c | 61 +++---
drivers/clocksource/timer-stm32-lp.c | 4 +-
drivers/cpufreq/cpufreq.c | 40 +++-
drivers/crypto/caam/qi.c | 6 +-
drivers/crypto/ccp/sp-pci.c | 15 +-
drivers/gpio/gpio-tegra186.c | 25 +--
drivers/gpio/gpio-zynq.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +++--
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 +
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 ++
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +-
.../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 +--
drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 +-
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 +
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +-
.../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +-
.../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +-
drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 +
drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 +-
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 +-
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
drivers/gpu/drm/drm_panel.c | 5 +-
drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 ++++-
drivers/gpu/drm/i915/gvt/opregion.c | 7 +-
drivers/gpu/drm/mediatek/mtk_dpi.c | 23 ++-
drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 82 ++++----
drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +
drivers/gpu/drm/nouveau/nouveau_gem.c | 3 -
drivers/gpu/drm/sti/Makefile | 2 -
drivers/gpu/drm/tiny/repaper.c | 4 +-
drivers/hid/usbhid/hid-pidff.c | 60 ++++--
drivers/hsi/clients/ssi_protocol.c | 1 +
drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +
drivers/i3c/master.c | 3 +
drivers/i3c/master/svc-i3c-master.c | 2 +-
drivers/infiniband/core/cma.c | 4 +-
drivers/infiniband/core/umem_odp.c | 6 +-
drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +-
drivers/iommu/mtk_iommu.c | 26 +--
drivers/md/dm-ebs-target.c | 7 +
drivers/md/dm-integrity.c | 3 +
drivers/md/dm-verity-target.c | 8 +
drivers/md/md-bitmap.c | 5 +-
drivers/md/raid10.c | 1 +
drivers/media/common/siano/smsdvb-main.c | 2 +
drivers/media/i2c/adv748x/adv748x.h | 2 +-
drivers/media/i2c/ccs/ccs-core.c | 6 +-
drivers/media/i2c/ov7251.c | 4 +-
.../mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c | 3 +-
drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++++++---
drivers/media/platform/qcom/venus/hfi_venus.c | 18 +-
drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +-
drivers/media/rc/streamzap.c | 68 ++++---
drivers/media/test-drivers/vim2m.c | 6 +-
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +-
drivers/mfd/ene-kb3930.c | 2 +-
drivers/misc/pci_endpoint_test.c | 6 +-
drivers/mmc/host/dw_mmc.c | 94 +++++++++-
drivers/mmc/host/dw_mmc.h | 27 +++
drivers/mtd/inftlcore.c | 9 +-
drivers/mtd/mtdpstore.c | 12 +-
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
drivers/mtd/nand/raw/r852.c | 3 +
drivers/net/dsa/b53/b53_common.c | 10 +
drivers/net/dsa/mv88e6xxx/chip.c | 30 ++-
drivers/net/dsa/mv88e6xxx/devlink.c | 3 +-
drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 +
drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +-
drivers/net/ethernet/intel/igc/igc_defines.h | 1 +
drivers/net/ethernet/intel/igc/igc_main.c | 1 +
drivers/net/ethernet/intel/igc/igc_ptp.c | 93 +++++----
drivers/net/ppp/ppp_synctty.c | 5 +
drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
drivers/net/wireless/mediatek/mt76/eeprom.c | 4 +
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
drivers/net/wireless/ti/wl1251/tx.c | 4 +-
drivers/ntb/ntb_transport.c | 2 +-
drivers/nvme/target/fc.c | 14 --
drivers/nvme/target/fcloop.c | 2 +-
drivers/of/irq.c | 78 ++++----
drivers/pci/controller/pcie-brcmstb.c | 13 +-
drivers/pci/controller/vmd.c | 12 +-
drivers/pci/pci.c | 4 -
drivers/pci/probe.c | 5 +-
drivers/perf/arm_pmu.c | 8 +-
drivers/pinctrl/qcom/pinctrl-msm.c | 12 +-
drivers/platform/x86/asus-laptop.c | 9 +-
drivers/ptp/ptp_ocp.c | 1 +
drivers/pwm/pwm-fsl-ftm.c | 6 +
drivers/pwm/pwm-mediatek.c | 8 +-
drivers/pwm/pwm-rcar.c | 24 +--
drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 +-
drivers/scsi/megaraid/megaraid_sas_base.c | 9 +-
drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 +-
drivers/scsi/scsi_transport_iscsi.c | 7 +-
drivers/scsi/st.c | 2 +-
drivers/soc/samsung/exynos-chipid.c | 2 +
drivers/spi/spi-cadence-quadspi.c | 6 +
drivers/thermal/rockchip_thermal.c | 1 +
drivers/ufs/host/ufs-exynos.c | 6 +
drivers/vdpa/mlx5/core/mr.c | 7 +-
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +-
drivers/xen/swiotlb-xen.c | 2 +-
drivers/xen/xenfs/xensyms.c | 4 +-
fs/Kconfig | 1 +
fs/btrfs/disk-io.c | 12 ++
fs/btrfs/inode.c | 6 +-
fs/btrfs/super.c | 3 +-
fs/btrfs/zoned.c | 6 +
fs/ext4/inode.c | 68 +++++--
fs/ext4/namei.c | 2 +-
fs/ext4/super.c | 17 ++
fs/ext4/xattr.c | 11 +-
fs/f2fs/inode.c | 4 +
fs/f2fs/node.c | 9 +-
fs/file.c | 26 ++-
fs/fuse/virtio_fs.c | 3 +
fs/hfs/bnode.c | 6 +
fs/hfsplus/bnode.c | 6 +
fs/isofs/export.c | 2 +-
fs/jbd2/journal.c | 1 -
fs/jfs/jfs_dmap.c | 10 +-
fs/jfs/jfs_imap.c | 4 +-
fs/namespace.c | 3 +-
fs/nfs/Kconfig | 2 +-
fs/nfs/internal.h | 22 ---
fs/nfs/nfs4session.h | 4 -
fs/nfsd/Kconfig | 1 +
fs/nfsd/nfs4state.c | 2 +-
fs/nfsd/nfsfh.h | 7 -
fs/smb/client/cifs_dfs_ref.c | 34 +++-
fs/smb/client/cifsproto.h | 23 +++
fs/smb/client/connect.c | 2 +
fs/smb/client/dir.c | 21 ++-
fs/smb/client/file.c | 28 +++
fs/smb/client/fs_context.c | 5 +
fs/smb/client/smb2misc.c | 9 +-
fs/smb/server/oplock.c | 2 +-
fs/smb/server/smb2pdu.c | 6 +-
fs/smb/server/transport_ipc.c | 7 +-
fs/smb/server/vfs.c | 3 +-
include/linux/backing-dev.h | 1 +
include/linux/bpf.h | 1 +
include/linux/nfs.h | 13 ++
include/linux/rtnetlink.h | 22 +++
include/linux/tpm.h | 1 +
include/net/sctp/structs.h | 3 +-
include/uapi/linux/kfd_ioctl.h | 2 +
include/uapi/linux/landlock.h | 2 +
include/xen/interface/xen-mca.h | 2 +-
io_uring/kbuf.c | 2 +
io_uring/net.c | 2 +
kernel/bpf/core.c | 19 +-
kernel/bpf/syscall.c | 17 +-
kernel/locking/lockdep.c | 3 +
kernel/sched/cpufreq_schedutil.c | 18 +-
kernel/trace/ftrace.c | 1 +
kernel/trace/trace_events.c | 4 +-
kernel/trace/trace_events_filter.c | 4 +-
lib/sg_split.c | 2 -
lib/string.c | 13 +-
mm/filemap.c | 1 +
mm/gup.c | 6 +-
mm/memory-failure.c | 11 +-
mm/memory.c | 4 +-
mm/rmap.c | 2 +-
mm/vmscan.c | 2 +-
net/8021q/vlan_dev.c | 31 +--
net/bluetooth/hci_event.c | 5 +-
net/bluetooth/l2cap_core.c | 3 +-
net/bridge/br_vlan.c | 4 +-
net/core/filter.c | 80 ++++----
net/core/page_pool.c | 8 +-
net/dsa/tag_8021q.c | 2 +-
net/ethtool/netlink.c | 8 +-
net/ipv6/route.c | 8 +-
net/mac80211/iface.c | 3 +
net/mac80211/mesh_hwmp.c | 14 +-
net/mctp/af_mctp.c | 3 +
net/mptcp/sockopt.c | 28 +++
net/mptcp/subflow.c | 19 +-
net/netfilter/nft_set_pipapo_avx2.c | 3 +-
net/openvswitch/flow_netlink.c | 3 +-
net/sched/act_mirred.c | 20 +-
net/sched/cls_api.c | 74 ++++++--
net/sched/sch_codel.c | 5 +-
net/sched/sch_fq_codel.c | 6 +-
net/sched/sch_sfq.c | 66 +++++--
net/sctp/socket.c | 22 ++-
net/sctp/transport.c | 2 +
net/tipc/link.c | 1 +
net/tls/tls_main.c | 6 +
scripts/sign-file.c | 132 ++++++-------
scripts/ssl-common.h | 32 ++++
security/landlock/errata.h | 87 +++++++++
security/landlock/setup.c | 30 +++
security/landlock/setup.h | 3 +
security/landlock/syscalls.c | 22 ++-
sound/pci/hda/hda_intel.c | 44 ++++-
sound/soc/amd/yc/acp6x-mach.c | 7 +
sound/soc/codecs/lpass-wsa-macro.c | 139 +++++++++-----
sound/soc/fsl/fsl_audmix.c | 16 +-
sound/soc/qcom/qdsp6/q6apm-dai.c | 9 +-
sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +-
sound/usb/midi.c | 80 +++++++-
tools/power/cpupower/bench/parse.c | 4 +
tools/testing/ktest/ktest.pl | 8 +
tools/testing/radix-tree/linux.c | 4 +-
.../futex/functional/futex_wait_wouldblock.c | 2 +-
tools/testing/selftests/landlock/base_test.c | 46 ++++-
tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +-
278 files changed, 2913 insertions(+), 1414 deletions(-)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 001/291] selftests/futex: futex_waitv wouldblock test should fail
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 002/291] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
` (297 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Liaw, Thomas Gleixner,
André Almeida, Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Liaw <edliaw@google.com>
[ Upstream commit 7d50e00fef2832e98d7e06bbfc85c1d66ee110ca ]
Testcase should fail if -EWOULDBLOCK is not returned when expected value
differs from actual value from the waiter.
Link: https://lore.kernel.org/r/20250404221225.1596324-1-edliaw@google.com
Fixes: 9d57f7c79748920636f8293d2f01192d702fe390 ("selftests: futex: Test sys_futex_waitv() wouldblock")
Signed-off-by: Edward Liaw <edliaw@google.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/futex/functional/futex_wait_wouldblock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
index 7d7a6a06cdb75..2d8230da90642 100644
--- a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
+++ b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
@@ -98,7 +98,7 @@ int main(int argc, char *argv[])
info("Calling futex_waitv on f1: %u @ %p with val=%u\n", f1, &f1, f1+1);
res = futex_waitv(&waitv, 1, 0, &to, CLOCK_MONOTONIC);
if (!res || errno != EWOULDBLOCK) {
- ksft_test_result_pass("futex_waitv returned: %d %s\n",
+ ksft_test_result_fail("futex_waitv returned: %d %s\n",
res ? errno : res,
res ? strerror(errno) : "");
ret = RET_FAIL;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 002/291] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 001/291] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 003/291] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
` (296 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Damien Le Moal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit ad320e408a8c95a282ab9c05cdf0c9b95e317985 ]
devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does
not check for this case, which can result in a NULL pointer dereference.
Add NULL check after devm_ioremap() to prevent this issue.
Fixes: 2dc6c6f15da9 ("[ARM] pata_pxa: DMA-capable PATA driver")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/pata_pxa.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
index 985f42c4fd700..9113b74b2b67d 100644
--- a/drivers/ata/pata_pxa.c
+++ b/drivers/ata/pata_pxa.c
@@ -223,10 +223,16 @@ static int pxa_ata_probe(struct platform_device *pdev)
ap->ioaddr.cmd_addr = devm_ioremap(&pdev->dev, cmd_res->start,
resource_size(cmd_res));
+ if (!ap->ioaddr.cmd_addr)
+ return -ENOMEM;
ap->ioaddr.ctl_addr = devm_ioremap(&pdev->dev, ctl_res->start,
resource_size(ctl_res));
+ if (!ap->ioaddr.ctl_addr)
+ return -ENOMEM;
ap->ioaddr.bmdma_addr = devm_ioremap(&pdev->dev, dma_res->start,
resource_size(dma_res));
+ if (!ap->ioaddr.bmdma_addr)
+ return -ENOMEM;
/*
* Adjust register offsets
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 003/291] tipc: fix memory leak in tipc_link_xmit
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 001/291] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 002/291] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 004/291] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
` (295 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tung Nguyen, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tung Nguyen <tung.quang.nguyen@est.tech>
[ Upstream commit 69ae94725f4fc9e75219d2d69022029c5b24bc9a ]
In case the backlog transmit queue for system-importance messages is overloaded,
tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to
memory leak and failure when a skb is allocated.
This commit fixes this issue by purging the skb list before tipc_link_xmit()
returns.
Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
Signed-off-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250403092431.514063-1-tung.quang.nguyen@est.tech
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/link.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 8715c9b05f90d..d6a8f0aa531bd 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1068,6 +1068,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) {
if (imp == TIPC_SYSTEM_IMPORTANCE) {
pr_warn("%s<%s>, link overflow", link_rst_msg, l->name);
+ __skb_queue_purge(list);
return -ENOBUFS;
}
rc = link_schedule_user(l, hdr);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 004/291] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 003/291] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 005/291] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
` (294 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 342debc12183b51773b3345ba267e9263bdfaaef ]
After making all ->qlen_notify() callbacks idempotent, now it is safe to
remove the check of qlen!=0 from both fq_codel_dequeue() and
codel_qdisc_dequeue().
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_codel.c | 5 +----
net/sched/sch_fq_codel.c | 6 ++----
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index d7a4874543de5..5f2e068157456 100644
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -95,10 +95,7 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch)
&q->stats, qdisc_pkt_len, codel_get_enqueue_time,
drop_func, dequeue_func);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->stats.drop_count && sch->q.qlen) {
+ if (q->stats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
q->stats.drop_count = 0;
q->stats.drop_len = 0;
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 8c4fee0634366..9330923a624c0 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -314,10 +314,8 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch)
}
qdisc_bstats_update(sch, skb);
flow->deficit -= qdisc_pkt_len(skb);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->cstats.drop_count && sch->q.qlen) {
+
+ if (q->cstats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
q->cstats.drop_len);
q->cstats.drop_count = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 005/291] net: tls: explicitly disallow disconnect
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 004/291] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 006/291] rtnl: add helper to check if rtnl group has listeners Greg Kroah-Hartman
` (293 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b4cd76826045a1eb93c1,
Jakub Kicinski, Eric Dumazet, Sabrina Dubroca, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 ]
syzbot discovered that it can disconnect a TLS socket and then
run into all sort of unexpected corner cases. I have a vague
recollection of Eric pointing this out to us a long time ago.
Supporting disconnect is really hard, for one thing if offload
is enabled we'd need to wait for all packets to be _acked_.
Disconnect is not commonly used, disallow it.
The immediate problem syzbot run into is the warning in the strp,
but that's just the easiest bug to trigger:
WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
Call Trace:
<TASK>
tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
sock_recvmsg_nosec net/socket.c:1023 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1045
__sys_recvfrom+0x202/0x380 net/socket.c:2237
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Reported-by: syzbot+b4cd76826045a1eb93c1@syzkaller.appspotmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20250404180334.3224206-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 75cd20c0e3fdb..14d01558311d2 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -900,6 +900,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
return do_tls_setsockopt(sk, optname, optval, optlen);
}
+static int tls_disconnect(struct sock *sk, int flags)
+{
+ return -EOPNOTSUPP;
+}
+
struct tls_context *tls_ctx_create(struct sock *sk)
{
struct inet_connection_sock *icsk = inet_csk(sk);
@@ -995,6 +1000,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
prot[TLS_BASE][TLS_BASE] = *base;
prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
+ prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect;
prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 006/291] rtnl: add helper to check if rtnl group has listeners
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 005/291] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 007/291] rtnl: add helper to check if a notification is needed Greg Kroah-Hartman
` (292 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Simon Horman,
Jamal Hadi Salim, Victor Nogueira, Pedro Tammela, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit c5e2a973448d958feb7881e4d875eac59fdeff3d ]
As of today, rtnl code creates a new skb and unconditionally fills and
broadcasts it to the relevant group. For most operations this is okay
and doesn't waste resources in general.
When operations are done without the rtnl_lock, as in tc-flower, such
skb allocation, message fill and no-op broadcasting can happen in all
cores of the system, which contributes to system pressure and wastes
precious cpu cycles when no one will receive the built message.
Introduce this helper so rtnetlink operations can simply check if someone
is listening and then proceed if necessary.
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20231208192847.714940-2-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 369609fc6272 ("tc: Ensure we have enough buffer space when sending filter netlink notifications")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/rtnetlink.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
index ae2c6a3cec5db..ad5f15d369235 100644
--- a/include/linux/rtnetlink.h
+++ b/include/linux/rtnetlink.h
@@ -138,4 +138,11 @@ extern int ndo_dflt_bridge_getlink(struct sk_buff *skb, u32 pid, u32 seq,
extern void rtnl_offload_xstats_notify(struct net_device *dev);
+static inline int rtnl_has_listeners(const struct net *net, u32 group)
+{
+ struct sock *rtnl = net->rtnl;
+
+ return netlink_has_listeners(rtnl, group);
+}
+
#endif /* __LINUX_RTNETLINK_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 007/291] rtnl: add helper to check if a notification is needed
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 006/291] rtnl: add helper to check if rtnl group has listeners Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 008/291] net/sched: cls_api: conditional notification of events Greg Kroah-Hartman
` (291 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Simon Horman,
Victor Nogueira, Pedro Tammela, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
[ Upstream commit 8439109b76a3c405808383bf9dd532fc4b9c2dbd ]
Building on the rtnl_has_listeners helper, add the rtnl_notify_needed
helper to check if we can bail out early in the notification routines.
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20231208192847.714940-3-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 369609fc6272 ("tc: Ensure we have enough buffer space when sending filter netlink notifications")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/rtnetlink.h | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
index ad5f15d369235..f532d1eda761c 100644
--- a/include/linux/rtnetlink.h
+++ b/include/linux/rtnetlink.h
@@ -145,4 +145,19 @@ static inline int rtnl_has_listeners(const struct net *net, u32 group)
return netlink_has_listeners(rtnl, group);
}
+/**
+ * rtnl_notify_needed - check if notification is needed
+ * @net: Pointer to the net namespace
+ * @nlflags: netlink ingress message flags
+ * @group: rtnl group
+ *
+ * Based on the ingress message flags and rtnl group, returns true
+ * if a notification is needed, false otherwise.
+ */
+static inline bool
+rtnl_notify_needed(const struct net *net, u16 nlflags, u32 group)
+{
+ return (nlflags & NLM_F_ECHO) || rtnl_has_listeners(net, group);
+}
+
#endif /* __LINUX_RTNETLINK_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 008/291] net/sched: cls_api: conditional notification of events
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 007/291] rtnl: add helper to check if a notification is needed Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 009/291] tc: Ensure we have enough buffer space when sending filter netlink notifications Greg Kroah-Hartman
` (290 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Simon Horman,
Pedro Tammela, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit 93775590b1ee98bf2976b1f4a1ed24e9ff76170f ]
As of today tc-filter/chain events are unconditionally built and sent to
RTNLGRP_TC. As with the introduction of rtnl_notify_needed we can check
before-hand if they are really needed. This will help to alleviate
system pressure when filters are concurrently added without the rtnl
lock as in tc-flower.
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20231208192847.714940-8-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 369609fc6272 ("tc: Ensure we have enough buffer space when sending filter netlink notifications")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_api.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 445ab1b0537da..2b44b82877f5a 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1885,6 +1885,9 @@ static int tfilter_notify(struct net *net, struct sk_buff *oskb,
u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
int err = 0;
+ if (!unicast && !rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
+ return 0;
+
skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
if (!skb)
return -ENOBUFS;
@@ -1914,6 +1917,9 @@ static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
int err;
+ if (!rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
+ return tp->ops->delete(tp, fh, last, rtnl_held, extack);
+
skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
if (!skb)
return -ENOBUFS;
@@ -2731,6 +2737,9 @@ static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
struct sk_buff *skb;
int err = 0;
+ if (!unicast && !rtnl_notify_needed(net, flags, RTNLGRP_TC))
+ return 0;
+
skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
if (!skb)
return -ENOBUFS;
@@ -2760,6 +2769,9 @@ static int tc_chain_notify_delete(const struct tcf_proto_ops *tmplt_ops,
struct net *net = block->net;
struct sk_buff *skb;
+ if (!rtnl_notify_needed(net, flags, RTNLGRP_TC))
+ return 0;
+
skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
if (!skb)
return -ENOBUFS;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 009/291] tc: Ensure we have enough buffer space when sending filter netlink notifications
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 008/291] net/sched: cls_api: conditional notification of events Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 010/291] net: ethtool: Dont call .cleanup_data when prepare_data fails Greg Kroah-Hartman
` (289 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frode Nordahl,
Toke Høiland-Jørgensen, Jiri Pirko, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 369609fc6272c2f6ad666ba4fd913f3baf32908f ]
The tfilter_notify() and tfilter_del_notify() functions assume that
NLMSG_GOODSIZE is always enough to dump the filter chain. This is not
always the case, which can lead to silent notify failures (because the
return code of tfilter_notify() is not always checked). In particular,
this can lead to NLM_F_ECHO not being honoured even though an action
succeeds, which forces userspace to create workarounds[0].
Fix this by increasing the message size if dumping the filter chain into
the allocated skb fails. Use the size of the incoming skb as a size hint
if set, so we can start at a larger value when appropriate.
To trigger this, run the following commands:
# ip link add type veth
# tc qdisc replace dev veth0 root handle 1: fq_codel
# tc -echo filter add dev veth0 parent 1: u32 match u32 0 0 $(for i in $(seq 32); do echo action pedit munge ip dport set 22; done)
Before this fix, tc just returns:
Not a filter(cmd 2)
After the fix, we get the correct echo:
added filter dev veth0 parent 1: protocol all pref 49152 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 terminal flowid not_in_hw
match 00000000/00000000 at 0
action order 1: pedit action pass keys 1
index 1 ref 1 bind 1
key #0 at 20: val 00000016 mask ffff0000
[repeated 32 times]
[0] https://github.com/openvswitch/ovs/commit/106ef21860c935e5e0017a88bf42b94025c4e511
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Frode Nordahl <frode.nordahl@canonical.com>
Closes: https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/2018500
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20250407105542.16601-1-toke@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_api.c | 66 ++++++++++++++++++++++++++++++---------------
1 file changed, 45 insertions(+), 21 deletions(-)
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 2b44b82877f5a..89da596be1b86 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1824,6 +1824,7 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb,
struct tcmsg *tcm;
struct nlmsghdr *nlh;
unsigned char *b = skb_tail_pointer(skb);
+ int ret = -EMSGSIZE;
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
if (!nlh)
@@ -1868,11 +1869,45 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb,
return skb->len;
+cls_op_not_supp:
+ ret = -EOPNOTSUPP;
out_nlmsg_trim:
nla_put_failure:
-cls_op_not_supp:
nlmsg_trim(skb, b);
- return -1;
+ return ret;
+}
+
+static struct sk_buff *tfilter_notify_prep(struct net *net,
+ struct sk_buff *oskb,
+ struct nlmsghdr *n,
+ struct tcf_proto *tp,
+ struct tcf_block *block,
+ struct Qdisc *q, u32 parent,
+ void *fh, int event,
+ u32 portid, bool rtnl_held,
+ struct netlink_ext_ack *extack)
+{
+ unsigned int size = oskb ? max(NLMSG_GOODSIZE, oskb->len) : NLMSG_GOODSIZE;
+ struct sk_buff *skb;
+ int ret;
+
+retry:
+ skb = alloc_skb(size, GFP_KERNEL);
+ if (!skb)
+ return ERR_PTR(-ENOBUFS);
+
+ ret = tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
+ n->nlmsg_seq, n->nlmsg_flags, event, false,
+ rtnl_held, extack);
+ if (ret <= 0) {
+ kfree_skb(skb);
+ if (ret == -EMSGSIZE) {
+ size += NLMSG_GOODSIZE;
+ goto retry;
+ }
+ return ERR_PTR(-EINVAL);
+ }
+ return skb;
}
static int tfilter_notify(struct net *net, struct sk_buff *oskb,
@@ -1888,16 +1923,10 @@ static int tfilter_notify(struct net *net, struct sk_buff *oskb,
if (!unicast && !rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
return 0;
- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
- if (!skb)
- return -ENOBUFS;
-
- if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
- n->nlmsg_seq, n->nlmsg_flags, event,
- false, rtnl_held, extack) <= 0) {
- kfree_skb(skb);
- return -EINVAL;
- }
+ skb = tfilter_notify_prep(net, oskb, n, tp, block, q, parent, fh, event,
+ portid, rtnl_held, extack);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
if (unicast)
err = rtnl_unicast(skb, net, portid);
@@ -1920,16 +1949,11 @@ static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
if (!rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
return tp->ops->delete(tp, fh, last, rtnl_held, extack);
- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
- if (!skb)
- return -ENOBUFS;
-
- if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
- n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER,
- false, rtnl_held, extack) <= 0) {
+ skb = tfilter_notify_prep(net, oskb, n, tp, block, q, parent, fh,
+ RTM_DELTFILTER, portid, rtnl_held, extack);
+ if (IS_ERR(skb)) {
NL_SET_ERR_MSG(extack, "Failed to build del event notification");
- kfree_skb(skb);
- return -EINVAL;
+ return PTR_ERR(skb);
}
err = tp->ops->delete(tp, fh, last, rtnl_held, extack);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 010/291] net: ethtool: Dont call .cleanup_data when prepare_data fails
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 009/291] tc: Ensure we have enough buffer space when sending filter netlink notifications Greg Kroah-Hartman
@ 2025-04-23 14:39 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 011/291] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
` (288 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kory Maincent, Simon Horman,
Michal Kubecek, Maxime Chevallier, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
[ Upstream commit 4f038a6a02d20859a3479293cbf172b0f14cbdd6 ]
There's a consistent pattern where the .cleanup_data() callback is
called when .prepare_data() fails, when it should really be called to
clean after a successful .prepare_data() as per the documentation.
Rewrite the error-handling paths to make sure we don't cleanup
un-prepared data.
Fixes: c781ff12a2f3 ("ethtool: Allow network drivers to dump arbitrary EEPROM data")
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250407130511.75621-1-maxime.chevallier@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/netlink.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c
index e5efdf2817eff..98c0641138825 100644
--- a/net/ethtool/netlink.c
+++ b/net/ethtool/netlink.c
@@ -384,7 +384,7 @@ static int ethnl_default_doit(struct sk_buff *skb, struct genl_info *info)
ret = ops->prepare_data(req_info, reply_data, info);
rtnl_unlock();
if (ret < 0)
- goto err_cleanup;
+ goto err_dev;
ret = ops->reply_size(req_info, reply_data);
if (ret < 0)
goto err_cleanup;
@@ -442,7 +442,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev,
ret = ctx->ops->prepare_data(ctx->req_info, ctx->reply_data, NULL);
rtnl_unlock();
if (ret < 0)
- goto out;
+ goto out_cancel;
ret = ethnl_fill_reply_header(skb, dev, ctx->ops->hdr_attr);
if (ret < 0)
goto out;
@@ -451,6 +451,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev,
out:
if (ctx->ops->cleanup_data)
ctx->ops->cleanup_data(ctx->reply_data);
+out_cancel:
ctx->reply_data->dev = NULL;
if (ret < 0)
genlmsg_cancel(skb, ehdr);
@@ -636,7 +637,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd,
ethnl_init_reply_data(reply_data, ops, dev);
ret = ops->prepare_data(req_info, reply_data, NULL);
if (ret < 0)
- goto err_cleanup;
+ goto err_rep;
ret = ops->reply_size(req_info, reply_data);
if (ret < 0)
goto err_cleanup;
@@ -671,6 +672,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd,
err_cleanup:
if (ops->cleanup_data)
ops->cleanup_data(reply_data);
+err_rep:
kfree(reply_data);
kfree(req_info);
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 011/291] ata: sata_sx4: Add error handling in pdc20621_i2c_read()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-04-23 14:39 ` [PATCH 6.1 010/291] net: ethtool: Dont call .cleanup_data when prepare_data fails Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 012/291] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
` (287 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Niklas Cassel,
Damien Le Moal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 8d46a27085039158eb5e253ab8a35a0e33b5e864 ]
The function pdc20621_prog_dimm0() calls the function pdc20621_i2c_read()
but does not handle the error if the read fails. This could lead to
process with invalid data. A proper implementation can be found in
/source/drivers/ata/sata_sx4.c, pdc20621_prog_dimm_global(). As mentioned
in its commit: bb44e154e25125bef31fa956785e90fccd24610b, the variable spd0
might be used uninitialized when pdc20621_i2c_read() fails.
Add error handling to pdc20621_i2c_read(). If a read operation fails,
an error message is logged via dev_err(), and return a negative error
code.
Add error handling to pdc20621_prog_dimm0() in pdc20621_dimm_init(), and
return a negative error code if pdc20621_prog_dimm0() fails.
Fixes: 4447d3515616 ("libata: convert the remaining SATA drivers to new init model")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_sx4.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
index fa1966638c060..c524634fd9265 100644
--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -1118,9 +1118,14 @@ static int pdc20621_prog_dimm0(struct ata_host *host)
mmio += PDC_CHIP0_OFS;
for (i = 0; i < ARRAY_SIZE(pdc_i2c_read_data); i++)
- pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
- pdc_i2c_read_data[i].reg,
- &spd0[pdc_i2c_read_data[i].ofs]);
+ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
+ pdc_i2c_read_data[i].reg,
+ &spd0[pdc_i2c_read_data[i].ofs])) {
+ dev_err(host->dev,
+ "Failed in i2c read at index %d: device=%#x, reg=%#x\n",
+ i, PDC_DIMM0_SPD_DEV_ADDRESS, pdc_i2c_read_data[i].reg);
+ return -EIO;
+ }
data |= (spd0[4] - 8) | ((spd0[21] != 0) << 3) | ((spd0[3]-11) << 4);
data |= ((spd0[17] / 4) << 6) | ((spd0[5] / 2) << 7) |
@@ -1285,6 +1290,8 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
/* Programming DIMM0 Module Control Register (index_CID0:80h) */
size = pdc20621_prog_dimm0(host);
+ if (size < 0)
+ return size;
dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
/* Programming DIMM Module Global Control Register (index_CID0:88h) */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 012/291] nvmet-fcloop: swap list_add_tail arguments
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 011/291] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 013/291] net_sched: sch_sfq: use a temporary work area for validating configuration Greg Kroah-Hartman
` (286 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Hannes Reinecke,
Christoph Hellwig, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit 2b5f0c5bc819af2b0759a8fcddc1b39102735c0f ]
The newly element to be added to the list is the first argument of
list_add_tail. This fix is missing dcfad4ab4d67 ("nvmet-fcloop: swap
the list_add_tail arguments").
Fixes: 437c0b824dbd ("nvme-fcloop: add target to host LS request support")
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/fcloop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index f5b8442b653db..787dfb3859a0d 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -478,7 +478,7 @@ fcloop_t2h_xmt_ls_rsp(struct nvme_fc_local_port *localport,
if (targetport) {
tport = targetport->private;
spin_lock(&tport->lock);
- list_add_tail(&tport->ls_list, &tls_req->ls_list);
+ list_add_tail(&tls_req->ls_list, &tport->ls_list);
spin_unlock(&tport->lock);
queue_work(nvmet_wq, &tport->ls_work);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 013/291] net_sched: sch_sfq: use a temporary work area for validating configuration
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 012/291] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 014/291] net_sched: sch_sfq: move the limit validation Greg Kroah-Hartman
` (285 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Octavian Purdila, Cong Wang,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Octavian Purdila <tavip@google.com>
[ Upstream commit 8c0cea59d40cf6dd13c2950437631dd614fbade6 ]
Many configuration parameters have influence on others (e.g. divisor
-> flows -> limit, depth -> limit) and so it is difficult to correctly
do all of the validation before applying the configuration. And if a
validation error is detected late it is difficult to roll back a
partially applied configuration.
To avoid these issues use a temporary work area to update and validate
the configuration and only then apply the configuration to the
internal state.
Signed-off-by: Octavian Purdila <tavip@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfq.c | 56 +++++++++++++++++++++++++++++++++++----------
1 file changed, 44 insertions(+), 12 deletions(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 60754f366ab7b..68e909e8fabd9 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -631,6 +631,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
struct red_parms *p = NULL;
struct sk_buff *to_free = NULL;
struct sk_buff *tail = NULL;
+ unsigned int maxflows;
+ unsigned int quantum;
+ unsigned int divisor;
+ int perturb_period;
+ u8 headdrop;
+ u8 maxdepth;
+ int limit;
+ u8 flags;
+
if (opt->nla_len < nla_attr_size(sizeof(*ctl)))
return -EINVAL;
@@ -656,36 +665,59 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
NL_SET_ERR_MSG_MOD(extack, "invalid limit");
return -EINVAL;
}
+
sch_tree_lock(sch);
+
+ limit = q->limit;
+ divisor = q->divisor;
+ headdrop = q->headdrop;
+ maxdepth = q->maxdepth;
+ maxflows = q->maxflows;
+ perturb_period = q->perturb_period;
+ quantum = q->quantum;
+ flags = q->flags;
+
+ /* update and validate configuration */
if (ctl->quantum)
- q->quantum = ctl->quantum;
- WRITE_ONCE(q->perturb_period, ctl->perturb_period * HZ);
+ quantum = ctl->quantum;
+ perturb_period = ctl->perturb_period * HZ;
if (ctl->flows)
- q->maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
+ maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
if (ctl->divisor) {
- q->divisor = ctl->divisor;
- q->maxflows = min_t(u32, q->maxflows, q->divisor);
+ divisor = ctl->divisor;
+ maxflows = min_t(u32, maxflows, divisor);
}
if (ctl_v1) {
if (ctl_v1->depth)
- q->maxdepth = min_t(u32, ctl_v1->depth, SFQ_MAX_DEPTH);
+ maxdepth = min_t(u32, ctl_v1->depth, SFQ_MAX_DEPTH);
if (p) {
- swap(q->red_parms, p);
- red_set_parms(q->red_parms,
+ red_set_parms(p,
ctl_v1->qth_min, ctl_v1->qth_max,
ctl_v1->Wlog,
ctl_v1->Plog, ctl_v1->Scell_log,
NULL,
ctl_v1->max_P);
}
- q->flags = ctl_v1->flags;
- q->headdrop = ctl_v1->headdrop;
+ flags = ctl_v1->flags;
+ headdrop = ctl_v1->headdrop;
}
if (ctl->limit) {
- q->limit = min_t(u32, ctl->limit, q->maxdepth * q->maxflows);
- q->maxflows = min_t(u32, q->maxflows, q->limit);
+ limit = min_t(u32, ctl->limit, maxdepth * maxflows);
+ maxflows = min_t(u32, maxflows, limit);
}
+ /* commit configuration */
+ q->limit = limit;
+ q->divisor = divisor;
+ q->headdrop = headdrop;
+ q->maxdepth = maxdepth;
+ q->maxflows = maxflows;
+ WRITE_ONCE(q->perturb_period, perturb_period);
+ q->quantum = quantum;
+ q->flags = flags;
+ if (p)
+ swap(q->red_parms, p);
+
qlen = sch->q.qlen;
while (sch->q.qlen > q->limit) {
dropped += sfq_drop(sch, &to_free);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 014/291] net_sched: sch_sfq: move the limit validation
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 013/291] net_sched: sch_sfq: use a temporary work area for validating configuration Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 015/291] ipv6: Align behavior across nexthops during path selection Greg Kroah-Hartman
` (284 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Octavian Purdila, Cong Wang,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Octavian Purdila <tavip@google.com>
[ Upstream commit b3bf8f63e6179076b57c9de660c9f80b5abefe70 ]
It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.
Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
This fixes the following syzkaller reported crash:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
sfq_link net/sched/sch_sfq.c:203 [inline]
sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit")
Signed-off-by: Octavian Purdila <tavip@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfq.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 68e909e8fabd9..002941d35b643 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -661,10 +661,6 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
if (!p)
return -ENOMEM;
}
- if (ctl->limit == 1) {
- NL_SET_ERR_MSG_MOD(extack, "invalid limit");
- return -EINVAL;
- }
sch_tree_lock(sch);
@@ -705,6 +701,12 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
limit = min_t(u32, ctl->limit, maxdepth * maxflows);
maxflows = min_t(u32, maxflows, limit);
}
+ if (limit == 1) {
+ sch_tree_unlock(sch);
+ kfree(p);
+ NL_SET_ERR_MSG_MOD(extack, "invalid limit");
+ return -EINVAL;
+ }
/* commit configuration */
q->limit = limit;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 015/291] ipv6: Align behavior across nexthops during path selection
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 014/291] net_sched: sch_sfq: move the limit validation Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 016/291] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
` (283 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Ido Schimmel,
Willem de Bruijn, David Ahern, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 6933cd4714861eea6848f18396a119d741f25fc3 ]
A nexthop is only chosen when the calculated multipath hash falls in the
nexthop's hash region (i.e., the hash is smaller than the nexthop's hash
threshold) and when the nexthop is assigned a non-negative score by
rt6_score_route().
Commit 4d0ab3a6885e ("ipv6: Start path selection from the first
nexthop") introduced an unintentional difference between the first
nexthop and the rest when the score is negative.
When the first nexthop matches, but has a negative score, the code will
currently evaluate subsequent nexthops until one is found with a
non-negative score. On the other hand, when a different nexthop matches,
but has a negative score, the code will fallback to the nexthop with
which the selection started ('match').
Align the behavior across all nexthops and fallback to 'match' when the
first nexthop matches, but has a negative score.
Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N")
Fixes: 4d0ab3a6885e ("ipv6: Start path selection from the first nexthop")
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Closes: https://lore.kernel.org/netdev/67efef607bc41_1ddca82948c@willemb.c.googlers.com.notmuch/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250408084316.243559-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d6de164720a05..4e6b833dc40bb 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -474,10 +474,10 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
goto out;
hash = fl6->mp_hash;
- if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) &&
- rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
- strict) >= 0) {
- match = first;
+ if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound)) {
+ if (rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
+ strict) >= 0)
+ match = first;
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 016/291] net: ppp: Add bound checking for skb data on ppp_sync_txmung
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 015/291] ipv6: Align behavior across nexthops during path selection Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 017/291] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
` (282 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+29fc8991b0ecb186cf40,
Arnaud Lecomte, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaud Lecomte <contact@arnaud-lcm.com>
[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ]
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.
When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
type = 0x1,
ver = 0x1,
code = 0x0,
sid = 0x2,
length = 0x0,
tag = 0xffff8880371cdb96
}
from the skb struct (trimmed)
tail = 0x16,
end = 0x140,
head = 0xffff88803346f400 "4",
data = 0xffff88803346f416 ":\377",
truesize = 0x380,
len = 0x0,
data_len = 0x0,
mac_len = 0xe,
hdr_len = 0x0,
it is not safe to access data[2].
Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
[pabeni@redhat.com: fixed subj typo]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_synctty.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 94ef6f9ca5103..fb533c43deeea 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -515,6 +515,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
unsigned char *data;
int islcp;
+ /* Ensure we can safely access protocol field and LCP code */
+ if (!pskb_may_pull(skb, 3)) {
+ kfree_skb(skb);
+ return NULL;
+ }
data = skb->data;
proto = get_unaligned_be16(data);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 017/291] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 016/291] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 018/291] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Greg Kroah-Hartman
` (281 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sontu mazumdar, Stefano Brivio,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit e042ed950d4e176379ba4c0722146cd96fb38aa2 ]
Given a set element like:
icmpv6 . dead:beef:00ff::1
The value of 'ff' is irrelevant, any address will be matched
as long as the other octets are the same.
This is because of too-early register clobbering:
ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
of an earlier load that wasn't processed yet.
The existing tests in nft_concat_range.sh selftests do exercise this code
path, but do not trigger incorrect matching due to the network prefix
limitation.
Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
Reported-by: sontu mazumdar <sontu21@gmail.com>
Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index b8d3c3213efee..c15db28c5ebc4 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -994,8 +994,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
NFT_PIPAPO_AVX2_AND(6, 2, 3);
+ NFT_PIPAPO_AVX2_AND(3, 4, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
- NFT_PIPAPO_AVX2_AND(0, 4, 5);
+ NFT_PIPAPO_AVX2_AND(0, 3, 5);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
NFT_PIPAPO_AVX2_AND(2, 6, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 018/291] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 017/291] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 019/291] fs: consistently deref the files table with rcu_dereference_raw() Greg Kroah-Hartman
` (280 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, AngeloGioacchino Del Regno,
Louis-Alexis Eyraud, Joerg Roedel, Sasha Levin, Chen-Yu Tsai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
[ Upstream commit 38e8844005e6068f336a3ad45451a562a0040ca1 ]
Currently, mtk_iommu calls during probe iommu_device_register before
the hw_list from driver data is initialized. Since iommu probing issue
fix, it leads to NULL pointer dereference in mtk_iommu_device_group when
hw_list is accessed with list_first_entry (not null safe).
So, change the call order to ensure iommu_device_register is called
after the driver data are initialized.
Fixes: 9e3a2a643653 ("iommu/mediatek: Adapt sharing and non-sharing pgtable case")
Fixes: bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path")
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Tested-by: Chen-Yu Tsai <wenst@chromium.org> # MT8183 Juniper, MT8186 Tentacruel
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
Link: https://lore.kernel.org/r/20250403-fix-mtk-iommu-error-v2-1-fe8b18f8b0a8@collabora.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/mtk_iommu.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
index 576163f88a4a5..d4cb09b2e267e 100644
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -1268,15 +1268,6 @@ static int mtk_iommu_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, data);
mutex_init(&data->mutex);
- ret = iommu_device_sysfs_add(&data->iommu, dev, NULL,
- "mtk-iommu.%pa", &ioaddr);
- if (ret)
- goto out_link_remove;
-
- ret = iommu_device_register(&data->iommu, &mtk_iommu_ops, dev);
- if (ret)
- goto out_sysfs_remove;
-
if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE)) {
list_add_tail(&data->list, data->plat_data->hw_list);
data->hw_list = data->plat_data->hw_list;
@@ -1286,19 +1277,28 @@ static int mtk_iommu_probe(struct platform_device *pdev)
data->hw_list = &data->hw_list_head;
}
+ ret = iommu_device_sysfs_add(&data->iommu, dev, NULL,
+ "mtk-iommu.%pa", &ioaddr);
+ if (ret)
+ goto out_list_del;
+
+ ret = iommu_device_register(&data->iommu, &mtk_iommu_ops, dev);
+ if (ret)
+ goto out_sysfs_remove;
+
if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
ret = component_master_add_with_match(dev, &mtk_iommu_com_ops, match);
if (ret)
- goto out_list_del;
+ goto out_device_unregister;
}
return ret;
-out_list_del:
- list_del(&data->list);
+out_device_unregister:
iommu_device_unregister(&data->iommu);
out_sysfs_remove:
iommu_device_sysfs_remove(&data->iommu);
-out_link_remove:
+out_list_del:
+ list_del(&data->list);
if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM))
device_link_remove(data->smicomm_dev, dev);
out_runtime_disable:
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 019/291] fs: consistently deref the files table with rcu_dereference_raw()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 018/291] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 020/291] umount: Allow superblock owners to force umount Greg Kroah-Hartman
` (279 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Guzik, Christian Brauner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Guzik <mjguzik@gmail.com>
[ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ]
... except when the table is known to be only used by one thread.
A file pointer can get installed at any moment despite the ->file_lock
being held since the following:
8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()")
Accesses subject to such a race can in principle suffer load tearing.
While here redo the comment in dup_fd -- it only covered a race against
files showing up, still assuming fd_install() takes the lock.
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/file.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/fs/file.c b/fs/file.c
index bc0c087b31bbd..2eccbb5dcd86a 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -362,17 +362,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho
old_fds = old_fdt->fd;
new_fds = new_fdt->fd;
+ /*
+ * We may be racing against fd allocation from other threads using this
+ * files_struct, despite holding ->file_lock.
+ *
+ * alloc_fd() might have already claimed a slot, while fd_install()
+ * did not populate it yet. Note the latter operates locklessly, so
+ * the file can show up as we are walking the array below.
+ *
+ * At the same time we know no files will disappear as all other
+ * operations take the lock.
+ *
+ * Instead of trying to placate userspace racing with itself, we
+ * ref the file if we see it and mark the fd slot as unused otherwise.
+ */
for (i = open_files; i != 0; i--) {
- struct file *f = *old_fds++;
+ struct file *f = rcu_dereference_raw(*old_fds++);
if (f) {
get_file(f);
} else {
- /*
- * The fd may be claimed in the fd bitmap but not yet
- * instantiated in the files array if a sibling thread
- * is partway through open(). So make sure that this
- * fd is available to the new process.
- */
__clear_open_fd(open_files - i, new_fdt);
}
rcu_assign_pointer(*new_fds++, f);
@@ -625,7 +633,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
return NULL;
fd = array_index_nospec(fd, fdt->max_fds);
- file = fdt->fd[fd];
+ file = rcu_dereference_raw(fdt->fd[fd]);
if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL);
__put_unused_fd(files, fd);
@@ -1093,7 +1101,7 @@ __releases(&files->file_lock)
*/
fdt = files_fdtable(files);
fd = array_index_nospec(fd, fdt->max_fds);
- tofree = fdt->fd[fd];
+ tofree = rcu_dereference_raw(fdt->fd[fd]);
if (!tofree && fd_is_open(fd, fdt))
goto Ebusy;
get_file(file);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 020/291] umount: Allow superblock owners to force umount
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 019/291] fs: consistently deref the files table with rcu_dereference_raw() Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 021/291] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
` (278 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Eric W. Biederman,
Christian Brauner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]
Loosen the permission check on forced umount to allow users holding
CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
to the userns that originally mounted the filesystem.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Link: https://lore.kernel.org/r/12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 59a9f877738b2..57166cc7e5117 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1777,6 +1777,7 @@ static void warn_mandlock(void)
static int can_umount(const struct path *path, int flags)
{
struct mount *mnt = real_mount(path->mnt);
+ struct super_block *sb = path->dentry->d_sb;
if (!may_mount())
return -EPERM;
@@ -1786,7 +1787,7 @@ static int can_umount(const struct path *path, int flags)
return -EINVAL;
if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
return -EINVAL;
- if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
+ if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
return -EPERM;
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 021/291] pm: cpupower: bench: Prevent NULL dereference on malloc failure
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 020/291] umount: Allow superblock owners to force umount Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 022/291] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
` (277 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhongqiu Han, Shuah Khan,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ]
If malloc returns NULL due to low memory, 'config' pointer can be NULL.
Add a check to prevent NULL dereference.
Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/cpupower/bench/parse.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c
index e63dc11fa3a53..48e25be6e1635 100644
--- a/tools/power/cpupower/bench/parse.c
+++ b/tools/power/cpupower/bench/parse.c
@@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname)
struct config *prepare_default_config()
{
struct config *config = malloc(sizeof(struct config));
+ if (!config) {
+ perror("malloc");
+ return NULL;
+ }
dprintf("loading defaults\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 022/291] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 021/291] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 023/291] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
` (276 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Grobecker, Ingo Molnar,
linux-kernel, Borislav Petkov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Grobecker <max@grobecker.info>
[ Upstream commit a4248ee16f411ac1ea7dfab228a6659b111e3d65 ]
When running in a virtual machine, we might see the original hardware CPU
vendor string (i.e. "AuthenticAMD"), but a model and family ID set by the
hypervisor. In case we run on AMD hardware and the hypervisor sets a model
ID < 0x14, the LAHF cpu feature is eliminated from the the list of CPU
capabilities present to circumvent a bug with some BIOSes in conjunction with
AMD K8 processors.
Parsing the flags list from /proc/cpuinfo seems to be happening mostly in
bash scripts and prebuilt Docker containers, as it does not need to have
additionals tools present – even though more reliable ways like using "kcpuid",
which calls the CPUID instruction instead of parsing a list, should be preferred.
Scripts, that use /proc/cpuinfo to determine if the current CPU is
"compliant" with defined microarchitecture levels like x86-64-v2 will falsely
claim the CPU is incapable of modern CPU instructions when "lahf_lm" is missing
in that flags list.
This can prevent some docker containers from starting or build scripts to create
unoptimized binaries.
Admittably, this is more a small inconvenience than a severe bug in the kernel
and the shoddy scripts that rely on parsing /proc/cpuinfo
should be fixed instead.
This patch adds an additional check to see if we're running inside a
virtual machine (X86_FEATURE_HYPERVISOR is present), which, to my
understanding, can't be present on a real K8 processor as it was introduced
only with the later/other Athlon64 models.
Example output with the "lahf_lm" flag missing in the flags list
(should be shown between "hypervisor" and "abm"):
$ cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 6
model name : Common KVM processor
stepping : 1
microcode : 0x1000065
cpu MHz : 2599.998
cache size : 512 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp
lm rep_good nopl cpuid extd_apicid tsc_known_freq pni
pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt
tsc_deadline_timer aes xsave avx f16c hypervisor abm
3dnowprefetch vmmcall bmi1 avx2 bmi2 xsaveopt
... while kcpuid shows the feature to be present in the CPU:
# kcpuid -d | grep lahf
lahf_lm - LAHF/SAHF available in 64-bit mode
[ mingo: Updated the comment a bit, incorporated Boris's review feedback. ]
Signed-off-by: Max Grobecker <max@grobecker.info>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: Borislav Petkov <bp@alien8.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 37796a1d0715f..9ac93b4ba67b4 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -787,7 +787,7 @@ static void init_amd_k8(struct cpuinfo_x86 *c)
* (model = 0x14) and later actually support it.
* (AMD Erratum #110, docId: 25759).
*/
- if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM)) {
+ if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM) && !cpu_has(c, X86_FEATURE_HYPERVISOR)) {
clear_cpu_cap(c, X86_FEATURE_LAHF_LM);
if (!rdmsrl_amd_safe(0xc001100d, &value)) {
value &= ~BIT_64(32);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 023/291] perf: arm_pmu: Dont disable counter in armpmu_add()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 022/291] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 024/291] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
` (275 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Rob Herring (Arm),
Anshuman Khandual, James Clark, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit dcca27bc1eccb9abc2552aab950b18a9742fb8e7 ]
Currently armpmu_add() tries to handle a newly-allocated counter having
a stale associated event, but this should not be possible, and if this
were to happen the current mitigation is insufficient and potentially
expensive. It would be better to warn if we encounter the impossible
case.
Calls to pmu::add() and pmu::del() are serialized by the core perf code,
and armpmu_del() clears the relevant slot in pmu_hw_events::events[]
before clearing the bit in pmu_hw_events::used_mask such that the
counter can be reallocated. Thus when armpmu_add() allocates a counter
index from pmu_hw_events::used_mask, it should not be possible to observe
a stale even in pmu_hw_events::events[] unless either
pmu_hw_events::used_mask or pmu_hw_events::events[] have been corrupted.
If this were to happen, we'd end up with two events with the same
event->hw.idx, which would clash with each other during reprogramming,
deletion, etc, and produce bogus results. Add a WARN_ON_ONCE() for this
case so that we can detect if this ever occurs in practice.
That possiblity aside, there's no need to call arm_pmu::disable(event)
for the new event. The PMU reset code initialises the counter in a
disabled state, and armpmu_del() will disable the counter before it can
be reused. Remove the redundant disable.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Tested-by: James Clark <james.clark@linaro.org>
Link: https://lore.kernel.org/r/20250218-arm-brbe-v19-v20-2-4e9922fc2e8e@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/arm_pmu.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
index 3f07df5a7e950..d351d6ce750bf 100644
--- a/drivers/perf/arm_pmu.c
+++ b/drivers/perf/arm_pmu.c
@@ -340,12 +340,10 @@ armpmu_add(struct perf_event *event, int flags)
if (idx < 0)
return idx;
- /*
- * If there is an event in the counter we are going to use then make
- * sure it is disabled.
- */
+ /* The newly-allocated counter should be empty */
+ WARN_ON_ONCE(hw_events->events[idx]);
+
event->hw.idx = idx;
- armpmu->disable(event);
hw_events->events[idx] = event;
hwc->state = PERF_HES_STOPPED | PERF_HES_UPTODATE;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 024/291] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 023/291] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 025/291] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
` (274 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Douglas Anderson,
Trilok Soni, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit 401c3333bb2396aa52e4121887a6f6a6e2f040bc ]
Add a definition for the Qualcomm Kryo 300-series Gold cores.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20241219131107.v3.1.I18e0288742871393228249a768e5d56ea65d93dc@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 8efc3302bf96b..a735215cb88ef 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -119,6 +119,7 @@
#define QCOM_CPU_PART_KRYO 0x200
#define QCOM_CPU_PART_KRYO_2XX_GOLD 0x800
#define QCOM_CPU_PART_KRYO_2XX_SILVER 0x801
+#define QCOM_CPU_PART_KRYO_3XX_GOLD 0x802
#define QCOM_CPU_PART_KRYO_3XX_SILVER 0x803
#define QCOM_CPU_PART_KRYO_4XX_GOLD 0x804
#define QCOM_CPU_PART_KRYO_4XX_SILVER 0x805
@@ -188,6 +189,7 @@
#define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO)
#define MIDR_QCOM_KRYO_2XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_GOLD)
#define MIDR_QCOM_KRYO_2XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_SILVER)
+#define MIDR_QCOM_KRYO_3XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_GOLD)
#define MIDR_QCOM_KRYO_3XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_SILVER)
#define MIDR_QCOM_KRYO_4XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_GOLD)
#define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 025/291] xen/mcelog: Add __nonstring annotations for unterminated strings
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 024/291] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 026/291] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
` (273 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juergen Gross, Stefano Stabellini,
Oleksandr Tyshchenko, xen-devel, Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 1c3dfc7c6b0f551fdca3f7c1f1e4c73be8adb17d ]
When a character array without a terminating NUL character has a static
initializer, GCC 15's -Wunterminated-string-initialization will only
warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
with __nonstring to and correctly identify the char array as "not a C
string" and thereby eliminate the warning.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1]
Cc: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook <kees@kernel.org>
Acked-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250310222234.work.473-kees@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/xen/interface/xen-mca.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/xen/interface/xen-mca.h b/include/xen/interface/xen-mca.h
index 464aa6b3a5f92..1c9afbe8cc260 100644
--- a/include/xen/interface/xen-mca.h
+++ b/include/xen/interface/xen-mca.h
@@ -372,7 +372,7 @@ struct xen_mce {
#define XEN_MCE_LOG_LEN 32
struct xen_mce_log {
- char signature[12]; /* "MACHINECHECK" */
+ char signature[12] __nonstring; /* "MACHINECHECK" */
unsigned len; /* = XEN_MCE_LOG_LEN */
unsigned next;
unsigned flags;
--
2.39.5
um: ntf-flags
-
- name: type
+ name: ndm-type
type: u8
enum: rtm-type
-
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 026/291] HID: pidff: Convert infinite length from Linux API to PID standard
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 025/291] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 027/291] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
` (272 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ]
Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL),
Linux doesn't actually define anythi as of now, while USB PID defines
NULL (0xffff). Most PID devices do not expect a 0-length effect and
can't interpret it as infinite. This change fixes Force Feedback for
most PID compliant devices.
As most games depend on updating the values of already playing infinite
effects, this is crucial to ensure they will actually work.
Previously, users had to rely on third-party software to do this conversion
and make their PID devices usable.
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 3b4ee21cd8111..5fe4422bb5bad 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -21,6 +21,7 @@
#include "usbhid.h"
#define PID_EFFECTS_MAX 64
+#define PID_INFINITE 0xffff
/* Report usage table used to put reports into an array */
@@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
pidff->set_effect_type->value[0] =
pidff->create_new_effect_type->value[0];
- pidff->set_effect[PID_DURATION].value[0] = effect->replay.length;
+
+ /* Convert infinite length from Linux API (0)
+ to PID standard (NULL) if needed */
+ pidff->set_effect[PID_DURATION].value[0] =
+ effect->replay.length == 0 ? PID_INFINITE : effect->replay.length;
+
pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button;
pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] =
effect->trigger.interval;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 027/291] HID: pidff: Do not send effect envelope if its empty
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 026/291] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 028/291] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
` (271 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 8876fc1884f5b39550c8387ff3176396c988541d ]
Envelope struct is always initialized, but the envelope itself is
optional as described in USB PID Device class definition 1.0.
5.1.1.1 Type Specific Block Offsets
...
4) Effects that do not use Condition Blocks use 1 Parameter Block and
an *optional* Envelope Block.
Sending out "empty" envelope breaks force feedback on some devices with
games that use SINE effect + offset to emulate constant force effect, as
well as generally breaking Constant/Periodic effects. One of the affected
brands is Moza Racing.
This change prevents the envelope from being sent if it contains all
0 values while keeping the old behavior of only sending it, if it differs
from the old one.
Changes in v6:
- Simplify the checks to make them clearer
- Fix possible null pointer dereference while calling
pidff_needs_set_envelope
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 42 +++++++++++++++++++---------------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 5fe4422bb5bad..a01c1b2ab2f4c 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -262,10 +262,22 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
static int pidff_needs_set_envelope(struct ff_envelope *envelope,
struct ff_envelope *old)
{
- return envelope->attack_level != old->attack_level ||
- envelope->fade_level != old->fade_level ||
+ bool needs_new_envelope;
+ needs_new_envelope = envelope->attack_level != 0 ||
+ envelope->fade_level != 0 ||
+ envelope->attack_length != 0 ||
+ envelope->fade_length != 0;
+
+ if (!needs_new_envelope)
+ return false;
+
+ if (!old)
+ return needs_new_envelope;
+
+ return envelope->attack_level != old->attack_level ||
+ envelope->fade_level != old->fade_level ||
envelope->attack_length != old->attack_length ||
- envelope->fade_length != old->fade_length;
+ envelope->fade_length != old->fade_length;
}
/*
@@ -580,11 +592,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_constant(effect, old))
pidff_set_constant_force_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.constant.envelope,
- &old->u.constant.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.constant.envelope);
+ if (pidff_needs_set_envelope(&effect->u.constant.envelope,
+ old ? &old->u.constant.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.constant.envelope);
break;
case FF_PERIODIC:
@@ -619,11 +629,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_periodic(effect, old))
pidff_set_periodic_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.periodic.envelope,
- &old->u.periodic.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.periodic.envelope);
+ if (pidff_needs_set_envelope(&effect->u.periodic.envelope,
+ old ? &old->u.periodic.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.periodic.envelope);
break;
case FF_RAMP:
@@ -637,11 +645,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_ramp(effect, old))
pidff_set_ramp_force_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.ramp.envelope,
- &old->u.ramp.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.ramp.envelope);
+ if (pidff_needs_set_envelope(&effect->u.ramp.envelope,
+ old ? &old->u.ramp.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.ramp.envelope);
break;
case FF_SPRING:
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 028/291] HID: pidff: Fix null pointer dereference in pidff_find_fields
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 027/291] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 029/291] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
` (270 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nolan Nicholson, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <forest10pl@gmail.com>
[ Upstream commit 22a05462c3d0eee15154faf8d13c49e6295270a5 ]
This function triggered a null pointer dereference if used to search for
a report that isn't implemented on the device. This happened both for
optional and required reports alike.
The same logic was applied to pidff_find_special_field and although
pidff_init_fields should return an error earlier if one of the required
reports is missing, future modifications could change this logic and
resurface this possible null pointer dereference again.
LKML bug report:
https://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com
Reported-by: Nolan Nicholson <nolananicholson@gmail.com>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index a01c1b2ab2f4c..26cb331b646ca 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -770,6 +770,11 @@ static void pidff_set_autocenter(struct input_dev *dev, u16 magnitude)
static int pidff_find_fields(struct pidff_usage *usage, const u8 *table,
struct hid_report *report, int count, int strict)
{
+ if (!report) {
+ pr_debug("pidff_find_fields, null report\n");
+ return -1;
+ }
+
int i, j, k, found;
for (k = 0; k < count; k++) {
@@ -883,6 +888,11 @@ static int pidff_reports_ok(struct pidff_device *pidff)
static struct hid_field *pidff_find_special_field(struct hid_report *report,
int usage, int enforce_min)
{
+ if (!report) {
+ pr_debug("pidff_find_special_field, null report\n");
+ return NULL;
+ }
+
int i;
for (i = 0; i < report->maxfield; i++) {
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 029/291] ALSA: hda: intel: Fix Optimus when GPU has no sound
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 028/291] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 031/291] ASoC: fsl_audmix: register card device depends on dais property Greg Kroah-Hartman
` (269 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Mikityanskiy, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Mikityanskiy <maxtram95@gmail.com>
[ Upstream commit 2b360ba9a4936486380bc30d1eabceb40a714d98 ]
quirk_nvidia_hda() forcefully enables HDA controller on all NVIDIA GPUs,
because some buggy BIOSes leave it disabled. However, some dual-GPU
laptops do not have a functional HDA controller in DGPU, and BIOS
disables it on purpose. After quirk_nvidia_hda() reenables this dummy
HDA controller, attempting to probe it fails at azx_first_init(), which
is too late to cancel the probe, as it happens in azx_probe_continue().
The sna_hda_intel driver calls azx_free() and stops the chip, however,
it stays probed, and from the runtime PM point of view, the device
remains active (it was set as active by the PCI subsystem on probe). It
prevents vga_switcheroo from turning off the DGPU, because
pci_create_device_link() syncs power management for video and audio
devices.
Affected devices should be added to driver_denylist to prevent them from
probing early. This patch helps identify such devices by printing a
warning, and also forces the device to the suspended state to allow
vga_switcheroo turn off DGPU.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Link: https://patch.msgid.link/20250208214602.39607-2-maxtram95@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_intel.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 56ee7708f6c49..7d0b12aab886f 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1366,8 +1366,21 @@ static void azx_free(struct azx *chip)
if (use_vga_switcheroo(hda)) {
if (chip->disabled && hda->probe_continued)
snd_hda_unlock_devices(&chip->bus);
- if (hda->vga_switcheroo_registered)
+ if (hda->vga_switcheroo_registered) {
vga_switcheroo_unregister_client(chip->pci);
+
+ /* Some GPUs don't have sound, and azx_first_init fails,
+ * leaving the device probed but non-functional. As long
+ * as it's probed, the PCI subsystem keeps its runtime
+ * PM status as active. Force it to suspended (as we
+ * actually stop the chip) to allow GPU to suspend via
+ * vga_switcheroo, and print a warning.
+ */
+ dev_warn(&pci->dev, "GPU sound probed, but not operational: please add a quirk to driver_denylist\n");
+ pm_runtime_disable(&pci->dev);
+ pm_runtime_set_suspended(&pci->dev);
+ pm_runtime_enable(&pci->dev);
+ }
}
if (bus->chip_init) {
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 031/291] ASoC: fsl_audmix: register card device depends on dais property
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 029/291] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 032/291] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Greg Kroah-Hartman
` (268 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 294a60e5e9830045c161181286d44ce669f88833 ]
In order to make the audmix device linked by audio graph card, make
'dais' property to be optional.
If 'dais' property exists, then register the imx-audmix card driver.
otherwise, it should be linked by audio graph card.
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20250226100508.2352568-5-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_audmix.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/sound/soc/fsl/fsl_audmix.c b/sound/soc/fsl/fsl_audmix.c
index 672148dd4b234..acb499a5043c8 100644
--- a/sound/soc/fsl/fsl_audmix.c
+++ b/sound/soc/fsl/fsl_audmix.c
@@ -492,11 +492,17 @@ static int fsl_audmix_probe(struct platform_device *pdev)
goto err_disable_pm;
}
- priv->pdev = platform_device_register_data(dev, "imx-audmix", 0, NULL, 0);
- if (IS_ERR(priv->pdev)) {
- ret = PTR_ERR(priv->pdev);
- dev_err(dev, "failed to register platform: %d\n", ret);
- goto err_disable_pm;
+ /*
+ * If dais property exist, then register the imx-audmix card driver.
+ * otherwise, it should be linked by audio graph card.
+ */
+ if (of_find_property(pdev->dev.of_node, "dais", NULL)) {
+ priv->pdev = platform_device_register_data(dev, "imx-audmix", 0, NULL, 0);
+ if (IS_ERR(priv->pdev)) {
+ ret = PTR_ERR(priv->pdev);
+ dev_err(dev, "failed to register platform: %d\n", ret);
+ goto err_disable_pm;
+ }
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 032/291] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 031/291] ASoC: fsl_audmix: register card device depends on dais property Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 033/291] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
` (267 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaustabh Chakraborty, Ulf Hansson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaustabh Chakraborty <kauschluss@disroot.org>
[ Upstream commit 57c0902f8bec51add5a1eb908d8b876592725d81 ]
In certain DW MMC implementations (such as in some Exynos7870
controllers), 64-bit read/write is not allowed from a 64-bit FIFO.
Add a quirk which facilitates accessing the 64-bit FIFO registers in two
32-bit halves.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
Link: https://lore.kernel.org/r/20250219-exynos7870-mmc-v2-2-b4255a3e39ed@disroot.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/dw_mmc.c | 94 ++++++++++++++++++++++++++++++++++++++-
drivers/mmc/host/dw_mmc.h | 27 +++++++++++
2 files changed, 119 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
index d0da4573b38cd..0822493c949e8 100644
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2574,6 +2574,91 @@ static void dw_mci_pull_data64(struct dw_mci *host, void *buf, int cnt)
}
}
+static void dw_mci_push_data64_32(struct dw_mci *host, void *buf, int cnt)
+{
+ struct mmc_data *data = host->data;
+ int init_cnt = cnt;
+
+ /* try and push anything in the part_buf */
+ if (unlikely(host->part_buf_count)) {
+ int len = dw_mci_push_part_bytes(host, buf, cnt);
+
+ buf += len;
+ cnt -= len;
+
+ if (host->part_buf_count == 8) {
+ mci_fifo_l_writeq(host->fifo_reg, host->part_buf);
+ host->part_buf_count = 0;
+ }
+ }
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ if (unlikely((unsigned long)buf & 0x7)) {
+ while (cnt >= 8) {
+ u64 aligned_buf[16];
+ int len = min(cnt & -8, (int)sizeof(aligned_buf));
+ int items = len >> 3;
+ int i;
+ /* memcpy from input buffer into aligned buffer */
+ memcpy(aligned_buf, buf, len);
+ buf += len;
+ cnt -= len;
+ /* push data from aligned buffer into fifo */
+ for (i = 0; i < items; ++i)
+ mci_fifo_l_writeq(host->fifo_reg, aligned_buf[i]);
+ }
+ } else
+#endif
+ {
+ u64 *pdata = buf;
+
+ for (; cnt >= 8; cnt -= 8)
+ mci_fifo_l_writeq(host->fifo_reg, *pdata++);
+ buf = pdata;
+ }
+ /* put anything remaining in the part_buf */
+ if (cnt) {
+ dw_mci_set_part_bytes(host, buf, cnt);
+ /* Push data if we have reached the expected data length */
+ if ((data->bytes_xfered + init_cnt) ==
+ (data->blksz * data->blocks))
+ mci_fifo_l_writeq(host->fifo_reg, host->part_buf);
+ }
+}
+
+static void dw_mci_pull_data64_32(struct dw_mci *host, void *buf, int cnt)
+{
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ if (unlikely((unsigned long)buf & 0x7)) {
+ while (cnt >= 8) {
+ /* pull data from fifo into aligned buffer */
+ u64 aligned_buf[16];
+ int len = min(cnt & -8, (int)sizeof(aligned_buf));
+ int items = len >> 3;
+ int i;
+
+ for (i = 0; i < items; ++i)
+ aligned_buf[i] = mci_fifo_l_readq(host->fifo_reg);
+
+ /* memcpy from aligned buffer into output buffer */
+ memcpy(buf, aligned_buf, len);
+ buf += len;
+ cnt -= len;
+ }
+ } else
+#endif
+ {
+ u64 *pdata = buf;
+
+ for (; cnt >= 8; cnt -= 8)
+ *pdata++ = mci_fifo_l_readq(host->fifo_reg);
+ buf = pdata;
+ }
+ if (cnt) {
+ host->part_buf = mci_fifo_l_readq(host->fifo_reg);
+ dw_mci_pull_final_bytes(host, buf, cnt);
+ }
+}
+
static void dw_mci_pull_data(struct dw_mci *host, void *buf, int cnt)
{
int len;
@@ -3374,8 +3459,13 @@ int dw_mci_probe(struct dw_mci *host)
width = 16;
host->data_shift = 1;
} else if (i == 2) {
- host->push_data = dw_mci_push_data64;
- host->pull_data = dw_mci_pull_data64;
+ if ((host->quirks & DW_MMC_QUIRK_FIFO64_32)) {
+ host->push_data = dw_mci_push_data64_32;
+ host->pull_data = dw_mci_pull_data64_32;
+ } else {
+ host->push_data = dw_mci_push_data64;
+ host->pull_data = dw_mci_pull_data64;
+ }
width = 64;
host->data_shift = 3;
} else {
diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
index 4ed81f94f7cab..af16dbb37f261 100644
--- a/drivers/mmc/host/dw_mmc.h
+++ b/drivers/mmc/host/dw_mmc.h
@@ -280,6 +280,8 @@ struct dw_mci_board {
/* Support for longer data read timeout */
#define DW_MMC_QUIRK_EXTENDED_TMOUT BIT(0)
+/* Force 32-bit access to the FIFO */
+#define DW_MMC_QUIRK_FIFO64_32 BIT(1)
#define DW_MMC_240A 0x240a
#define DW_MMC_280A 0x280a
@@ -471,6 +473,31 @@ struct dw_mci_board {
#define mci_fifo_writel(__value, __reg) __raw_writel(__reg, __value)
#define mci_fifo_writeq(__value, __reg) __raw_writeq(__reg, __value)
+/*
+ * Some dw_mmc devices have 64-bit FIFOs, but expect them to be
+ * accessed using two 32-bit accesses. If such controller is used
+ * with a 64-bit kernel, this has to be done explicitly.
+ */
+static inline u64 mci_fifo_l_readq(void __iomem *addr)
+{
+ u64 ans;
+ u32 proxy[2];
+
+ proxy[0] = mci_fifo_readl(addr);
+ proxy[1] = mci_fifo_readl(addr + 4);
+ memcpy(&ans, proxy, 8);
+ return ans;
+}
+
+static inline void mci_fifo_l_writeq(void __iomem *addr, u64 value)
+{
+ u32 proxy[2];
+
+ memcpy(proxy, &value, 8);
+ mci_fifo_writel(addr, proxy[0]);
+ mci_fifo_writel(addr + 4, proxy[1]);
+}
+
/* Register access macros */
#define mci_readl(dev, reg) \
readl_relaxed((dev)->regs + SDMMC_##reg)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 033/291] ALSA: usb-audio: Fix CME quirk for UF series keyboards
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 032/291] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 034/291] ASoC: amd: Add DMI quirk for ACP6X mic support Greg Kroah-Hartman
` (266 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricard Wanderlof, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricard Wanderlof <ricard2013@butoba.net>
[ Upstream commit c2820405ba55a38932aa2177f026b70064296663 ]
Fix quirk for CME master keyboards so it not only handles
sysex but also song position pointer, MIDI timing clock, start
and stop messages, and active sensing. All of these can be
output by the CME UF series master keyboards.
Tested with a CME UF6 in a desktop Linux environment as
well as on the Zynthian Raspberry Pi based platform.
Signed-off-by: Ricard Wanderlof <ricard2013@butoba.net>
Link: https://patch.msgid.link/20250313-cme-fix-v1-1-d404889e4de8@butoba.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/midi.c | 80 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 6 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index eed71369c7af2..d300cd1f922b6 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -489,16 +489,84 @@ static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
/*
* CME protocol: like the standard protocol, but SysEx commands are sent as a
- * single USB packet preceded by a 0x0F byte.
+ * single USB packet preceded by a 0x0F byte, as are system realtime
+ * messages and MIDI Active Sensing.
+ * Also, multiple messages can be sent in the same packet.
*/
static void snd_usbmidi_cme_input(struct snd_usb_midi_in_endpoint *ep,
uint8_t *buffer, int buffer_length)
{
- if (buffer_length < 2 || (buffer[0] & 0x0f) != 0x0f)
- snd_usbmidi_standard_input(ep, buffer, buffer_length);
- else
- snd_usbmidi_input_data(ep, buffer[0] >> 4,
- &buffer[1], buffer_length - 1);
+ int remaining = buffer_length;
+
+ /*
+ * CME send sysex, song position pointer, system realtime
+ * and active sensing using CIN 0x0f, which in the standard
+ * is only intended for single byte unparsed data.
+ * So we need to interpret these here before sending them on.
+ * By default, we assume single byte data, which is true
+ * for system realtime (midi clock, start, stop and continue)
+ * and active sensing, and handle the other (known) cases
+ * separately.
+ * In contrast to the standard, CME does not split sysex
+ * into multiple 4-byte packets, but lumps everything together
+ * into one. In addition, CME can string multiple messages
+ * together in the same packet; pressing the Record button
+ * on an UF6 sends a sysex message directly followed
+ * by a song position pointer in the same packet.
+ * For it to have any reasonable meaning, a sysex message
+ * needs to be at least 3 bytes in length (0xf0, id, 0xf7),
+ * corresponding to a packet size of 4 bytes, and the ones sent
+ * by CME devices are 6 or 7 bytes, making the packet fragments
+ * 7 or 8 bytes long (six or seven bytes plus preceding CN+CIN byte).
+ * For the other types, the packet size is always 4 bytes,
+ * as per the standard, with the data size being 3 for SPP
+ * and 1 for the others.
+ * Thus all packet fragments are at least 4 bytes long, so we can
+ * skip anything that is shorter; this also conveniantly skips
+ * packets with size 0, which CME devices continuously send when
+ * they have nothing better to do.
+ * Another quirk is that sometimes multiple messages are sent
+ * in the same packet. This has been observed for midi clock
+ * and active sensing i.e. 0x0f 0xf8 0x00 0x00 0x0f 0xfe 0x00 0x00,
+ * but also multiple note ons/offs, and control change together
+ * with MIDI clock. Similarly, some sysex messages are followed by
+ * the song position pointer in the same packet, and occasionally
+ * additionally by a midi clock or active sensing.
+ * We handle this by looping over all data and parsing it along the way.
+ */
+ while (remaining >= 4) {
+ int source_length = 4; /* default */
+
+ if ((buffer[0] & 0x0f) == 0x0f) {
+ int data_length = 1; /* default */
+
+ if (buffer[1] == 0xf0) {
+ /* Sysex: Find EOX and send on whole message. */
+ /* To kick off the search, skip the first
+ * two bytes (CN+CIN and SYSEX (0xf0).
+ */
+ uint8_t *tmp_buf = buffer + 2;
+ int tmp_length = remaining - 2;
+
+ while (tmp_length > 1 && *tmp_buf != 0xf7) {
+ tmp_buf++;
+ tmp_length--;
+ }
+ data_length = tmp_buf - buffer;
+ source_length = data_length + 1;
+ } else if (buffer[1] == 0xf2) {
+ /* Three byte song position pointer */
+ data_length = 3;
+ }
+ snd_usbmidi_input_data(ep, buffer[0] >> 4,
+ &buffer[1], data_length);
+ } else {
+ /* normal channel events */
+ snd_usbmidi_standard_input(ep, buffer, source_length);
+ }
+ buffer += source_length;
+ remaining -= source_length;
+ }
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 034/291] ASoC: amd: Add DMI quirk for ACP6X mic support
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 033/291] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 035/291] f2fs: dont retry IO for corrupted data scenario Greg Kroah-Hartman
` (265 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, keenplify, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: keenplify <keenplify@gmail.com>
[ Upstream commit 309b367eafc8e162603cd29189da6db770411fea ]
Some AMD laptops with ACP6X do not expose the DMIC properly on Linux.
Adding a DMI quirk enables mic functionality.
Similar to Bugzilla #218402, this issue affects multiple users.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219853
Signed-off-by: keenplify <keenplify@gmail.com>
Link: https://patch.msgid.link/20250315111617.12194-1-keenplify@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index 77ea8a6c2d6d9..1f94269e121af 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -479,6 +479,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_VERSION, "pang13"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 15 C7UCX"),
+ }
+ },
{}
};
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 035/291] f2fs: dont retry IO for corrupted data scenario
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 034/291] ASoC: amd: Add DMI quirk for ACP6X mic support Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 036/291] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
` (264 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 1534747d3170646ddeb9ea5f7caaac90359707cf ]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
If node block is loaded successfully, but its content is inconsistent, it
doesn't need to retry IO.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 0f350368dea73..b8296b0414fcb 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -695,8 +695,12 @@ void f2fs_update_inode_page(struct inode *inode)
if (err == -ENOENT)
return;
+ if (err == -EFSCORRUPTED)
+ goto stop_checkpoint;
+
if (err == -ENOMEM || ++count <= DEFAULT_RETRY_IO_COUNT)
goto retry;
+stop_checkpoint:
f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_UPDATE_INODE);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 036/291] page_pool: avoid infinite loop to schedule delayed worker
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 035/291] f2fs: dont retry IO for corrupted data scenario Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 037/291] jfs: Fix uninit-value access of imap allocated in the diMount() function Greg Kroah-Hartman
` (263 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Mina Almasry,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kerneljasonxing@gmail.com>
[ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ]
We noticed the kworker in page_pool_release_retry() was waken
up repeatedly and infinitely in production because of the
buggy driver causing the inflight less than 0 and warning
us in page_pool_inflight()[1].
Since the inflight value goes negative, it means we should
not expect the whole page_pool to get back to work normally.
This patch mitigates the adverse effect by not rescheduling
the kworker when detecting the inflight negative in
page_pool_release_retry().
[1]
[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------
[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages
...
[Mon Feb 10 20:36:11 2025] Call Trace:
[Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70
[Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370
[Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0
[Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140
[Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370
[Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40
[Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40
[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---
Note: before this patch, the above calltrace would flood the
dmesg due to repeated reschedule of release_dw kworker.
Signed-off-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/page_pool.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/core/page_pool.c b/net/core/page_pool.c
index caf6d950d54ad..acc1d0d055cdd 100644
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -841,7 +841,13 @@ static void page_pool_release_retry(struct work_struct *wq)
int inflight;
inflight = page_pool_release(pool);
- if (!inflight)
+ /* In rare cases, a driver bug may cause inflight to go negative.
+ * Don't reschedule release if inflight is 0 or negative.
+ * - If 0, the page_pool has been destroyed
+ * - if negative, we will never recover
+ * in both cases no reschedule is necessary.
+ */
+ if (inflight <= 0)
return;
/* Periodic warning */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 037/291] jfs: Fix uninit-value access of imap allocated in the diMount() function
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 036/291] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 038/291] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
` (262 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhongqiu Han,
syzbot+df6cdcb35904203d2b6d, Dave Kleikamp, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 9629d7d66c621671d9a47afe27ca9336bfc8a9ea ]
syzbot reports that hex_dump_to_buffer is using uninit-value:
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
evict+0x723/0xd10 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput+0x97b/0xdb0 fs/inode.c:1972
txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
kmalloc_noprof include/linux/slab.h:901 [inline]
diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
get_tree_bdev+0x37/0x50 fs/super.c:1659
jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
=====================================================
The reason is that imap is not properly initialized after memory
allocation. It will cause the snprintf() function to write uninitialized
data into linebuf within hex_dump_to_buffer().
Fix this by using kzalloc instead of kmalloc to clear its content at the
beginning in diMount().
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/67b5d07e.050a0220.14d86d.00e6.GAE@google.com/
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index c72e97f065798..309b5f6e977d7 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -102,7 +102,7 @@ int diMount(struct inode *ipimap)
* allocate/initialize the in-memory inode map control structure
*/
/* allocate the in-memory inode map control structure. */
- imap = kmalloc(sizeof(struct inomap), GFP_KERNEL);
+ imap = kzalloc(sizeof(struct inomap), GFP_KERNEL);
if (imap == NULL)
return -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 038/291] fs/jfs: cast inactags to s64 to prevent potential overflow
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 037/291] jfs: Fix uninit-value access of imap allocated in the diMount() function Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 039/291] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
` (261 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Dave Kleikamp,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit 70ca3246ad201b53a9f09380b3f29d8bac320383 ]
The expression "inactags << bmp->db_agl2size" in the function
dbFinalizeBmap() is computed using int operands. Although the
values (inactags and db_agl2size) are derived from filesystem
parameters and are usually small, there is a theoretical risk that
the shift could overflow a 32-bit int if extreme values occur.
According to the C standard, shifting a signed 32-bit int can lead
to undefined behavior if the result exceeds its range. In our
case, an overflow could miscalculate free blocks, potentially
leading to erroneous filesystem accounting.
To ensure the arithmetic is performed in 64-bit space, we cast
"inactags" to s64 before shifting. This defensive fix prevents any
risk of overflow and complies with kernel coding best practices.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 6509102e581a1..3d4c7373a25e0 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3666,8 +3666,8 @@ void dbFinalizeBmap(struct inode *ipbmap)
* system size is not a multiple of the group size).
*/
inactfree = (inactags && ag_rem) ?
- ((inactags - 1) << bmp->db_agl2size) + ag_rem
- : inactags << bmp->db_agl2size;
+ (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
+ : ((s64)inactags << bmp->db_agl2size);
/* determine how many free blocks are in the active
* allocation groups plus the average number of free blocks
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 039/291] fs/jfs: Prevent integer overflow in AG size calculation
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 038/291] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 040/291] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
` (260 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Dave Kleikamp,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit 7fcbf789629cdb9fbf4e2172ce31136cfed11e5e ]
The JFS filesystem calculates allocation group (AG) size using 1 <<
l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
aggregates on 32-bit systems), this 32-bit shift operation causes undefined
behavior and improper AG sizing.
On 32-bit architectures:
- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
- This creates invalid AG sizes (0 or garbage values) in
sbi->bmap->db_agsize
- Subsequent block allocations would reference invalid AG structures
- Could lead to:
- Filesystem corruption during extend operations
- Kernel crashes due to invalid memory accesses
- Security vulnerabilities via malformed on-disk structures
Fix by casting to s64 before shifting:
bmp->db_agsize = (s64)1 << l2agsize;
This ensures 64-bit arithmetic even on 32-bit architectures. The cast
matches the data type of db_agsize (s64) and follows similar patterns in
JFS block calculation code.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 3d4c7373a25e0..11b6be462575c 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3403,7 +3403,7 @@ int dbExtendFS(struct inode *ipbmap, s64 blkno, s64 nblocks)
oldl2agsize = bmp->db_agl2size;
bmp->db_agl2size = l2agsize;
- bmp->db_agsize = 1 << l2agsize;
+ bmp->db_agsize = (s64)1 << l2agsize;
/* compute new number of AG */
agno = bmp->db_numag;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 040/291] jfs: Prevent copying of nlink with value 0 from disk inode
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 039/291] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 041/291] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
` (259 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+355da3b3a74881008e8f,
Edward Adam Davis, Dave Kleikamp, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit b61e69bb1c049cf507e3c654fa3dc1568231bd07 ]
syzbot report a deadlock in diFree. [1]
When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
which does not match the mounted loop device, causing the mapping of the
mounted loop device to be invalidated.
When creating the directory and creating the inode of iag in diReadSpecial(),
read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
metapage data it returns is corrupted, which causes the nlink value of 0 to be
assigned to the iag inode when executing copy_from_dinode(), which ultimately
causes a deadlock when entering diFree().
To avoid this, first check the nlink value of dinode before setting iag inode.
[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&(imap->im_aglock[index]));
lock(&(imap->im_aglock[index]));
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by syz-executor301/5309:
#0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
#2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669
stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
check_deadlock kernel/locking/lockdep.c:3089 [inline]
validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
evict+0x4e8/0x9b0 fs/inode.c:725
diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdirat fs/namei.c:4295 [inline]
__se_sys_mkdirat fs/namei.c:4293 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 309b5f6e977d7..155f66812934a 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -456,7 +456,7 @@ struct inode *diReadSpecial(struct super_block *sb, ino_t inum, int secondary)
dp += inum % 8; /* 8 inodes per 4K page */
/* copy on-disk inode to in-memory inode */
- if ((copy_from_dinode(dp, ip)) != 0) {
+ if ((copy_from_dinode(dp, ip) != 0) || (ip->i_nlink == 0)) {
/* handle bad return by returning NULL for ip */
set_nlink(ip, 1); /* Don't want iput() deleting it */
iput(ip);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 041/291] jfs: add sanity check for agwidth in dbMount
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 040/291] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 042/291] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
` (258 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+7c808908291a569281a9
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ]
The width in dmapctl of the AG is zero, it trigger a divide error when
calculating the control page level in dbAllocAG.
To avoid this issue, add a check for agwidth in dbAllocAG.
Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 11b6be462575c..5e32526174e88 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap)
bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ if (!bmp->db_agwidth) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 042/291] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 041/291] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 043/291] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
` (257 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Pemberton, Damien Le Moal,
Niklas Cassel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit 91ec84f8eaddbc93d7c62e363d68aeb7b89879c7 ]
atapi_eh_request_sense() currently uses ATAPI DMA if the SATA controller
has ATA_FLAG_PIO_DMA (PIO cmds via DMA) set.
However, ATA_FLAG_PIO_DMA is a flag that can be set by a low-level driver
on a port at initialization time, before any devices are scanned.
If a controller detects a connected device that only supports PIO, we set
the flag ATA_DFLAG_PIO.
Modify atapi_eh_request_sense() to not use ATAPI DMA if the connected
device only supports PIO.
Reported-by: Philip Pemberton <lists@philpem.me.uk>
Closes: https://lore.kernel.org/linux-ide/c6722ee8-5e21-4169-af59-cbbae9edc02f@philpem.me.uk/
Tested-by: Philip Pemberton <lists@philpem.me.uk>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250221015422.20687-2-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-eh.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index 3f327ba759fd9..586982a2a61ff 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -1510,8 +1510,15 @@ unsigned int atapi_eh_request_sense(struct ata_device *dev,
tf.flags |= ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
tf.command = ATA_CMD_PACKET;
- /* is it pointless to prefer PIO for "safety reasons"? */
- if (ap->flags & ATA_FLAG_PIO_DMA) {
+ /*
+ * Do not use DMA if the connected device only supports PIO, even if the
+ * port prefers PIO commands via DMA.
+ *
+ * Ideally, we should call atapi_check_dma() to check if it is safe for
+ * the LLD to use DMA for REQUEST_SENSE, but we don't have a qc.
+ * Since we can't check the command, perhaps we should only use pio?
+ */
+ if ((ap->flags & ATA_FLAG_PIO_DMA) && !(dev->flags & ATA_DFLAG_PIO)) {
tf.protocol = ATAPI_PROT_DMA;
tf.feature |= ATAPI_PKT_DMA;
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 043/291] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 042/291] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 044/291] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
` (256 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6653f10281a1badc749e, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit e6494977bd4a83862118a05f57a8df40256951c0 ]
syzbot reports an UBSAN issue as below:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
get_nid fs/f2fs/node.h:381 [inline]
f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
aio_write+0x56b/0x7c0 fs/aio.c:1633
io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
__do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f238798cde9
index 18446744073709550692 (decimal, unsigned long long)
= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
= -924 (decimal, long long)
In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
access .i_nid[-924], it means both offset[0] and level should zero.
The possible case should be in f2fs_do_truncate_blocks(), we try to
truncate inode size to zero, however, dn.ofs_in_node is zero and
dn.node_page is not an inode page, so it fails to truncate inode page,
and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result
in this issue.
if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
f2fs_truncate_data_blocks_range(&dn, count);
free_from += count;
}
I guess the reason why dn.node_page is not an inode page could be: there
are multiple nat entries share the same node block address, once the node
block address was reused, f2fs_get_node_page() may load a non-inode block.
Let's add a sanity check for such condition to avoid out-of-bounds access
issue.
Reported-by: syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/66fdcdf3.050a0220.40bef.0025.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/node.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 745ecf5523c9b..ccc72781e0c61 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1112,7 +1112,14 @@ int f2fs_truncate_inode_blocks(struct inode *inode, pgoff_t from)
trace_f2fs_truncate_inode_blocks_enter(inode, from);
level = get_node_path(inode, from, offset, noffset);
- if (level < 0) {
+ if (level <= 0) {
+ if (!level) {
+ level = -EFSCORRUPTED;
+ f2fs_err(sbi, "%s: inode ino=%lx has corrupted node block, from:%lu addrs:%u",
+ __func__, inode->i_ino,
+ from, ADDRS_PER_INODE(inode));
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
trace_f2fs_truncate_inode_blocks_exit(inode, level);
return level;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 044/291] ahci: add PCI ID for Marvell 88SE9215 SATA Controller
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 043/291] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 045/291] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
` (255 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Kral, Niklas Cassel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Kral <d.kral@proxmox.com>
[ Upstream commit 885251dc35767b1c992f6909532ca366c830814a ]
Add support for Marvell Technology Group Ltd. 88SE9215 SATA 6 Gb/s
controller, which is e.g. used in the DAWICONTROL DC-614e RAID bus
controller and was not automatically recognized before.
Tested with a DAWICONTROL DC-614e RAID bus controller.
Signed-off-by: Daniel Kral <d.kral@proxmox.com>
Link: https://lore.kernel.org/r/20250304092030.37108-1-d.kral@proxmox.com
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 20f53ae4d204e..a4b0a499b67d4 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -592,6 +592,8 @@ static const struct pci_device_id ahci_pci_tbl[] = {
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
.driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9215),
+ .driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9235),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 045/291] ext4: protect ext4_release_dquot against freezing
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 044/291] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 046/291] ext4: ignore xattrs past end Greg Kroah-Hartman
` (254 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Ojaswin Mujoo, Baokun Li,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
[ Upstream commit 530fea29ef82e169cd7fe048c2b7baaeb85a0028 ]
Protect ext4_release_dquot against freezing so that we
don't try to start a transaction when FS is frozen, leading
to warnings.
Further, avoid taking the freeze protection if a transaction
is already running so that we don't need end up in a deadlock
as described in
46e294efc355 ext4: fix deadlock with fs freezing and EA inodes
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241121123855.645335-3-ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 1568baedab077..7f0231b349057 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6810,12 +6810,25 @@ static int ext4_release_dquot(struct dquot *dquot)
{
int ret, err;
handle_t *handle;
+ bool freeze_protected = false;
+
+ /*
+ * Trying to sb_start_intwrite() in a running transaction
+ * can result in a deadlock. Further, running transactions
+ * are already protected from freezing.
+ */
+ if (!ext4_journal_current_handle()) {
+ sb_start_intwrite(dquot->dq_sb);
+ freeze_protected = true;
+ }
handle = ext4_journal_start(dquot_to_inode(dquot), EXT4_HT_QUOTA,
EXT4_QUOTA_DEL_BLOCKS(dquot->dq_sb));
if (IS_ERR(handle)) {
/* Release dquot anyway to avoid endless cycle in dqput() */
dquot_release(dquot);
+ if (freeze_protected)
+ sb_end_intwrite(dquot->dq_sb);
return PTR_ERR(handle);
}
ret = dquot_release(dquot);
@@ -6826,6 +6839,10 @@ static int ext4_release_dquot(struct dquot *dquot)
err = ext4_journal_stop(handle);
if (!ret)
ret = err;
+
+ if (freeze_protected)
+ sb_end_intwrite(dquot->dq_sb);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 046/291] ext4: ignore xattrs past end
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 045/291] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 047/291] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
` (253 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b244bda78289b00204ed,
Thadeu Lima de Souza Cascardo, Bhupesh, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bhupesh <bhupesh@igalia.com>
[ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]
Once inside 'ext4_xattr_inode_dec_ref_all' we should
ignore xattrs entries past the 'end' entry.
This fixes the following KASAN reported issue:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065
CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x1fd/0x300
? tcp_gro_dev_warn+0x260/0x260
? _printk+0xc0/0x100
? read_lock_is_recursive+0x10/0x10
? irq_work_queue+0x72/0xf0
? __virt_addr_valid+0x17b/0x4b0
print_address_description+0x78/0x390
print_report+0x107/0x1f0
? __virt_addr_valid+0x17b/0x4b0
? __virt_addr_valid+0x3ff/0x4b0
? __phys_addr+0xb5/0x160
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
kasan_report+0xcc/0x100
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
? ext4_xattr_delete_inode+0xd30/0xd30
? __ext4_journal_ensure_credits+0x5f0/0x5f0
? __ext4_journal_ensure_credits+0x2b/0x5f0
? inode_update_timestamps+0x410/0x410
ext4_xattr_delete_inode+0xb64/0xd30
? ext4_truncate+0xb70/0xdc0
? ext4_expand_extra_isize_ea+0x1d20/0x1d20
? __ext4_mark_inode_dirty+0x670/0x670
? ext4_journal_check_start+0x16f/0x240
? ext4_inode_is_fast_symlink+0x2f2/0x3a0
ext4_evict_inode+0xc8c/0xff0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
? do_raw_spin_unlock+0x53/0x8a0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
evict+0x4ac/0x950
? proc_nr_inodes+0x310/0x310
? trace_ext4_drop_inode+0xa2/0x220
? _raw_spin_unlock+0x1a/0x30
? iput+0x4cb/0x7e0
do_unlinkat+0x495/0x7c0
? try_break_deleg+0x120/0x120
? 0xffffffff81000000
? __check_object_size+0x15a/0x210
? strncpy_from_user+0x13e/0x250
? getname_flags+0x1dc/0x530
__x64_sys_unlinkat+0xc8/0xf0
do_syscall_64+0x65/0x110
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
</TASK>
The buggy address belongs to the object at ffff888012c12000
which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
freed 360-byte region [ffff888012c12000, ffff888012c12168)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Bhupesh <bhupesh@igalia.com>
Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 5598aec757752..95dbc7c9843b8 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1127,15 +1127,24 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
{
struct inode *ea_inode;
struct ext4_xattr_entry *entry;
+ struct ext4_iloc iloc;
bool dirty = false;
unsigned int ea_ino;
int err;
int credits;
+ void *end;
+
+ if (block_csum)
+ end = (void *)bh->b_data + bh->b_size;
+ else {
+ ext4_get_inode_loc(parent, &iloc);
+ end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
+ }
/* One credit for dec ref on ea_inode, one for orphan list addition, */
credits = 2 + extra_credits;
- for (entry = first; !IS_LAST_ENTRY(entry);
+ for (entry = first; (void *)entry < end && !IS_LAST_ENTRY(entry);
entry = EXT4_XATTR_NEXT(entry)) {
if (!entry->e_value_inum)
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 047/291] scsi: st: Fix array overflow in st_setup()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 046/291] ext4: ignore xattrs past end Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 048/291] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
` (252 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Kai Mäkisara,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
[ Upstream commit a018d1cf990d0c339fe0e29b762ea5dc10567d67 ]
Change the array size to follow parms size instead of a fixed value.
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Closes: https://lore.kernel.org/linux-scsi/CALGdzuoubbra4xKOJcsyThdk5Y1BrAmZs==wbqjbkAgmKS39Aw@mail.gmail.com/
Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
Link: https://lore.kernel.org/r/20250311112516.5548-2-Kai.Makisara@kolumbus.fi
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/st.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index b3caa3b9722d1..7f107be344236 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -4112,7 +4112,7 @@ static void validate_options(void)
*/
static int __init st_setup(char *str)
{
- int i, len, ints[5];
+ int i, len, ints[ARRAY_SIZE(parms) + 1];
char *stp;
stp = get_options(str, ARRAY_SIZE(ints), ints);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 048/291] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 047/291] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 049/291] net: vlan: dont propagate flags on open Greg Kroah-Hartman
` (251 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Felix Fietkau,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit 06cccc2ebbe6c8a20f714f3a0ff3ff489d3004bb ]
The TP-Link TL-WDN6200 "Driverless" version cards use a MT7612U chipset.
Add the USB ID to mt76x2u driver.
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Link: https://patch.msgid.link/20250317102235.1421726-1-uwu@icenowy.me
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
index 55068f3252ef3..d804309992196 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
@@ -21,6 +21,7 @@ static const struct usb_device_id mt76x2u_device_table[] = {
{ USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
{ USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
{ USB_DEVICE(0x045e, 0x02fe) }, /* XBox One Wireless Adapter */
+ { USB_DEVICE(0x2357, 0x0137) }, /* TP-Link TL-WDN6200 */
{ },
};
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 049/291] net: vlan: dont propagate flags on open
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 048/291] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 050/291] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
` (250 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b0c03d76056ef6cd12a6,
Stanislav Fomichev, Simon Horman, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fomichev <sdf@fomichev.me>
[ Upstream commit 27b918007d96402aba10ed52a6af8015230f1793 ]
With the device instance lock, there is now a possibility of a deadlock:
[ 1.211455] ============================================
[ 1.211571] WARNING: possible recursive locking detected
[ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted
[ 1.211823] --------------------------------------------
[ 1.211936] ip/184 is trying to acquire lock:
[ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0
[ 1.212207]
[ 1.212207] but task is already holding lock:
[ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.212487]
[ 1.212487] other info that might help us debug this:
[ 1.212626] Possible unsafe locking scenario:
[ 1.212626]
[ 1.212751] CPU0
[ 1.212815] ----
[ 1.212871] lock(&dev->lock);
[ 1.212944] lock(&dev->lock);
[ 1.213016]
[ 1.213016] *** DEADLOCK ***
[ 1.213016]
[ 1.213143] May be due to missing lock nesting notation
[ 1.213143]
[ 1.213294] 3 locks held by ip/184:
[ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0
[ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0
[ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.213895]
[ 1.213895] stack backtrace:
[ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5
[ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[ 1.213994] Call Trace:
[ 1.213995] <TASK>
[ 1.213996] dump_stack_lvl+0x8e/0xd0
[ 1.214000] print_deadlock_bug+0x28b/0x2a0
[ 1.214020] lock_acquire+0xea/0x2a0
[ 1.214027] __mutex_lock+0xbf/0xd40
[ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI
[ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev
[ 1.214042] __dev_open+0x145/0x270
[ 1.214046] __dev_change_flags+0xb0/0x1e0
[ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev
[ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info
[ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0
[ 1.214058] notifier_call_chain+0x78/0x120
[ 1.214062] netif_open+0x6d/0x90
[ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0
[ 1.214066] bond_enslave+0x64c/0x1230
[ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0
[ 1.214077] do_setlink+0x516/0x13b0
[ 1.214094] rtnl_newlink+0xaba/0xb80
[ 1.214132] rtnetlink_rcv_msg+0x440/0x490
[ 1.214144] netlink_rcv_skb+0xeb/0x120
[ 1.214150] netlink_unicast+0x1f9/0x320
[ 1.214153] netlink_sendmsg+0x346/0x3f0
[ 1.214157] __sock_sendmsg+0x86/0xb0
[ 1.214160] ____sys_sendmsg+0x1c8/0x220
[ 1.214164] ___sys_sendmsg+0x28f/0x2d0
[ 1.214179] __x64_sys_sendmsg+0xef/0x140
[ 1.214184] do_syscall_64+0xec/0x1d0
[ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1.214191] RIP: 0033:0x7f2d1b4a7e56
Device setup:
netdevsim0 (down)
^ ^
bond netdevsim1.100@netdevsim1 allmulticast=on (down)
When we enslave the lower device (netdevsim0) which has a vlan, we
propagate vlan's allmuti/promisc flags during ndo_open. This causes
(re)locking on of the real_dev.
Propagate allmulti/promisc on flags change, not on the open. There
is a slight semantics change that vlans that are down now propagate
the flags, but this seems unlikely to result in the real issues.
Reproducer:
echo 0 1 > /sys/bus/netdevsim/new_device
dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)
dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)
ip link set dev $dev name netdevsim0
ip link set dev netdevsim0 up
ip link add link netdevsim0 name netdevsim0.100 type vlan id 100
ip link set dev netdevsim0.100 allmulticast on down
ip link add name bond1 type bond mode 802.3ad
ip link set dev netdevsim0 down
ip link set dev netdevsim0 master bond1
ip link set dev bond1 up
ip link show
Reported-by: syzbot+b0c03d76056ef6cd12a6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/Z9CfXjLMKn6VLG5d@mini-arch/T/#m15ba130f53227c883e79fb969687d69d670337a0
Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250313100657.2287455-1-sdf@fomichev.me
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/8021q/vlan_dev.c | 31 ++++---------------------------
1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index d3e511e1eba8a..c08228d488346 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -272,17 +272,6 @@ static int vlan_dev_open(struct net_device *dev)
goto out;
}
- if (dev->flags & IFF_ALLMULTI) {
- err = dev_set_allmulti(real_dev, 1);
- if (err < 0)
- goto del_unicast;
- }
- if (dev->flags & IFF_PROMISC) {
- err = dev_set_promiscuity(real_dev, 1);
- if (err < 0)
- goto clear_allmulti;
- }
-
ether_addr_copy(vlan->real_dev_addr, real_dev->dev_addr);
if (vlan->flags & VLAN_FLAG_GVRP)
@@ -296,12 +285,6 @@ static int vlan_dev_open(struct net_device *dev)
netif_carrier_on(dev);
return 0;
-clear_allmulti:
- if (dev->flags & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, -1);
-del_unicast:
- if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
- dev_uc_del(real_dev, dev->dev_addr);
out:
netif_carrier_off(dev);
return err;
@@ -314,10 +297,6 @@ static int vlan_dev_stop(struct net_device *dev)
dev_mc_unsync(real_dev, dev);
dev_uc_unsync(real_dev, dev);
- if (dev->flags & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, -1);
- if (dev->flags & IFF_PROMISC)
- dev_set_promiscuity(real_dev, -1);
if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
dev_uc_del(real_dev, dev->dev_addr);
@@ -474,12 +453,10 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
{
struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
- if (dev->flags & IFF_UP) {
- if (change & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
- if (change & IFF_PROMISC)
- dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
- }
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+ if (change & IFF_PROMISC)
+ dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
}
static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 050/291] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 049/291] net: vlan: dont propagate flags on open Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 051/291] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
` (249 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriele Paoloni,
Steven Rostedt (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriele Paoloni <gpaoloni@redhat.com>
[ Upstream commit 0c588ac0ca6c22b774d9ad4a6594681fdfa57d9d ]
When __ftrace_event_enable_disable invokes the class callback to
unregister the event, the return value is not reported up to the
caller, hence leading to event unregister failures being silently
ignored.
This patch assigns the ret variable to the invocation of the
event unregister callback, so that its return value is stored
and reported to the caller, and it raises a warning in case
of error.
Link: https://lore.kernel.org/20250321170821.101403-1-gpaoloni@redhat.com
Signed-off-by: Gabriele Paoloni <gpaoloni@redhat.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 94bb5f9251b13..ed0d0c8a2b4bb 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -776,7 +776,9 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
}
- call->class->reg(call, TRACE_REG_UNREGISTER, file);
+ ret = call->class->reg(call, TRACE_REG_UNREGISTER, file);
+
+ WARN_ON_ONCE(ret);
}
/* If in SOFT_MODE, just set the SOFT_DISABLE_BIT, else clear it */
if (file->flags & EVENT_FILE_FL_SOFT_MODE)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 051/291] Bluetooth: hci_uart: fix race during initialization
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 050/291] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 052/291] Bluetooth: qca: simplify WCN399x NVM loading Greg Kroah-Hartman
` (248 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
[ Upstream commit 366ceff495f902182d42b6f41525c2474caf3f9a ]
'hci_register_dev()' calls power up function, which is executed by
kworker - 'hci_power_on()'. This function does access to bluetooth chip
using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'.
Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and
if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after
'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will
be executed before setting this bit. In that case HCI init logic fails.
Patch moves setting of 'HCI_UART_PROTO_READY' before calling function
'hci_uart_register_dev()'.
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ldisc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index c1feebd9e3a03..5dc2f38c7b9a7 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -709,12 +709,13 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
hu->proto = p;
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+
err = hci_uart_register_dev(hu);
if (err) {
return err;
}
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 052/291] Bluetooth: qca: simplify WCN399x NVM loading
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 051/291] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 053/291] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
` (247 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 1cc41b5092e3aa511454ec882c525af311bee631 ]
The WCN399x code has two separate cases for loading the NVM data. In
preparation to adding support for WCN3950, which also requires similar
quirk, split the "variant" to be specified explicitly and merge two
snprintfs into a single one.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index 892e2540f008a..5651f40db1736 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -807,6 +807,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
const char *firmware_name)
{
struct qca_fw_config config = {};
+ const char *variant = "";
int err;
u8 rom_ver = 0;
u32 soc_ver;
@@ -901,13 +902,11 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
case QCA_WCN3990:
case QCA_WCN3991:
case QCA_WCN3998:
- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/crnv%02xu.bin", rom_ver);
- } else {
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/crnv%02x.bin", rom_ver);
- }
+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID)
+ variant = "u";
+
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crnv%02x%s.bin", rom_ver, variant);
break;
case QCA_WCN3988:
snprintf(config.fwname, sizeof(config.fwname),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 053/291] drm: allow encoder mode_set even when connectors change for crtc
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 052/291] Bluetooth: qca: simplify WCN399x NVM loading Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 054/291] drm/amd/display: Update Cursor request mode to the beginning prefetch always Greg Kroah-Hartman
` (246 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Jessica Zhang,
Maxime Ripard, Dmitry Baryshkov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ]
In certain use-cases, a CRTC could switch between two encoders
and because the mode being programmed on the CRTC remains
the same during this switch, the CRTC's mode_changed remains false.
In such cases, the encoder's mode_set also gets skipped.
Skipping mode_set on the encoder for such cases could cause an issue
because even though the same CRTC mode was being used, the encoder
type could have changed like the CRTC could have switched from a
real time encoder to a writeback encoder OR vice-versa.
Allow encoder's mode_set to happen even when connectors changed on a
CRTC and not just when the mode changed.
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix-v3-1-0de4bf3e7c32@quicinc.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index b097bff1cd18e..66d223c2d9ab9 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1389,7 +1389,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state)
mode = &new_crtc_state->mode;
adjusted_mode = &new_crtc_state->adjusted_mode;
- if (!new_crtc_state->mode_changed)
+ if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed)
continue;
drm_dbg_atomic(dev, "modeset on [ENCODER:%d:%s]\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 054/291] drm/amd/display: Update Cursor request mode to the beginning prefetch always
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 053/291] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 055/291] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
` (245 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Zhikai Zhai,
Zaeem Mohamed, Daniel Wheeler, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhikai Zhai <zhikai.zhai@amd.com>
[ Upstream commit 4a4077b4b63a8404efd6d37fc2926f03fb25bace ]
[Why]
The double buffer cursor registers is updated by the cursor
vupdate event. There is a gap between vupdate and cursor data
fetch if cursor fetch data reletive to cursor position.
Cursor corruption will happen if we update the cursor surface
in this gap.
[How]
Modify the cursor request mode to the beginning prefetch always
and avoid wraparound calculation issues.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Zhikai Zhai <zhikai.zhai@amd.com>
Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 ++++++++-----------
.../gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 +-
2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
index 416168c7dcc52..b120aa67d26c1 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
@@ -1947,20 +1947,11 @@ static void delay_cursor_until_vupdate(struct dc *dc, struct pipe_ctx *pipe_ctx)
dc->hwss.get_position(&pipe_ctx, 1, &position);
vpos = position.vertical_count;
- /* Avoid wraparound calculation issues */
- vupdate_start += stream->timing.v_total;
- vupdate_end += stream->timing.v_total;
- vpos += stream->timing.v_total;
-
if (vpos <= vupdate_start) {
/* VPOS is in VACTIVE or back porch. */
lines_to_vupdate = vupdate_start - vpos;
- } else if (vpos > vupdate_end) {
- /* VPOS is in the front porch. */
- return;
} else {
- /* VPOS is in VUPDATE. */
- lines_to_vupdate = 0;
+ lines_to_vupdate = stream->timing.v_total - vpos + vupdate_start;
}
/* Calculate time until VUPDATE in microseconds. */
@@ -1968,13 +1959,18 @@ static void delay_cursor_until_vupdate(struct dc *dc, struct pipe_ctx *pipe_ctx)
stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz;
us_to_vupdate = lines_to_vupdate * us_per_line;
+ /* Stall out until the cursor update completes. */
+ if (vupdate_end < vupdate_start)
+ vupdate_end += stream->timing.v_total;
+
+ /* Position is in the range of vupdate start and end*/
+ if (lines_to_vupdate > stream->timing.v_total - vupdate_end + vupdate_start)
+ us_to_vupdate = 0;
+
/* 70 us is a conservative estimate of cursor update time*/
if (us_to_vupdate > 70)
return;
- /* Stall out until the cursor update completes. */
- if (vupdate_end < vupdate_start)
- vupdate_end += stream->timing.v_total;
us_vupdate = (vupdate_end - vupdate_start + 1) * us_per_line;
udelay(us_to_vupdate + us_vupdate);
}
diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c
index 39a57bcd78667..576acf2ce10dd 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c
@@ -44,7 +44,7 @@ void hubp31_set_unbounded_requesting(struct hubp *hubp, bool enable)
struct dcn20_hubp *hubp2 = TO_DCN20_HUBP(hubp);
REG_UPDATE(DCHUBP_CNTL, HUBP_UNBOUNDED_REQ_MODE, enable);
- REG_UPDATE(CURSOR_CONTROL, CURSOR_REQ_MODE, enable);
+ REG_UPDATE(CURSOR_CONTROL, CURSOR_REQ_MODE, 1);
}
void hubp31_soft_reset(struct hubp *hubp, bool reset)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 055/291] drm: panel-orientation-quirks: Add support for AYANEO 2S
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 054/291] drm/amd/display: Update Cursor request mode to the beginning prefetch always Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 056/291] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Greg Kroah-Hartman
` (244 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Thomas Zimmermann, Hans de Goede, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit eb8f1e3e8ee10cff591d4a47437dfd34d850d454 ]
AYANEO 2S uses the same panel and orientation as the AYANEO 2.
Update the AYANEO 2 DMI match to also match AYANEO 2S.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: John Edwards <uejji@uejji.net>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-2-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index c00f6f16244c0..7bf096ddeb06d 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -184,10 +184,10 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"),
},
.driver_data = (void *)&lcd800x1280_rightside_up,
- }, { /* AYA NEO AYANEO 2 */
+ }, { /* AYA NEO AYANEO 2/2S */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
},
.driver_data = (void *)&lcd1200x1920_rightside_up,
}, { /* AYA NEO 2021 */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 056/291] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 055/291] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 057/291] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Greg Kroah-Hartman
` (243 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Paco Avelar, Thomas Zimmermann, Hans de Goede, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit 529741c331da1fbf54f86c6ec3a4558b9b0b16dc ]
The AYA NEO Flip DS and KB both use a 1080x1920 portrait LCD panel. The
Flip DS additionally uses a 640x960 portrait LCD panel as a second display.
Add DMI matches to correctly rotate these panels.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Co-developed-by: John Edwards <uejji@uejji.net>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: Paco Avelar <pacoavelar@hotmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-3-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 7bf096ddeb06d..d9ed6214cf28b 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -93,6 +93,12 @@ static const struct drm_dmi_panel_orientation_data onegx1_pro = {
.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
};
+static const struct drm_dmi_panel_orientation_data lcd640x960_leftside_up = {
+ .width = 640,
+ .height = 960,
+ .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP,
+};
+
static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = {
.width = 720,
.height = 1280,
@@ -202,6 +208,18 @@ static const struct dmi_system_id orientation_data[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "AIR"),
},
.driver_data = (void *)&lcd1080x1920_leftside_up,
+ }, { /* AYA NEO Flip DS Bottom Screen */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "FLIP DS"),
+ },
+ .driver_data = (void *)&lcd640x960_leftside_up,
+ }, { /* AYA NEO Flip KB/DS Top Screen */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "FLIP"),
+ },
+ .driver_data = (void *)&lcd1080x1920_leftside_up,
}, { /* AYA NEO Founder */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYA NEO"),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 057/291] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 056/291] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 058/291] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
` (242 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Thomas Zimmermann, Hans de Goede, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit 132c89ef8872e602cfb909377815111d121fe8d7 ]
The AYANEO Slide uses a 1080x1920 portrait LCD panel. This is the same
panel used on the AYANEO Air Plus, but the DMI data is too different to
match both with one entry.
Add a DMI match to correctly rotate the panel on the AYANEO Slide.
This also covers the Antec Core HS, which is a rebranded AYANEO Slide with
the exact same hardware and DMI strings.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: John Edwards <uejji@uejji.net>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-4-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index d9ed6214cf28b..702246ee7ced2 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -244,6 +244,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_MATCH(DMI_BOARD_NAME, "KUN"),
},
.driver_data = (void *)&lcd1600x2560_rightside_up,
+ }, { /* AYA NEO SLIDE */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "SLIDE"),
+ },
+ .driver_data = (void *)&lcd1080x1920_leftside_up,
}, { /* AYN Loki Max */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ayn"),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 058/291] drm: panel-orientation-quirks: Add new quirk for GPD Win 2
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 057/291] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 059/291] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Greg Kroah-Hartman
` (241 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Paco Avelar, Thomas Zimmermann, Hans de Goede, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit a860eb9c6ba6cdbf32e3e01a606556e5a90a2931 ]
Some GPD Win 2 units shipped with the correct DMI strings.
Add a DMI match to correctly rotate the panel on these units.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: Paco Avelar <pacoavelar@hotmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-5-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 702246ee7ced2..12d547f093bd2 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -339,6 +339,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
},
.driver_data = (void *)&gpd_win2,
+ }, { /* GPD Win 2 (correct DMI strings) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WIN2")
+ },
+ .driver_data = (void *)&lcd720x1280_rightside_up,
}, { /* GPD Win 3 */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 059/291] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel)
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 058/291] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 060/291] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
` (240 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
João Pedro Kurtz, Thomas Zimmermann, Hans de Goede,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit b24dcc183583fc360ae0f0899e286a68f46abbd0 ]
The Intel model of the OneXPlayer Mini uses a 1200x1920 portrait LCD panel.
The DMI strings are the same as the OneXPlayer, which already has a DMI
quirk, but the panel is different.
Add a DMI match to correctly rotate this panel.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Co-developed-by: John Edwards <uejji@uejji.net>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: João Pedro Kurtz <joexkurtz@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-6-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 12d547f093bd2..036b095c98882 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -129,6 +129,12 @@ static const struct drm_dmi_panel_orientation_data lcd1080x1920_rightside_up = {
.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
};
+static const struct drm_dmi_panel_orientation_data lcd1200x1920_leftside_up = {
+ .width = 1200,
+ .height = 1920,
+ .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP,
+};
+
static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = {
.width = 1200,
.height = 1920,
@@ -473,6 +479,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "ONE XPLAYER"),
},
.driver_data = (void *)&lcd1600x2560_leftside_up,
+ }, { /* OneXPlayer Mini (Intel) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ONE-NETBOOK TECHNOLOGY CO., LTD."),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "ONE XPLAYER"),
+ },
+ .driver_data = (void *)&lcd1200x1920_leftside_up,
}, { /* OrangePi Neo */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "OrangePi"),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 060/291] drm/bridge: panel: forbid initializing a panel with unknown connector type
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 059/291] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 061/291] drivers: base: devres: Allow to release group on device release Greg Kroah-Hartman
` (239 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Luca Ceresoli,
Robert Foss, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit b296955b3a740ecc8b3b08e34fd64f1ceabb8fb4 ]
Having an DRM_MODE_CONNECTOR_Unknown connector type is considered bad, and
drm_panel_bridge_add_typed() and derivatives are deprecated for this.
drm_panel_init() won't prevent initializing a panel with a
DRM_MODE_CONNECTOR_Unknown connector type. Luckily there are no in-tree
users doing it, so take this as an opportinuty to document a valid
connector type must be passed.
Returning an error if this rule is violated is not possible because
drm_panel_init() is a void function. Add at least a warning to make any
violations noticeable, especially to non-upstream drivers.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20250214-drm-assorted-cleanups-v7-5-88ca5827d7af@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
index 7fd3de89ed079..acd29b4f43f84 100644
--- a/drivers/gpu/drm/drm_panel.c
+++ b/drivers/gpu/drm/drm_panel.c
@@ -49,7 +49,7 @@ static LIST_HEAD(panel_list);
* @dev: parent device of the panel
* @funcs: panel operations
* @connector_type: the connector type (DRM_MODE_CONNECTOR_*) corresponding to
- * the panel interface
+ * the panel interface (must NOT be DRM_MODE_CONNECTOR_Unknown)
*
* Initialize the panel structure for subsequent registration with
* drm_panel_add().
@@ -57,6 +57,9 @@ static LIST_HEAD(panel_list);
void drm_panel_init(struct drm_panel *panel, struct device *dev,
const struct drm_panel_funcs *funcs, int connector_type)
{
+ if (connector_type == DRM_MODE_CONNECTOR_Unknown)
+ DRM_WARN("%s: %s: a valid connector type is required!\n", __func__, dev_name(dev));
+
INIT_LIST_HEAD(&panel->list);
panel->dev = dev;
panel->funcs = funcs;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 061/291] drivers: base: devres: Allow to release group on device release
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 060/291] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 062/291] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
` (238 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Vivi, Lucas De Marchi,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucas De Marchi <lucas.demarchi@intel.com>
[ Upstream commit 8e1ddfada4530939a8cb64ee9251aef780474274 ]
When releasing a device, if the release action causes a group to be
released, a warning is emitted because it can't find the group. This
happens because devres_release_all() moves the entire list to a todo
list and also move the group markers. Considering r* normal resource
nodes and g1 a group resource node:
g1 -----------.
v v
r1 -> r2 -> g1[0] -> r3-> g[1] -> r4
After devres_release_all(), dev->devres_head becomes empty and the todo
list it iterates on becomes:
g1
v
r1 -> r2 -> r3-> r4 -> g1[0]
When a call to component_del() is made and takes down the aggregate
device, a warning like this happen:
RIP: 0010:devres_release_group+0x362/0x530
...
Call Trace:
<TASK>
component_unbind+0x156/0x380
component_unbind_all+0x1d0/0x270
mei_component_master_unbind+0x28/0x80 [mei_hdcp]
take_down_aggregate_device+0xc1/0x160
component_del+0x1c6/0x3e0
intel_hdcp_component_fini+0xf1/0x170 [xe]
xe_display_fini+0x1e/0x40 [xe]
Because the devres group corresponding to the hdcp component cannot be
found. Just ignore this corner case: if the dev->devres_head is empty
and the caller is trying to remove a group, it's likely in the process
of device cleanup so just ignore it instead of warning.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250222001051.3012936-2-lucas.demarchi@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/devres.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 35d1e2864696f..9d0ea5c14bc50 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -684,6 +684,13 @@ int devres_release_group(struct device *dev, void *id)
spin_unlock_irqrestore(&dev->devres_lock, flags);
release_nodes(dev, &todo);
+ } else if (list_empty(&dev->devres_head)) {
+ /*
+ * dev is probably dying via devres_release_all(): groups
+ * have already been removed and are on the process of
+ * being released - don't touch and don't warn.
+ */
+ spin_unlock_irqrestore(&dev->devres_lock, flags);
} else {
WARN_ON(1);
spin_unlock_irqrestore(&dev->devres_lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 062/291] drm/amdkfd: clamp queue size to minimum
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 061/291] drivers: base: devres: Allow to release group on device release Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 063/291] drm/amdkfd: Fix mode1 reset crash issue Greg Kroah-Hartman
` (237 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Yat Sin, Jay Cornwall,
Harish Kasiviswanathan, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yat Sin <David.YatSin@amd.com>
[ Upstream commit e90711946b53590371ecce32e8fcc381a99d6333 ]
If queue size is less than minimum, clamp it to minimum to prevent
underflow when writing queue mqd.
Signed-off-by: David Yat Sin <David.YatSin@amd.com>
Reviewed-by: Jay Cornwall <jay.cornwall@amd.com>
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++++++++++
include/uapi/linux/kfd_ioctl.h | 2 ++
2 files changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index f83574107eb85..773913a7d6e90 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -208,6 +208,11 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
return -EINVAL;
}
+ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
+ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
+ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
+ }
+
if (!access_ok((const void __user *) args->read_pointer_address,
sizeof(uint32_t))) {
pr_err("Can't access read pointer\n");
@@ -464,6 +469,11 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
return -EINVAL;
}
+ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
+ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
+ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
+ }
+
properties.queue_address = args->ring_base_address;
properties.queue_size = args->ring_size;
properties.queue_percent = args->queue_percentage;
diff --git a/include/uapi/linux/kfd_ioctl.h b/include/uapi/linux/kfd_ioctl.h
index 42b60198b6c5f..deed930ed3051 100644
--- a/include/uapi/linux/kfd_ioctl.h
+++ b/include/uapi/linux/kfd_ioctl.h
@@ -55,6 +55,8 @@ struct kfd_ioctl_get_version_args {
#define KFD_MAX_QUEUE_PERCENTAGE 100
#define KFD_MAX_QUEUE_PRIORITY 15
+#define KFD_MIN_QUEUE_RING_SIZE 1024
+
struct kfd_ioctl_create_queue_args {
__u64 ring_base_address; /* to KFD */
__u64 write_pointer_address; /* from KFD */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 063/291] drm/amdkfd: Fix mode1 reset crash issue
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 062/291] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 064/291] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
` (236 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Lijo Lazar,
Felix Kuehling, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit f0b4440cdc1807bb6ec3dce0d6de81170803569b ]
If HW scheduler hangs and mode1 reset is used to recover GPU, KFD signal
user space to abort the processes. After process abort exit, user queues
still use the GPU to access system memory before h/w is reset while KFD
cleanup worker free system memory and free VRAM.
There is use-after-free race bug that KFD allocate and reuse the freed
system memory, and user queue write to the same system memory to corrupt
the data structure and cause driver crash.
To fix this race, KFD cleanup worker terminate user queues, then flush
reset_domain wq to wait for any GPU ongoing reset complete, and then
free outstanding BOs.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
index 99e2aef52ef26..bc01c5173ab9a 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
@@ -36,6 +36,7 @@
#include <linux/pm_runtime.h>
#include "amdgpu_amdkfd.h"
#include "amdgpu.h"
+#include "amdgpu_reset.h"
struct mm_struct;
@@ -1114,6 +1115,17 @@ static void kfd_process_remove_sysfs(struct kfd_process *p)
p->kobj = NULL;
}
+/*
+ * If any GPU is ongoing reset, wait for reset complete.
+ */
+static void kfd_process_wait_gpu_reset_complete(struct kfd_process *p)
+{
+ int i;
+
+ for (i = 0; i < p->n_pdds; i++)
+ flush_workqueue(p->pdds[i]->dev->adev->reset_domain->wq);
+}
+
/* No process locking is needed in this function, because the process
* is not findable any more. We must assume that no other thread is
* using it any more, otherwise we couldn't safely free the process
@@ -1127,6 +1139,11 @@ static void kfd_process_wq_release(struct work_struct *work)
kfd_process_dequeue_from_all_devices(p);
pqm_uninit(&p->pqm);
+ /*
+ * If GPU in reset, user queues may still running, wait for reset complete.
+ */
+ kfd_process_wait_gpu_reset_complete(p);
+
/* Signal the eviction fence after user mode queues are
* destroyed. This allows any BOs to be freed without
* triggering pointless evictions or waiting for fences.
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 064/291] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 063/291] drm/amdkfd: Fix mode1 reset crash issue Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 065/291] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Greg Kroah-Hartman
` (235 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 7919b4cad5545ed93778f11881ceee72e4dbed66 ]
If GPU in reset, destroy_queue return -EIO, pqm_destroy_queue should
delete the queue from process_queue_list and free the resource.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 1918a3c06ac86..a15bf1e382767 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -429,7 +429,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
pr_err("Pasid 0x%x destroy queue %d failed, ret %d\n",
pqm->process->pasid,
pqn->q->properties.queue_id, retval);
- if (retval != -ETIME)
+ if (retval != -ETIME && retval != -EIO)
goto err_destroy_queue;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 065/291] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 064/291] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 066/291] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
` (234 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit c90876a695dd83e76680b88b40067275a5982811 ]
In preparation for adding support for MT8195's HDMI reserved DPI
instance, move the input_2p_en bit for DP_INTF to platform data.
While at it, remove the input_2pixel member from platform data as
having this bit implies that the 2pixel feature must be enabled.
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-7-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dpi.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
index 1f5d39a4077cd..cab4b3451187d 100644
--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
@@ -125,14 +125,14 @@ struct mtk_dpi_yc_limit {
* @is_ck_de_pol: Support CK/DE polarity.
* @swap_input_support: Support input swap function.
* @support_direct_pin: IP supports direct connection to dpi panels.
- * @input_2pixel: Input pixel of dp_intf is 2 pixel per round, so enable this
- * config to enable this feature.
* @dimension_mask: Mask used for HWIDTH, HPORCH, VSYNC_WIDTH and VSYNC_PORCH
* (no shift).
* @hvsize_mask: Mask of HSIZE and VSIZE mask (no shift).
* @channel_swap_shift: Shift value of channel swap.
* @yuv422_en_bit: Enable bit of yuv422.
* @csc_enable_bit: Enable bit of CSC.
+ * @input_2p_en_bit: Enable bit for input two pixel per round feature.
+ * If present, implies that the feature must be enabled.
* @pixels_per_iter: Quantity of transferred pixels per iteration.
*/
struct mtk_dpi_conf {
@@ -145,12 +145,12 @@ struct mtk_dpi_conf {
bool is_ck_de_pol;
bool swap_input_support;
bool support_direct_pin;
- bool input_2pixel;
u32 dimension_mask;
u32 hvsize_mask;
u32 channel_swap_shift;
u32 yuv422_en_bit;
u32 csc_enable_bit;
+ u32 input_2p_en_bit;
u32 pixels_per_iter;
};
@@ -602,9 +602,9 @@ static int mtk_dpi_set_display_mode(struct mtk_dpi *dpi,
mtk_dpi_dual_edge(dpi);
mtk_dpi_config_disable_edge(dpi);
}
- if (dpi->conf->input_2pixel) {
- mtk_dpi_mask(dpi, DPI_CON, DPINTF_INPUT_2P_EN,
- DPINTF_INPUT_2P_EN);
+ if (dpi->conf->input_2p_en_bit) {
+ mtk_dpi_mask(dpi, DPI_CON, dpi->conf->input_2p_en_bit,
+ dpi->conf->input_2p_en_bit);
}
mtk_dpi_sw_reset(dpi, false);
@@ -952,12 +952,12 @@ static const struct mtk_dpi_conf mt8195_dpintf_conf = {
.output_fmts = mt8195_output_fmts,
.num_output_fmts = ARRAY_SIZE(mt8195_output_fmts),
.pixels_per_iter = 4,
- .input_2pixel = true,
.dimension_mask = DPINTF_HPW_MASK,
.hvsize_mask = DPINTF_HSIZE_MASK,
.channel_swap_shift = DPINTF_CH_SWAP,
.yuv422_en_bit = DPINTF_YUV422_EN,
.csc_enable_bit = DPINTF_CSC_ENABLE,
+ .input_2p_en_bit = DPINTF_INPUT_2P_EN,
};
static int mtk_dpi_probe(struct platform_device *pdev)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 066/291] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 065/291] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 067/291] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Greg Kroah-Hartman
` (233 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 473c33f5ce651365468503c76f33158aaa1c7dd2 ]
In preparation for adding support for MT8195's HDMI reserved
DPI, add calls to clk_prepare_enable() / clk_disable_unprepare()
for the TVD clock: in this particular case, the aforementioned
clock is not (and cannot be) parented to neither pixel or engine
clocks hence it won't get enabled automatically by the clock
framework.
Please note that on all of the currently supported MediaTek
platforms, the TVD clock is always a parent of either pixel or
engine clocks, and this means that the common clock framework
is already enabling this clock before the children.
On such platforms, this commit will only increase the refcount
of the TVD clock without any functional change.
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-10-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dpi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
index cab4b3451187d..1fa958e8c40a1 100644
--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
@@ -463,6 +463,7 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
mtk_dpi_disable(dpi);
clk_disable_unprepare(dpi->pixel_clk);
+ clk_disable_unprepare(dpi->tvd_clk);
clk_disable_unprepare(dpi->engine_clk);
}
@@ -479,6 +480,12 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
goto err_refcount;
}
+ ret = clk_prepare_enable(dpi->tvd_clk);
+ if (ret) {
+ dev_err(dpi->dev, "Failed to enable tvd pll: %d\n", ret);
+ goto err_engine;
+ }
+
ret = clk_prepare_enable(dpi->pixel_clk);
if (ret) {
dev_err(dpi->dev, "Failed to enable pixel clock: %d\n", ret);
@@ -488,6 +495,8 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
return 0;
err_pixel:
+ clk_disable_unprepare(dpi->tvd_clk);
+err_engine:
clk_disable_unprepare(dpi->engine_clk);
err_refcount:
dpi->refcount--;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 067/291] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 066/291] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 068/291] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Greg Kroah-Hartman
` (232 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 1435e895d4fc967d64e9f5bf81e992ac32f5ac76 ]
Add error handling to propagate amdgpu_cgs_create_device() failures
to the caller. When amdgpu_cgs_create_device() fails, release hwmgr
and return -ENOMEM to prevent null pointer dereference.
[v1]->[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr.
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index eae4b4826f043..ab8ae74646649 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -51,6 +51,11 @@ static int amd_powerplay_create(struct amdgpu_device *adev)
hwmgr->adev = adev;
hwmgr->not_vf = !amdgpu_sriov_vf(adev);
hwmgr->device = amdgpu_cgs_create_device(adev);
+ if (!hwmgr->device) {
+ kfree(hwmgr);
+ return -ENOMEM;
+ }
+
mutex_init(&hwmgr->msg_lock);
hwmgr->chip_family = adev->family;
hwmgr->chip_id = adev->asic_type;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 068/291] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 067/291] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 069/291] drm/amdgpu: grab an additional reference on the gang fence v2 Greg Kroah-Hartman
` (231 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryo Takakura,
Luis Claudio R. Goncalves, Sebastian Andrzej Siewior,
Krzysztof Wilczyński, Bjorn Helgaas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryo Takakura <ryotkkr98@gmail.com>
[ Upstream commit 18056a48669a040bef491e63b25896561ee14d90 ]
The access to the PCI config space via pci_ops::read and pci_ops::write is
a low-level hardware access. The functions can be accessed with disabled
interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this
purpose.
A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be
acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in
the same context as the pci_lock.
Make vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with
interrupts disabled.
This was reported as:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
Call Trace:
rt_spin_lock+0x4e/0x130
vmd_pci_read+0x8d/0x100 [vmd]
pci_user_read_config_byte+0x6f/0xe0
pci_read_config+0xfe/0x290
sysfs_kf_bin_read+0x68/0x90
Signed-off-by: Ryo Takakura <ryotkkr98@gmail.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Acked-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
[bigeasy: reword commit message]
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Tested-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Link: https://lore.kernel.org/r/20250218080830.ufw3IgyX@linutronix.de
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
[bhelgaas: add back report info from
https://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/vmd.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
index a1dd614bdc324..09995b6e73bcc 100644
--- a/drivers/pci/controller/vmd.c
+++ b/drivers/pci/controller/vmd.c
@@ -110,7 +110,7 @@ struct vmd_irq_list {
struct vmd_dev {
struct pci_dev *dev;
- spinlock_t cfg_lock;
+ raw_spinlock_t cfg_lock;
void __iomem *cfgbar;
int msix_count;
@@ -387,7 +387,7 @@ static int vmd_pci_read(struct pci_bus *bus, unsigned int devfn, int reg,
if (!addr)
return -EFAULT;
- spin_lock_irqsave(&vmd->cfg_lock, flags);
+ raw_spin_lock_irqsave(&vmd->cfg_lock, flags);
switch (len) {
case 1:
*value = readb(addr);
@@ -402,7 +402,7 @@ static int vmd_pci_read(struct pci_bus *bus, unsigned int devfn, int reg,
ret = -EINVAL;
break;
}
- spin_unlock_irqrestore(&vmd->cfg_lock, flags);
+ raw_spin_unlock_irqrestore(&vmd->cfg_lock, flags);
return ret;
}
@@ -422,7 +422,7 @@ static int vmd_pci_write(struct pci_bus *bus, unsigned int devfn, int reg,
if (!addr)
return -EFAULT;
- spin_lock_irqsave(&vmd->cfg_lock, flags);
+ raw_spin_lock_irqsave(&vmd->cfg_lock, flags);
switch (len) {
case 1:
writeb(value, addr);
@@ -440,7 +440,7 @@ static int vmd_pci_write(struct pci_bus *bus, unsigned int devfn, int reg,
ret = -EINVAL;
break;
}
- spin_unlock_irqrestore(&vmd->cfg_lock, flags);
+ raw_spin_unlock_irqrestore(&vmd->cfg_lock, flags);
return ret;
}
@@ -958,7 +958,7 @@ static int vmd_probe(struct pci_dev *dev, const struct pci_device_id *id)
if (features & VMD_FEAT_OFFSET_FIRST_VECTOR)
vmd->first_vec = 1;
- spin_lock_init(&vmd->cfg_lock);
+ raw_spin_lock_init(&vmd->cfg_lock);
pci_set_drvdata(dev, vmd);
err = vmd_enable_domain(vmd, features);
if (err)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 069/291] drm/amdgpu: grab an additional reference on the gang fence v2
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 068/291] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 070/291] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
` (230 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König,
Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
[ Upstream commit 0d9a95099dcb05b5f4719c830d15bf4fdcad0dc2 ]
We keep the gang submission fence around in adev, make sure that it
stays alive.
v2: fix memory leak on retry
Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index b41a97185823a..fcd0c61499f89 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -6186,6 +6186,7 @@ struct dma_fence *amdgpu_device_switch_gang(struct amdgpu_device *adev,
{
struct dma_fence *old = NULL;
+ dma_fence_get(gang);
do {
dma_fence_put(old);
rcu_read_lock();
@@ -6195,12 +6196,19 @@ struct dma_fence *amdgpu_device_switch_gang(struct amdgpu_device *adev,
if (old == gang)
break;
- if (!dma_fence_is_signaled(old))
+ if (!dma_fence_is_signaled(old)) {
+ dma_fence_put(gang);
return old;
+ }
} while (cmpxchg((struct dma_fence __force **)&adev->gang_submit,
old, gang) != old);
+ /*
+ * Drop it once for the exchanged reference in adev and once for the
+ * thread local reference acquired in amdgpu_device_get_gang().
+ */
+ dma_fence_put(old);
dma_fence_put(old);
return NULL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 070/291] fbdev: omapfb: Add plane value check
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 069/291] drm/amdgpu: grab an additional reference on the gang fence v2 Greg Kroah-Hartman
@ 2025-04-23 14:40 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 071/291] ktest: Fix Test Failures Due to Missing LOG_FILE Directories Greg Kroah-Hartman
` (229 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leonid Arapov, Helge Deller,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leonid Arapov <arapovl839@gmail.com>
[ Upstream commit 3e411827f31db7f938a30a3c7a7599839401ec30 ]
Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB
of the enum parameter plane.
The value of this parameter is initialized in dss_init_overlays and in the
current state of the code it cannot take this value so it's not a real
problem.
For the purposes of defensive coding it wouldn't be superfluous to check
the parameter value, because some functions down the call stack process
this value correctly and some not.
For example, in dispc_ovl_setup_global_alpha it may lead to buffer
overflow.
Add check for this value.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Signed-off-by: Leonid Arapov <arapovl839@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
index 92fb6b7e1f681..a6225f9621902 100644
--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
@@ -2749,9 +2749,13 @@ int dispc_ovl_setup(enum omap_plane plane, const struct omap_overlay_info *oi,
bool mem_to_mem)
{
int r;
- enum omap_overlay_caps caps = dss_feat_get_overlay_caps(plane);
+ enum omap_overlay_caps caps;
enum omap_channel channel;
+ if (plane == OMAP_DSS_WB)
+ return -EINVAL;
+
+ caps = dss_feat_get_overlay_caps(plane);
channel = dispc_ovl_get_channel_out(plane);
DSSDBG("dispc_ovl_setup %d, pa %pad, pa_uv %pad, sw %d, %d,%d, %dx%d ->"
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 071/291] ktest: Fix Test Failures Due to Missing LOG_FILE Directories
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-04-23 14:40 ` [PATCH 6.1 070/291] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 072/291] tpm, tpm_tis: Workaround failed command reception on Infineon devices Greg Kroah-Hartman
` (228 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, warthog9, Ayush Jain, Steven Rostedt,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ayush Jain <Ayush.jain3@amd.com>
[ Upstream commit 5a1bed232781d356f842576daacc260f0d0c8d2e ]
Handle missing parent directories for LOG_FILE path to prevent test
failures. If the parent directories don't exist, create them to ensure
the tests proceed successfully.
Cc: <warthog9@eaglescrag.net>
Link: https://lore.kernel.org/20250307043854.2518539-1-Ayush.jain3@amd.com
Signed-off-by: Ayush Jain <Ayush.jain3@amd.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index aecea16cbd02f..2109bd42c144a 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -4282,6 +4282,14 @@ if (defined($opt{"LOG_FILE"})) {
if ($opt{"CLEAR_LOG"}) {
unlink $opt{"LOG_FILE"};
}
+
+ if (! -e $opt{"LOG_FILE"} && $opt{"LOG_FILE"} =~ m,^(.*/),) {
+ my $dir = $1;
+ if (! -d $dir) {
+ mkpath($dir) or die "Failed to create directories '$dir': $!";
+ print "\nThe log directory $dir did not exist, so it was created.\n";
+ }
+ }
open(LOG, ">> $opt{LOG_FILE}") or die "Can't write to $opt{LOG_FILE}";
LOG->autoflush(1);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 072/291] tpm, tpm_tis: Workaround failed command reception on Infineon devices
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 071/291] ktest: Fix Test Failures Due to Missing LOG_FILE Directories Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 073/291] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
` (227 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan McDowell, Jarkko Sakkinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan McDowell <noodles@meta.com>
[ Upstream commit de9e33df7762abbfc2a1568291f2c3a3154c6a9d ]
Some Infineon devices have a issue where the status register will get
stuck with a quick REQUEST_USE / COMMAND_READY sequence. This is not
simply a matter of requiring a longer timeout; the work around is to
retry the command submission. Add appropriate logic to do this in the
send path.
This is fixed in later firmware revisions, but those are not always
available, and cannot generally be easily updated from outside a
firmware environment.
Testing has been performed with a simple repeated loop of doing a
TPM2_CC_GET_CAPABILITY for TPM_CAP_PROP_MANUFACTURER using the Go code
at:
https://the.earth.li/~noodles/tpm-stuff/timeout-reproducer-simple.go
It can take several hours to reproduce, and several million operations.
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_tis_core.c | 17 ++++++++++++++---
drivers/char/tpm/tpm_tis_core.h | 1 +
include/linux/tpm.h | 1 +
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index 5889d9edaf940..4e294a915925b 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -433,7 +433,10 @@ static int tpm_tis_send_data(struct tpm_chip *chip, const u8 *buf, size_t len)
if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c,
&priv->int_queue, false) < 0) {
- rc = -ETIME;
+ if (test_bit(TPM_TIS_STATUS_VALID_RETRY, &priv->flags))
+ rc = -EAGAIN;
+ else
+ rc = -ETIME;
goto out_err;
}
status = tpm_tis_status(chip);
@@ -450,7 +453,10 @@ static int tpm_tis_send_data(struct tpm_chip *chip, const u8 *buf, size_t len)
if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c,
&priv->int_queue, false) < 0) {
- rc = -ETIME;
+ if (test_bit(TPM_TIS_STATUS_VALID_RETRY, &priv->flags))
+ rc = -EAGAIN;
+ else
+ rc = -ETIME;
goto out_err;
}
status = tpm_tis_status(chip);
@@ -505,9 +511,11 @@ static int tpm_tis_send_main(struct tpm_chip *chip, const u8 *buf, size_t len)
if (rc >= 0)
/* Data transfer done successfully */
break;
- else if (rc != -EIO)
+ else if (rc != -EAGAIN && rc != -EIO)
/* Data transfer failed, not recoverable */
return rc;
+
+ usleep_range(priv->timeout_min, priv->timeout_max);
}
rc = tpm_tis_verify_crc(priv, len, buf);
@@ -1044,6 +1052,9 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
priv->timeout_max = TIS_TIMEOUT_MAX_ATML;
}
+ if (priv->manufacturer_id == TPM_VID_IFX)
+ set_bit(TPM_TIS_STATUS_VALID_RETRY, &priv->flags);
+
if (is_bsw()) {
priv->ilb_base_addr = ioremap(INTEL_LEGACY_BLK_BASE_ADDR,
ILB_REMAP_SIZE);
diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h
index 610bfadb6acf1..be72681ab8ea2 100644
--- a/drivers/char/tpm/tpm_tis_core.h
+++ b/drivers/char/tpm/tpm_tis_core.h
@@ -88,6 +88,7 @@ enum tpm_tis_flags {
TPM_TIS_INVALID_STATUS = 1,
TPM_TIS_DEFAULT_CANCELLATION = 2,
TPM_TIS_IRQ_TESTED = 3,
+ TPM_TIS_STATUS_VALID_RETRY = 4,
};
struct tpm_tis_data {
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index df5cd4245f299..dd0784a6e07d9 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -271,6 +271,7 @@ enum tpm2_cc_attrs {
#define TPM_VID_WINBOND 0x1050
#define TPM_VID_STM 0x104A
#define TPM_VID_ATML 0x1114
+#define TPM_VID_IFX 0x15D1
enum tpm_chip_flags {
TPM_CHIP_FLAG_BOOTSTRAPPED = BIT(0),
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 073/291] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 072/291] tpm, tpm_tis: Workaround failed command reception on Infineon devices Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 074/291] pwm: rcar: Improve register calculation Greg Kroah-Hartman
` (226 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf,
Uwe Kleine-König, Uwe Kleine-König, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 7ca59947b5fcf94e7ea4029d1bd0f7c41500a161 ]
With CONFIG_COMPILE_TEST && !CONFIG_HAVE_CLK, pwm_mediatek_config() has a
divide-by-zero in the following line:
do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
due to the fact that the !CONFIG_HAVE_CLK version of clk_get_rate()
returns zero.
This is presumably just a theoretical problem: COMPILE_TEST overrides
the dependency on RALINK which would select COMMON_CLK. Regardless it's
a good idea to check for the error explicitly to avoid divide-by-zero.
Fixes the following warning:
drivers/pwm/pwm-mediatek.o: warning: objtool: .text: unexpected end of section
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/fb56444939325cc173e752ba199abd7aeae3bf12.1742852847.git.jpoimboe@kernel.org
[ukleinek: s/CONFIG_CLK/CONFIG_HAVE_CLK/]
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/9e78a0796acba3435553ed7db1c7965dcffa6215.1743501688.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-mediatek.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c
index a337b47dc2f7d..10c2ed23f5511 100644
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -120,21 +120,25 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
u32 clkdiv = 0, cnt_period, cnt_duty, reg_width = PWMDWIDTH,
reg_thres = PWMTHRES;
+ unsigned long clk_rate;
u64 resolution;
int ret;
ret = pwm_mediatek_clk_enable(chip, pwm);
-
if (ret < 0)
return ret;
+ clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]);
+ if (!clk_rate)
+ return -EINVAL;
+
/* Make sure we use the bus clock and not the 26MHz clock */
if (pc->soc->has_ck_26m_sel)
writel(0, pc->regs + PWM_CK_26M_SEL);
/* Using resolution in picosecond gets accuracy higher */
resolution = (u64)NSEC_PER_SEC * 1000;
- do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
+ do_div(resolution, clk_rate);
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
while (cnt_period > 8191) {
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 074/291] pwm: rcar: Improve register calculation
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 073/291] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 075/291] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
` (225 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Geert Uytterhoeven, Uwe Kleine-König, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit e7327c193014a4d8666e9c1cda09cf2c060518e8 ]
There were several issues in the function rcar_pwm_set_counter():
- The u64 values period_ns and duty_ns were cast to int on function
call which might loose bits on 32 bit architectures.
Fix: Make parameters to rcar_pwm_set_counter() u64
- The algorithm divided by the result of a division which looses
precision.
Fix: Make use of mul_u64_u64_div_u64()
- The calculated values were just masked to fit the respective register
fields which again might loose bits.
Fix: Explicitly check for overlow
Implement the respective fixes.
A side effect of fixing the 2nd issue is that there is no division by 0
if clk_get_rate() returns 0.
Fixes: ed6c1476bf7f ("pwm: Add support for R-Car PWM Timer")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/ab3dac794b2216cc1cc56d65c93dd164f8bd461b.1743501688.git.u.kleine-koenig@baylibre.com
[ukleinek: Added an explicit #include <linux/bitfield.h> to please the
0day build bot]
Link: https://lore.kernel.org/oe-kbuild-all/202504031354.VJtxScP5-lkp@intel.com/
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-rcar.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/drivers/pwm/pwm-rcar.c b/drivers/pwm/pwm-rcar.c
index 55f46d09602b1..b2e75d870532e 100644
--- a/drivers/pwm/pwm-rcar.c
+++ b/drivers/pwm/pwm-rcar.c
@@ -8,6 +8,7 @@
* - The hardware cannot generate a 0% duty cycle.
*/
+#include <linux/bitfield.h>
#include <linux/clk.h>
#include <linux/err.h>
#include <linux/io.h>
@@ -103,23 +104,24 @@ static void rcar_pwm_set_clock_control(struct rcar_pwm_chip *rp,
rcar_pwm_write(rp, value, RCAR_PWMCR);
}
-static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, int duty_ns,
- int period_ns)
+static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, u64 duty_ns,
+ u64 period_ns)
{
- unsigned long long one_cycle, tmp; /* 0.01 nanoseconds */
+ unsigned long long tmp;
unsigned long clk_rate = clk_get_rate(rp->clk);
u32 cyc, ph;
- one_cycle = NSEC_PER_SEC * 100ULL << div;
- do_div(one_cycle, clk_rate);
+ /* div <= 24 == RCAR_PWM_MAX_DIVISION, so the shift doesn't overflow. */
+ tmp = mul_u64_u64_div_u64(period_ns, clk_rate, (u64)NSEC_PER_SEC << div);
+ if (tmp > FIELD_MAX(RCAR_PWMCNT_CYC0_MASK))
+ tmp = FIELD_MAX(RCAR_PWMCNT_CYC0_MASK);
- tmp = period_ns * 100ULL;
- do_div(tmp, one_cycle);
- cyc = (tmp << RCAR_PWMCNT_CYC0_SHIFT) & RCAR_PWMCNT_CYC0_MASK;
+ cyc = FIELD_PREP(RCAR_PWMCNT_CYC0_MASK, tmp);
- tmp = duty_ns * 100ULL;
- do_div(tmp, one_cycle);
- ph = tmp & RCAR_PWMCNT_PH0_MASK;
+ tmp = mul_u64_u64_div_u64(duty_ns, clk_rate, (u64)NSEC_PER_SEC << div);
+ if (tmp > FIELD_MAX(RCAR_PWMCNT_PH0_MASK))
+ tmp = FIELD_MAX(RCAR_PWMCNT_PH0_MASK);
+ ph = FIELD_PREP(RCAR_PWMCNT_PH0_MASK, tmp);
/* Avoid prohibited setting */
if (cyc == 0 || ph == 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 075/291] pwm: fsl-ftm: Handle clk_get_rate() returning 0
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 074/291] pwm: rcar: Improve register calculation Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 076/291] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
` (224 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Uwe Kleine-König, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 928446a5302eee30ebb32075c0db5dda5a138fb7 ]
Considering that the driver doesn't enable the used clocks (and also
that clk_get_rate() returns 0 if CONFIG_HAVE_CLK is unset) better check
the return value of clk_get_rate() for being non-zero before dividing by
it.
Fixes: 3479bbd1e1f8 ("pwm: fsl-ftm: More relaxed permissions for updating period")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/b68351a51017035651bc62ad3146afcb706874f0.1743501688.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-fsl-ftm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/pwm/pwm-fsl-ftm.c b/drivers/pwm/pwm-fsl-ftm.c
index 0247757f9a72d..6751f3d005605 100644
--- a/drivers/pwm/pwm-fsl-ftm.c
+++ b/drivers/pwm/pwm-fsl-ftm.c
@@ -123,6 +123,9 @@ static unsigned int fsl_pwm_ticks_to_ns(struct fsl_pwm_chip *fpc,
unsigned long long exval;
rate = clk_get_rate(fpc->clk[fpc->period.clk_select]);
+ if (rate >> fpc->period.clk_ps == 0)
+ return 0;
+
exval = ticks;
exval *= 1000000000UL;
do_div(exval, rate >> fpc->period.clk_ps);
@@ -195,6 +198,9 @@ static unsigned int fsl_pwm_calculate_duty(struct fsl_pwm_chip *fpc,
unsigned int period = fpc->period.mod_period + 1;
unsigned int period_ns = fsl_pwm_ticks_to_ns(fpc, period);
+ if (!period_ns)
+ return 0;
+
duty = (unsigned long long)duty_ns * period;
do_div(duty, period_ns);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 076/291] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 075/291] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 077/291] ext4: dont treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
` (223 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Moeller,
Maciej Żenczykowski, Willem de Bruijn, Stanislav Fomichev,
Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit d4bac0288a2b444e468e6df9cb4ed69479ddf14a ]
Classic BPF socket filters with SKB_NET_OFF and SKB_LL_OFF fail to
read when these offsets extend into frags.
This has been observed with iwlwifi and reproduced with tun with
IFF_NAPI_FRAGS. The below straightforward socket filter on UDP port,
applied to a RAW socket, will silently miss matching packets.
const int offset_proto = offsetof(struct ip6_hdr, ip6_nxt);
const int offset_dport = sizeof(struct ip6_hdr) + offsetof(struct udphdr, dest);
struct sock_filter filter_code[] = {
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_PKTTYPE),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, PACKET_HOST, 0, 4),
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_NET_OFF + offset_proto),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 2),
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, SKF_NET_OFF + offset_dport),
This is unexpected behavior. Socket filter programs should be
consistent regardless of environment. Silent misses are
particularly concerning as hard to detect.
Use skb_copy_bits for offsets outside linear, same as done for
non-SKF_(LL|NET) offsets.
Offset is always positive after subtracting the reference threshold
SKB_(LL|NET)_OFF, so is always >= skb_(mac|network)_offset. The sum of
the two is an offset against skb->data, and may be negative, but it
cannot point before skb->head, as skb_(mac|network)_offset would too.
This appears to go back to when frag support was introduced to
sk_run_filter in linux-2.4.4, before the introduction of git.
The amount of code change and 8/16/32 bit duplication are unfortunate.
But any attempt I made to be smarter saved very few LoC while
complicating the code.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/netdev/20250122200402.3461154-1-maze@google.com/
Link: https://elixir.bootlin.com/linux/2.4.4/source/net/core/filter.c#L244
Reported-by: Matt Moeller <moeller.matt@gmail.com>
Co-developed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://lore.kernel.org/r/20250408132833.195491-2-willemdebruijn.kernel@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 80 ++++++++++++++++++++++++++---------------------
1 file changed, 44 insertions(+), 36 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 370f61f9bf4ba..d713696d0832a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -212,24 +212,36 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
return 0;
}
+static int bpf_skb_load_helper_convert_offset(const struct sk_buff *skb, int offset)
+{
+ if (likely(offset >= 0))
+ return offset;
+
+ if (offset >= SKF_NET_OFF)
+ return offset - SKF_NET_OFF + skb_network_offset(skb);
+
+ if (offset >= SKF_LL_OFF && skb_mac_header_was_set(skb))
+ return offset - SKF_LL_OFF + skb_mac_offset(skb);
+
+ return INT_MIN;
+}
+
BPF_CALL_4(bpf_skb_load_helper_8, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- u8 tmp, *ptr;
+ u8 tmp;
const int len = sizeof(tmp);
- if (offset >= 0) {
- if (headlen - offset >= len)
- return *(u8 *)(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return tmp;
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return *(u8 *)ptr;
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return *(u8 *)(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return tmp;
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
@@ -242,21 +254,19 @@ BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_16, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- __be16 tmp, *ptr;
+ __be16 tmp;
const int len = sizeof(tmp);
- if (offset >= 0) {
- if (headlen - offset >= len)
- return get_unaligned_be16(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return be16_to_cpu(tmp);
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return get_unaligned_be16(ptr);
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return get_unaligned_be16(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return be16_to_cpu(tmp);
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
@@ -269,21 +279,19 @@ BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_32, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- __be32 tmp, *ptr;
+ __be32 tmp;
const int len = sizeof(tmp);
- if (likely(offset >= 0)) {
- if (headlen - offset >= len)
- return get_unaligned_be32(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return be32_to_cpu(tmp);
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return get_unaligned_be32(ptr);
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return get_unaligned_be32(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return be32_to_cpu(tmp);
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_32_no_cache, const struct sk_buff *, skb,
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 077/291] ext4: dont treat fhandle lookup of ea_inode as FS corruption
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 076/291] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 078/291] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
` (222 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Jan Kara, Theodore Tso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 642335f3ea2b3fd6dba03e57e01fa9587843a497 ]
A file handle that userspace provides to open_by_handle_at() can
legitimately contain an outdated inode number that has since been reused
for another purpose - that's why the file handle also contains a generation
number.
But if the inode number has been reused for an ea_inode, check_igot_inode()
will notice, __ext4_iget() will go through ext4_error_inode(), and if the
inode was newly created, it will also be marked as bad by iget_failed().
This all happens before the point where the inode generation is checked.
ext4_error_inode() is supposed to only be used on filesystem corruption; it
should not be used when userspace just got unlucky with a stale file
handle. So when this happens, let __ext4_iget() just return an error.
Fixes: b3e6bcb94590 ("ext4: add EA_INODE checking to ext4_iget()")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241129-ext4-ignore-ea-fhandle-v1-1-e532c0d1cee0@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inode.c | 68 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 48 insertions(+), 20 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 694af768ac5b4..f460150ec73e5 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4776,22 +4776,43 @@ static inline void ext4_inode_set_iversion_queried(struct inode *inode, u64 val)
inode_set_iversion_queried(inode, val);
}
-static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags)
-
+static int check_igot_inode(struct inode *inode, ext4_iget_flags flags,
+ const char *function, unsigned int line)
{
+ const char *err_str;
+
if (flags & EXT4_IGET_EA_INODE) {
- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- return "missing EA_INODE flag";
+ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ err_str = "missing EA_INODE flag";
+ goto error;
+ }
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) ||
- EXT4_I(inode)->i_file_acl)
- return "ea_inode with extended attributes";
+ EXT4_I(inode)->i_file_acl) {
+ err_str = "ea_inode with extended attributes";
+ goto error;
+ }
} else {
- if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- return "unexpected EA_INODE flag";
+ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ /*
+ * open_by_handle_at() could provide an old inode number
+ * that has since been reused for an ea_inode; this does
+ * not indicate filesystem corruption
+ */
+ if (flags & EXT4_IGET_HANDLE)
+ return -ESTALE;
+ err_str = "unexpected EA_INODE flag";
+ goto error;
+ }
+ }
+ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) {
+ err_str = "unexpected bad inode w/o EXT4_IGET_BAD";
+ goto error;
}
- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD))
- return "unexpected bad inode w/o EXT4_IGET_BAD";
- return NULL;
+ return 0;
+
+error:
+ ext4_error_inode(inode, function, line, 0, err_str);
+ return -EFSCORRUPTED;
}
struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
@@ -4803,7 +4824,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
struct ext4_inode_info *ei;
struct ext4_super_block *es = EXT4_SB(sb)->s_es;
struct inode *inode;
- const char *err_str;
journal_t *journal = EXT4_SB(sb)->s_journal;
long ret;
loff_t size;
@@ -4832,10 +4852,10 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
if (!inode)
return ERR_PTR(-ENOMEM);
if (!(inode->i_state & I_NEW)) {
- if ((err_str = check_igot_inode(inode, flags)) != NULL) {
- ext4_error_inode(inode, function, line, 0, err_str);
+ ret = check_igot_inode(inode, flags, function, line);
+ if (ret) {
iput(inode);
- return ERR_PTR(-EFSCORRUPTED);
+ return ERR_PTR(ret);
}
return inode;
}
@@ -5107,13 +5127,21 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
ret = -EFSCORRUPTED;
goto bad_inode;
}
- if ((err_str = check_igot_inode(inode, flags)) != NULL) {
- ext4_error_inode(inode, function, line, 0, err_str);
- ret = -EFSCORRUPTED;
- goto bad_inode;
+ ret = check_igot_inode(inode, flags, function, line);
+ /*
+ * -ESTALE here means there is nothing inherently wrong with the inode,
+ * it's just not an inode we can return for an fhandle lookup.
+ */
+ if (ret == -ESTALE) {
+ brelse(iloc.bh);
+ unlock_new_inode(inode);
+ iput(inode);
+ return ERR_PTR(-ESTALE);
}
-
+ if (ret)
+ goto bad_inode;
brelse(iloc.bh);
+
unlock_new_inode(inode);
return inode;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 078/291] media: i2c: adv748x: Fix test pattern selection mask
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 077/291] ext4: dont treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 079/291] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
` (221 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund,
Kieran Bingham, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream.
The mask to select the test-pattern in register ADV748X_SDP_FRP is
incorrect, it's the lower 3 bits which controls the pattern. The
GENMASK() macro is used incorrectly and the generated mask is 0x0e
instead of 0x07.
The result is that not all test patterns are selectable, and that in
some cases the wrong test pattern is activated. Fix this by correcting
the GENMASK().
Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
Cc: stable@vger.kernel.org
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: fixed tiny typo in commit log: my -> by]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv748x/adv748x.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/adv748x/adv748x.h
+++ b/drivers/media/i2c/adv748x/adv748x.h
@@ -322,7 +322,7 @@ struct adv748x_state {
/* Free run pattern select */
#define ADV748X_SDP_FRP 0x14
-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1)
+#define ADV748X_SDP_FRP_MASK GENMASK(2, 0)
/* Saturation */
#define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 079/291] media: venus: hfi: add a check to handle OOB in sfr region
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 078/291] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 080/291] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
` (220 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream.
sfr->buf_size is in shared memory and can be modified by malicious user.
OOB write is possible when the size is made higher than actual sfr data
buffer. Cap the size to allocated size for such cases.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -1053,18 +1053,26 @@ static void venus_sfr_print(struct venus
{
struct device *dev = hdev->core->dev;
struct hfi_sfr *sfr = hdev->sfr.kva;
+ u32 size;
void *p;
if (!sfr)
return;
- p = memchr(sfr->data, '\0', sfr->buf_size);
+ size = sfr->buf_size;
+ if (!size)
+ return;
+
+ if (size > ALIGNED_SFR_SIZE)
+ size = ALIGNED_SFR_SIZE;
+
+ p = memchr(sfr->data, '\0', size);
/*
* SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
* that Venus is in the process of crashing.
*/
if (!p)
- sfr->data[sfr->buf_size - 1] = '\0';
+ sfr->data[size - 1] = '\0';
dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 080/291] media: venus: hfi: add check to handle incorrect queue size
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 079/291] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 081/291] media: vim2m: print device name after registering device Greg Kroah-Hartman
` (219 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream.
qsize represents size of shared queued between driver and video
firmware. Firmware can modify this value to an invalid large value. In
such situation, empty_space will be bigger than the space actually
available. Since new_wr_idx is not checked, so the following code will
result in an OOB write.
...
qsize = qhdr->q_size
if (wr_idx >= rd_idx)
empty_space = qsize - (wr_idx - rd_idx)
....
if (new_wr_idx < qsize) {
memcpy(wr_ptr, packet, dwords << 2) --> OOB write
Add check to ensure qsize is within the allocated size while
reading and writing packets into the queue.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -187,6 +187,9 @@ static int venus_write_queue(struct venu
/* ensure rd/wr indices's are read from memory */
rmb();
+ if (qsize > IFACEQ_QUEUE_SIZE / 4)
+ return -EINVAL;
+
if (wr_idx >= rd_idx)
empty_space = qsize - (wr_idx - rd_idx);
else
@@ -255,6 +258,9 @@ static int venus_read_queue(struct venus
wr_idx = qhdr->write_idx;
qsize = qhdr->q_size;
+ if (qsize > IFACEQ_QUEUE_SIZE / 4)
+ return -EINVAL;
+
/* make sure data is valid before using it */
rmb();
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 081/291] media: vim2m: print device name after registering device
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 080/291] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 082/291] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
` (218 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Majewski, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Majewski <mattwmajewski@gmail.com>
commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream.
Move the v4l2_info() call displaying the video device name after the
device is actually registered.
This fixes a bug where the driver was always displaying "/dev/video0"
since it was reading from the vfd before it was registered.
Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Majewski <mattwmajewski@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vim2m.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/media/test-drivers/vim2m.c
+++ b/drivers/media/test-drivers/vim2m.c
@@ -1316,9 +1316,6 @@ static int vim2m_probe(struct platform_d
vfd->v4l2_dev = &dev->v4l2_dev;
video_set_drvdata(vfd, dev);
- v4l2_info(&dev->v4l2_dev,
- "Device registered as /dev/video%d\n", vfd->num);
-
platform_set_drvdata(pdev, dev);
dev->m2m_dev = v4l2_m2m_init(&m2m_ops);
@@ -1345,6 +1342,9 @@ static int vim2m_probe(struct platform_d
goto error_m2m;
}
+ v4l2_info(&dev->v4l2_dev,
+ "Device registered as /dev/video%d\n", vfd->num);
+
#ifdef CONFIG_MEDIA_CONTROLLER
ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
MEDIA_ENT_F_PROC_VIDEO_SCALER);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 082/291] media: siano: Fix error handling in smsdvb_module_init()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 081/291] media: vim2m: print device name after registering device Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 083/291] xenfs/xensyms: respect hypervisors "next" indication Greg Kroah-Hartman
` (217 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Ricardo Ribalda,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Can <yuancan@huawei.com>
commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream.
The smsdvb_module_init() returns without checking the retval from
smscore_register_hotplug().
If the smscore_register_hotplug() failed, the module failed to install,
leaving the smsdvb_debugfs not unregistered.
Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs")
Cc: stable@vger.kernel.org
Signed-off-by: Yuan Can <yuancan@huawei.com>
Acked-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/common/siano/smsdvb-main.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/common/siano/smsdvb-main.c
+++ b/drivers/media/common/siano/smsdvb-main.c
@@ -1243,6 +1243,8 @@ static int __init smsdvb_module_init(voi
smsdvb_debugfs_register();
rc = smscore_register_hotplug(smsdvb_hotplug);
+ if (rc)
+ smsdvb_debugfs_unregister();
pr_debug("\n");
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 083/291] xenfs/xensyms: respect hypervisors "next" indication
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 082/291] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 084/291] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
` (216 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jan Beulich, Juergen Gross
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream.
The interface specifies the symnum field as an input and output; the
hypervisor sets it to the next sequential symbol's index. xensyms_next()
incrementing the position explicitly (and xensyms_next_sym()
decrementing it to "rewind") is only correct as long as the sequence of
symbol indexes is non-sparse. Use the hypervisor-supplied value instead
to update the position in xensyms_next(), and use the saved incoming
index in xensyms_next_sym().
Cc: stable@kernel.org
Fixes: a11f4f0a4e18 ("xen: xensyms support")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/xenfs/xensyms.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/xen/xenfs/xensyms.c
+++ b/drivers/xen/xenfs/xensyms.c
@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy
return -ENOMEM;
set_xen_guest_handle(symdata->name, xs->name);
- symdata->symnum--; /* Rewind */
+ symdata->symnum = symnum; /* Rewind */
ret = HYPERVISOR_platform_op(&xs->op);
if (ret < 0)
@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil
{
struct xensyms *xs = (struct xensyms *)m->private;
- xs->op.u.symdata.symnum = ++(*pos);
+ *pos = xs->op.u.symdata.symnum;
if (xensyms_next_sym(xs))
return NULL;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 084/291] arm64: cputype: Add MIDR_CORTEX_A76AE
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 083/291] xenfs/xensyms: respect hypervisors "next" indication Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 085/291] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
` (215 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Catalin Marinas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream.
>From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
implementor of 0x41 (ARM). Add the values.
Cc: stable@vger.kernel.org # dependency of the next fix in the series
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -75,6 +75,7 @@
#define ARM_CPU_PART_CORTEX_A76 0xD0B
#define ARM_CPU_PART_NEOVERSE_N1 0xD0C
#define ARM_CPU_PART_CORTEX_A77 0xD0D
+#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
#define ARM_CPU_PART_NEOVERSE_V1 0xD40
#define ARM_CPU_PART_CORTEX_A78 0xD41
#define ARM_CPU_PART_CORTEX_A78AE 0xD42
@@ -152,6 +153,7 @@
#define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
#define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
#define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
+#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
#define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
#define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 085/291] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 084/291] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 086/291] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Greg Kroah-Hartman
` (214 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Bauer, Douglas Anderson,
Trilok Soni, Catalin Marinas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream.
Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex
A76 in them. Since A76 needs Spectre mitigation via looping then the
Kyro 400-series Gold cores also need Spectre mitigation via looping.
Qualcomm has confirmed that the proper "k" value for Kryo 400-series
Gold cores is 24.
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Cc: Scott Bauer <sbauer@quicinc.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -878,6 +878,7 @@ u8 spectre_bhb_loop_affected(int scope)
MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
{},
};
static const struct midr_range spectre_bhb_k11_list[] = {
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 086/291] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 085/291] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 087/291] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Greg Kroah-Hartman
` (213 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julius Werner, Douglas Anderson,
Catalin Marinas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit e403e8538359d8580cbee1976ff71813e947101e upstream.
The code for detecting CPUs that are vulnerable to Spectre BHB was
based on a hardcoded list of CPU IDs that were known to be affected.
Unfortunately, the list mostly only contained the IDs of standard ARM
cores. The IDs for many cores that are minor variants of the standard
ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the
code to assume that those variants were not affected.
Flip the code on its head and instead assume that a core is vulnerable
if it doesn't have CSV2_3 but is unrecognized as being safe. This
involves creating a "Spectre BHB safe" list.
As of right now, the only CPU IDs added to the "Spectre BHB safe" list
are ARM Cortex A35, A53, A55, A510, and A520. This list was created by
looking for cores that weren't listed in ARM's list [1] as per review
feedback on v2 of this patch [2]. Additionally Brahma A53 is added as
per mailing list feedback [3].
NOTE: this patch will not actually _mitigate_ anyone, it will simply
cause them to report themselves as vulnerable. If any cores in the
system are reported as vulnerable but not mitigated then the whole
system will be reported as vulnerable though the system will attempt
to mitigate with the information it has about the known cores.
[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck
[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Reviewed-by: Julius Werner <jwerner@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/spectre.h | 1
arch/arm64/kernel/proton-pack.c | 201 +++++++++++++++++++--------------------
2 files changed, 101 insertions(+), 101 deletions(-)
--- a/arch/arm64/include/asm/spectre.h
+++ b/arch/arm64/include/asm/spectre.h
@@ -96,7 +96,6 @@ enum mitigation_state arm64_get_meltdown
enum mitigation_state arm64_get_spectre_bhb_state(void);
bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
-u8 spectre_bhb_loop_affected(int scope);
void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
#endif /* __ASSEMBLY__ */
#endif /* __ASM_SPECTRE_H */
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -857,53 +857,70 @@ static unsigned long system_bhb_mitigati
* This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
* SCOPE_SYSTEM call will give the right answer.
*/
-u8 spectre_bhb_loop_affected(int scope)
+static bool is_spectre_bhb_safe(int scope)
+{
+ static const struct midr_range spectre_bhb_safe_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
+ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
+ {},
+ };
+ static bool all_safe = true;
+
+ if (scope != SCOPE_LOCAL_CPU)
+ return all_safe;
+
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list))
+ return true;
+
+ all_safe = false;
+
+ return false;
+}
+
+static u8 spectre_bhb_loop_affected(void)
{
u8 k = 0;
- static u8 max_bhb_k;
- if (scope == SCOPE_LOCAL_CPU) {
- static const struct midr_range spectre_bhb_k32_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
- {},
- };
- static const struct midr_range spectre_bhb_k24_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
- {},
- };
- static const struct midr_range spectre_bhb_k11_list[] = {
- MIDR_ALL_VERSIONS(MIDR_AMPERE1),
- {},
- };
- static const struct midr_range spectre_bhb_k8_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
- {},
- };
-
- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
- k = 32;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
- k = 24;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
- k = 11;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
- k = 8;
-
- max_bhb_k = max(max_bhb_k, k);
- } else {
- k = max_bhb_k;
- }
+ static const struct midr_range spectre_bhb_k32_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k24_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k11_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k8_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
+ {},
+ };
+
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+ k = 32;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+ k = 24;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
+ k = 11;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
+ k = 8;
return k;
}
@@ -929,29 +946,13 @@ static enum mitigation_state spectre_bhb
}
}
-static bool is_spectre_bhb_fw_affected(int scope)
+static bool has_spectre_bhb_fw_mitigation(void)
{
- static bool system_affected;
enum mitigation_state fw_state;
bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
- {},
- };
- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
- spectre_bhb_firmware_mitigated_list);
-
- if (scope != SCOPE_LOCAL_CPU)
- return system_affected;
fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
- system_affected = true;
- return true;
- }
-
- return false;
+ return has_smccc && fw_state == SPECTRE_MITIGATED;
}
static bool supports_ecbhb(int scope)
@@ -967,6 +968,8 @@ static bool supports_ecbhb(int scope)
ID_AA64MMFR1_EL1_ECBHB_SHIFT);
}
+static u8 max_bhb_k;
+
bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
int scope)
{
@@ -975,16 +978,18 @@ bool is_spectre_bhb_affected(const struc
if (supports_csv2p3(scope))
return false;
- if (supports_clearbhb(scope))
- return true;
-
- if (spectre_bhb_loop_affected(scope))
- return true;
+ if (is_spectre_bhb_safe(scope))
+ return false;
- if (is_spectre_bhb_fw_affected(scope))
- return true;
+ /*
+ * At this point the core isn't known to be "safe" so we're going to
+ * assume it's vulnerable. We still need to update `max_bhb_k` though,
+ * but only if we aren't mitigating with clearbhb though.
+ */
+ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU))
+ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected());
- return false;
+ return true;
}
static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
@@ -1018,7 +1023,7 @@ early_param("nospectre_bhb", parse_spect
void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
{
bp_hardening_cb_t cpu_cb;
- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
+ enum mitigation_state state = SPECTRE_VULNERABLE;
struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);
if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU))
@@ -1044,7 +1049,7 @@ void spectre_bhb_enable_mitigation(const
this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
state = SPECTRE_MITIGATED;
set_bit(BHB_INSN, &system_bhb_mitigations);
- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
+ } else if (spectre_bhb_loop_affected()) {
/*
* Ensure KVM uses the indirect vector which will have the
* branchy-loop added. A57/A72-r0 will already have selected
@@ -1057,32 +1062,29 @@ void spectre_bhb_enable_mitigation(const
this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
state = SPECTRE_MITIGATED;
set_bit(BHB_LOOP, &system_bhb_mitigations);
- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
- fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
- if (fw_state == SPECTRE_MITIGATED) {
- /*
- * Ensure KVM uses one of the spectre bp_hardening
- * vectors. The indirect vector doesn't include the EL3
- * call, so needs upgrading to
- * HYP_VECTOR_SPECTRE_INDIRECT.
- */
- if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
- data->slot += 1;
-
- this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
-
- /*
- * The WA3 call in the vectors supersedes the WA1 call
- * made during context-switch. Uninstall any firmware
- * bp_hardening callback.
- */
- cpu_cb = spectre_v2_get_sw_mitigation_cb();
- if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
- __this_cpu_write(bp_hardening_data.fn, NULL);
-
- state = SPECTRE_MITIGATED;
- set_bit(BHB_FW, &system_bhb_mitigations);
- }
+ } else if (has_spectre_bhb_fw_mitigation()) {
+ /*
+ * Ensure KVM uses one of the spectre bp_hardening
+ * vectors. The indirect vector doesn't include the EL3
+ * call, so needs upgrading to
+ * HYP_VECTOR_SPECTRE_INDIRECT.
+ */
+ if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
+ data->slot += 1;
+
+ this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
+
+ /*
+ * The WA3 call in the vectors supersedes the WA1 call
+ * made during context-switch. Uninstall any firmware
+ * bp_hardening callback.
+ */
+ cpu_cb = spectre_v2_get_sw_mitigation_cb();
+ if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
+ __this_cpu_write(bp_hardening_data.fn, NULL);
+
+ state = SPECTRE_MITIGATED;
+ set_bit(BHB_FW, &system_bhb_mitigations);
}
update_mitigation_state(&spectre_bhb_state, state);
@@ -1116,7 +1118,6 @@ void noinstr spectre_bhb_patch_loop_iter
{
u8 rd;
u32 insn;
- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
BUG_ON(nr_inst != 1); /* MOV -> MOV */
@@ -1125,7 +1126,7 @@ void noinstr spectre_bhb_patch_loop_iter
insn = le32_to_cpu(*origptr);
rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
- insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
+ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0,
AARCH64_INSN_VARIANT_64BIT,
AARCH64_INSN_MOVEWIDE_ZERO);
*updptr++ = cpu_to_le32(insn);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 087/291] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 086/291] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 088/291] KVM: arm64: Tear down vGIC on failed vCPU creation Greg Kroah-Hartman
` (212 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Bauer, Douglas Anderson,
Trilok Soni, Catalin Marinas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 upstream.
Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO
2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to
the safe list.
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Cc: Scott Bauer <sbauer@quicinc.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -866,6 +866,9 @@ static bool is_spectre_bhb_safe(int scop
MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
{},
};
static bool all_safe = true;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 088/291] KVM: arm64: Tear down vGIC on failed vCPU creation
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 087/291] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 089/291] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
` (211 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Zyngier, Oliver Upton,
Quentin Perret, Will Deacon
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
commit 250f25367b58d8c65a1b060a2dda037eea09a672 upstream.
If kvm_arch_vcpu_create() fails to share the vCPU page with the
hypervisor, we propagate the error back to the ioctl but leave the
vGIC vCPU data initialised. Note only does this leak the corresponding
memory when the vCPU is destroyed but it can also lead to use-after-free
if the redistributor device handling tries to walk into the vCPU.
Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
vGIC vCPU structures are destroyed on error.
Cc: <stable@vger.kernel.org>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Quentin Perret <qperret@google.com>
Signed-off-by: Will Deacon <will@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20250314133409.9123-1-will@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/arm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -371,7 +371,11 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
if (err)
return err;
- return kvm_share_hyp(vcpu, vcpu + 1);
+ err = kvm_share_hyp(vcpu, vcpu + 1);
+ if (err)
+ kvm_vgic_vcpu_destroy(vcpu);
+
+ return err;
}
void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 089/291] spi: cadence-qspi: Fix probe on AM62A LP SK
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 088/291] KVM: arm64: Tear down vGIC on failed vCPU creation Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 090/291] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
` (210 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream.
In 2020, there's been an unnoticed change which rightfully attempted to
report probe deferrals upon DMA absence by checking the return value of
dma_request_chan_by_mask(). By doing so, it also reported errors which
were simply ignored otherwise, likely on purpose.
This change actually turned a void return into an error code. Hence, not
only the -EPROBE_DEFER error codes but all error codes got reported to
the callers, now failing to probe in the absence of Rx DMA channel,
despite the fact that DMA seems to not be supported natively by many
implementations.
Looking at the history, this change probably led to:
ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC")
f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA")
In my case, the AM62A LP SK core octo-SPI node from TI does not
advertise any DMA channel, hinting that there is likely no support for
it, but yet when the support for the am654 compatible was added, DMA
seemed to be used, so just discarding its use with the
CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the
correct approach.
Let's get change the return condition back to:
- return a probe deferral error if we get one
- ignore the return value otherwise
The "error" log level was however likely too high for something that is
expected to fail, so let's lower it arbitrarily to the info level.
Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1509,6 +1509,12 @@ static int cqspi_request_mmap_dma(struct
int ret = PTR_ERR(cqspi->rx_chan);
cqspi->rx_chan = NULL;
+ if (ret == -ENODEV) {
+ /* DMA support is not mandatory */
+ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n");
+ return 0;
+ }
+
return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n");
}
init_completion(&cqspi->rx_dma_complete);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 090/291] mtd: rawnand: brcmnand: fix PM resume warning
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 089/291] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 091/291] tpm, tpm_tis: Fix timeout handling when waiting for TPM status Greg Kroah-Hartman
` (209 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream.
Fixed warning on PM resume as shown below caused due to uninitialized
struct nand_operation that checks chip select field :
WARN_ON(op->cs >= nanddev_ntargets(&chip->base)
[ 14.588522] ------------[ cut here ]------------
[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
[ 14.588553] Modules linked in: bdc udc_core
[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16
[ 14.588590] Tainted: [W]=WARN
[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
[ 14.588598] Call trace:
[ 14.588604] dump_backtrace from show_stack+0x18/0x1c
[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c
[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c
[ 14.588653] r5:c08d40b0 r4:c1003cb0
[ 14.588656] dump_stack from __warn+0x84/0xe4
[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194
[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150
[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54
[ 14.588735] r5:00000010 r4:c0840a50
[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c
[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324
[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
[ 14.588779] device_resume from dpm_resume+0x130/0x160
[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20
[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
[ 14.588826] r4:00000010
[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
[ 14.588848] r5:c228a414 r4:00000000
[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc
[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
[ 14.588871] r4:00000003
[ 14.588874] pm_suspend from state_store+0x74/0xd0
[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
[ 14.588892] state_store from kobj_attr_store+0x1c/0x28
[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c
[ 14.588936] r5:c3502900 r4:c0d92a48
[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
[ 14.588956] r5:c3502900 r4:c3501f40
[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420
[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
[ 14.588983] r4:c042a88c
[ 14.588987] vfs_write from ksys_write+0x74/0xe4
[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
[ 14.589008] r4:c34f7f00
[ 14.589011] ksys_write from sys_write+0x10/0x14
[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004
[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c
[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001
[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
[ 14.589065] ---[ end trace 0000000000000000 ]---
The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
doing PM resume operation in compliance with the controller support for single
die nand chip. Switching from nand_reset_op() to nand_reset() implies more
than just setting the cs field op->cs, it also reconfigures the data interface
(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise
with host after the fix.
Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations")
Cc: stable@vger.kernel.org
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
@@ -2968,7 +2968,7 @@ static int brcmnand_resume(struct device
brcmnand_save_restore_cs_config(host, 1);
/* Reset the chip, required by some chips after power-up */
- nand_reset_op(chip);
+ nand_reset(chip, 0);
}
return 0;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 091/291] tpm, tpm_tis: Fix timeout handling when waiting for TPM status
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 090/291] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 092/291] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
` (208 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan McDowell,
Michal Suchánek, Lino Sanfilippo, Jarkko Sakkinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan McDowell <noodles@meta.com>
commit 7146dffa875cd00e7a7f918e1fce79c7593ac1fa upstream.
The change to only use interrupts to handle supported status changes
introduced an issue when it is necessary to poll for the status. Rather
than checking for the status after sleeping the code now sleeps after
the check. This means a correct, but slower, status change on the part
of the TPM can be missed, resulting in a spurious timeout error,
especially on a more loaded system. Switch back to sleeping *then*
checking. An up front check of the status has been done at the start of
the function, so this does not cause an additional delay when the status
is already what we're looking for.
Cc: stable@vger.kernel.org # v6.4+
Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts")
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Michal Suchánek <msuchanek@suse.de>
Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm_tis_core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -104,11 +104,10 @@ again:
return 0;
/* process status changes without irq support */
do {
+ usleep_range(priv->timeout_min, priv->timeout_max);
status = chip->ops->status(chip);
if ((status & mask) == mask)
return 0;
- usleep_range(priv->timeout_min,
- priv->timeout_max);
} while (time_before(jiffies, stop));
return -ETIME;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 092/291] media: streamzap: prevent processing IR data on URB failure
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 091/291] tpm, tpm_tis: Fix timeout handling when waiting for TPM status Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 093/291] media: platform: stm32: Add check for clk_enable() Greg Kroah-Hartman
` (207 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Murad Masimov, Sean Young,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream.
If streamzap_callback() receives an urb with any non-critical error
status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN,
it will try to process IR data, ignoring a possible transfer failure.
Make streamzap_callback() process IR data only when urb->status is 0.
Move processing logic to a separate function to make code cleaner and
more similar to the URB completion handlers in other RC drivers.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++-------------------
1 file changed, 38 insertions(+), 30 deletions(-)
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -138,39 +138,10 @@ static void sz_push_half_space(struct st
sz_push_full_space(sz, value & SZ_SPACE_MASK);
}
-/*
- * streamzap_callback - usb IRQ handler callback
- *
- * This procedure is invoked on reception of data from
- * the usb remote.
- */
-static void streamzap_callback(struct urb *urb)
+static void sz_process_ir_data(struct streamzap_ir *sz, int len)
{
- struct streamzap_ir *sz;
unsigned int i;
- int len;
-
- if (!urb)
- return;
-
- sz = urb->context;
- len = urb->actual_length;
-
- switch (urb->status) {
- case -ECONNRESET:
- case -ENOENT:
- case -ESHUTDOWN:
- /*
- * this urb is terminated, clean up.
- * sz might already be invalid at this point
- */
- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
- return;
- default:
- break;
- }
- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
for (i = 0; i < len; i++) {
dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n",
i, (unsigned char)sz->buf_in[i]);
@@ -219,6 +190,43 @@ static void streamzap_callback(struct ur
}
ir_raw_event_handle(sz->rdev);
+}
+
+/*
+ * streamzap_callback - usb IRQ handler callback
+ *
+ * This procedure is invoked on reception of data from
+ * the usb remote.
+ */
+static void streamzap_callback(struct urb *urb)
+{
+ struct streamzap_ir *sz;
+ int len;
+
+ if (!urb)
+ return;
+
+ sz = urb->context;
+ len = urb->actual_length;
+
+ switch (urb->status) {
+ case 0:
+ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
+ sz_process_ir_data(sz, len);
+ break;
+ case -ECONNRESET:
+ case -ENOENT:
+ case -ESHUTDOWN:
+ /*
+ * this urb is terminated, clean up.
+ * sz might already be invalid at this point
+ */
+ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+ return;
+ default:
+ break;
+ }
+
usb_submit_urb(urb, GFP_ATOMIC);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 093/291] media: platform: stm32: Add check for clk_enable()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 092/291] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 094/291] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
` (206 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b upstream.
Add check for the return value of clk_enable() to gurantee the success.
Fixes: 002e8f0d5927 ("media: stm32-dma2d: STM32 DMA2D driver")
Cc: stable@vger.kernel.org
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/st/stm32/dma2d/dma2d.c
+++ b/drivers/media/platform/st/stm32/dma2d/dma2d.c
@@ -492,7 +492,8 @@ static void device_run(void *prv)
dst->sequence = frm_cap->sequence++;
v4l2_m2m_buf_copy_metadata(src, dst, true);
- clk_enable(dev->gate);
+ if (clk_enable(dev->gate))
+ goto end;
dma2d_config_fg(dev, frm_out,
vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0));
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 094/291] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 093/291] media: platform: stm32: Add check for clk_enable() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 095/291] media: i2c: ccs: Set the devices runtime PM status correctly in remove Greg Kroah-Hartman
` (205 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karina Yankevich, Sergey Shtylyov,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karina Yankevich <k.yankevich@omp.ru>
commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream.
In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width
variable to the 64-bit type u64 before multiplying to avoid
a possible overflow. The resulting object code even seems to
look better, at least on x86_64.
Found by Linux Verification Center (linuxtesting.org) with Svace.
[Sergey: rewrote the patch subject/descripition]
Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation")
Cc: stable@vger.kernel.org
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
+++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_
u64 num;
u32 den;
- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) -
+ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) -
((u64)image_width * GTF_D_M_PRIME * 1000));
den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) *
(2 * GTF_CELL_GRAN);
@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_
u64 num;
u32 den;
- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) -
+ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) -
((u64)image_width * GTF_S_M_PRIME * 1000));
den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) *
(2 * GTF_CELL_GRAN);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 095/291] media: i2c: ccs: Set the devices runtime PM status correctly in remove
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 094/291] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 096/291] media: i2c: ccs: Set the devices runtime PM status correctly in probe Greg Kroah-Hartman
` (204 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit e04604583095faf455b3490b004254a225fd60d4 upstream.
Set the device's runtime PM status to suspended in device removal only if
it wasn't suspended already.
Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
Cc: stable@vger.kernel.org # for >= v5.15
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs/ccs-core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/ccs/ccs-core.c
+++ b/drivers/media/i2c/ccs/ccs-core.c
@@ -3674,9 +3674,10 @@ static void ccs_remove(struct i2c_client
v4l2_async_unregister_subdev(subdev);
pm_runtime_disable(&client->dev);
- if (!pm_runtime_status_suspended(&client->dev))
+ if (!pm_runtime_status_suspended(&client->dev)) {
ccs_power_off(&client->dev);
- pm_runtime_set_suspended(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
+ }
for (i = 0; i < sensor->ssds_used; i++) {
v4l2_device_unregister_subdev(&sensor->ssds[i].sd);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 096/291] media: i2c: ccs: Set the devices runtime PM status correctly in probe
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 095/291] media: i2c: ccs: Set the devices runtime PM status correctly in remove Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 097/291] media: i2c: ov7251: Set enable GPIO low " Greg Kroah-Hartman
` (203 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 80704d14f1bd3628f578510e0a88b66824990ef6 upstream.
Set the device's runtime PM status to suspended in probe error paths where
it was previously set to active.
Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
Cc: stable@vger.kernel.org # for >= v5.15
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs/ccs-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/i2c/ccs/ccs-core.c
+++ b/drivers/media/i2c/ccs/ccs-core.c
@@ -3642,6 +3642,7 @@ static int ccs_probe(struct i2c_client *
out_disable_runtime_pm:
pm_runtime_put_noidle(&client->dev);
pm_runtime_disable(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
out_media_entity_cleanup:
media_entity_cleanup(&sensor->src->sd.entity);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 097/291] media: i2c: ov7251: Set enable GPIO low in probe
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 096/291] media: i2c: ccs: Set the devices runtime PM status correctly in probe Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 098/291] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
` (202 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Dave Stevenson,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream.
Set the enable GPIO low when acquiring it.
Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov7251.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/ov7251.c
+++ b/drivers/media/i2c/ov7251.c
@@ -1675,7 +1675,7 @@ static int ov7251_probe(struct i2c_clien
return PTR_ERR(ov7251->analog_regulator);
}
- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH);
+ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
if (IS_ERR(ov7251->enable_gpio)) {
dev_err(dev, "cannot get enable gpio\n");
return PTR_ERR(ov7251->enable_gpio);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 098/291] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 097/291] media: i2c: ov7251: Set enable GPIO low " Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 099/291] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
` (201 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Dave Stevenson,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream.
Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as
required by the sensor's power-up sequence.
Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov7251.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/ov7251.c
+++ b/drivers/media/i2c/ov7251.c
@@ -922,6 +922,8 @@ static int ov7251_set_power_on(struct de
return ret;
}
+ usleep_range(1000, 1100);
+
gpiod_set_value_cansleep(ov7251->enable_gpio, 1);
/* wait at least 65536 external clock cycles */
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 099/291] media: venus: hfi_parser: add check to avoid out of bound access
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 098/291] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 100/291] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
` (200 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream.
There is a possibility that init_codecs is invoked multiple times during
manipulated payload from video firmware. In such case, if codecs_count
can get incremented to value more than MAX_CODEC_NUM, there can be OOB
access. Reset the count so that it always starts from beginning.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor
struct hfi_plat_caps *caps = core->caps, *cap;
unsigned long bit;
+ core->codecs_count = 0;
+
if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
return;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 100/291] media: venus: hfi_parser: refactor hfi packet parsing logic
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 099/291] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 101/291] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
` (199 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 9edaaa8e3e15aab1ca413ab50556de1975bcb329 upstream.
words_count denotes the number of words in total payload, while data
points to payload of various property within it. When words_count
reaches last word, data can access memory beyond the total payload. This
can lead to OOB access. With this patch, the utility api for handling
individual properties now returns the size of data consumed. Accordingly
remaining bytes are calculated before parsing the payload, thereby
eliminates the OOB access possibilities.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 98 ++++++++++++++++++-------
1 file changed, 72 insertions(+), 26 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -64,7 +64,7 @@ fill_buf_mode(struct hfi_plat_caps *cap,
cap->cap_bufs_mode_dynamic = true;
}
-static void
+static int
parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_buffer_alloc_mode_supported *mode = data;
@@ -72,7 +72,7 @@ parse_alloc_mode(struct venus_core *core
u32 *type;
if (num_entries > MAX_ALLOC_MODE_ENTRIES)
- return;
+ return -EINVAL;
type = mode->data;
@@ -84,6 +84,8 @@ parse_alloc_mode(struct venus_core *core
type++;
}
+
+ return sizeof(*mode);
}
static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
@@ -98,7 +100,7 @@ static void fill_profile_level(struct hf
cap->num_pl += num;
}
-static void
+static int
parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_profile_level_supported *pl = data;
@@ -106,12 +108,14 @@ parse_profile_level(struct venus_core *c
struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {};
if (pl->profile_count > HFI_MAX_PROFILE_COUNT)
- return;
+ return -EINVAL;
memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_profile_level, pl_arr, pl->profile_count);
+
+ return pl->profile_count * sizeof(*proflevel) + sizeof(u32);
}
static void
@@ -126,7 +130,7 @@ fill_caps(struct hfi_plat_caps *cap, con
cap->num_caps += num;
}
-static void
+static int
parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_capabilities *caps = data;
@@ -135,12 +139,14 @@ parse_caps(struct venus_core *core, u32
struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {};
if (num_caps > MAX_CAP_ENTRIES)
- return;
+ return -EINVAL;
memcpy(caps_arr, cap, num_caps * sizeof(*cap));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_caps, caps_arr, num_caps);
+
+ return sizeof(*caps);
}
static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
@@ -155,7 +161,7 @@ static void fill_raw_fmts(struct hfi_pla
cap->num_fmts += num_fmts;
}
-static void
+static int
parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_uncompressed_format_supported *fmt = data;
@@ -164,7 +170,8 @@ parse_raw_formats(struct venus_core *cor
struct raw_formats rawfmts[MAX_FMT_ENTRIES] = {};
u32 entries = fmt->format_entries;
unsigned int i = 0;
- u32 num_planes;
+ u32 num_planes = 0;
+ u32 size;
while (entries) {
num_planes = pinfo->num_planes;
@@ -174,7 +181,7 @@ parse_raw_formats(struct venus_core *cor
i++;
if (i >= MAX_FMT_ENTRIES)
- return;
+ return -EINVAL;
if (pinfo->num_planes > MAX_PLANES)
break;
@@ -186,9 +193,13 @@ parse_raw_formats(struct venus_core *cor
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_raw_fmts, rawfmts, i);
+ size = fmt->format_entries * (sizeof(*constr) * num_planes + 2 * sizeof(u32))
+ + 2 * sizeof(u32);
+
+ return size;
}
-static void parse_codecs(struct venus_core *core, void *data)
+static int parse_codecs(struct venus_core *core, void *data)
{
struct hfi_codec_supported *codecs = data;
@@ -200,21 +211,27 @@ static void parse_codecs(struct venus_co
core->dec_codecs &= ~HFI_VIDEO_CODEC_SPARK;
core->enc_codecs &= ~HFI_VIDEO_CODEC_HEVC;
}
+
+ return sizeof(*codecs);
}
-static void parse_max_sessions(struct venus_core *core, const void *data)
+static int parse_max_sessions(struct venus_core *core, const void *data)
{
const struct hfi_max_sessions_supported *sessions = data;
core->max_sessions_supported = sessions->max_sessions;
+
+ return sizeof(*sessions);
}
-static void parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
+static int parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
{
struct hfi_codec_mask_supported *mask = data;
*codecs = mask->codecs;
*domain = mask->video_domains;
+
+ return sizeof(*mask);
}
static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain)
@@ -283,8 +300,9 @@ static int hfi_platform_parser(struct ve
u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
u32 size)
{
- unsigned int words_count = size >> 2;
- u32 *word = buf, *data, codecs = 0, domain = 0;
+ u32 *words = buf, *payload, codecs = 0, domain = 0;
+ u32 *frame_size = buf + size;
+ u32 rem_bytes = size;
int ret;
ret = hfi_platform_parser(core, inst);
@@ -301,38 +319,66 @@ u32 hfi_parser(struct venus_core *core,
memset(core->caps, 0, sizeof(core->caps));
}
- while (words_count) {
- data = word + 1;
+ while (words < frame_size) {
+ payload = words + 1;
- switch (*word) {
+ switch (*words) {
case HFI_PROPERTY_PARAM_CODEC_SUPPORTED:
- parse_codecs(core, data);
+ if (rem_bytes <= sizeof(struct hfi_codec_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_codecs(core, payload);
+ if (ret < 0)
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
init_codecs(core);
break;
case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED:
- parse_max_sessions(core, data);
+ if (rem_bytes <= sizeof(struct hfi_max_sessions_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_max_sessions(core, payload);
break;
case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED:
- parse_codecs_mask(&codecs, &domain, data);
+ if (rem_bytes <= sizeof(struct hfi_codec_mask_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_codecs_mask(&codecs, &domain, payload);
break;
case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED:
- parse_raw_formats(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_uncompressed_format_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_raw_formats(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED:
- parse_caps(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_capabilities))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_caps(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED:
- parse_profile_level(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_profile_level_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_profile_level(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED:
- parse_alloc_mode(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_buffer_alloc_mode_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_alloc_mode(core, codecs, domain, payload);
break;
default:
+ ret = sizeof(u32);
break;
}
- word++;
- words_count--;
+ if (ret < 0)
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ words += ret / sizeof(u32);
+ rem_bytes -= ret;
}
if (!core->max_sessions_supported)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 101/291] mptcp: sockopt: fix getting IPV6_V6ONLY
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 100/291] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 102/291] mtd: Add check for devm_kcalloc() Greg Kroah-Hartman
` (198 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Simon Horman, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
When adding a socket option support in MPTCP, both the get and set parts
are supposed to be implemented.
IPV6_V6ONLY support for the setsockopt part has been added a while ago,
but it looks like the get part got forgotten. It should have been
present as a way to verify a setting has been set as expected, and not
to act differently from TCP or any other socket types.
Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
to check the default value, before doing extra actions. On Linux, the
default value is 0, but this can be changed with the net.ipv6.bindv6only
sysctl knob. On Windows, it is set to 1 by default. So supporting the
get part, like for all other socket options, is important.
Everything was in place to expose it, just the last step was missing.
Only new code is added to cover this specific getsockopt(), that seems
safe.
Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -1271,6 +1271,20 @@ static int mptcp_getsockopt_v4(struct mp
return -EOPNOTSUPP;
}
+static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
+ char __user *optval, int __user *optlen)
+{
+ struct sock *sk = (void *)msk;
+
+ switch (optname) {
+ case IPV6_V6ONLY:
+ return mptcp_put_int_option(msk, optval, optlen,
+ sk->sk_ipv6only);
+ }
+
+ return -EOPNOTSUPP;
+}
+
static int mptcp_getsockopt_sol_mptcp(struct mptcp_sock *msk, int optname,
char __user *optval, int __user *optlen)
{
@@ -1308,6 +1322,8 @@ int mptcp_getsockopt(struct sock *sk, in
if (level == SOL_IP)
return mptcp_getsockopt_v4(msk, optname, optval, option);
+ if (level == SOL_IPV6)
+ return mptcp_getsockopt_v6(msk, optname, optval, option);
if (level == SOL_TCP)
return mptcp_getsockopt_sol_tcp(msk, optname, optval, option);
if (level == SOL_MPTCP)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 102/291] mtd: Add check for devm_kcalloc()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 101/291] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 103/291] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
` (197 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 2aee30bb10d7bad0a60255059c9ce1b84cf0130e upstream.
Add a check for devm_kcalloc() to ensure successful allocation.
Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdpstore.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/mtdpstore.c
+++ b/drivers/mtd/mtdpstore.c
@@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct
longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
+ return;
+
/* just support dmesg right now */
cxt->dev.flags = PSTORE_FLAGS_DMESG;
cxt->dev.zone.read = mtdpstore_read;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 103/291] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 102/291] mtd: Add check for devm_kcalloc() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 104/291] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
` (196 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream.
Implement the workaround for erratum
3.3 RGMII timing may be out of spec when transmit delay is enabled
for the 6320 family, which says:
When transmit delay is enabled via Port register 1 bit 14 = 1, duty
cycle may be out of spec. Under very rare conditions this may cause
the attached device receive CRC errors.
Signed-off-by: Marek Behún <kabel@kernel.org>
Cc: <stable@vger.kernel.org> # 5.4.x
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3694,6 +3694,21 @@ static int mv88e6xxx_stats_setup(struct
return mv88e6xxx_g1_stats_clear(chip);
}
+static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip)
+{
+ u16 dummy;
+ int err;
+
+ /* Workaround for erratum
+ * 3.3 RGMII timing may be out of spec when transmit delay is enabled
+ */
+ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000);
+ if (err)
+ return err;
+
+ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy);
+}
+
/* Check if the errata has already been applied. */
static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip)
{
@@ -5110,6 +5125,7 @@ static const struct mv88e6xxx_ops mv88e6
static const struct mv88e6xxx_ops mv88e6320_ops = {
/* MV88E6XXX_FAMILY_6320 */
+ .setup_errata = mv88e6320_setup_errata,
.ieee_pri_map = mv88e6085_g1_ieee_pri_map,
.ip_pri_map = mv88e6085_g1_ip_pri_map,
.irl_init_all = mv88e6352_g2_irl_init_all,
@@ -5157,6 +5173,7 @@ static const struct mv88e6xxx_ops mv88e6
static const struct mv88e6xxx_ops mv88e6321_ops = {
/* MV88E6XXX_FAMILY_6320 */
+ .setup_errata = mv88e6320_setup_errata,
.ieee_pri_map = mv88e6085_g1_ieee_pri_map,
.ip_pri_map = mv88e6085_g1_ip_pri_map,
.irl_init_all = mv88e6352_g2_irl_init_all,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 104/291] mtd: Replace kcalloc() with devm_kcalloc()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 103/291] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 105/291] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
` (195 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream.
Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of
errors.
Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdpstore.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/mtd/mtdpstore.c
+++ b/drivers/mtd/mtdpstore.c
@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct
}
longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size));
- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
return;
@@ -530,9 +530,6 @@ static void mtdpstore_notify_remove(stru
mtdpstore_flush_removed(cxt);
unregister_pstore_device(&cxt->dev);
- kfree(cxt->badmap);
- kfree(cxt->usedmap);
- kfree(cxt->rmmap);
cxt->mtd = NULL;
cxt->index = -1;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 105/291] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 104/291] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 106/291] wifi: mt76: Add check for devm_kstrdup() Greg Kroah-Hartman
` (194 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Torgue, Fabrice Gasnier,
Daniel Lezcano
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Torgue <alexandre.torgue@foss.st.com>
commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream.
"wakeup-source" property describes a device which has wakeup capability
but should not force this device as a wakeup source.
Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Rule: add
Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com
Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clocksource/timer-stm32-lp.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/clocksource/timer-stm32-lp.c
+++ b/drivers/clocksource/timer-stm32-lp.c
@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc
}
if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) {
- ret = device_init_wakeup(&pdev->dev, true);
- if (ret)
- goto out_clk_disable;
+ device_set_wakeup_capable(&pdev->dev, true);
ret = dev_pm_set_wake_irq(&pdev->dev, irq);
if (ret)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 106/291] wifi: mt76: Add check for devm_kstrdup()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 105/291] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 107/291] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
` (193 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Felix Fietkau
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 4bc1da524b502999da28d287de4286c986a1af57 upstream.
Add check for the return value of devm_kstrdup() in
mt76_get_of_data_from_mtd() to catch potential exception.
Fixes: e7a6a044f9b9 ("mt76: testmode: move mtd part to mt76_dev")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20250219033645.2594753-1-haoxiang_li2024@163.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/eeprom.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
@@ -90,6 +90,10 @@ int mt76_get_of_eeprom(struct mt76_dev *
#ifdef CONFIG_NL80211_TESTMODE
dev->test_mtd.name = devm_kstrdup(dev->dev, part, GFP_KERNEL);
+ if (!dev->test_mtd.name) {
+ ret = -ENOMEM;
+ goto out_put_node;
+ }
dev->test_mtd.offset = offset;
#endif
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 107/291] wifi: mac80211: fix integer overflow in hwmp_route_info_get()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 106/291] wifi: mt76: Add check for devm_kstrdup() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 108/291] io_uring/kbuf: reject zero sized provided buffers Greg Kroah-Hartman
` (192 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilia Gavrilov, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream.
Since the new_metric and last_hop_metric variables can reach
the MAX_METRIC(0xffffffff) value, an integer overflow may occur
when multiplying them by 10/9. It can lead to incorrect behavior.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mesh_hwmp.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -365,6 +365,12 @@ u32 airtime_link_metric_get(struct ieee8
return (u32)result;
}
+/* Check that the first metric is at least 10% better than the second one */
+static bool is_metric_better(u32 x, u32 y)
+{
+ return (x < y) && (x < (y - x / 10));
+}
+
/**
* hwmp_route_info_get - Update routing info to originator and transmitter
*
@@ -455,8 +461,8 @@ static u32 hwmp_route_info_get(struct ie
(mpath->sn == orig_sn &&
(rcu_access_pointer(mpath->next_hop) !=
sta ?
- mult_frac(new_metric, 10, 9) :
- new_metric) >= mpath->metric)) {
+ !is_metric_better(new_metric, mpath->metric) :
+ new_metric >= mpath->metric))) {
process = false;
fresh_info = false;
}
@@ -526,8 +532,8 @@ static u32 hwmp_route_info_get(struct ie
if ((mpath->flags & MESH_PATH_FIXED) ||
((mpath->flags & MESH_PATH_ACTIVE) &&
((rcu_access_pointer(mpath->next_hop) != sta ?
- mult_frac(last_hop_metric, 10, 9) :
- last_hop_metric) > mpath->metric)))
+ !is_metric_better(last_hop_metric, mpath->metric) :
+ last_hop_metric > mpath->metric))))
fresh_info = false;
} else {
mpath = mesh_path_add(sdata, ta);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 108/291] io_uring/kbuf: reject zero sized provided buffers
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 107/291] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 109/291] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
` (191 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+58928048fd1416f1457c,
Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc upstream.
This isn't fixing a real issue, but there's also zero point in going
through group and buffer setup, when the buffers are going to be
rejected once attempted to get used.
Cc: stable@vger.kernel.org
Reported-by: syzbot+58928048fd1416f1457c@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/kbuf.c | 2 ++
1 file changed, 2 insertions(+)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -336,6 +336,8 @@ int io_provide_buffers_prep(struct io_ki
p->nbufs = tmp;
p->addr = READ_ONCE(sqe->addr);
p->len = READ_ONCE(sqe->len);
+ if (!p->len)
+ return -EINVAL;
if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
&size))
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 109/291] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 108/291] io_uring/kbuf: reject zero sized provided buffers Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 110/291] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns Greg Kroah-Hartman
` (190 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 3107019501842c27334554ba9d6583b1f200f61f upstream.
DSP expects the periods to be aligned to fragment sizes, currently
setting up to hw constriants on periods bytes is not going to work
correctly as we can endup with periods sizes aligned to 32 bytes however
not aligned to fragment size.
Update the constriants to use fragment size, and also set at step of
10ms for period size to accommodate DSP requirements of 10ms latency.
Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-5-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -292,13 +292,14 @@ static int q6apm_dai_open(struct snd_soc
}
}
- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
+ /* setup 10ms latency to accommodate DSP restrictions */
+ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for period bytes step ret = %d\n", ret);
goto err;
}
- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
+ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for buffer bytes step ret = %d\n", ret);
goto err;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 110/291] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 109/291] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 111/291] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
` (189 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla,
Krzysztof Kozlowski, Johan Hovold, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 5d01ed9b9939b4c726be74db291a982bc984c584 upstream.
Period sizes less than 6k for capture path triggers overruns in the
dsp capture pipeline.
Change the period size and number of periods to value which DSP is happy with.
Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-6-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -24,8 +24,8 @@
#define PLAYBACK_MIN_PERIOD_SIZE 128
#define CAPTURE_MIN_NUM_PERIODS 2
#define CAPTURE_MAX_NUM_PERIODS 8
-#define CAPTURE_MAX_PERIOD_SIZE 4096
-#define CAPTURE_MIN_PERIOD_SIZE 320
+#define CAPTURE_MAX_PERIOD_SIZE 65536
+#define CAPTURE_MIN_PERIOD_SIZE 6144
#define BUFFER_BYTES_MAX (PLAYBACK_MAX_NUM_PERIODS * PLAYBACK_MAX_PERIOD_SIZE)
#define BUFFER_BYTES_MIN (PLAYBACK_MIN_NUM_PERIODS * PLAYBACK_MIN_PERIOD_SIZE)
#define SID_MASK_DEFAULT 0xF
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 111/291] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 110/291] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 112/291] bus: mhi: host: Fix race between unprepare and queue_buf Greg Kroah-Hartman
` (188 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Vinod Koul,
Pierre-Louis Bossart, Alexey Klimov, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Klimov <alexey.klimov@linaro.org>
commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream.
In case of attempts to compress playback something, for instance,
when audio routing is not set up correctly, the audio DSP is left in
inconsistent state because we are not doing the correct things in
the error path of q6asm_dai_compr_set_params().
So, when routing is not set up and compress playback is attempted
the following errors are present (simplified log):
q6routing routing: Routing not setup for MultiMedia-1 Session
q6asm-dai dais: Stream reg failed ret:-22
q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
on 17300000.remoteproc:glink-edge:apr:service@7:dais
After setting the correct routing the compress playback will always fail:
q6asm-dai dais: cmd = 0x10db3 returned error = 0x9
q6asm-dai dais: DSP returned error[9]
q6asm-dai dais: q6asm_open_write failed
q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
on 17300000.remoteproc:glink-edge:apr:service@7:dais
0x9 here means "Operation is already processed". The CMD_OPEN here was
sent the second time hence DSP responds that it was already done.
Turns out the CMD_CLOSE should be sent after the q6asm_open_write()
succeeded but something failed after that, for instance, routing
setup.
Fix this by slightly reworking the error path in
q6asm_dai_compr_set_params().
Tested on QRB5165 RB5 and SDM845 RB3 boards.
Cc: stable@vger.kernel.org
Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Vinod Koul <vkoul@kernel.org>
Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -902,9 +902,7 @@ static int q6asm_dai_compr_set_params(st
if (ret < 0) {
dev_err(dev, "q6asm_open_write failed\n");
- q6asm_audio_client_free(prtd->audio_client);
- prtd->audio_client = NULL;
- return ret;
+ goto open_err;
}
}
@@ -913,7 +911,7 @@ static int q6asm_dai_compr_set_params(st
prtd->session_id, dir);
if (ret) {
dev_err(dev, "Stream reg failed ret:%d\n", ret);
- return ret;
+ goto q6_err;
}
ret = __q6asm_dai_compr_set_codec_params(component, stream,
@@ -921,7 +919,7 @@ static int q6asm_dai_compr_set_params(st
prtd->stream_id);
if (ret) {
dev_err(dev, "codec param setup failed ret:%d\n", ret);
- return ret;
+ goto q6_err;
}
ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
@@ -930,12 +928,21 @@ static int q6asm_dai_compr_set_params(st
if (ret < 0) {
dev_err(dev, "Buffer Mapping failed ret:%d\n", ret);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto q6_err;
}
prtd->state = Q6ASM_STREAM_RUNNING;
return 0;
+
+q6_err:
+ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+
+open_err:
+ q6asm_audio_client_free(prtd->audio_client);
+ prtd->audio_client = NULL;
+ return ret;
}
static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 112/291] bus: mhi: host: Fix race between unprepare and queue_buf
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 111/291] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 113/291] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
` (187 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeffrey Hugo, Jeff Hugo,
Krishna Chaitanya Chundru, Youssef Samir, Manivannan Sadhasivam,
Troy Hanson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Hugo <quic_jhugo@quicinc.com>
commit 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 upstream.
A client driver may use mhi_unprepare_from_transfer() to quiesce
incoming data during the client driver's tear down. The client driver
might also be processing data at the same time, resulting in a call to
mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
after mhi_unprepare_from_transfer() has torn down the channel, a panic
will occur due to an invalid dereference leading to a page fault.
This occurs because mhi_gen_tre() does not verify the channel state
after locking it. Fix this by having mhi_gen_tre() confirm the channel
state is valid, or return error to avoid accessing deinitialized data.
Cc: stable@vger.kernel.org # 6.8
Fixes: b89b6a863dd5 ("bus: mhi: host: Add spinlock to protect WP access when queueing TREs")
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Reviewed-by: Youssef Samir <quic_yabdulra@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
Link: https://lore.kernel.org/r/20250306172913.856982-1-jeff.hugo@oss.qualcomm.com
[mani: added stable tag]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/main.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -1201,11 +1201,16 @@ int mhi_gen_tre(struct mhi_controller *m
struct mhi_ring_element *mhi_tre;
struct mhi_buf_info *buf_info;
int eot, eob, chain, bei;
- int ret;
+ int ret = 0;
/* Protect accesses for reading and incrementing WP */
write_lock_bh(&mhi_chan->lock);
+ if (mhi_chan->ch_state != MHI_CH_STATE_ENABLED) {
+ ret = -ENODEV;
+ goto out;
+ }
+
buf_ring = &mhi_chan->buf_ring;
tre_ring = &mhi_chan->tre_ring;
@@ -1223,10 +1228,8 @@ int mhi_gen_tre(struct mhi_controller *m
if (!info->pre_mapped) {
ret = mhi_cntrl->map_single(mhi_cntrl, buf_info);
- if (ret) {
- write_unlock_bh(&mhi_chan->lock);
- return ret;
- }
+ if (ret)
+ goto out;
}
eob = !!(flags & MHI_EOB);
@@ -1243,9 +1246,10 @@ int mhi_gen_tre(struct mhi_controller *m
mhi_add_ring_element(mhi_cntrl, tre_ring);
mhi_add_ring_element(mhi_cntrl, buf_ring);
+out:
write_unlock_bh(&mhi_chan->lock);
- return 0;
+ return ret;
}
int mhi_queue_buf(struct mhi_device *mhi_dev, enum dma_data_direction dir,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 113/291] ext4: fix off-by-one error in do_split
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 112/291] bus: mhi: host: Fix race between unprepare and queue_buf Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 114/291] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
` (186 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem Sadovnikov, Jan Kara,
Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The following loop is located right above 'if' statement.
for (i = count-1; i >= 0; i--) {
/* is more than half of this entry in 2nd half of the block? */
if (size + map[i].size/2 > blocksize/2)
break;
size += map[i].size;
move++;
}
'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Cc: stable@vger.kernel.org
Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2041,7 +2041,7 @@ static struct ext4_dir_entry_2 *do_split
* split it in half by count; each resulting block will have at least
* half the space free.
*/
- if (i > 0)
+ if (i >= 0)
split = count - move;
else
split = count/2;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 114/291] vdpa/mlx5: Fix oversized null mkey longer than 32bit
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 113/291] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 115/291] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
` (185 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Meng, Si-Wei Liu,
Dragos Tatulea, Eugenio Pérez, Michael S. Tsirkin,
Jason Wang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Si-Wei Liu <si-wei.liu@oracle.com>
commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream.
create_user_mr() has correct code to count the number of null keys
used to fill in a hole for the memory map. However, fill_indir()
does not follow the same to cap the range up to the 1GB limit
correspondingly. Fill in more null keys for the gaps in between,
so that null keys are correctly populated.
Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
Cc: stable@vger.kernel.org
Reported-by: Cong Meng <cong.meng@oracle.com>
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vdpa/mlx5/core/mr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/vdpa/mlx5/core/mr.c
+++ b/drivers/vdpa/mlx5/core/mr.c
@@ -166,9 +166,12 @@ again:
klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start));
preve = dmr->end;
} else {
+ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE);
+
klm->key = cpu_to_be32(mvdev->res.null_mkey);
- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve));
- preve = dmr->start;
+ klm->bcount = cpu_to_be32(klm_bcount(bcount));
+ preve += bcount;
+
goto again;
}
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 115/291] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 114/291] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 116/291] smb311 client: fix missing tcon check when mounting with linux/posix extensions Greg Kroah-Hartman
` (184 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Krzysztof Kozlowski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
commit c8222ef6cf29dd7cad21643228f96535cc02b327 upstream.
soc_dev_attr->revision could be NULL, thus,
a pointer check is added to prevent potential NULL pointer dereference.
This is similar to the fix in commit 3027e7b15b02
("ice: Fix some null pointer dereference issues in ice_ptp.c").
This issue is found by our static analysis tool.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250212213518.69432-1-chenyuan0y@gmail.com
Fixes: 3253b7b7cd44 ("soc: samsung: Add exynos chipid driver support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/samsung/exynos-chipid.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -131,6 +131,8 @@ static int exynos_chipid_probe(struct pl
soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
"%x", soc_info.revision);
+ if (!soc_dev_attr->revision)
+ return -ENOMEM;
soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id);
if (!soc_dev_attr->soc_id) {
pr_err("Unknown SoC\n");
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 116/291] smb311 client: fix missing tcon check when mounting with linux/posix extensions
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 115/291] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 117/291] i3c: master: svc: Use readsb helper for reading MDB Greg Kroah-Hartman
` (183 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
commit b365b9d404b7376c60c91cd079218bfef11b7822 upstream.
When mounting the same share twice, once with the "linux" mount parameter
(or equivalently "posix") and then once without (or e.g. with "nolinux"),
we were incorrectly reusing the same tree connection for both mounts.
This meant that the first mount of the share on the client, would
cause subsequent mounts of that same share on the same client to
ignore that mount parm ("linux" vs. "nolinux") and incorrectly reuse
the same tcon.
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -2417,6 +2417,8 @@ static int match_tcon(struct cifs_tcon *
return 0;
if (tcon->nodelete != ctx->nodelete)
return 0;
+ if (tcon->posix_extensions != ctx->linux_ext)
+ return 0;
return 1;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 117/291] i3c: master: svc: Use readsb helper for reading MDB
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 116/291] smb311 client: fix missing tcon check when mounting with linux/posix extensions Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 118/291] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
` (182 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Stanley Chu, Frank Li,
Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanley Chu <yschu@nuvoton.com>
commit c06acf7143bddaa3c0f7bedd8b99e48f6acb85c3 upstream.
The target can send the MDB byte followed by additional data bytes.
The readl on MRDATAB reads one actual byte, but the readsl advances
the destination pointer by 4 bytes. This causes the subsequent payload
to be copied to wrong position in the destination buffer.
Cc: stable@kernel.org
Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
Signed-off-by: Stanley Chu <yschu@nuvoton.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250318053606.3087121-3-yschu@nuvoton.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/svc-i3c-master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -368,7 +368,7 @@ static int svc_i3c_master_handle_ibi(str
slot->len < SVC_I3C_FIFO_SIZE) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
- readsl(master->regs + SVC_I3C_MRDATAB, buf, count);
+ readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
slot->len += count;
buf += count;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 118/291] i3c: Add NULL pointer check in i3c_master_queue_ibi()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 117/291] i3c: master: svc: Use readsb helper for reading MDB Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 119/291] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
` (181 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manjunatha Venkatesh, Frank Li,
Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
commit bd496a44f041da9ef3afe14d1d6193d460424e91 upstream.
The I3C master driver may receive an IBI from a target device that has not
been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`
to queue an IBI work task, leading to "Unable to handle kernel read from
unreadable memory" and resulting in a kernel panic.
Typical IBI handling flow:
1. The I3C master scans target devices and probes their respective drivers.
2. The target device driver calls `i3c_device_request_ibi()` to enable IBI
and assigns `dev->ibi = ibi`.
3. The I3C master receives an IBI from the target device and calls
`i3c_master_queue_ibi()` to queue the target device driver’s IBI
handler task.
However, since target device events are asynchronous to the I3C probe
sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,
leading to a kernel panic.
Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing
an uninitialized `dev->ibi`, ensuring stability.
Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/
Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250326123047.2797946-1-manjunatha.venkatesh@nxp.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2495,6 +2495,9 @@ static void i3c_master_unregister_i3c_de
*/
void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot)
{
+ if (!dev->ibi || !slot)
+ return;
+
atomic_inc(&dev->ibi->pending_ibis);
queue_work(dev->common.master->wq, &slot->work);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 119/291] jbd2: remove wrong sb->s_sequence check
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 118/291] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 120/291] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
` (180 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Zhang Yi, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit e6eff39dd0fe4190c6146069cc16d160e71d1148 upstream.
Journal emptiness is not determined by sb->s_sequence == 0 but rather by
sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a
valid transaction ID so the check can spuriously trigger. Remove the
invalid WARN_ON.
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250206094657.20865-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1711,7 +1711,6 @@ int jbd2_journal_update_sb_log_tail(jour
/* Log is no longer empty */
write_lock(&journal->j_state_lock);
- WARN_ON(!sb->s_sequence);
journal->j_flags &= ~JBD2_FLUSHED;
write_unlock(&journal->j_state_lock);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 120/291] mfd: ene-kb3930: Fix a potential NULL pointer dereference
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 119/291] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 121/291] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
` (179 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lee Jones, Chenyuan Yang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
commit 4cdf1d2a816a93fa02f7b6b5492dc7f55af2a199 upstream.
The off_gpios could be NULL. Add missing check in the kb3930_probe().
This is similar to the issue fixed in commit b1ba8bcb2d1f
("backlight: hx8357: Fix potential NULL pointer dereference").
This was detected by our static analysis tool.
Cc: stable@vger.kernel.org
Fixes: ede6b2d1dfc0 ("mfd: ene-kb3930: Add driver for ENE KB3930 Embedded Controller")
Suggested-by: Lee Jones <lee@kernel.org>
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250224233736.1919739-1-chenyuan0y@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/ene-kb3930.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mfd/ene-kb3930.c
+++ b/drivers/mfd/ene-kb3930.c
@@ -162,7 +162,7 @@ static int kb3930_probe(struct i2c_clien
devm_gpiod_get_array_optional(dev, "off", GPIOD_IN);
if (IS_ERR(ddata->off_gpios))
return PTR_ERR(ddata->off_gpios);
- if (ddata->off_gpios->ndescs < 2) {
+ if (ddata->off_gpios && ddata->off_gpios->ndescs < 2) {
dev_err(dev, "invalid off-gpios property\n");
return -EINVAL;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 121/291] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 120/291] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 122/291] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
` (178 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boqun Feng, Ingo Molnar, Waiman Long
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng <boqun.feng@gmail.com>
commit 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c upstream.
Currently, when a lock class is allocated, nr_unused_locks will be
increased by 1, until it gets used: nr_unused_locks will be decreased by
1 in mark_lock(). However, one scenario is missed: a lock class may be
zapped without even being used once. This could result into a situation
that nr_unused_locks != 0 but no unused lock class is active in the
system, and when `cat /proc/lockdep_stats`, a WARN_ON() will
be triggered in a CONFIG_DEBUG_LOCKDEP=y kernel:
[...] DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused)
[...] WARNING: CPU: 41 PID: 1121 at kernel/locking/lockdep_proc.c:283 lockdep_stats_show+0xba9/0xbd0
And as a result, lockdep will be disabled after this.
Therefore, nr_unused_locks needs to be accounted correctly at
zap_class() time.
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Waiman Long <longman@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250326180831.510348-1-boqun.feng@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/lockdep.c | 3 +++
1 file changed, 3 insertions(+)
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -6021,6 +6021,9 @@ static void zap_class(struct pending_fre
hlist_del_rcu(&class->hash_entry);
WRITE_ONCE(class->key, NULL);
WRITE_ONCE(class->name, NULL);
+ /* Class allocated but not used, -1 in nr_unused_locks */
+ if (class->usage_mask == 0)
+ debug_atomic_dec(nr_unused_locks);
nr_lock_classes--;
__clear_bit(class - lock_classes, lock_classes_in_use);
if (class - lock_classes == max_lock_class_idx)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 122/291] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 121/291] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 123/291] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
` (177 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, T Pratham, Robert Jarzmik,
Jens Axboe, Kamlesh Gurudasani, Praneeth Bajjuri,
Vignesh Raghavendra, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
commit 8b46fdaea819a679da176b879e7b0674a1161a5e upstream.
The split_sg_phys function was incorrectly setting the offsets of all
scatterlist entries (except the first) to 0. Only the first scatterlist
entry's offset and length needs to be modified to account for the skip.
Setting the rest entries' offsets to 0 could lead to incorrect data
access.
I am using this function in a crypto driver that I'm currently developing
(not yet sent to mailing list). During testing, it was observed that the
output scatterlists (except the first one) contained incorrect garbage
data.
I narrowed this issue down to the call of sg_split(). Upon debugging
inside this function, I found that this resetting of offset is the cause
of the problem, causing the subsequent scatterlists to point to incorrect
memory locations in a page. By removing this code, I am obtaining
expected data in all the split output scatterlists. Thus, this was indeed
causing observable runtime effects!
This patch removes the offending code, ensuring that the page offsets in
the input scatterlist are preserved in the output scatterlist.
Link: https://lkml.kernel.org/r/20250319111437.1969903-1-t-pratham@ti.com
Fixes: f8bcbe62acd0 ("lib: scatterlist: add sg splitting function")
Signed-off-by: T Pratham <t-pratham@ti.com>
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/sg_split.c | 2 --
1 file changed, 2 deletions(-)
--- a/lib/sg_split.c
+++ b/lib/sg_split.c
@@ -88,8 +88,6 @@ static void sg_split_phys(struct sg_spli
if (!j) {
out_sg->offset += split->skip_sg0;
out_sg->length -= split->skip_sg0;
- } else {
- out_sg->offset = 0;
}
sg_dma_address(out_sg) = 0;
sg_dma_len(out_sg) = 0;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 123/291] mptcp: fix NULL pointer in can_accept_new_subflow
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 122/291] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 124/291] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
` (176 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Gang Yan,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
commit 443041deb5ef6a1289a99ed95015ec7442f141dc upstream.
When testing valkey benchmark tool with MPTCP, the kernel panics in
'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...
According to the debug log, the same req received two SYN-ACK in a very
short time, very likely because the client retransmits the syn ack due
to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they
can be processed by the server on different CPUs concurrently). The
'subflow_req->msk' ownership is transferred to the subflow the first,
and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the
`own_req == true` conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because
the same check already exists under the own_req mpj branch where the
code has been moved to.
Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use")
Cc: stable@vger.kernel.org
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-1-34161a482a7f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -643,8 +643,6 @@ static bool subflow_hmac_valid(const str
subflow_req = mptcp_subflow_rsk(req);
msk = subflow_req->msk;
- if (!msk)
- return false;
subflow_generate_hmac(msk->remote_key, msk->local_key,
subflow_req->remote_nonce,
@@ -739,12 +737,8 @@ static struct sock *subflow_syn_recv_soc
} else if (subflow_req->mp_join) {
mptcp_get_options(skb, &mp_opt);
- if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK) ||
- !subflow_hmac_valid(req, &mp_opt) ||
- !mptcp_can_accept_new_subflow(subflow_req->msk)) {
- SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+ if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK))
fallback = true;
- }
}
create_child:
@@ -793,6 +787,13 @@ create_child:
subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
goto dispose_child;
}
+
+ if (!subflow_hmac_valid(req, &mp_opt) ||
+ !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+ subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+ goto dispose_child;
+ }
/* move the msk reference ownership to the subflow */
subflow_req->msk = NULL;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 124/291] mptcp: only inc MPJoinAckHMacFailure for HMAC failures
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 123/291] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 125/291] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
` (175 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 21c02e8272bc95ba0dd44943665c669029b42760 upstream.
Recently, during a debugging session using local MPTCP connections, I
noticed MPJoinAckHMacFailure was not zero on the server side. The
counter was in fact incremented when the PM rejected new subflows,
because the 'subflow' limit was reached.
The fix is easy, simply dissociating the two cases: only the HMAC
validation check should increase MPTCP_MIB_JOINACKMAC counter.
Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250407-net-mptcp-hmac-failure-mib-v1-1-3c9ecd0a3a50@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -788,12 +788,16 @@ create_child:
goto dispose_child;
}
- if (!subflow_hmac_valid(req, &mp_opt) ||
- !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ if (!subflow_hmac_valid(req, &mp_opt)) {
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
goto dispose_child;
}
+
+ if (!mptcp_can_accept_new_subflow(owner)) {
+ subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+ goto dispose_child;
+ }
/* move the msk reference ownership to the subflow */
subflow_req->msk = NULL;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 125/291] mtd: inftlcore: Add error check for inftl_read_oob()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 124/291] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 126/291] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
` (174 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit d027951dc85cb2e15924c980dc22a6754d100c7c upstream.
In INFTL_findwriteunit(), the return value of inftl_read_oob()
need to be checked. A proper implementation can be
found in INFTL_deleteblock(). The status will be set as
SECTOR_IGNORE to break from the while-loop correctly
if the inftl_read_oob() fails.
Fixes: 8593fbc68b0d ("[MTD] Rework the out of band handling completely")
Cc: stable@vger.kernel.org # v2.6+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/inftlcore.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/mtd/inftlcore.c
+++ b/drivers/mtd/inftlcore.c
@@ -482,10 +482,11 @@ static inline u16 INFTL_findwriteunit(st
silly = MAX_LOOPS;
while (thisEUN <= inftl->lastEUN) {
- inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
- blockofs, 8, &retlen, (char *)&bci);
-
- status = bci.Status | bci.Status1;
+ if (inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
+ blockofs, 8, &retlen, (char *)&bci) < 0)
+ status = SECTOR_IGNORE;
+ else
+ status = bci.Status | bci.Status1;
pr_debug("INFTL: status of block %d in EUN %d is %x\n",
block , writeEUN, status);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 126/291] mtd: rawnand: Add status chack in r852_ready()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 125/291] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 127/291] arm64: mm: Correct the update of max_pfn Greg Kroah-Hartman
` (173 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit b79fe1829975556854665258cf4d2476784a89db upstream.
In r852_ready(), the dev get from r852_get_dev() need to be checked.
An unstable device should not be ready. A proper implementation can
be found in r852_read_byte(). Add a status check and return 0 when it is
unstable.
Fixes: 50a487e7719c ("mtd: rawnand: Pass a nand_chip object to chip->dev_ready()")
Cc: stable@vger.kernel.org # v4.20+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/r852.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/nand/raw/r852.c
+++ b/drivers/mtd/nand/raw/r852.c
@@ -387,6 +387,9 @@ static int r852_wait(struct nand_chip *c
static int r852_ready(struct nand_chip *chip)
{
struct r852_device *dev = r852_get_dev(nand_to_mtd(chip));
+ if (dev->card_unstable)
+ return 0;
+
return !(r852_read_reg(dev, R852_CARD_STA) & R852_CARD_STA_BUSY);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 127/291] arm64: mm: Correct the update of max_pfn
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 126/291] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 128/291] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
` (172 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhenhua Huang, David Hildenbrand,
Anshuman Khandual, Catalin Marinas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenhua Huang <quic_zhenhuah@quicinc.com>
commit 89f43e1ce6f60d4f44399059595ac47f7a90a393 upstream.
Hotplugged memory can be smaller than the original memory. For example,
on my target:
root@genericarmv8:~# cat /sys/kernel/debug/memblock/memory
0: 0x0000000064005000..0x0000000064023fff 0 NOMAP
1: 0x0000000064400000..0x00000000647fffff 0 NOMAP
2: 0x0000000068000000..0x000000006fffffff 0 DRV_MNG
3: 0x0000000088800000..0x0000000094ffefff 0 NONE
4: 0x0000000094fff000..0x0000000094ffffff 0 NOMAP
max_pfn will affect read_page_owner. Therefore, it should first compare and
then select the larger value for max_pfn.
Fixes: 8fac67ca236b ("arm64: mm: update max_pfn after memory hotplug")
Cc: <stable@vger.kernel.org> # 6.1.x
Signed-off-by: Zhenhua Huang <quic_zhenhuah@quicinc.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20250321070019.1271859-1-quic_zhenhuah@quicinc.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/mmu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -1578,7 +1578,8 @@ int arch_add_memory(int nid, u64 start,
__remove_pgd_mapping(swapper_pg_dir,
__phys_to_virt(start), size);
else {
- max_pfn = PFN_UP(start + size);
+ /* Address of hotplugged memory can be smaller */
+ max_pfn = max(max_pfn, PFN_UP(start + size));
max_low_pfn = max_pfn;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 128/291] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 127/291] arm64: mm: Correct the update of max_pfn Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 129/291] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Greg Kroah-Hartman
` (171 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, YH Huang, Chen-Yu Tsai,
AngeloGioacchino Del Regno
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
commit 46ad36002088eff8fc5cae200aa42ae9f9310ddd upstream.
The MT8173 disp-pwm device should have only one compatible string, based
on the following DT validation error:
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401e000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401f000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
Drop the extra "mediatek,mt6595-disp-pwm" compatible string.
Fixes: 61aee9342514 ("arm64: dts: mt8173: add MT8173 display PWM driver support node")
Cc: YH Huang <yh.huang@mediatek.com>
Cc: stable@vger.kernel.org # v4.5+
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20250108083424.2732375-2-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
@@ -1247,8 +1247,7 @@
};
pwm0: pwm@1401e000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401e000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM026M>,
@@ -1258,8 +1257,7 @@
};
pwm1: pwm@1401f000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401f000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM126M>,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 129/291] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 128/291] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 130/291] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
` (170 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 4c782247b89376a83fa132f7d45d6977edae0629 upstream.
At close_ctree() after we have ran delayed iputs either through explicitly
calling btrfs_run_delayed_iputs() or later during the call to
btrfs_commit_super() or btrfs_error_commit_super(), we assert that the
delayed iputs list is empty.
When we have compressed writes this assertion may fail because delayed
iputs may have been added to the list after we last ran delayed iputs.
This happens like this:
1) We have a compressed write bio executing;
2) We enter close_ctree() and flush the fs_info->endio_write_workers
queue which is the queue used for running ordered extent completion;
3) The compressed write bio finishes and enters
btrfs_finish_compressed_write_work(), where it calls
btrfs_finish_ordered_extent() which in turn calls
btrfs_queue_ordered_fn(), which queues a work item in the
fs_info->endio_write_workers queue that we have flushed before;
4) At close_ctree() we proceed, run all existing delayed iputs and
call btrfs_commit_super() (which also runs delayed iputs), but before
we run the following assertion below:
ASSERT(list_empty(&fs_info->delayed_iputs))
A delayed iput is added by the step below...
5) The ordered extent completion job queued in step 3 runs and results in
creating a delayed iput when dropping the last reference of the ordered
extent (a call to btrfs_put_ordered_extent() made from
btrfs_finish_one_ordered());
6) At this point the delayed iputs list is not empty, so the assertion at
close_ctree() fails.
Fix this by flushing the fs_info->compressed_write_workers queue at
close_ctree() before flushing the fs_info->endio_write_workers queue,
respecting the queue dependency as the later is responsible for the
execution of ordered extent completion.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4662,6 +4662,18 @@ void __cold close_ctree(struct btrfs_fs_
btrfs_flush_workqueue(fs_info->delalloc_workers);
/*
+ * When finishing a compressed write bio we schedule a work queue item
+ * to finish an ordered extent - btrfs_finish_compressed_write_work()
+ * calls btrfs_finish_ordered_extent() which in turns does a call to
+ * btrfs_queue_ordered_fn(), and that queues the ordered extent
+ * completion either in the endio_write_workers work queue or in the
+ * fs_info->endio_freespace_worker work queue. We flush those queues
+ * below, so before we flush them we must flush this queue for the
+ * workers of compressed writes.
+ */
+ flush_workqueue(fs_info->compressed_write_workers);
+
+ /*
* After we parked the cleaner kthread, ordered extents may have
* completed and created new delayed iputs. If one of the async reclaim
* tasks is running and in the RUN_DELAYED_IPUTS flush state, then we
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 130/291] sparc/mm: disable preemption in lazy mmu mode
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 129/291] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Greg Kroah-Hartman
@ 2025-04-23 14:41 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 131/291] mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Greg Kroah-Hartman
` (169 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, David Hildenbrand,
Andreas Larsson, Juergen Gross, Borislav Betkov, Boris Ostrovsky,
Catalin Marinas, Dave Hansen, David S. Miller, H. Peter Anvin,
Ingo Molnar, Matthew Wilcow (Oracle), Thomas Gleinxer,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit a1d416bf9faf4f4871cb5a943614a07f80a7d70f upstream.
Since commit 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy
updates") it's been possible for arch_[enter|leave]_lazy_mmu_mode() to be
called without holding a page table lock (for the kernel mappings case),
and therefore it is possible that preemption may occur while in the lazy
mmu mode. The Sparc lazy mmu implementation is not robust to preemption
since it stores the lazy mode state in a per-cpu structure and does not
attempt to manage that state on task switch.
Powerpc had the same issue and fixed it by explicitly disabling preemption
in arch_enter_lazy_mmu_mode() and re-enabling in
arch_leave_lazy_mmu_mode(). See commit b9ef323ea168 ("powerpc/64s:
Disable preemption in hash lazy mmu mode").
Given Sparc's lazy mmu mode is based on powerpc's, let's fix it in the
same way here.
Link: https://lkml.kernel.org/r/20250303141542.3371656-4-ryan.roberts@arm.com
Fixes: 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy updates")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juegren Gross <jgross@suse.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sparc/mm/tlb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/sparc/mm/tlb.c
+++ b/arch/sparc/mm/tlb.c
@@ -52,8 +52,10 @@ out:
void arch_enter_lazy_mmu_mode(void)
{
- struct tlb_batch *tb = this_cpu_ptr(&tlb_batch);
+ struct tlb_batch *tb;
+ preempt_disable();
+ tb = this_cpu_ptr(&tlb_batch);
tb->active = 1;
}
@@ -64,6 +66,7 @@ void arch_leave_lazy_mmu_mode(void)
if (tb->tlb_nr)
flush_tlb_pending();
tb->active = 0;
+ preempt_enable();
}
static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 131/291] mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-04-23 14:41 ` [PATCH 6.1 130/291] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 132/291] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
` (168 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Alistair Popple,
Alex Shi, Danilo Krummrich, Dave Airlie, Jann Horn,
Jason Gunthorpe, Jerome Glisse, John Hubbard, Jonathan Corbet,
Karol Herbst, Liam Howlett, Lorenzo Stoakes, Lyude,
Masami Hiramatsu (Google), Oleg Nesterov, Pasha Tatashin,
Peter Xu, Peter Zijlstra (Intel), SeongJae Park, Simona Vetter,
Vlastimil Babka, Yanteng Si, Barry Song, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit bc3fe6805cf09a25a086573a17d40e525208c5d8 upstream.
Even though FOLL_SPLIT_PMD on hugetlb now always fails with -EOPNOTSUPP,
let's add a safety net in case FOLL_SPLIT_PMD usage would ever be
reworked.
In particular, before commit 9cb28da54643 ("mm/gup: handle hugetlb in the
generic follow_page_mask code"), GUP(FOLL_SPLIT_PMD) would just have
returned a page. In particular, hugetlb folios that are not PMD-sized
would never have been prone to FOLL_SPLIT_PMD.
hugetlb folios can be anonymous, and page_make_device_exclusive_one() is
not really prepared for handling them at all. So let's spell that out.
Link: https://lkml.kernel.org/r/20250210193801.781278-3-david@redhat.com
Fixes: b756a3b5e7ea ("mm: device exclusive memory access")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Tested-by: Alistair Popple <apopple@nvidia.com>
Cc: Alex Shi <alexs@kernel.org>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Karol Herbst <kherbst@redhat.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Lyude <lyude@redhat.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: SeongJae Park <sj@kernel.org>
Cc: Simona Vetter <simona.vetter@ffwll.ch>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yanteng Si <si.yanteng@linux.dev>
Cc: Barry Song <v-songbaohua@oppo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/rmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -2306,7 +2306,7 @@ static bool folio_make_device_exclusive(
* Restrict to anonymous folios for now to avoid potential writeback
* issues.
*/
- if (!folio_test_anon(folio))
+ if (!folio_test_anon(folio) || folio_test_hugetlb(folio))
return false;
rmap_walk(folio, &rwc);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 132/291] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 131/291] mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 133/291] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Greg Kroah-Hartman
` (167 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Lorenzo Stoakes,
Matthew Wilcox, Alan Stern, Andrea Parri, Will Deacon,
Peter Zijlstra, Boqun Feng, Nicholas Piggin, David Howells,
Jade Alglave, Luc Maranget, Paul E. McKenney, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
commit c0ebbb3841e07c4493e6fe351698806b09a87a37 upstream.
The PGDAT_RECLAIM_LOCKED bit is used to provide mutual exclusion of node
reclaim for struct pglist_data using a single bit.
It is "locked" with a test_and_set_bit (similarly to a try lock) which
provides full ordering with respect to loads and stores done within
__node_reclaim().
It is "unlocked" with clear_bit(), which does not provide any ordering
with respect to loads and stores done before clearing the bit.
The lack of clear_bit() memory ordering with respect to stores within
__node_reclaim() can cause a subsequent CPU to fail to observe stores from
a prior node reclaim. This is not an issue in practice on TSO (e.g.
x86), but it is an issue on weakly-ordered architectures (e.g. arm64).
Fix this by using clear_bit_unlock rather than clear_bit to clear
PGDAT_RECLAIM_LOCKED with a release memory ordering semantic.
This provides stronger memory ordering (release rather than relaxed).
Link: https://lkml.kernel.org/r/20250312141014.129725-1-mathieu.desnoyers@efficios.com
Fixes: d773ed6b856a ("mm: test and set zone reclaim lock before starting reclaim")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrea Parri <parri.andrea@gmail.com>
Cc: Will Deacon <will@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Jade Alglave <j.alglave@ucl.ac.uk>
Cc: Luc Maranget <luc.maranget@inria.fr>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/vmscan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -7729,7 +7729,7 @@ int node_reclaim(struct pglist_data *pgd
return NODE_RECLAIM_NOSCAN;
ret = __node_reclaim(pgdat, gfp_mask, order);
- clear_bit(PGDAT_RECLAIM_LOCKED, &pgdat->flags);
+ clear_bit_unlock(PGDAT_RECLAIM_LOCKED, &pgdat->flags);
if (!ret)
count_vm_event(PGSCAN_ZONE_RECLAIM_FAILED);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 133/291] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 132/291] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 134/291] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
` (166 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuai Xue, Tony Luck, Miaohe Lin,
Baolin Wang, Borislav Betkov, Catalin Marinas, Dave Hansen,
H. Peter Anvin, Ingo Molnar, Jane Chu, Jarkko Sakkinen,
Jonathan Cameron, Josh Poimboeuf, Naoya Horiguchi, Peter Zijlstra,
Ruidong Tian, Thomas Gleinxer, Yazen Ghannam, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Xue <xueshuai@linux.alibaba.com>
commit aaf99ac2ceb7c974f758a635723eeaf48596388e upstream.
When an uncorrected memory error is consumed there is a race between the
CMCI from the memory controller reporting an uncorrected error with a UCNA
signature, and the core reporting and SRAR signature machine check when
the data is about to be consumed.
- Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1]
Prior to Icelake memory controllers reported patrol scrub events that
detected a previously unseen uncorrected error in memory by signaling a
broadcast machine check with an SRAO (Software Recoverable Action
Optional) signature in the machine check bank. This was overkill because
it's not an urgent problem that no core is on the verge of consuming that
bad data. It's also found that multi SRAO UCE may cause nested MCE
interrupts and finally become an IERR.
Hence, Intel downgrades the machine check bank signature of patrol scrub
from SRAO to UCNA (Uncorrected, No Action required), and signal changed to
#CMCI. Just to add to the confusion, Linux does take an action (in
uc_decode_notifier()) to try to offline the page despite the UC*NA*
signature name.
- Background: why #CMCI and #MCE race when poison is consuming in Intel platform [1]
Having decided that CMCI/UCNA is the best action for patrol scrub errors,
the memory controller uses it for reads too. But the memory controller is
executing asynchronously from the core, and can't tell the difference
between a "real" read and a speculative read. So it will do CMCI/UCNA if
an error is found in any read.
Thus:
1) Core is clever and thinks address A is needed soon, issues a speculative read.
2) Core finds it is going to use address A soon after sending the read request
3) The CMCI from the memory controller is in a race with MCE from the core
that will soon try to retire the load from address A.
Quite often (because speculation has got better) the CMCI from the memory
controller is delivered before the core is committed to the instruction
reading address A, so the interrupt is taken, and Linux offlines the page
(marking it as poison).
- Why user process is killed for instr case
Commit 046545a661af ("mm/hwpoison: fix error page recovered but reported
"not recovered"") tries to fix noise message "Memory error not recovered"
and skips duplicate SIGBUSs due to the race. But it also introduced a bug
that kill_accessing_process() return -EHWPOISON for instr case, as result,
kill_me_maybe() send a SIGBUS to user process.
If the CMCI wins that race, the page is marked poisoned when
uc_decode_notifier() calls memory_failure(). For dirty pages,
memory_failure() invokes try_to_unmap() with the TTU_HWPOISON flag,
converting the PTE to a hwpoison entry. As a result,
kill_accessing_process():
- call walk_page_range() and return 1 regardless of whether
try_to_unmap() succeeds or fails,
- call kill_proc() to make sure a SIGBUS is sent
- return -EHWPOISON to indicate that SIGBUS is already sent to the
process and kill_me_maybe() doesn't have to send it again.
However, for clean pages, the TTU_HWPOISON flag is cleared, leaving the
PTE unchanged and not converted to a hwpoison entry. Conversely, for
clean pages where PTE entries are not marked as hwpoison,
kill_accessing_process() returns -EFAULT, causing kill_me_maybe() to send
a SIGBUS.
Console log looks like this:
Memory failure: 0x827ca68: corrupted page was clean: dropped without side effects
Memory failure: 0x827ca68: recovery action for clean LRU page: Recovered
Memory failure: 0x827ca68: already hardware poisoned
mce: Memory error not recovered
To fix it, return 0 for "corrupted page was clean", preventing an
unnecessary SIGBUS to user process.
[1] https://lore.kernel.org/lkml/20250217063335.22257-1-xueshuai@linux.alibaba.com/T/#mba94f1305b3009dd340ce4114d3221fe810d1871
Link: https://lkml.kernel.org/r/20250312112852.82415-3-xueshuai@linux.alibaba.com
Fixes: 046545a661af ("mm/hwpoison: fix error page recovered but reported "not recovered"")
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ruidong Tian <tianruidong@linux.alibaba.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: Yazen Ghannam <yazen.ghannam@amd.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -764,12 +764,17 @@ static int kill_accessing_process(struct
mmap_read_lock(p->mm);
ret = walk_page_range(p->mm, 0, TASK_SIZE, &hwp_walk_ops,
(void *)&priv);
+ /*
+ * ret = 1 when CMCI wins, regardless of whether try_to_unmap()
+ * succeeds or fails, then kill the process with SIGBUS.
+ * ret = 0 when poison page is a clean page and it's dropped, no
+ * SIGBUS is needed.
+ */
if (ret == 1 && priv.tk.addr)
kill_proc(&priv.tk, pfn, flags);
- else
- ret = 0;
mmap_read_unlock(p->mm);
- return ret > 0 ? -EHWPOISON : -EFAULT;
+
+ return ret > 0 ? -EHWPOISON : 0;
}
static const char *action_name[] = {
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 134/291] sctp: detect and prevent references to a freed transport in sendmsg
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 133/291] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 135/291] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
` (165 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long,
Ricardo Cañuelo Navarro, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Cañuelo Navarro <rcn@igalia.com>
commit f1a69a940de58b16e8249dff26f74c8cc59b32be upstream.
sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent.
There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This can happen if the send
buffer is full, during the period when the sender thread temporarily
releases the socket lock in sctp_wait_for_sndbuf().
This causes the access to the transport data in
sctp_outq_select_transport(), when the association outqueue is flushed,
to result in a use-after-free read.
This change avoids this scenario by having sctp_transport_free() signal
the freeing of the transport, tagging it as "dead". In order to do this,
the patch restores the "dead" bit in struct sctp_transport, which was
removed in
commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").
Then, in the scenario where the sender thread has released the socket
lock in sctp_wait_for_sndbuf(), the bit is checked again after
re-acquiring the socket lock to detect the deletion. This is done while
holding a reference to the transport to prevent it from being freed in
the process.
If the transport was deleted while the socket lock was relinquished,
sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the
send.
The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-free_Read_in_sctp_outq_select_transport.txt [1]
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-free_Read_in_sctp_outq_select_transport__repro.c [2]
Cc: stable@vger.kernel.org
Fixes: df132eff4638 ("sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20250404-kasan_slab-use-after-free_read_in_sctp_outq_select_transport__20250404-v1-1-5ce4a0b78ef2@igalia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sctp/structs.h | 3 ++-
net/sctp/socket.c | 22 ++++++++++++++--------
net/sctp/transport.c | 2 ++
3 files changed, 18 insertions(+), 9 deletions(-)
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -777,6 +777,7 @@ struct sctp_transport {
/* Reference counting. */
refcount_t refcnt;
+ __u32 dead:1,
/* RTO-Pending : A flag used to track if one of the DATA
* chunks sent to this address is currently being
* used to compute a RTT. If this flag is 0,
@@ -786,7 +787,7 @@ struct sctp_transport {
* calculation completes (i.e. the DATA chunk
* is SACK'd) clear this flag.
*/
- __u32 rto_pending:1,
+ rto_pending:1,
/*
* hb_sent : a flag that signals that we have a pending
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -70,8 +70,9 @@
/* Forward declarations for internal helper functions. */
static bool sctp_writeable(const struct sock *sk);
static void sctp_wfree(struct sk_buff *skb);
-static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- size_t msg_len);
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc,
+ struct sctp_transport *transport,
+ long *timeo_p, size_t msg_len);
static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1826,7 +1827,7 @@ static int sctp_sendmsg_to_asoc(struct s
if (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) {
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+ err = sctp_wait_for_sndbuf(asoc, transport, &timeo, msg_len);
if (err)
goto err;
if (unlikely(sinfo->sinfo_stream >= asoc->stream.outcnt)) {
@@ -9203,8 +9204,9 @@ void sctp_sock_rfree(struct sk_buff *skb
/* Helper function to wait for space in the sndbuf. */
-static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- size_t msg_len)
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc,
+ struct sctp_transport *transport,
+ long *timeo_p, size_t msg_len)
{
struct sock *sk = asoc->base.sk;
long current_timeo = *timeo_p;
@@ -9214,7 +9216,9 @@ static int sctp_wait_for_sndbuf(struct s
pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
*timeo_p, msg_len);
- /* Increment the association's refcnt. */
+ /* Increment the transport and association's refcnt. */
+ if (transport)
+ sctp_transport_hold(transport);
sctp_association_hold(asoc);
/* Wait on the association specific sndbuf space. */
@@ -9223,7 +9227,7 @@ static int sctp_wait_for_sndbuf(struct s
TASK_INTERRUPTIBLE);
if (asoc->base.dead)
goto do_dead;
- if (!*timeo_p)
+ if ((!*timeo_p) || (transport && transport->dead))
goto do_nonblock;
if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
goto do_error;
@@ -9248,7 +9252,9 @@ static int sctp_wait_for_sndbuf(struct s
out:
finish_wait(&asoc->wait, &wait);
- /* Release the association's refcnt. */
+ /* Release the transport and association's refcnt. */
+ if (transport)
+ sctp_transport_put(transport);
sctp_association_put(asoc);
return err;
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -117,6 +117,8 @@ fail:
*/
void sctp_transport_free(struct sctp_transport *transport)
{
+ transport->dead = 1;
+
/* Try to delete the heartbeat timer. */
if (del_timer(&transport->hb_timer))
sctp_transport_put(transport);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 135/291] thermal/drivers/rockchip: Add missing rk3328 mapping entry
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 134/291] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 136/291] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
` (164 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trevor Woerner, Dragan Simic,
Daniel Lezcano
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trevor Woerner <twoerner@gmail.com>
commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream.
The mapping table for the rk3328 is missing the entry for -25C which is
found in the TRM section 9.5.2 "Temperature-to-code mapping".
NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as:
4096-<code in table>. Whereas the table in the TRM gives the code
"3774" for -25C, the kernel uses 4096-3774=322.
[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as
well as through the downstream kernel code, it seems we may have
some troubles at our hands. Let me explain, please.
To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that
the equation for the output when tsadc_q_sel equals 1 is (4096 -
tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output
equation is (1024 - tsadc_q) in that case.
The downstream kernel code, however, treats the RK3308 and RK3328
tables and their values as being the same. It even mentions 1024 as
the "offset" value in a comment block for the rk_tsadcv3_control()
function, just like the upstream code does, which is obviously wrong
"offset" value when correlated with the table on page 544 of part 1
of the RK3308 TRM v1.1.
With all this in mind, it's obvious that more work is needed to make
it clear where's the actual mistake (it could be that the TRM is
wrong), which I'll volunteer for as part of the SoC binning project.
In the meantime, this patch looks fine as-is to me, by offering
what's a clear improvement to the current state of the upstream
code"
Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf
Cc: stable@vger.kernel.org
Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver")
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/rockchip_thermal.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/thermal/rockchip_thermal.c
+++ b/drivers/thermal/rockchip_thermal.c
@@ -373,6 +373,7 @@ static const struct tsadc_table rk3328_c
{296, -40000},
{304, -35000},
{313, -30000},
+ {322, -25000},
{331, -20000},
{340, -15000},
{349, -10000},
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 136/291] cifs: avoid NULL pointer dereference in dbg call
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 135/291] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 137/291] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
` (163 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexandra Diupina, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandra Diupina <adiupina@astralinux.ru>
commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream.
cifs_server_dbg() implies server to be non-NULL so
move call under condition to avoid NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2misc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -814,11 +814,12 @@ smb2_handle_cancelled_close(struct cifs_
WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
spin_unlock(&cifs_tcp_ses_lock);
- if (tcon->ses)
+ if (tcon->ses) {
server = tcon->ses->server;
-
- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
- tcon->tid, persistent_fid, volatile_fid);
+ cifs_server_dbg(FYI,
+ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+ tcon->tid, persistent_fid, volatile_fid);
+ }
return 0;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 137/291] cifs: fix integer overflow in match_server()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 136/291] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 138/291] clk: qcom: gdsc: Release pm subdomains in reverse add order Greg Kroah-Hartman
` (162 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Roman Smirnov, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream.
The echo_interval is not limited in any way during mounting,
which makes it possible to write a large number to it. This can
cause an overflow when multiplying ctx->echo_interval by HZ in
match_server().
Add constraints for echo_interval to smb3_fs_context_parse_param().
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/fs_context.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1111,6 +1111,11 @@ static int smb3_fs_context_parse_param(s
ctx->closetimeo = HZ * result.uint_32;
break;
case Opt_echo_interval:
+ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
+ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
+ cifs_errorf(fc, "echo interval is out of bounds\n");
+ goto cifs_parse_mount_err;
+ }
ctx->echo_interval = result.uint_32;
break;
case Opt_snapshot:
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 138/291] clk: qcom: gdsc: Release pm subdomains in reverse add order
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 137/291] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 139/291] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Greg Kroah-Hartman
` (161 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Bjorn Andersson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream.
gdsc_unregister() should release subdomains in the reverse order to the
order in which those subdomains were added.
I've made this patch a standalone patch because it facilitates a subsequent
fix to stable.
Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gdsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -523,7 +523,7 @@ void gdsc_unregister(struct gdsc_desc *d
size_t num = desc->num;
/* Remove subdomains */
- for (i = 0; i < num; i++) {
+ for (i = num - 1; i >= 0; i--) {
if (!scs[i])
continue;
if (scs[i]->parent)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 139/291] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 138/291] clk: qcom: gdsc: Release pm subdomains in reverse add order Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 140/291] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
` (160 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Bjorn Andersson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit 65a733464553ea192797b889d1533a1a37216f32 upstream.
Adding a new clause to this if/else I noticed the existing usage of
pm_genpd_add_subdomain() wasn't capturing and returning the result code.
pm_genpd_add_subdomain() returns an int and can fail. Capture that result
code and throw it up the call stack if something goes wrong.
Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 13 deletions(-)
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -463,6 +463,23 @@ err_disable_supply:
return ret;
}
+static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num)
+{
+ struct device *dev = desc->dev;
+ struct gdsc **scs = desc->scs;
+ int i;
+
+ /* Remove subdomains */
+ for (i = num - 1; i >= 0; i--) {
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
+ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
+ else if (!IS_ERR_OR_NULL(dev->pm_domain))
+ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+ }
+}
+
int gdsc_register(struct gdsc_desc *desc,
struct reset_controller_dev *rcdev, struct regmap *regmap)
{
@@ -507,30 +524,27 @@ int gdsc_register(struct gdsc_desc *desc
if (!scs[i])
continue;
if (scs[i]->parent)
- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
+ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
else if (!IS_ERR_OR_NULL(dev->pm_domain))
- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+ if (ret)
+ goto err_pm_subdomain_remove;
}
return of_genpd_add_provider_onecell(dev->of_node, data);
+
+err_pm_subdomain_remove:
+ gdsc_pm_subdomain_remove(desc, i);
+
+ return ret;
}
void gdsc_unregister(struct gdsc_desc *desc)
{
- int i;
struct device *dev = desc->dev;
- struct gdsc **scs = desc->scs;
size_t num = desc->num;
- /* Remove subdomains */
- for (i = num - 1; i >= 0; i--) {
- if (!scs[i])
- continue;
- if (scs[i]->parent)
- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
- else if (!IS_ERR_OR_NULL(dev->pm_domain))
- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
- }
+ gdsc_pm_subdomain_remove(desc, num);
of_genpd_del_provider(dev->of_node);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 140/291] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 139/291] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 141/291] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
` (159 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taniya Das, Imran Shaik,
Bjorn Andersson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taniya Das <quic_tdas@quicinc.com>
commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream.
Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON.
Once the GDSCR moves to HW control, SW no longer can determine the state
of the GDSCR and setting the retain_ff bit could destroy all the register
contents we intended to save.
Therefore, move the retain_ff configuration before switching the GDSC to
HW trigger mode.
Cc: stable@vger.kernel.org
Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR")
Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
Reviewed-by: Imran Shaik <quic_imrashai@quicinc.com>
Tested-by: Imran Shaik <quic_imrashai@quicinc.com> # on QCS8300
Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gdsc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -290,6 +290,9 @@ static int gdsc_enable(struct generic_pm
*/
udelay(1);
+ if (sc->flags & RETAIN_FF_ENABLE)
+ gdsc_retain_ff_on(sc);
+
/* Turn on HW trigger mode if supported */
if (sc->flags & HW_CTRL) {
ret = gdsc_hwctrl(sc, true);
@@ -306,9 +309,6 @@ static int gdsc_enable(struct generic_pm
udelay(1);
}
- if (sc->flags & RETAIN_FF_ENABLE)
- gdsc_retain_ff_on(sc);
-
return 0;
}
@@ -418,13 +418,6 @@ static int gdsc_init(struct gdsc *sc)
goto err_disable_supply;
}
- /* Turn on HW trigger mode if supported */
- if (sc->flags & HW_CTRL) {
- ret = gdsc_hwctrl(sc, true);
- if (ret < 0)
- goto err_disable_supply;
- }
-
/*
* Make sure the retain bit is set if the GDSC is already on,
* otherwise we end up turning off the GDSC and destroying all
@@ -432,6 +425,14 @@ static int gdsc_init(struct gdsc *sc)
*/
if (sc->flags & RETAIN_FF_ENABLE)
gdsc_retain_ff_on(sc);
+
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+ if (ret < 0)
+ goto err_disable_supply;
+ }
+
} else if (sc->flags & ALWAYS_ON) {
/* If ALWAYS_ON GDSCs are not ON, turn them ON */
gdsc_enable(&sc->pd);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 141/291] crypto: ccp - Fix check for the primary ASP device
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 140/291] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 142/291] dm-ebs: fix prefetch-vs-suspend race Greg Kroah-Hartman
` (158 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Lendacky <thomas.lendacky@amd.com>
commit 07bb097b92b987db518e72525b515d77904e966e upstream.
Currently, the ASP primary device check does not have support for PCI
domains, and, as a result, when the system is configured with PCI domains
(PCI segments) the wrong device can be selected as primary. This results
in commands submitted to the device timing out and failing. The device
check also relies on specific device and function assignments that may
not hold in the future.
Fix the primary ASP device check to include support for PCI domains and
to perform proper checking of the Bus/Device/Function positions.
Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
Cc: stable@vger.kernel.org
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sp-pci.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/crypto/ccp/sp-pci.c
+++ b/drivers/crypto/ccp/sp-pci.c
@@ -179,14 +179,17 @@ static bool sp_pci_is_master(struct sp_d
pdev_new = to_pci_dev(dev_new);
pdev_cur = to_pci_dev(dev_cur);
- if (pdev_new->bus->number < pdev_cur->bus->number)
- return true;
+ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus))
+ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus);
- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn))
- return true;
+ if (pdev_new->bus->number != pdev_cur->bus->number)
+ return pdev_new->bus->number < pdev_cur->bus->number;
- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn))
- return true;
+ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn))
+ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn);
+
+ if (PCI_FUNC(pdev_new->devfn) != PCI_FUNC(pdev_cur->devfn))
+ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn);
return false;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 142/291] dm-ebs: fix prefetch-vs-suspend race
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 141/291] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 143/291] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
` (157 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream.
There's a possible race condition in dm-ebs - dm bufio prefetch may be in
progress while the device is suspended. Fix this by calling
dm_bufio_client_reset in the postsuspend hook.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ebs-target.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/md/dm-ebs-target.c
+++ b/drivers/md/dm-ebs-target.c
@@ -389,6 +389,12 @@ static int ebs_map(struct dm_target *ti,
return DM_MAPIO_REMAPPED;
}
+static void ebs_postsuspend(struct dm_target *ti)
+{
+ struct ebs_c *ec = ti->private;
+ dm_bufio_client_reset(ec->bufio);
+}
+
static void ebs_status(struct dm_target *ti, status_type_t type,
unsigned int status_flags, char *result, unsigned int maxlen)
{
@@ -446,6 +452,7 @@ static struct target_type ebs_target = {
.ctr = ebs_ctr,
.dtr = ebs_dtr,
.map = ebs_map,
+ .postsuspend = ebs_postsuspend,
.status = ebs_status,
.io_hints = ebs_io_hints,
.prepare_ioctl = ebs_prepare_ioctl,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 143/291] dm-integrity: set ti->error on memory allocation failure
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 142/291] dm-ebs: fix prefetch-vs-suspend race Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 144/291] dm-verity: fix prefetch-vs-suspend race Greg Kroah-Hartman
` (156 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
The dm-integrity target didn't set the error string when memory
allocation failed. This patch fixes it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-integrity.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -4546,16 +4546,19 @@ try_smaller_buffer:
ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
if (!ic->recalc_bitmap) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
if (!ic->may_write_bitmap) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
if (!ic->bbs) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 144/291] dm-verity: fix prefetch-vs-suspend race
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 143/291] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 145/291] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
` (155 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream.
There's a possible race condition in dm-verity - the prefetch work item
may race with suspend and it is possible that prefetch continues to run
while the device is suspended. Fix this by calling flush_workqueue and
dm_bufio_client_reset in the postsuspend hook.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-target.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -823,6 +823,13 @@ static int verity_map(struct dm_target *
return DM_MAPIO_SUBMITTED;
}
+static void verity_postsuspend(struct dm_target *ti)
+{
+ struct dm_verity *v = ti->private;
+ flush_workqueue(v->verify_wq);
+ dm_bufio_client_reset(v->bufio);
+}
+
/*
* Status: V (valid) or C (corruption found)
*/
@@ -1542,6 +1549,7 @@ static struct target_type verity_target
.ctr = verity_ctr,
.dtr = verity_dtr,
.map = verity_map,
+ .postsuspend = verity_postsuspend,
.status = verity_status,
.prepare_ioctl = verity_prepare_ioctl,
.iterate_devices = verity_iterate_devices,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 145/291] ftrace: Add cond_resched() to ftrace_graph_set_hash()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 144/291] dm-verity: fix prefetch-vs-suspend race Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 146/291] gpio: tegra186: fix resource handling in ACPI probe path Greg Kroah-Hartman
` (154 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, zhoumin, Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhoumin <teczm@foxmail.com>
commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
When the kernel contains a large number of functions that can be traced,
the loop in ftrace_graph_set_hash() may take a lot of time to execute.
This may trigger the softlockup watchdog.
Add cond_resched() within the loop to allow the kernel to remain
responsive even when processing a large number of functions.
This matches the cond_resched() that is used in other locations of the
code that iterates over all functions that can be traced.
Cc: stable@vger.kernel.org
Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
Signed-off-by: zhoumin <teczm@foxmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -6522,6 +6522,7 @@ ftrace_graph_set_hash(struct ftrace_hash
}
}
}
+ cond_resched();
} while_for_each_ftrace_rec();
out:
mutex_unlock(&ftrace_lock);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 146/291] gpio: tegra186: fix resource handling in ACPI probe path
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 145/291] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 147/291] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
` (153 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guixin Liu, Bartosz Golaszewski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guixin Liu <kanie@linux.alibaba.com>
commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream.
When the Tegra186 GPIO controller is probed through ACPI matching,
the driver emits two error messages during probing:
"tegra186-gpio NVDA0508:00: invalid resource (null)"
"tegra186-gpio NVDA0508:00: invalid resource (null)"
Fix this by getting resource first and then do the ioremap.
Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support")
Cc: stable@vger.kernel.org
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
--- a/drivers/gpio/gpio-tegra186.c
+++ b/drivers/gpio/gpio-tegra186.c
@@ -753,6 +753,7 @@ static int tegra186_gpio_probe(struct pl
struct gpio_irq_chip *irq;
struct tegra_gpio *gpio;
struct device_node *np;
+ struct resource *res;
char **names;
int err;
@@ -772,19 +773,19 @@ static int tegra186_gpio_probe(struct pl
gpio->num_banks++;
/* get register apertures */
- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security");
- if (IS_ERR(gpio->secure)) {
- gpio->secure = devm_platform_ioremap_resource(pdev, 0);
- if (IS_ERR(gpio->secure))
- return PTR_ERR(gpio->secure);
- }
-
- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio");
- if (IS_ERR(gpio->base)) {
- gpio->base = devm_platform_ioremap_resource(pdev, 1);
- if (IS_ERR(gpio->base))
- return PTR_ERR(gpio->base);
- }
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security");
+ if (!res)
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ gpio->secure = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(gpio->secure))
+ return PTR_ERR(gpio->secure);
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio");
+ if (!res)
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+ gpio->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(gpio->base))
+ return PTR_ERR(gpio->base);
err = platform_irq_count(pdev);
if (err < 0)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 147/291] gpio: zynq: Fix wakeup source leaks on device unbind
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 146/291] gpio: tegra186: fix resource handling in ACPI probe path Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 148/291] gve: handle overflow when reporting TX consumed descriptors Greg Kroah-Hartman
` (152 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Bartosz Golaszewski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit c5672e310ad971d408752fce7596ed27adc6008f upstream.
Device can be unbound, so driver must also release memory for the wakeup
source.
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-zynq.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpio/gpio-zynq.c
+++ b/drivers/gpio/gpio-zynq.c
@@ -1012,6 +1012,7 @@ static int zynq_gpio_remove(struct platf
ret = pm_runtime_get_sync(&pdev->dev);
if (ret < 0)
dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
+ device_init_wakeup(&pdev->dev, 0);
gpiochip_remove(&gpio->chip);
clk_disable_unprepare(gpio->clk);
device_set_wakeup_capable(&pdev->dev, 0);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 148/291] gve: handle overflow when reporting TX consumed descriptors
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 147/291] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 149/291] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Greg Kroah-Hartman
` (151 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Washington,
Harshitha Ramamurthy, Michal Swiatkowski, Simon Horman,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Washington <joshwash@google.com>
commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream.
When the tx tail is less than the head (in cases of wraparound), the TX
consumed descriptor statistic in DQ will be reported as
UINT32_MAX - head + tail, which is incorrect. Mask the difference of
head and tail according to the ring size when reporting the statistic.
Cc: stable@vger.kernel.org
Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats")
Signed-off-by: Joshua Washington <joshwash@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
+++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
@@ -327,7 +327,9 @@ gve_get_ethtool_stats(struct net_device
*/
data[i++] = 0;
data[i++] = 0;
- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head;
+ data[i++] =
+ (tx->dqo_tx.tail - tx->dqo_tx.head) &
+ tx->mask;
}
do {
start =
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 149/291] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 148/291] gve: handle overflow when reporting TX consumed descriptors Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 150/291] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
` (150 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit ef01cac401f18647d62720cf773d7bb0541827da upstream.
Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
rather extreme edge case where "accepting" APIC events, i.e. processing
pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
state will trigger a nested VM-Exit by way of ->check_nested_events(), and
emuating the nested VM-Exit can access guest memory.
The splat was originally hit by syzkaller on a Google-internal kernel, and
reproduced on an upstream kernel by hacking the triple_fault_event_test
selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
=============================
WARNING: suspicious RCU usage
6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
-----------------------------
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by triple_fault_ev/1256:
#0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]
stack backtrace:
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x144/0x190
kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
__nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
kvm_check_nested_events+0x1b/0x30 [kvm]
kvm_apic_accept_events+0x33/0x100 [kvm]
kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
__x64_sys_ioctl+0x8b/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250401150504.829812-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11460,6 +11460,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
if (kvm_mpx_supported())
kvm_load_guest_fpu(vcpu);
+ kvm_vcpu_srcu_read_lock(vcpu);
+
r = kvm_apic_accept_events(vcpu);
if (r < 0)
goto out;
@@ -11473,6 +11475,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
mp_state->mp_state = vcpu->arch.mp_state;
out:
+ kvm_vcpu_srcu_read_unlock(vcpu);
+
if (kvm_mpx_supported())
kvm_put_guest_fpu(vcpu);
vcpu_put(vcpu);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 150/291] ntb: use 64-bit arithmetic for the MSI doorbell mask
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 149/291] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 151/291] of/irq: Fix device node refcount leakage in API of_irq_parse_one() Greg Kroah-Hartman
` (149 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Dave Jiang,
Jon Mason
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream.
msi_db_mask is of type 'u64', still the standard 'int' arithmetic is
performed to compute its value.
While most of the ntb_hw drivers actually don't utilize the higher 32
bits of the doorbell mask now, this may be the case for Switchtec - see
switchtec_ntb_init_db().
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/ntb_transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -1351,7 +1351,7 @@ static int ntb_transport_probe(struct nt
qp_count = ilog2(qp_bitmap);
if (nt->use_msi) {
qp_count -= 1;
- nt->msi_db_mask = 1 << qp_count;
+ nt->msi_db_mask = BIT_ULL(qp_count);
ntb_db_clear_mask(ndev, nt->msi_db_mask);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 151/291] of/irq: Fix device node refcount leakage in API of_irq_parse_one()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 150/291] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 152/291] of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Greg Kroah-Hartman
` (148 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 0cb58d6c7b558a69957fabe159bfb184196e1e8d upstream.
of_irq_parse_one(@int_gen_dev, i, ...) will leak refcount of @i_th_phandle
int_gen_dev {
...
interrupts-extended = ..., <&i_th_phandle ...>, ...;
...
};
Refcount of @i_th_phandle is increased by of_parse_phandle_with_args()
but is not decreased by API of_irq_parse_one() before return, so causes
refcount leakage.
Rework the refcounting to use __free() cleanup and simplify the code to
have a single call to of_irq_parse_raw().
Also add comments about refcount of node @out_irq->np got by the API.
Fixes: 79d9701559a9 ("of/irq: create interrupts-extended property")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-2-93e3a2659aa7@quicinc.com
[robh: Use __free() to do puts]
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 59 +++++++++++++++++++++++++------------------------------
1 file changed, 27 insertions(+), 32 deletions(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -16,6 +16,7 @@
#define pr_fmt(fmt) "OF: " fmt
+#include <linux/cleanup.h>
#include <linux/device.h>
#include <linux/errno.h>
#include <linux/list.h>
@@ -339,10 +340,12 @@ EXPORT_SYMBOL_GPL(of_irq_parse_raw);
* This function resolves an interrupt for a node by walking the interrupt tree,
* finding which interrupt controller node it is attached to, and returning the
* interrupt specifier that can be used to retrieve a Linux IRQ number.
+ *
+ * Note: refcount of node @out_irq->np is increased by 1 on success.
*/
int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_args *out_irq)
{
- struct device_node *p;
+ struct device_node __free(device_node) *p = NULL;
const __be32 *addr;
u32 intsize;
int i, res, addr_len;
@@ -367,41 +370,33 @@ int of_irq_parse_one(struct device_node
/* Try the new-style interrupts-extended first */
res = of_parse_phandle_with_args(device, "interrupts-extended",
"#interrupt-cells", index, out_irq);
- if (!res)
- return of_irq_parse_raw(addr_buf, out_irq);
-
- /* Look for the interrupt parent. */
- p = of_irq_find_parent(device);
- if (p == NULL)
- return -EINVAL;
-
- /* Get size of interrupt specifier */
- if (of_property_read_u32(p, "#interrupt-cells", &intsize)) {
- res = -EINVAL;
- goto out;
- }
-
- pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
+ if (!res) {
+ p = out_irq->np;
+ } else {
+ /* Look for the interrupt parent. */
+ p = of_irq_find_parent(device);
+ /* Get size of interrupt specifier */
+ if (!p || of_property_read_u32(p, "#interrupt-cells", &intsize))
+ return -EINVAL;
+
+ pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
+
+ /* Copy intspec into irq structure */
+ out_irq->np = p;
+ out_irq->args_count = intsize;
+ for (i = 0; i < intsize; i++) {
+ res = of_property_read_u32_index(device, "interrupts",
+ (index * intsize) + i,
+ out_irq->args + i);
+ if (res)
+ return res;
+ }
- /* Copy intspec into irq structure */
- out_irq->np = p;
- out_irq->args_count = intsize;
- for (i = 0; i < intsize; i++) {
- res = of_property_read_u32_index(device, "interrupts",
- (index * intsize) + i,
- out_irq->args + i);
- if (res)
- goto out;
+ pr_debug(" intspec=%d\n", *out_irq->args);
}
- pr_debug(" intspec=%d\n", *out_irq->args);
-
-
/* Check if there are any interrupt-map translations to process */
- res = of_irq_parse_raw(addr_buf, out_irq);
- out:
- of_node_put(p);
- return res;
+ return of_irq_parse_raw(addr_buf, out_irq);
}
EXPORT_SYMBOL_GPL(of_irq_parse_one);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 152/291] of/irq: Fix device node refcount leakage in API of_irq_parse_raw()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 151/291] of/irq: Fix device node refcount leakage in API of_irq_parse_one() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 153/291] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
` (147 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 upstream.
if the node @out_irq->np got by of_irq_parse_raw() is a combo node which
consists of both controller and nexus, namely, of_irq_parse_raw() returns
due to condition (@ipar == @newpar), then the node's refcount was increased
twice, hence causes refcount leakage.
Fix by putting @out_irq->np refcount before returning due to the condition.
Also add comments about refcount of node @out_irq->np got by the API.
Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-4-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -166,6 +166,8 @@ const __be32 *of_irq_parse_imap_parent(c
* the specifier for each map, and then returns the translated map.
*
* Return: 0 on success and a negative number on error
+ *
+ * Note: refcount of node @out_irq->np is increased by 1 on success.
*/
int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
{
@@ -311,6 +313,12 @@ int of_irq_parse_raw(const __be32 *addr,
addrsize = (imap - match_array) - intsize;
if (ipar == newpar) {
+ /*
+ * We got @ipar's refcount, but the refcount was
+ * gotten again by of_irq_parse_imap_parent() via its
+ * alias @newpar.
+ */
+ of_node_put(ipar);
pr_debug("%pOF interrupt-map entry to self\n", ipar);
return 0;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 153/291] of/irq: Fix device node refcount leakages in of_irq_count()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 152/291] of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 154/291] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
` (146 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream.
of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful
invocation of the later will get device node @irq.np refcount, but the
former does not put the refcount before next iteration invocation, hence
causes device node refcount leakages.
Fix by putting @irq.np refcount before the next iteration invocation.
Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -503,8 +503,10 @@ int of_irq_count(struct device_node *dev
struct of_phandle_args irq;
int nr = 0;
- while (of_irq_parse_one(dev, nr, &irq) == 0)
+ while (of_irq_parse_one(dev, nr, &irq) == 0) {
+ of_node_put(irq.np);
nr++;
+ }
return nr;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 154/291] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 153/291] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 155/291] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
` (145 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream.
In irq_of_parse_and_map(), refcount of device node @oirq.np was got
by successful of_irq_parse_one() invocation, but it does not put the
refcount before return, so causes @oirq.np refcount leakage.
Fix by putting @oirq.np refcount before return.
Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -39,11 +39,15 @@
unsigned int irq_of_parse_and_map(struct device_node *dev, int index)
{
struct of_phandle_args oirq;
+ unsigned int ret;
if (of_irq_parse_one(dev, index, &oirq))
return 0;
- return irq_create_of_mapping(&oirq);
+ ret = irq_create_of_mapping(&oirq);
+ of_node_put(oirq.np);
+
+ return ret;
}
EXPORT_SYMBOL_GPL(irq_of_parse_and_map);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 155/291] of/irq: Fix device node refcount leakages in of_irq_init()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 154/291] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 156/291] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
` (144 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream.
of_irq_init() will leak interrupt controller device node refcounts
in two places as explained below:
1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when
suffers @desc->irq_init_cb() failure.
2) Leak refcount of @desc->interrupt_parent when cleans up list
@intc_desc_list in the end.
Refcounts of both @desc->dev and @desc->interrupt_parent were got in
the first loop, but of_irq_init() does not put them before kfree(@desc)
in places mentioned above, so causes refcount leakages.
Fix by putting refcounts involved before kfree(@desc).
Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put")
Fixes: c71a54b08201 ("of/irq: introduce of_irq_init")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -627,6 +627,8 @@ void __init of_irq_init(const struct of_
__func__, desc->dev, desc->dev,
desc->interrupt_parent);
of_node_clear_flag(desc->dev, OF_POPULATED);
+ of_node_put(desc->interrupt_parent);
+ of_node_put(desc->dev);
kfree(desc);
continue;
}
@@ -657,6 +659,7 @@ void __init of_irq_init(const struct of_
err:
list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) {
list_del(&desc->list);
+ of_node_put(desc->interrupt_parent);
of_node_put(desc->dev);
kfree(desc);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 156/291] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 155/291] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 157/291] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
` (143 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov, Florian Fainelli,
Manivannan Sadhasivam, Krzysztof Wilczyński
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <svarbanov@suse.de>
commit 2df181e1aea4628a8fd257f866026625d0519627 upstream.
A call to of_parse_phandle() is incrementing the refcount, and as such,
the of_node_put() must be called when the reference is no longer needed.
Thus, refactor the existing code and add a missing of_node_put() call
following the check to ensure that "msi_np" matches "pcie->np" and after
MSI initialization, but only if the MSI support is enabled system-wide.
Cc: stable@vger.kernel.org # v5.10+
Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support")
Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -1488,7 +1488,7 @@ static struct pci_ops brcm7425_pcie_ops
static int brcm_pcie_probe(struct platform_device *pdev)
{
- struct device_node *np = pdev->dev.of_node, *msi_np;
+ struct device_node *np = pdev->dev.of_node;
struct pci_host_bridge *bridge;
const struct pcie_cfg_data *data;
struct brcm_pcie *pcie;
@@ -1563,9 +1563,14 @@ static int brcm_pcie_probe(struct platfo
goto fail;
}
- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
- if (pci_msi_enabled() && msi_np == pcie->np) {
- ret = brcm_pcie_enable_msi(pcie);
+ if (pci_msi_enabled()) {
+ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
+
+ if (msi_np == pcie->np)
+ ret = brcm_pcie_enable_msi(pcie);
+
+ of_node_put(msi_np);
+
if (ret) {
dev_err(pcie->dev, "probe of internal MSI failed");
goto fail;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 157/291] PCI: Fix reference leak in pci_alloc_child_bus()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 156/291] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 158/291] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
` (142 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Bjorn Helgaas,
Ilpo Järvinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream.
If device_register(&child->dev) fails, call put_device() to explicitly
release child->dev, per the comment at device_register().
Found by code review.
Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn
Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/probe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1141,7 +1141,10 @@ static struct pci_bus *pci_alloc_child_b
add_dev:
pci_set_bus_msi_domain(child);
ret = device_register(&child->dev);
- WARN_ON(ret < 0);
+ if (WARN_ON(ret < 0)) {
+ put_device(&child->dev);
+ return NULL;
+ }
pcibios_add_bus(child);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 158/291] pinctrl: qcom: Clear latched interrupt status when changing IRQ type
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 157/291] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 159/291] selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman
` (141 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Stephan Gerhold,
Bjorn Andersson, Linus Walleij
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream.
When submitting the TLMM test driver, Bjorn reported that some of the test
cases are failing for GPIOs that not are backed by PDC (i.e. "non-wakeup"
GPIOs that are handled directly in pinctrl-msm). Basically, lingering
latched interrupt state is still being delivered at IRQ request time, e.g.:
ok 1 tlmm_test_silent_rising
tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
Expected atomic_read(&priv->intr_count) == 0, but
atomic_read(&priv->intr_count) == 1 (0x1)
not ok 2 tlmm_test_silent_falling
tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
Expected atomic_read(&priv->intr_count) == 0, but
atomic_read(&priv->intr_count) == 1 (0x1)
not ok 3 tlmm_test_silent_low
ok 4 tlmm_test_silent_high
Whether to report interrupts that came in while the IRQ was unclaimed
doesn't seem to be well-defined in the Linux IRQ API. However, looking
closer at these specific cases, we're actually reporting events that do not
match the interrupt type requested by the driver:
1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and
configured for IRQF_TRIGGER_RISING.
2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched
to high state. The rising interrupt gets latched.
(b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched
interrupt isn't cleared.
(c) The IRQ handler is called for the latched interrupt, but there
wasn't any falling edge.
3. (a) For "tlmm_test_silent_low", the GPIO remains in high state.
(b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to
result in a phantom interrupt that gets latched.
(c) The IRQ handler is called for the latched interrupt, but the GPIO
isn't in low state.
4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state.
(b) This doesn't result in a latched interrupt, because RAW_STATUS_EN
was cleared when masking the level-triggered interrupt.
Fix this by clearing the interrupt state whenever making any changes to the
interrupt configuration. This includes previously disabled interrupts, but
also any changes to interrupt polarity or detection type.
With this change, all 16 test cases are now passing for the non-wakeup
GPIOs in the TLMM.
Cc: stable@vger.kernel.org
Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling")
Reported-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Tested-by: Bjorn Andersson <andersson@kernel.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/pinctrl/qcom/pinctrl-msm.c
+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
@@ -1006,8 +1006,7 @@ static int msm_gpio_irq_set_type(struct
struct msm_pinctrl *pctrl = gpiochip_get_data(gc);
const struct msm_pingroup *g;
unsigned long flags;
- bool was_enabled;
- u32 val;
+ u32 val, oldval;
if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) {
set_bit(d->hwirq, pctrl->dual_edge_irqs);
@@ -1067,8 +1066,7 @@ static int msm_gpio_irq_set_type(struct
* internal circuitry of TLMM, toggling the RAW_STATUS
* could cause the INTR_STATUS to be set for EDGE interrupts.
*/
- val = msm_readl_intr_cfg(pctrl, g);
- was_enabled = val & BIT(g->intr_raw_status_bit);
+ val = oldval = msm_readl_intr_cfg(pctrl, g);
val |= BIT(g->intr_raw_status_bit);
if (g->intr_detection_width == 2) {
val &= ~(3 << g->intr_detection_bit);
@@ -1121,9 +1119,11 @@ static int msm_gpio_irq_set_type(struct
/*
* The first time we set RAW_STATUS_EN it could trigger an interrupt.
* Clear the interrupt. This is safe because we have
- * IRQCHIP_SET_TYPE_MASKED.
+ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could
+ * also still have a non-matching interrupt latched, so clear whenever
+ * making changes to the interrupt configuration.
*/
- if (!was_enabled)
+ if (val != oldval)
msm_ack_intr_status(pctrl, g);
if (test_bit(d->hwirq, pctrl->dual_edge_irqs))
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 159/291] selftests: mptcp: close fd_in before returning in main_loop
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 158/291] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 160/291] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Greg Kroah-Hartman
` (140 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Liu, Geliang Tang,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <tanggeliang@kylinos.cn>
commit c183165f87a486d5879f782c05a23c179c3794ab upstream.
The file descriptor 'fd_in' is opened when cfg_input is configured, but
not closed in main_loop(), this patch fixes it.
Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
Cc: stable@vger.kernel.org
Co-developed-by: Cong Liu <liucong2@kylinos.cn>
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-3-34161a482a7f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
@@ -1213,7 +1213,7 @@ again:
/* close the client socket open only if we are not going to reconnect */
ret = copyfd_io(fd_in, fd, 1, 0);
if (ret)
- return ret;
+ goto out;
if (cfg_truncate > 0) {
shutdown(fd, SHUT_WR);
@@ -1233,7 +1233,10 @@ again:
close(fd);
}
- return 0;
+out:
+ if (cfg_input)
+ close(fd_in);
+ return ret;
}
int parse_proto(const char *proto)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 160/291] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 159/291] selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 161/291] ACPI: platform-profile: Fix CFI violation when accessing sysfs files Greg Kroah-Hartman
` (139 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, James Morse,
Catalin Marinas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit a5951389e58d2e816eed3dbec5877de9327fd881 upstream.
When comparing to the ARM list [1], it appears that several ARM cores
were missing from the lists in spectre_bhb_loop_affected(). Add them.
NOTE: for some of these cores it may not matter since other ways of
clearing the BHB may be used (like the CLRBHB instruction or ECBHB),
but it still seems good to have all the info from ARM's whitepaper
included.
[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: James Morse <james.morse@arm.com>
Link: https://lore.kernel.org/r/20250107120555.v4.5.I4a9a527e03f663040721c5401c41de587d015c82@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -888,6 +888,14 @@ static u8 spectre_bhb_loop_affected(void
{
u8 k = 0;
+ static const struct midr_range spectre_bhb_k132_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ };
+ static const struct midr_range spectre_bhb_k38_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
+ };
static const struct midr_range spectre_bhb_k32_list[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
@@ -901,6 +909,7 @@ static u8 spectre_bhb_loop_affected(void
};
static const struct midr_range spectre_bhb_k24_list[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
@@ -916,7 +925,11 @@ static u8 spectre_bhb_loop_affected(void
{},
};
- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k132_list))
+ k = 132;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k38_list))
+ k = 38;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
k = 32;
else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
k = 24;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 161/291] ACPI: platform-profile: Fix CFI violation when accessing sysfs files
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 160/291] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 162/291] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
` (138 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Rowley, Sami Tolvanen,
Nathan Chancellor, Mark Pearson, Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit dd4f730b557ce701a2cd4f604bf1e57667bd8b6e upstream.
When an attribute group is created with sysfs_create_group(), the
->sysfs_ops() callback is set to kobj_sysfs_ops, which sets the ->show()
and ->store() callbacks to kobj_attr_show() and kobj_attr_store()
respectively. These functions use container_of() to get the respective
callback from the passed attribute, meaning that these callbacks need to
be of the same type as the callbacks in 'struct kobj_attribute'.
However, ->show() and ->store() in the platform_profile driver are
defined for struct device_attribute with the help of DEVICE_ATTR_RO()
and DEVICE_ATTR_RW(), which results in a CFI violation when accessing
platform_profile or platform_profile_choices under /sys/firmware/acpi
because the types do not match:
CFI failure at kobj_attr_show+0x19/0x30 (target: platform_profile_choices_show+0x0/0x140; expected type: 0x7a69590c)
There is no functional issue from the type mismatch because the layout
of 'struct kobj_attribute' and 'struct device_attribute' are the same,
so the container_of() cast does not break anything aside from CFI.
Change the type of platform_profile_choices_show() and
platform_profile_{show,store}() to match the callbacks in
'struct kobj_attribute' and update the attribute variables to
match, which resolves the CFI violation.
Cc: All applicable <stable@vger.kernel.org>
Fixes: a2ff95e018f1 ("ACPI: platform: Add platform profile support")
Reported-by: John Rowley <lkml@johnrowley.me>
Closes: https://github.com/ClangBuiltLinux/linux/issues/2047
Tested-by: John Rowley <lkml@johnrowley.me>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Link: https://patch.msgid.link/20250210-acpi-platform_profile-fix-cfi-violation-v3-1-ed9e9901c33a@kernel.org
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[nathan: Fix conflicts in older stable branches]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/platform_profile.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/acpi/platform_profile.c
+++ b/drivers/acpi/platform_profile.c
@@ -22,8 +22,8 @@ static const char * const profile_names[
};
static_assert(ARRAY_SIZE(profile_names) == PLATFORM_PROFILE_LAST);
-static ssize_t platform_profile_choices_show(struct device *dev,
- struct device_attribute *attr,
+static ssize_t platform_profile_choices_show(struct kobject *kobj,
+ struct kobj_attribute *attr,
char *buf)
{
int len = 0;
@@ -49,8 +49,8 @@ static ssize_t platform_profile_choices_
return len;
}
-static ssize_t platform_profile_show(struct device *dev,
- struct device_attribute *attr,
+static ssize_t platform_profile_show(struct kobject *kobj,
+ struct kobj_attribute *attr,
char *buf)
{
enum platform_profile_option profile = PLATFORM_PROFILE_BALANCED;
@@ -77,8 +77,8 @@ static ssize_t platform_profile_show(str
return sysfs_emit(buf, "%s\n", profile_names[profile]);
}
-static ssize_t platform_profile_store(struct device *dev,
- struct device_attribute *attr,
+static ssize_t platform_profile_store(struct kobject *kobj,
+ struct kobj_attribute *attr,
const char *buf, size_t count)
{
int err, i;
@@ -115,12 +115,12 @@ static ssize_t platform_profile_store(st
return count;
}
-static DEVICE_ATTR_RO(platform_profile_choices);
-static DEVICE_ATTR_RW(platform_profile);
+static struct kobj_attribute attr_platform_profile_choices = __ATTR_RO(platform_profile_choices);
+static struct kobj_attribute attr_platform_profile = __ATTR_RW(platform_profile);
static struct attribute *platform_profile_attrs[] = {
- &dev_attr_platform_profile_choices.attr,
- &dev_attr_platform_profile.attr,
+ &attr_platform_profile_choices.attr,
+ &attr_platform_profile.attr,
NULL
};
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 162/291] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 161/291] ACPI: platform-profile: Fix CFI violation when accessing sysfs files Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 163/291] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
` (137 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roberto Ricci, Myrrh Periwinkle,
Ingo Molnar, Rafael J. Wysocki, Ard Biesheuvel, H. Peter Anvin,
Kees Cook, Linus Torvalds, David Woodhouse, Len Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit f2f29da9f0d4367f6ff35e0d9d021257bb53e273 upstream.
While debugging kexec/hibernation hangs and crashes, it turned out that
the current implementation of e820__register_nosave_regions() suffers from
multiple serious issues:
- The end of last region is tracked by PFN, causing it to find holes
that aren't there if two consecutive subpage regions are present
- The nosave PFN ranges derived from holes are rounded out (instead of
rounded in) which makes it inconsistent with how explicitly reserved
regions are handled
Fix this by:
- Treating reserved regions as if they were holes, to ensure consistent
handling (rounding out nosave PFN ranges is more correct as the
kernel does not use partial pages)
- Tracking the end of the last RAM region by address instead of pages
to detect holes more precisely
These bugs appear to have been introduced about ~18 years ago with the very
first version of e820_mark_nosave_regions(), and its flawed assumptions were
carried forward uninterrupted through various waves of rewrites and renames.
[ mingo: Added Git archeology details, for kicks and giggles. ]
Fixes: e8eff5ac294e ("[PATCH] Make swsusp avoid memory holes and reserved memory regions on x86_64")
Reported-by: Roberto Ricci <io@r-ricci.it>
Tested-by: Roberto Ricci <io@r-ricci.it>
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Len Brown <len.brown@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250406-fix-e820-nosave-v3-1-f3787bc1ee1d@qtmlabs.xyz
Closes: https://lore.kernel.org/all/Z4WFjBVHpndct7br@desktop0a/
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/e820.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -753,22 +753,21 @@ void __init e820__memory_setup_extended(
void __init e820__register_nosave_regions(unsigned long limit_pfn)
{
int i;
- unsigned long pfn = 0;
+ u64 last_addr = 0;
for (i = 0; i < e820_table->nr_entries; i++) {
struct e820_entry *entry = &e820_table->entries[i];
- if (pfn < PFN_UP(entry->addr))
- register_nosave_region(pfn, PFN_UP(entry->addr));
-
- pfn = PFN_DOWN(entry->addr + entry->size);
-
if (entry->type != E820_TYPE_RAM && entry->type != E820_TYPE_RESERVED_KERN)
- register_nosave_region(PFN_UP(entry->addr), pfn);
+ continue;
- if (pfn >= limit_pfn)
- break;
+ if (last_addr < entry->addr)
+ register_nosave_region(PFN_DOWN(last_addr), PFN_UP(entry->addr));
+
+ last_addr = entry->addr + entry->size;
}
+
+ register_nosave_region(PFN_DOWN(last_addr), limit_pfn);
}
#ifdef CONFIG_ACPI
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 163/291] Bluetooth: hci_uart: Fix another race during initialization
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 162/291] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 164/291] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Greg Kroah-Hartman
` (136 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
syzbot+683f8cb11b94b1824c77, Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
commit 5df5dafc171b90d0b8d51547a82657cd5a1986c7 upstream.
Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
Possible race is when someone calls 'hci_tty_uart_close()' after this bit
is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
to uninitialized fields. To fix it let's set this bit after device was
registered (as before patch c411c62cc133) and to fix previous problem let's
add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
perform power up without original bit set (pls see commit c411c62cc133).
Crash backtrace from syzbot report:
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
Call Trace:
<TASK>
skb_queue_purge include/linux/skbuff.h:3364 [inline]
mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
__fput+0x86/0x2a0 fs/file_table.c:450
task_work_run+0x82/0xb0 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
Fixes: 366ceff495f9 ("Bluetooth: hci_uart: fix race during initialization")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_ldisc.c | 20 ++++++++++++++------
drivers/bluetooth/hci_uart.h | 1 +
2 files changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_d
if (!skb) {
percpu_down_read(&hu->proto_lock);
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
+ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
skb = hu->proto->dequeue(hu);
percpu_up_read(&hu->proto_lock);
@@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *
if (!percpu_down_read_trylock(&hu->proto_lock))
return 0;
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags))
goto no_schedule;
set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
@@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hc
percpu_down_read(&hu->proto_lock);
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
percpu_up_read(&hu->proto_lock);
return -EUNATCH;
}
@@ -582,7 +585,8 @@ static void hci_uart_tty_wakeup(struct t
if (tty != hu->tty)
return;
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
+ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
hci_uart_tx_wakeup(hu);
}
@@ -608,7 +612,8 @@ static void hci_uart_tty_receive(struct
percpu_down_read(&hu->proto_lock);
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
percpu_up_read(&hu->proto_lock);
return;
}
@@ -709,13 +714,16 @@ static int hci_uart_set_proto(struct hci
hu->proto = p;
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
err = hci_uart_register_dev(hu);
if (err) {
return err;
}
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+
return 0;
}
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -90,6 +90,7 @@ struct hci_uart {
#define HCI_UART_REGISTERED 1
#define HCI_UART_PROTO_READY 2
#define HCI_UART_NO_SUSPEND_NOTIFIER 3
+#define HCI_UART_PROTO_INIT 4
/* TX states */
#define HCI_UART_SENDING 1
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 164/291] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 163/291] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 165/291] scsi: hisi_sas: Enable force phy when SATA disk directly connected Greg Kroah-Hartman
` (135 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaixin Wang, Andy Shevchenko,
Sebastian Reichel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
commit e3f88665a78045fe35c7669d2926b8d97b892c11 upstream.
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20240918120749.1730-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hsi/clients/ssi_protocol.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -403,6 +403,7 @@ static void ssip_reset(struct hsi_client
del_timer(&ssi->rx_wd);
del_timer(&ssi->tx_wd);
del_timer(&ssi->keep_alive);
+ cancel_work_sync(&ssi->work);
ssi->main_state = 0;
ssi->send_state = 0;
ssi->recv_state = 0;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 165/291] scsi: hisi_sas: Enable force phy when SATA disk directly connected
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 164/291] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 166/291] wifi: at76c50x: fix use after free access in at76_disconnect Greg Kroah-Hartman
` (134 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Yihang Li,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 8aa580cd92843b60d4d6331f3b0a9e8409bb70eb ]
when a SATA disk is directly connected the SAS controller determines the
disk to which I/Os are delivered based on the port ID in the DQ entry.
When many phys are disconnected and reconnect, the port ID of phys were
changed and used by other link, resulting in I/O being sent to incorrect
disk. Data inconsistency on the SATA disk may occur during I/O retries
using the old port ID. So enable force phy, then force the command to be
executed in a certain phy, and if the actual phy ID of the port does not
match the phy configured in the command, the chip will stop delivering the
I/O to disk.
Fixes: ce60689e12dd ("scsi: hisi_sas: add v3 code to send ATA frame")
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Link: https://lore.kernel.org/r/20250312095135.3048379-2-yangxingui@huawei.com
Reviewed-by: Yihang Li <liyihang9@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +++++++--
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 ++++++++++++--
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
index 50697672146ad..ae39f6b5dc9a8 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
@@ -2502,6 +2502,7 @@ static void prep_ata_v2_hw(struct hisi_hba *hisi_hba,
struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
struct sas_ata_task *ata_task = &task->ata_task;
struct sas_tmf_task *tmf = slot->tmf;
+ int phy_id;
u8 *buf_cmd;
int has_data = 0, hdr_tag = 0;
u32 dw0, dw1 = 0, dw2 = 0;
@@ -2509,10 +2510,14 @@ static void prep_ata_v2_hw(struct hisi_hba *hisi_hba,
/* create header */
/* dw0 */
dw0 = port->id << CMD_HDR_PORT_OFF;
- if (parent_dev && dev_is_expander(parent_dev->dev_type))
+ if (parent_dev && dev_is_expander(parent_dev->dev_type)) {
dw0 |= 3 << CMD_HDR_CMD_OFF;
- else
+ } else {
+ phy_id = device->phy->identify.phy_identifier;
+ dw0 |= (1U << phy_id) << CMD_HDR_PHY_ID_OFF;
+ dw0 |= CMD_HDR_FORCE_PHY_MSK;
dw0 |= 4 << CMD_HDR_CMD_OFF;
+ }
if (tmf && ata_task->force_phy) {
dw0 |= CMD_HDR_FORCE_PHY_MSK;
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 05dcd925a3fab..20b4d76e07149 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -357,6 +357,10 @@
#define CMD_HDR_RESP_REPORT_MSK (0x1 << CMD_HDR_RESP_REPORT_OFF)
#define CMD_HDR_TLR_CTRL_OFF 6
#define CMD_HDR_TLR_CTRL_MSK (0x3 << CMD_HDR_TLR_CTRL_OFF)
+#define CMD_HDR_PHY_ID_OFF 8
+#define CMD_HDR_PHY_ID_MSK (0x1ff << CMD_HDR_PHY_ID_OFF)
+#define CMD_HDR_FORCE_PHY_OFF 17
+#define CMD_HDR_FORCE_PHY_MSK (0x1U << CMD_HDR_FORCE_PHY_OFF)
#define CMD_HDR_PORT_OFF 18
#define CMD_HDR_PORT_MSK (0xf << CMD_HDR_PORT_OFF)
#define CMD_HDR_PRIORITY_OFF 27
@@ -1385,15 +1389,21 @@ static void prep_ata_v3_hw(struct hisi_hba *hisi_hba,
struct hisi_sas_cmd_hdr *hdr = slot->cmd_hdr;
struct asd_sas_port *sas_port = device->port;
struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
+ int phy_id;
u8 *buf_cmd;
int has_data = 0, hdr_tag = 0;
u32 dw1 = 0, dw2 = 0;
hdr->dw0 = cpu_to_le32(port->id << CMD_HDR_PORT_OFF);
- if (parent_dev && dev_is_expander(parent_dev->dev_type))
+ if (parent_dev && dev_is_expander(parent_dev->dev_type)) {
hdr->dw0 |= cpu_to_le32(3 << CMD_HDR_CMD_OFF);
- else
+ } else {
+ phy_id = device->phy->identify.phy_identifier;
+ hdr->dw0 |= cpu_to_le32((1U << phy_id)
+ << CMD_HDR_PHY_ID_OFF);
+ hdr->dw0 |= CMD_HDR_FORCE_PHY_MSK;
hdr->dw0 |= cpu_to_le32(4U << CMD_HDR_CMD_OFF);
+ }
switch (task->data_dir) {
case DMA_TO_DEVICE:
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 166/291] wifi: at76c50x: fix use after free access in at76_disconnect
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 165/291] scsi: hisi_sas: Enable force phy when SATA disk directly connected Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 167/291] wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue() Greg Kroah-Hartman
` (133 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit 27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da ]
The memory pointed to by priv is freed at the end of at76_delete_device
function (using ieee80211_free_hw). But the code then accesses the udev
field of the freed object to put the USB device. This may also lead to a
memory leak of the usb device. Fix this by using udev from interface.
Fixes: 29e20aa6c6af ("at76c50x-usb: fix use after free on failure path in at76_probe()")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Link: https://patch.msgid.link/20250330103110.44080-1-abdun.nihaal@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
index 24e609c1f5231..4a15c22cf348d 100644
--- a/drivers/net/wireless/atmel/at76c50x-usb.c
+++ b/drivers/net/wireless/atmel/at76c50x-usb.c
@@ -2553,7 +2553,7 @@ static void at76_disconnect(struct usb_interface *interface)
wiphy_info(priv->hw->wiphy, "disconnecting\n");
at76_delete_device(priv);
- usb_put_dev(priv->udev);
+ usb_put_dev(interface_to_usbdev(interface));
dev_info(&interface->dev, "disconnected\n");
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 167/291] wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 166/291] wifi: at76c50x: fix use after free access in at76_disconnect Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 168/291] wifi: mac80211: Purge vif txq in ieee80211_do_stop() Greg Kroah-Hartman
` (132 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit a104042e2bf6528199adb6ca901efe7b60c2c27f ]
The ieee80211 skb control block key (set when skb was queued) could have
been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()
already called ieee80211_tx_h_select_key() to get the current key, but
the latter do not update the key in skb control block in case it is
NULL. Because some drivers actually use this key in their TX callbacks
(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free
below:
BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440
CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
Hardware name: HW (DT)
Workqueue: bat_events batadv_send_outstanding_bcast_packet
Call trace:
show_stack+0x14/0x1c (C)
dump_stack_lvl+0x58/0x74
print_report+0x164/0x4c0
kasan_report+0xac/0xe8
__asan_report_load4_noabort+0x1c/0x24
ath11k_mac_op_tx+0x590/0x61c
ieee80211_handle_wake_tx_queue+0x12c/0x1c8
ieee80211_queue_skb+0xdcc/0x1b4c
ieee80211_tx+0x1ec/0x2bc
ieee80211_xmit+0x224/0x324
__ieee80211_subif_start_xmit+0x85c/0xcf8
ieee80211_subif_start_xmit+0xc0/0xec4
dev_hard_start_xmit+0xf4/0x28c
__dev_queue_xmit+0x6ac/0x318c
batadv_send_skb_packet+0x38c/0x4b0
batadv_send_outstanding_bcast_packet+0x110/0x328
process_one_work+0x578/0xc10
worker_thread+0x4bc/0xc7c
kthread+0x2f8/0x380
ret_from_fork+0x10/0x20
Allocated by task 1906:
kasan_save_stack+0x28/0x4c
kasan_save_track+0x1c/0x40
kasan_save_alloc_info+0x3c/0x4c
__kasan_kmalloc+0xac/0xb0
__kmalloc_noprof+0x1b4/0x380
ieee80211_key_alloc+0x3c/0xb64
ieee80211_add_key+0x1b4/0x71c
nl80211_new_key+0x2b4/0x5d8
genl_family_rcv_msg_doit+0x198/0x240
<...>
Freed by task 1494:
kasan_save_stack+0x28/0x4c
kasan_save_track+0x1c/0x40
kasan_save_free_info+0x48/0x94
__kasan_slab_free+0x48/0x60
kfree+0xc8/0x31c
kfree_sensitive+0x70/0x80
ieee80211_key_free_common+0x10c/0x174
ieee80211_free_keys+0x188/0x46c
ieee80211_stop_mesh+0x70/0x2cc
ieee80211_leave_mesh+0x1c/0x60
cfg80211_leave_mesh+0xe0/0x280
cfg80211_leave+0x1e0/0x244
<...>
Reset SKB control block key before calling ieee80211_tx_h_select_key()
to avoid that.
Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/06aa507b853ca385ceded81c18b0a6dd0f081bc8.1742833382.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 62b2817df2ba9..7c1e81e15865c 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3800,6 +3800,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
* The key can be removed while the packet was queued, so need to call
* this here to get the current key.
*/
+ info->control.hw_key = NULL;
r = ieee80211_tx_h_select_key(&tx);
if (r != TX_CONTINUE) {
ieee80211_free_txskb(&local->hw, skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 168/291] wifi: mac80211: Purge vif txq in ieee80211_do_stop()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 167/291] wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 169/291] wifi: wl1251: fix memory leak in wl1251_tx_work Greg Kroah-Hartman
` (131 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 378677eb8f44621ecc9ce659f7af61e5baa94d81 ]
After ieee80211_do_stop() SKB from vif's txq could still be processed.
Indeed another concurrent vif schedule_and_wake_txq call could cause
those packets to be dequeued (see ieee80211_handle_wake_tx_queue())
without checking the sdata current state.
Because vif.drv_priv is now cleared in this function, this could lead to
driver crash.
For example in ath12k, ahvif is store in vif.drv_priv. Thus if
ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be
NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to
trigger the NULL deref below.
Unable to handle kernel paging request at virtual address dfffffc000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
batman_adv: bat0: Interface deactivated: brbh1337
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfffffc000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
Hardware name: HW (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
sp : ffffffc086ace450
x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
Call trace:
ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
ieee80211_handle_wake_tx_queue+0x16c/0x260
ieee80211_queue_skb+0xeec/0x1d20
ieee80211_tx+0x200/0x2c8
ieee80211_xmit+0x22c/0x338
__ieee80211_subif_start_xmit+0x7e8/0xc60
ieee80211_subif_start_xmit+0xc4/0xee0
__ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
ieee80211_subif_start_xmit_8023+0x124/0x488
dev_hard_start_xmit+0x160/0x5a8
__dev_queue_xmit+0x6f8/0x3120
br_dev_queue_push_xmit+0x120/0x4a8
__br_forward+0xe4/0x2b0
deliver_clone+0x5c/0xd0
br_flood+0x398/0x580
br_dev_xmit+0x454/0x9f8
dev_hard_start_xmit+0x160/0x5a8
__dev_queue_xmit+0x6f8/0x3120
ip6_finish_output2+0xc28/0x1b60
__ip6_finish_output+0x38c/0x638
ip6_output+0x1b4/0x338
ip6_local_out+0x7c/0xa8
ip6_send_skb+0x7c/0x1b0
ip6_push_pending_frames+0x94/0xd0
rawv6_sendmsg+0x1a98/0x2898
inet_sendmsg+0x94/0xe0
__sys_sendto+0x1e4/0x308
__arm64_sys_sendto+0xc4/0x140
do_el0_svc+0x110/0x280
el0_svc+0x20/0x60
el0t_64_sync_handler+0x104/0x138
el0t_64_sync+0x154/0x158
To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could
be dequeued after ieee80211_do_stop() (new packets cannot be queued
because SDATA_STATE_RUNNING is cleared at this point).
Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/ff7849e268562456274213c0476e09481a48f489.1742833382.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/iface.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 8861f63e2cfb9..fc60e80088a38 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -688,6 +688,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do
if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
ieee80211_txq_remove_vlan(local, sdata);
+ if (sdata->vif.txq)
+ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
+
sdata->bss = NULL;
if (local->open_count == 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 169/291] wifi: wl1251: fix memory leak in wl1251_tx_work
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 168/291] wifi: mac80211: Purge vif txq in ieee80211_do_stop() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 170/291] scsi: iscsi: Fix missing scsi_host_put() in error path Greg Kroah-Hartman
` (130 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Michael Nemanov,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit a0f0dc96de03ffeefc2a177b7f8acde565cb77f4 ]
The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails
with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.
Fixes: c5483b719363 ("wl12xx: check if elp wakeup failed")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
Link: https://patch.msgid.link/20250330104532.44935-1-abdun.nihaal@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wl1251/tx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
index e9dc3c72bb110..06dc74cc6cb52 100644
--- a/drivers/net/wireless/ti/wl1251/tx.c
+++ b/drivers/net/wireless/ti/wl1251/tx.c
@@ -342,8 +342,10 @@ void wl1251_tx_work(struct work_struct *work)
while ((skb = skb_dequeue(&wl->tx_queue))) {
if (!woken_up) {
ret = wl1251_ps_elp_wakeup(wl);
- if (ret < 0)
+ if (ret < 0) {
+ skb_queue_head(&wl->tx_queue, skb);
goto out;
+ }
woken_up = true;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 170/291] scsi: iscsi: Fix missing scsi_host_put() in error path
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 169/291] wifi: wl1251: fix memory leak in wl1251_tx_work Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 171/291] md/raid10: fix missing discard IO accounting Greg Kroah-Hartman
` (129 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Mike Christie,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 72eea84a1092b50a10eeecfeba4b28ac9f1312ab ]
Add goto to ensure scsi_host_put() is called in all error paths of
iscsi_set_host_param() function. This fixes a potential memory leak when
strlen() check fails.
Fixes: ce51c8170084 ("scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20250318094344.91776-1-linmq006@gmail.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_transport_iscsi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index 687487ea4fd3b..7f0fd03dd03bc 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3207,11 +3207,14 @@ iscsi_set_host_param(struct iscsi_transport *transport,
}
/* see similar check in iscsi_if_set_param() */
- if (strlen(data) > ev->u.set_host_param.len)
- return -EINVAL;
+ if (strlen(data) > ev->u.set_host_param.len) {
+ err = -EINVAL;
+ goto out;
+ }
err = transport->set_host_param(shost, ev->u.set_host_param.param,
data, ev->u.set_host_param.len);
+out:
scsi_host_put(shost);
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 171/291] md/raid10: fix missing discard IO accounting
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 170/291] scsi: iscsi: Fix missing scsi_host_put() in error path Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 172/291] md/md-bitmap: fix stats collection for external bitmaps Greg Kroah-Hartman
` (128 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Coly Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit d05af90d6218e9c8f1c2026990c3f53c1b41bfb0 ]
md_account_bio() is not called from raid10_handle_discard(), now that we
handle bitmap inside md_account_bio(), also fix missing
bitmap_startwrite for discard.
Test whole disk discard for 20G raid10:
Before:
Device d/s dMB/s drqm/s %drqm d_await dareq-sz
md0 48.00 16.00 0.00 0.00 5.42 341.33
After:
Device d/s dMB/s drqm/s %drqm d_await dareq-sz
md0 68.00 20462.00 0.00 0.00 2.65 308133.65
Link: https://lore.kernel.org/linux-raid/20250325015746.3195035-1-yukuai1@huaweicloud.com
Fixes: 528bc2cf2fcc ("md/raid10: enable io accounting")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Coly Li <colyli@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid10.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index f608f30c7d6a6..24427eddf61bc 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1772,6 +1772,7 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio)
* The discard bio returns only first r10bio finishes
*/
if (first_copy) {
+ md_account_bio(mddev, &bio);
r10_bio->master_bio = bio;
set_bit(R10BIO_Discard, &r10_bio->state);
first_copy = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 172/291] md/md-bitmap: fix stats collection for external bitmaps
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 171/291] md/raid10: fix missing discard IO accounting Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 173/291] RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Greg Kroah-Hartman
` (127 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Qixing, Yu Kuai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Qixing <zhengqixing@huawei.com>
[ Upstream commit 6ec1f0239485028445d213d91cfee5242f3211ba ]
The bitmap_get_stats() function incorrectly returns -ENOENT for external
bitmaps.
Remove the external bitmap check as the statistics should be available
regardless of bitmap storage location.
Return -EINVAL only for invalid bitmap with no storage (neither in
superblock nor in external file).
Note: "bitmap_info.external" here refers to a bitmap stored in a separate
file (bitmap_file), not to external metadata.
Fixes: 8d28d0ddb986 ("md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime")
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
Link: https://lore.kernel.org/linux-raid/20250403015322.2873369-1-zhengqixing@huaweicloud.com
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md-bitmap.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -2029,9 +2029,8 @@ int md_bitmap_get_stats(struct bitmap *b
if (!bitmap)
return -ENOENT;
- if (bitmap->mddev->bitmap_info.external)
- return -ENOENT;
- if (!bitmap->storage.sb_page) /* no superblock */
+ if (!bitmap->mddev->bitmap_info.external &&
+ !bitmap->storage.sb_page)
return -EINVAL;
sb = kmap_local_page(bitmap->storage.sb_page);
stats->sync_size = le64_to_cpu(sb->sync_size);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 173/291] RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 172/291] md/md-bitmap: fix stats collection for external bitmaps Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 174/291] RDMA/hns: Fix wrong maximum DMA segment size Greg Kroah-Hartman
` (126 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yue Haibing, Zhu Yanjun,
Jason Gunthorpe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yue Haibing <yuehaibing@huawei.com>
[ Upstream commit 95ba3850fed03e01b422ab5d7943aeba130c9723 ]
drivers/infiniband/hw/usnic/usnic_ib_main.c:590
usnic_ib_pci_probe() warn: passing zero to 'PTR_ERR'
Make usnic_ib_device_add() return NULL on fail path, also remove
useless NULL check for usnic_ib_discover_pf()
Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
Link: https://patch.msgid.link/r/20250324123132.2392077-1-yuehaibing@huawei.com
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/infiniband/hw/usnic/usnic_ib_main.c b/drivers/infiniband/hw/usnic/usnic_ib_main.c
index 46653ad56f5a1..ec2d8f78c898b 100644
--- a/drivers/infiniband/hw/usnic/usnic_ib_main.c
+++ b/drivers/infiniband/hw/usnic/usnic_ib_main.c
@@ -380,7 +380,7 @@ static void *usnic_ib_device_add(struct pci_dev *dev)
if (!us_ibdev) {
usnic_err("Device %s context alloc failed\n",
netdev_name(pci_get_drvdata(dev)));
- return ERR_PTR(-EFAULT);
+ return NULL;
}
us_ibdev->ufdev = usnic_fwd_dev_alloc(dev);
@@ -500,8 +500,8 @@ static struct usnic_ib_dev *usnic_ib_discover_pf(struct usnic_vnic *vnic)
}
us_ibdev = usnic_ib_device_add(parent_pci);
- if (IS_ERR_OR_NULL(us_ibdev)) {
- us_ibdev = us_ibdev ? us_ibdev : ERR_PTR(-EFAULT);
+ if (!us_ibdev) {
+ us_ibdev = ERR_PTR(-EFAULT);
goto out;
}
@@ -569,10 +569,10 @@ static int usnic_ib_pci_probe(struct pci_dev *pdev,
}
pf = usnic_ib_discover_pf(vf->vnic);
- if (IS_ERR_OR_NULL(pf)) {
- usnic_err("Failed to discover pf of vnic %s with err%ld\n",
- pci_name(pdev), PTR_ERR(pf));
- err = pf ? PTR_ERR(pf) : -EFAULT;
+ if (IS_ERR(pf)) {
+ err = PTR_ERR(pf);
+ usnic_err("Failed to discover pf of vnic %s with err%d\n",
+ pci_name(pdev), err);
goto out_clean_vnic;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 174/291] RDMA/hns: Fix wrong maximum DMA segment size
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 173/291] RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 175/291] RDMA/core: Silence oversized kvmalloc() warning Greg Kroah-Hartman
` (125 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengchang Tang, Junxian Huang,
Jason Gunthorpe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengchang Tang <tangchengchang@huawei.com>
[ Upstream commit 9beb2c91fb86e0be70a5833c6730441fa3c9efa8 ]
Set maximum DMA segment size to 2G instead of UINT_MAX due to HW limit.
Fixes: e0477b34d9d1 ("RDMA: Explicitly pass in the dma_device to ib_register_device")
Link: https://patch.msgid.link/r/20250327114724.3454268-3-huangjunxian6@hisilicon.com
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index 5106b3ce89f08..eae22ac42e05d 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -642,7 +642,7 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
if (ret)
return ret;
}
- dma_set_max_seg_size(dev, UINT_MAX);
+ dma_set_max_seg_size(dev, SZ_2G);
ret = ib_register_device(ib_dev, "hns_%d", dev);
if (ret) {
dev_err(dev, "ib_register_device failed!\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 175/291] RDMA/core: Silence oversized kvmalloc() warning
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 174/291] RDMA/hns: Fix wrong maximum DMA segment size Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 176/291] Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Greg Kroah-Hartman
` (124 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit 9a0e6f15029e1a8a21e40f06fd05aa52b7f063de ]
syzkaller triggered an oversized kvmalloc() warning.
Silence it by adding __GFP_NOWARN.
syzkaller log:
WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180
CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:__kvmalloc_node_noprof+0x175/0x180
RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246
RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b
RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002
RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000
R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
FS: 00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ib_umem_odp_get+0x1f6/0x390
mlx5_ib_reg_user_mr+0x1e8/0x450
ib_uverbs_reg_mr+0x28b/0x440
ib_uverbs_write+0x7d3/0xa30
vfs_write+0x1ac/0x6c0
ksys_write+0x134/0x170
? __sanitizer_cov_trace_pc+0x1c/0x50
do_syscall_64+0x50/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 37824952dc8f ("RDMA/odp: Use kvcalloc for the dma_list and page_list")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Link: https://patch.msgid.link/c6cb92379de668be94894f49c2cfa40e73f94d56.1742388096.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/umem_odp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c
index e9fa22d31c233..c48ef60830205 100644
--- a/drivers/infiniband/core/umem_odp.c
+++ b/drivers/infiniband/core/umem_odp.c
@@ -76,12 +76,14 @@ static inline int ib_init_umem_odp(struct ib_umem_odp *umem_odp,
npfns = (end - start) >> PAGE_SHIFT;
umem_odp->pfn_list = kvcalloc(
- npfns, sizeof(*umem_odp->pfn_list), GFP_KERNEL);
+ npfns, sizeof(*umem_odp->pfn_list),
+ GFP_KERNEL | __GFP_NOWARN);
if (!umem_odp->pfn_list)
return -ENOMEM;
umem_odp->dma_list = kvcalloc(
- ndmas, sizeof(*umem_odp->dma_list), GFP_KERNEL);
+ ndmas, sizeof(*umem_odp->dma_list),
+ GFP_KERNEL | __GFP_NOWARN);
if (!umem_odp->dma_list) {
ret = -ENOMEM;
goto out_pfn_list;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 176/291] Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 175/291] RDMA/core: Silence oversized kvmalloc() warning Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 177/291] Bluetooth: btrtl: Prevent potential NULL dereference Greg Kroah-Hartman
` (123 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit eb73b5a9157221f405b4fe32751da84ee46b7a25 ]
This fixes sending MGMT_EV_DEVICE_FOUND for invalid address
(00:00:00:00:00:00) which is a regression introduced by
a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
since in the attempt to skip storing data for extended advertisement it
actually made the code to skip the entire if statement supposed to send
MGMT_EV_DEVICE_FOUND without attempting to use the last_addr_adv which
is garanteed to be invalid for extended advertisement since we never
store anything on it.
Link: https://github.com/bluez/bluez/issues/1157
Link: https://github.com/bluez/bluez/issues/1149#issuecomment-2767215658
Fixes: a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6cfd61628cd78..8667723d4e969 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6248,11 +6248,12 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
* event or send an immediate device found event if the data
* should not be stored for later.
*/
- if (!ext_adv && !has_pending_adv_report(hdev)) {
+ if (!has_pending_adv_report(hdev)) {
/* If the report will trigger a SCAN_REQ store it for
* later merging.
*/
- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
+ if (!ext_adv && (type == LE_ADV_IND ||
+ type == LE_ADV_SCAN_IND)) {
store_pending_adv_report(hdev, bdaddr, bdaddr_type,
rssi, flags, data, len);
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 177/291] Bluetooth: btrtl: Prevent potential NULL dereference
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 176/291] Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 178/291] Bluetooth: l2cap: Check encryption key size on incoming connection Greg Kroah-Hartman
` (122 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Hans de Goede,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ]
The btrtl_initialize() function checks that rtl_load_file() either
had an error or it loaded a zero length file. However, if it loaded
a zero length file then the error code is not set correctly. It
results in an error pointer vs NULL bug, followed by a NULL pointer
dereference. This was detected by Smatch:
drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'
Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btrtl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 5671f0d9ab28c..1c122613e562c 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -817,6 +817,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
rtl_dev_err(hdev, "mandatory config file %s not found",
btrtl_dev->ic_info->cfg_name);
ret = btrtl_dev->cfg_len;
+ if (!ret)
+ ret = -EINVAL;
goto err_free;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 178/291] Bluetooth: l2cap: Check encryption key size on incoming connection
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 177/291] Bluetooth: btrtl: Prevent potential NULL dereference Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 179/291] Revert "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
` (121 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frédéric Danis,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frédéric Danis <frederic.danis@collabora.com>
[ Upstream commit 522e9ed157e3c21b4dd623c79967f72c21e45b78 ]
This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:
Security Mode 4 Level 4, Responder - Invalid Encryption Key Size
- 128 bit
This tests the security key with size from 1 to 15 bytes while the
Security Mode 4 Level 4 requests 16 bytes key size.
Currently PTS fails with the following logs:
- expected:Connection Response:
Code: [3 (0x03)] Code
Identifier: (lt)WildCard: Exists(gt)
Length: [8 (0x0008)]
Destination CID: (lt)WildCard: Exists(gt)
Source CID: [64 (0x0040)]
Result: [3 (0x0003)] Connection refused - Security block
Status: (lt)WildCard: Exists(gt),
but received:Connection Response:
Code: [3 (0x03)] Code
Identifier: [1 (0x01)]
Length: [8 (0x0008)]
Destination CID: [64 (0x0040)]
Source CID: [64 (0x0040)]
Result: [0 (0x0000)] Connection Successful
Status: [0 (0x0000)] No further information available
And HCI logs:
< HCI Command: Read Encrypti.. (0x05|0x0008) plen 2
Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
> HCI Event: Command Complete (0x0e) plen 7
Read Encryption Key Size (0x05|0x0008) ncmd 1
Status: Success (0x00)
Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
Key size: 7
> ACL Data RX: Handle 14 flags 0x02 dlen 12
L2CAP: Connection Request (0x02) ident 1 len 4
PSM: 4097 (0x1001)
Source CID: 64
< ACL Data TX: Handle 14 flags 0x00 dlen 16
L2CAP: Connection Response (0x03) ident 1 len 8
Destination CID: 64
Source CID: 64
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
Fixes: 288c06973daa ("Bluetooth: Enforce key size of 16 bytes on FIPS level")
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 21a79ef7092d7..222105e24d2d8 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4186,7 +4186,8 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
/* Check if the ACL is secure enough (if not SDP) */
if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
- !hci_conn_check_link_mode(conn->hcon)) {
+ (!hci_conn_check_link_mode(conn->hcon) ||
+ !l2cap_check_enc_key_size(conn->hcon))) {
conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
result = L2CAP_CR_SEC_BLOCK;
goto response;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 179/291] Revert "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()"
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 178/291] Bluetooth: l2cap: Check encryption key size on incoming connection Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 180/291] igc: fix PTM cycle trigger logic Greg Kroah-Hartman
` (120 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bert Karwatzki, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 0937cb5f345c79d702b4d0d744e2a2529b551cb2 ]
This reverts commit a104042e2bf6528199adb6ca901efe7b60c2c27f.
Since the original bug seems to have been around for years,
but a new issue was report with the fix, revert the fix for
now. We have a couple of weeks to figure it out for this
release, if needed.
Reported-by: Bert Karwatzki <spasswolf@web.de>
Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
Fixes: a104042e2bf6 ("wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 7c1e81e15865c..62b2817df2ba9 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3800,7 +3800,6 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
* The key can be removed while the packet was queued, so need to call
* this here to get the current key.
*/
- info->control.hw_key = NULL;
r = ieee80211_tx_h_select_key(&tx);
if (r != TX_CONTINUE) {
ieee80211_free_txskb(&local->hw, skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 180/291] igc: fix PTM cycle trigger logic
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 179/291] Revert "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 181/291] igc: move ktime snapshot into PTM retry loop Greg Kroah-Hartman
` (119 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Swiatkowski, Mor Bar-Gabay,
Avigail Dahan, Christopher S M Hall, Corinna Vinschen,
Jacob Keller, Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher S M Hall <christopher.s.hall@intel.com>
[ Upstream commit 8e404ad95d2c10c261e2ef6992c7c12dde03df0e ]
Writing to clear the PTM status 'valid' bit while the PTM cycle is
triggered results in unreliable PTM operation. To fix this, clear the
PTM 'trigger' and status after each PTM transaction.
The issue can be reproduced with the following:
$ sudo phc2sys -R 1000 -O 0 -i tsn0 -m
Note: 1000 Hz (-R 1000) is unrealistically large, but provides a way to
quickly reproduce the issue.
PHC2SYS exits with:
"ioctl PTP_OFFSET_PRECISE: Connection timed out" when the PTM transaction
fails
This patch also fixes a hang in igc_probe() when loading the igc
driver in the kdump kernel on systems supporting PTM.
The igc driver running in the base kernel enables PTM trigger in
igc_probe(). Therefore the driver is always in PTM trigger mode,
except in brief periods when manually triggering a PTM cycle.
When a crash occurs, the NIC is reset while PTM trigger is enabled.
Due to a hardware problem, the NIC is subsequently in a bad busmaster
state and doesn't handle register reads/writes. When running
igc_probe() in the kdump kernel, the first register access to a NIC
register hangs driver probing and ultimately breaks kdump.
With this patch, igc has PTM trigger disabled most of the time,
and the trigger is only enabled for very brief (10 - 100 us) periods
when manually triggering a PTM cycle. Chances that a crash occurs
during a PTM trigger are not 0, but extremely reduced.
Fixes: a90ec8483732 ("igc: Add support for PTP getcrosststamp()")
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Corinna Vinschen <vinschen@redhat.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_defines.h | 1 +
drivers/net/ethernet/intel/igc/igc_ptp.c | 70 ++++++++++++--------
2 files changed, 42 insertions(+), 29 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
index 8187a658dcbd5..17a7e3c875ccb 100644
--- a/drivers/net/ethernet/intel/igc/igc_defines.h
+++ b/drivers/net/ethernet/intel/igc/igc_defines.h
@@ -574,6 +574,7 @@
#define IGC_PTM_STAT_T4M1_OVFL BIT(3) /* T4 minus T1 overflow */
#define IGC_PTM_STAT_ADJUST_1ST BIT(4) /* 1588 timer adjusted during 1st PTM cycle */
#define IGC_PTM_STAT_ADJUST_CYC BIT(5) /* 1588 timer adjusted during non-1st PTM cycle */
+#define IGC_PTM_STAT_ALL GENMASK(5, 0) /* Used to clear all status */
/* PCIe PTM Cycle Control */
#define IGC_PTM_CYCLE_CTRL_CYC_TIME(msec) ((msec) & 0x3ff) /* PTM Cycle Time (msec) */
diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
index 14cd7f995280d..b4720545191ff 100644
--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
+++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
@@ -844,13 +844,40 @@ static void igc_ptm_log_error(struct igc_adapter *adapter, u32 ptm_stat)
}
}
+static void igc_ptm_trigger(struct igc_hw *hw)
+{
+ u32 ctrl;
+
+ /* To "manually" start the PTM cycle we need to set the
+ * trigger (TRIG) bit
+ */
+ ctrl = rd32(IGC_PTM_CTRL);
+ ctrl |= IGC_PTM_CTRL_TRIG;
+ wr32(IGC_PTM_CTRL, ctrl);
+ /* Perform flush after write to CTRL register otherwise
+ * transaction may not start
+ */
+ wrfl();
+}
+
+static void igc_ptm_reset(struct igc_hw *hw)
+{
+ u32 ctrl;
+
+ ctrl = rd32(IGC_PTM_CTRL);
+ ctrl &= ~IGC_PTM_CTRL_TRIG;
+ wr32(IGC_PTM_CTRL, ctrl);
+ /* Write to clear all status */
+ wr32(IGC_PTM_STAT, IGC_PTM_STAT_ALL);
+}
+
static int igc_phc_get_syncdevicetime(ktime_t *device,
struct system_counterval_t *system,
void *ctx)
{
- u32 stat, t2_curr_h, t2_curr_l, ctrl;
struct igc_adapter *adapter = ctx;
struct igc_hw *hw = &adapter->hw;
+ u32 stat, t2_curr_h, t2_curr_l;
int err, count = 100;
ktime_t t1, t2_curr;
@@ -864,25 +891,13 @@ static int igc_phc_get_syncdevicetime(ktime_t *device,
* are transitory. Repeating the process returns valid
* data eventually.
*/
-
- /* To "manually" start the PTM cycle we need to clear and
- * then set again the TRIG bit.
- */
- ctrl = rd32(IGC_PTM_CTRL);
- ctrl &= ~IGC_PTM_CTRL_TRIG;
- wr32(IGC_PTM_CTRL, ctrl);
- ctrl |= IGC_PTM_CTRL_TRIG;
- wr32(IGC_PTM_CTRL, ctrl);
-
- /* The cycle only starts "for real" when software notifies
- * that it has read the registers, this is done by setting
- * VALID bit.
- */
- wr32(IGC_PTM_STAT, IGC_PTM_STAT_VALID);
+ igc_ptm_trigger(hw);
err = readx_poll_timeout(rd32, IGC_PTM_STAT, stat,
stat, IGC_PTM_STAT_SLEEP,
IGC_PTM_STAT_TIMEOUT);
+ igc_ptm_reset(hw);
+
if (err < 0) {
netdev_err(adapter->netdev, "Timeout reading IGC_PTM_STAT register\n");
return err;
@@ -891,15 +906,7 @@ static int igc_phc_get_syncdevicetime(ktime_t *device,
if ((stat & IGC_PTM_STAT_VALID) == IGC_PTM_STAT_VALID)
break;
- if (stat & ~IGC_PTM_STAT_VALID) {
- /* An error occurred, log it. */
- igc_ptm_log_error(adapter, stat);
- /* The STAT register is write-1-to-clear (W1C),
- * so write the previous error status to clear it.
- */
- wr32(IGC_PTM_STAT, stat);
- continue;
- }
+ igc_ptm_log_error(adapter, stat);
} while (--count);
if (!count) {
@@ -1081,7 +1088,7 @@ void igc_ptp_stop(struct igc_adapter *adapter)
void igc_ptp_reset(struct igc_adapter *adapter)
{
struct igc_hw *hw = &adapter->hw;
- u32 cycle_ctrl, ctrl;
+ u32 cycle_ctrl, ctrl, stat;
unsigned long flags;
u32 timadj;
@@ -1116,14 +1123,19 @@ void igc_ptp_reset(struct igc_adapter *adapter)
ctrl = IGC_PTM_CTRL_EN |
IGC_PTM_CTRL_START_NOW |
IGC_PTM_CTRL_SHRT_CYC(IGC_PTM_SHORT_CYC_DEFAULT) |
- IGC_PTM_CTRL_PTM_TO(IGC_PTM_TIMEOUT_DEFAULT) |
- IGC_PTM_CTRL_TRIG;
+ IGC_PTM_CTRL_PTM_TO(IGC_PTM_TIMEOUT_DEFAULT);
wr32(IGC_PTM_CTRL, ctrl);
/* Force the first cycle to run. */
- wr32(IGC_PTM_STAT, IGC_PTM_STAT_VALID);
+ igc_ptm_trigger(hw);
+
+ if (readx_poll_timeout_atomic(rd32, IGC_PTM_STAT, stat,
+ stat, IGC_PTM_STAT_SLEEP,
+ IGC_PTM_STAT_TIMEOUT))
+ netdev_err(adapter->netdev, "Timeout reading IGC_PTM_STAT register\n");
+ igc_ptm_reset(hw);
break;
default:
/* No work to do. */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 181/291] igc: move ktime snapshot into PTM retry loop
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 180/291] igc: fix PTM cycle trigger logic Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 182/291] igc: handle the IGC_PTP_ENABLED flag correctly Greg Kroah-Hartman
` (118 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Swiatkowski, Mor Bar-Gabay,
Avigail Dahan, Christopher S M Hall, Corinna Vinschen,
Jacob Keller, Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher S M Hall <christopher.s.hall@intel.com>
[ Upstream commit cd7f7328d691937102732f39f97ead35b15bf803 ]
Move ktime_get_snapshot() into the loop. If a retry does occur, a more
recent snapshot will result in a more accurate cross-timestamp.
Fixes: a90ec8483732 ("igc: Add support for PTP getcrosststamp()")
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_ptp.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
index b4720545191ff..5616b7f4e504f 100644
--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
+++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
@@ -881,16 +881,16 @@ static int igc_phc_get_syncdevicetime(ktime_t *device,
int err, count = 100;
ktime_t t1, t2_curr;
- /* Get a snapshot of system clocks to use as historic value. */
- ktime_get_snapshot(&adapter->snapshot);
-
+ /* Doing this in a loop because in the event of a
+ * badly timed (ha!) system clock adjustment, we may
+ * get PTM errors from the PCI root, but these errors
+ * are transitory. Repeating the process returns valid
+ * data eventually.
+ */
do {
- /* Doing this in a loop because in the event of a
- * badly timed (ha!) system clock adjustment, we may
- * get PTM errors from the PCI root, but these errors
- * are transitory. Repeating the process returns valid
- * data eventually.
- */
+ /* Get a snapshot of system clocks to use as historic value. */
+ ktime_get_snapshot(&adapter->snapshot);
+
igc_ptm_trigger(hw);
err = readx_poll_timeout(rd32, IGC_PTM_STAT, stat,
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 182/291] igc: handle the IGC_PTP_ENABLED flag correctly
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 181/291] igc: move ktime snapshot into PTM retry loop Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 183/291] igc: cleanup PTP module if probe fails Greg Kroah-Hartman
` (117 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christopher S M Hall,
Corinna Vinschen, Jacob Keller, Mor Bar-Gabay,
Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher S M Hall <christopher.s.hall@intel.com>
[ Upstream commit 26a3910afd111f7c1a96dace6dc02f3225063896 ]
All functions in igc_ptp.c called from igc_main.c should check the
IGC_PTP_ENABLED flag. Adding check for this flag to stop and reset
functions.
Fixes: 5f2958052c58 ("igc: Add basic skeleton for PTP")
Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_ptp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
index 5616b7f4e504f..8731e8f234946 100644
--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
+++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
@@ -1070,8 +1070,12 @@ void igc_ptp_suspend(struct igc_adapter *adapter)
**/
void igc_ptp_stop(struct igc_adapter *adapter)
{
+ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
+ return;
+
igc_ptp_suspend(adapter);
+ adapter->ptp_flags &= ~IGC_PTP_ENABLED;
if (adapter->ptp_clock) {
ptp_clock_unregister(adapter->ptp_clock);
netdev_info(adapter->netdev, "PHC removed\n");
@@ -1092,6 +1096,9 @@ void igc_ptp_reset(struct igc_adapter *adapter)
unsigned long flags;
u32 timadj;
+ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
+ return;
+
/* reset the tstamp_config */
igc_ptp_set_timestamp_mode(adapter, &adapter->tstamp_config);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 183/291] igc: cleanup PTP module if probe fails
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 182/291] igc: handle the IGC_PTP_ENABLED flag correctly Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 184/291] test suite: use %zu to print size_t Greg Kroah-Hartman
` (116 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christopher S M Hall,
Corinna Vinschen, Jacob Keller, Mor Bar-Gabay,
Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher S M Hall <christopher.s.hall@intel.com>
[ Upstream commit 1f025759ba394dd53e434d2668cb0597886d9b69 ]
Make sure that the PTP module is cleaned up if the igc_probe() fails by
calling igc_ptp_stop() on exit.
Fixes: d89f88419f99 ("igc: Add skeletal frame for Intel(R) 2.5G Ethernet Controller support")
Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 6ae2d0b723c82..082f78beeb4ed 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -6725,6 +6725,7 @@ static int igc_probe(struct pci_dev *pdev,
err_register:
igc_release_hw_control(adapter);
+ igc_ptp_stop(adapter);
err_eeprom:
if (!igc_check_reset_block(hw))
igc_reset_phy(hw);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 184/291] test suite: use %zu to print size_t
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 183/291] igc: cleanup PTP module if probe fails Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 185/291] net: mctp: Set SOCK_RCU_FREE Greg Kroah-Hartman
` (115 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Liam R. Howlett, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit a30951d09c33c899f0e4aca80eb87fad5f10ecfa ]
On 32-bit, we can't use %lu to print a size_t variable and gcc warns us
about it. Shame it doesn't warn about it on 64-bit.
Link: https://lkml.kernel.org/r/20250403003311.359917-1-Liam.Howlett@oracle.com
Fixes: cc86e0c2f306 ("radix tree test suite: add support for slab bulk APIs")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/radix-tree/linux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/radix-tree/linux.c b/tools/testing/radix-tree/linux.c
index d587a558997f8..11149bd12a1f7 100644
--- a/tools/testing/radix-tree/linux.c
+++ b/tools/testing/radix-tree/linux.c
@@ -121,7 +121,7 @@ void kmem_cache_free(struct kmem_cache *cachep, void *objp)
void kmem_cache_free_bulk(struct kmem_cache *cachep, size_t size, void **list)
{
if (kmalloc_verbose)
- pr_debug("Bulk free %p[0-%lu]\n", list, size - 1);
+ pr_debug("Bulk free %p[0-%zu]\n", list, size - 1);
pthread_mutex_lock(&cachep->lock);
for (int i = 0; i < size; i++)
@@ -139,7 +139,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *cachep, gfp_t gfp, size_t size,
size_t i;
if (kmalloc_verbose)
- pr_debug("Bulk alloc %lu\n", size);
+ pr_debug("Bulk alloc %zu\n", size);
if (!(gfp & __GFP_DIRECT_RECLAIM)) {
if (cachep->non_kernel < size)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 185/291] net: mctp: Set SOCK_RCU_FREE
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 184/291] test suite: use %zu to print size_t Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 186/291] net: openvswitch: fix nested key length validation in the set() action Greg Kroah-Hartman
` (114 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Johnston, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Johnston <matt@codeconstruct.com.au>
[ Upstream commit 52024cd6ec71a6ca934d0cc12452bd8d49850679 ]
Bind lookup runs under RCU, so ensure that a socket doesn't go away in
the middle of a lookup.
Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Link: https://patch.msgid.link/20250410-mctp-rcu-sock-v1-1-872de9fdc877@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/af_mctp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
index 2316e7772b785..6a963eac1cc2f 100644
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -551,6 +551,9 @@ static int mctp_sk_hash(struct sock *sk)
{
struct net *net = sock_net(sk);
+ /* Bind lookup runs under RCU, remain live during that. */
+ sock_set_flag(sk, SOCK_RCU_FREE);
+
mutex_lock(&net->mctp.bind_lock);
sk_add_node_rcu(sk, &net->mctp.binds);
mutex_unlock(&net->mctp.bind_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 186/291] net: openvswitch: fix nested key length validation in the set() action
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 185/291] net: mctp: Set SOCK_RCU_FREE Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 187/291] cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Greg Kroah-Hartman
` (113 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b07a9da40df1576b8048,
Ilya Maximets, Eelco Chaudron, Aaron Conole, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 65d91192aa66f05710cfddf6a14b5a25ee554dba ]
It's not safe to access nla_len(ovs_key) if the data is smaller than
the netlink header. Check that the attribute is OK first.
Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 5ebbec656895e..0ed3953dbe529 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2860,7 +2860,8 @@ static int validate_set(const struct nlattr *a,
size_t key_len;
/* There can be only one key in a action */
- if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
+ if (!nla_ok(ovs_key, nla_len(a)) ||
+ nla_total_size(nla_len(ovs_key)) != nla_len(a))
return -EINVAL;
key_len = nla_len(ovs_key);
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 187/291] cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 186/291] net: openvswitch: fix nested key length validation in the set() action Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 188/291] net: b53: enable BPDU reception for management port Greg Kroah-Hartman
` (112 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Simon Horman,
Jacob Keller, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit 00ffb3724ce743578163f5ade2884374554ca021 ]
In the for loop used to allocate the loc_array and bmap for each port, a
memory leak is possible when the allocation for loc_array succeeds,
but the allocation for bmap fails. This is because when the control flow
goes to the label free_eth_finfo, only the allocations starting from
(i-1)th iteration are freed.
Fix that by freeing the loc_array in the bmap allocation error path.
Fixes: d915c299f1da ("cxgb4: add skeleton for ethtool n-tuple filters")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20250414170649.89156-1-abdun.nihaal@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
index 8477a93cee6bd..b77897aa06c4f 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
@@ -2273,6 +2273,7 @@ int cxgb4_init_ethtool_filters(struct adapter *adap)
eth_filter->port[i].bmap = bitmap_zalloc(nentries, GFP_KERNEL);
if (!eth_filter->port[i].bmap) {
ret = -ENOMEM;
+ kvfree(eth_filter->port[i].loc_array);
goto free_eth_finfo;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 188/291] net: b53: enable BPDU reception for management port
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 187/291] cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 189/291] net: bridge: switchdev: do not notify new brentries as changed Greg Kroah-Hartman
` (111 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 36355ddfe8955f226a88a543ed354b9f6b84cd70 ]
For STP to work, receiving BPDUs is essential, but the appropriate bit
was never set. Without GC_RX_BPDU_EN, the switch chip will filter all
BPDUs, even if an appropriate PVID VLAN was setup.
Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://patch.msgid.link/20250414200434.194422-1-jonas.gorski@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 463c6d84ae1b0..ea7d2c01e6726 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -724,6 +724,15 @@ static void b53_enable_mib(struct b53_device *dev)
b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
}
+static void b53_enable_stp(struct b53_device *dev)
+{
+ u8 gc;
+
+ b53_read8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, &gc);
+ gc |= GC_RX_BPDU_EN;
+ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
+}
+
static u16 b53_default_pvid(struct b53_device *dev)
{
if (is5325(dev) || is5365(dev))
@@ -863,6 +872,7 @@ static int b53_switch_reset(struct b53_device *dev)
}
b53_enable_mib(dev);
+ b53_enable_stp(dev);
return b53_flush_arl(dev, FAST_AGE_STATIC);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 189/291] net: bridge: switchdev: do not notify new brentries as changed
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 188/291] net: b53: enable BPDU reception for management port Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 190/291] net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Greg Kroah-Hartman
` (110 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jonas Gorski,
Ido Schimmel, Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit eb25de13bd9cf025413a04f25e715d0e99847e30 ]
When adding a bridge vlan that is pvid or untagged after the vlan has
already been added to any other switchdev backed port, the vlan change
will be propagated as changed, since the flags change.
This causes the vlan to not be added to the hardware for DSA switches,
since the DSA handler ignores any vlans for the CPU or DSA ports that
are changed.
E.g. the following order of operations would work:
$ ip link add swbridge type bridge vlan_filtering 1 vlan_default_pvid 0
$ ip link set lan1 master swbridge
$ bridge vlan add dev swbridge vid 1 pvid untagged self
$ bridge vlan add dev lan1 vid 1 pvid untagged
but this order would break:
$ ip link add swbridge type bridge vlan_filtering 1 vlan_default_pvid 0
$ ip link set lan1 master swbridge
$ bridge vlan add dev lan1 vid 1 pvid untagged
$ bridge vlan add dev swbridge vid 1 pvid untagged self
Additionally, the vlan on the bridge itself would become undeletable:
$ bridge vlan
port vlan-id
lan1 1 PVID Egress Untagged
swbridge 1 PVID Egress Untagged
$ bridge vlan del dev swbridge vid 1 self
$ bridge vlan
port vlan-id
lan1 1 PVID Egress Untagged
swbridge 1 Egress Untagged
since the vlan was never added to DSA's vlan list, so deleting it will
cause an error, causing the bridge code to not remove it.
Fix this by checking if flags changed only for vlans that are already
brentry and pass changed as false for those that become brentries, as
these are a new vlan (member) from the switchdev point of view.
Since *changed is set to true for becomes_brentry = true regardless of
would_change's value, this will not change any rtnetlink notification
delivery, just the value passed on to switchdev in vlan->changed.
Fixes: 8d23a54f5bee ("net: bridge: switchdev: differentiate new VLANs from changed ones")
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20250414200020.192715-1-jonas.gorski@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_vlan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 9ffd40b8270c1..23a82567fe624 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -715,8 +715,8 @@ static int br_vlan_add_existing(struct net_bridge *br,
u16 flags, bool *changed,
struct netlink_ext_ack *extack)
{
- bool would_change = __vlan_flags_would_change(vlan, flags);
bool becomes_brentry = false;
+ bool would_change = false;
int err;
if (!br_vlan_is_brentry(vlan)) {
@@ -725,6 +725,8 @@ static int br_vlan_add_existing(struct net_bridge *br,
return -EINVAL;
becomes_brentry = true;
+ } else {
+ would_change = __vlan_flags_would_change(vlan, flags);
}
/* Master VLANs that aren't brentries weren't notified before,
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 190/291] net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 189/291] net: bridge: switchdev: do not notify new brentries as changed Greg Kroah-Hartman
@ 2025-04-23 14:42 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 191/291] net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Greg Kroah-Hartman
` (109 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
Vladimir Oltean, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit c84f6ce918a9e6f4996597cbc62536bbf2247c96 ]
Russell King reports that a system with mv88e6xxx dereferences a NULL
pointer when unbinding this driver:
https://lore.kernel.org/netdev/Z_lRkMlTJ1KQ0kVX@shell.armlinux.org.uk/
The crash seems to be in devlink_region_destroy(), which is not NULL
tolerant but is given a NULL devlink global region pointer.
At least on some chips, some devlink regions are conditionally registered
since the blamed commit, see mv88e6xxx_setup_devlink_regions_global():
if (cond && !cond(chip))
continue;
These are MV88E6XXX_REGION_STU and MV88E6XXX_REGION_PVT. If the chip
does not have an STU or PVT, it should crash like this.
To fix the issue, avoid unregistering those regions which are NULL, i.e.
were skipped at mv88e6xxx_setup_devlink_regions_global() time.
Fixes: 836021a2d0e0 ("net: dsa: mv88e6xxx: Export cross-chip PVT as devlink region")
Tested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250414212850.2953957-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/devlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/mv88e6xxx/devlink.c b/drivers/net/dsa/mv88e6xxx/devlink.c
index 1266eabee0863..2ab2eb2cb47be 100644
--- a/drivers/net/dsa/mv88e6xxx/devlink.c
+++ b/drivers/net/dsa/mv88e6xxx/devlink.c
@@ -743,7 +743,8 @@ void mv88e6xxx_teardown_devlink_regions_global(struct dsa_switch *ds)
int i;
for (i = 0; i < ARRAY_SIZE(mv88e6xxx_regions); i++)
- dsa_devlink_region_destroy(chip->regions[i]);
+ if (chip->regions[i])
+ dsa_devlink_region_destroy(chip->regions[i]);
}
void mv88e6xxx_teardown_devlink_regions_port(struct dsa_switch *ds, int port)
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 191/291] net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-04-23 14:42 ` [PATCH 6.1 190/291] net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 192/291] net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Greg Kroah-Hartman
` (108 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d ]
Russell King reports that on the ZII dev rev B, deleting a bridge VLAN
from a user port fails with -ENOENT:
https://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/
This comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(),
which tries to find an MST entry in &chip->msts associated with the SID,
but fails and returns -ENOENT as such.
But we know that this chip does not support MST at all, so that is not
surprising. The question is why does the guard in mv88e6xxx_mst_put()
not exit early:
if (!sid)
return 0;
And the answer seems to be simple: the sid comes from vlan.sid which
supposedly was previously populated by mv88e6xxx_vtu_get().
But some chip->info->ops->vtu_getnext() implementations do not populate
vlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case,
later in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is
just residual stack memory.
Testing for sid == 0 covers all cases of a non-bridge VLAN or a bridge
VLAN mapped to the default MSTI. For some chips, SID 0 is valid and
installed by mv88e6xxx_stu_setup(). A chip which does not support the
STU would implicitly only support mapping all VLANs to the default MSTI,
so although SID 0 is not valid, it would be sufficient, if we were to
zero-initialize the vlan structure, to fix the bug, due to the
coincidence that a test for vlan.sid == 0 already exists and leads to
the same (correct) behavior.
Another option which would be sufficient would be to add a test for
mv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one
which already exists in mv88e6xxx_mst_get(). But that placement means
the caller will have to dereference vlan.sid, which means it will access
uninitialized memory, which is not nice even if it ignores it later.
So we end up making both modifications, in order to not rely just on the
sid == 0 coincidence, but also to avoid having uninitialized structure
fields which might get temporarily accessed.
Fixes: acaf4d2e36b3 ("net: dsa: mv88e6xxx: MST Offloading")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250414212913.2955253-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index d348078ec033c..4c60f79ce2697 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -1724,6 +1724,8 @@ static int mv88e6xxx_vtu_get(struct mv88e6xxx_chip *chip, u16 vid,
if (!chip->info->ops->vtu_getnext)
return -EOPNOTSUPP;
+ memset(entry, 0, sizeof(*entry));
+
entry->vid = vid ? vid - 1 : mv88e6xxx_max_vid(chip);
entry->valid = false;
@@ -1859,7 +1861,16 @@ static int mv88e6xxx_mst_put(struct mv88e6xxx_chip *chip, u8 sid)
struct mv88e6xxx_mst *mst, *tmp;
int err;
- if (!sid)
+ /* If the SID is zero, it is for a VLAN mapped to the default MSTI,
+ * and mv88e6xxx_stu_setup() made sure it is always present, and thus,
+ * should not be removed here.
+ *
+ * If the chip lacks STU support, numerically the "sid" variable will
+ * happen to also be zero, but we don't want to rely on that fact, so
+ * we explicitly test that first. In that case, there is also nothing
+ * to do here.
+ */
+ if (!mv88e6xxx_has_stu(chip) || !sid)
return 0;
list_for_each_entry_safe(mst, tmp, &chip->msts, node) {
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 192/291] net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 191/291] net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 193/291] ptp: ocp: fix start time alignment in ptp_ocp_signal_set Greg Kroah-Hartman
` (107 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 514eff7b0aa1c5eb645ddbb8676ef3e2d88a8b99 ]
This is very similar to the problem and solution from commit
232deb3f9567 ("net: dsa: avoid refcount warnings when
->port_{fdb,mdb}_del returns error"), except for the
dsa_port_do_tag_8021q_vlan_del() operation.
Fixes: c64b9c05045a ("net: dsa: tag_8021q: add proper cross-chip notifier support")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250414213020.2959021-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/tag_8021q.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/dsa/tag_8021q.c b/net/dsa/tag_8021q.c
index 89371b16416e2..6a33f35a0f748 100644
--- a/net/dsa/tag_8021q.c
+++ b/net/dsa/tag_8021q.c
@@ -180,7 +180,7 @@ static int dsa_port_do_tag_8021q_vlan_del(struct dsa_port *dp, u16 vid)
err = ds->ops->tag_8021q_vlan_del(ds, port, vid);
if (err) {
- refcount_inc(&v->refcount);
+ refcount_set(&v->refcount, 1);
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 193/291] ptp: ocp: fix start time alignment in ptp_ocp_signal_set
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 192/291] net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 194/291] riscv: Properly export reserved regions in /proc/iomem Greg Kroah-Hartman
` (106 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagi Maimon, Vadim Fedorenko,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sagi Maimon <maimon.sagi@gmail.com>
[ Upstream commit 2a5970d5aaff8f3e33ce3bfaa403ae88c40de40d ]
In ptp_ocp_signal_set, the start time for periodic signals is not
aligned to the next period boundary. The current code rounds up the
start time and divides by the period but fails to multiply back by
the period, causing misaligned signal starts. Fix this by multiplying
the rounded-up value by the period to ensure the start time is the
closest next period.
Fixes: 4bd46bb037f8e ("ptp: ocp: Use DIV64_U64_ROUND_UP for rounding.")
Signed-off-by: Sagi Maimon <maimon.sagi@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20250415053131.129413-1-maimon.sagi@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_ocp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
index 87b960e941bae..b6f66a9886ce2 100644
--- a/drivers/ptp/ptp_ocp.c
+++ b/drivers/ptp/ptp_ocp.c
@@ -1654,6 +1654,7 @@ ptp_ocp_signal_set(struct ptp_ocp *bp, int gen, struct ptp_ocp_signal *s)
if (!s->start) {
/* roundup() does not work on 32-bit systems */
s->start = DIV64_U64_ROUND_UP(start_ns, s->period);
+ s->start *= s->period;
s->start = ktime_add(s->start, s->phase);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 194/291] riscv: Properly export reserved regions in /proc/iomem
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 193/291] ptp: ocp: fix start time alignment in ptp_ocp_signal_set Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 195/291] riscv: KGDB: Do not inline arch_kgdb_breakpoint() Greg Kroah-Hartman
` (105 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Björn Töpel,
Alexandre Ghiti, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Björn Töpel <bjorn@rivosinc.com>
[ Upstream commit e94eb7ea6f206e229791761a5fdf9389f8dbd183 ]
The /proc/iomem represents the kernel's memory map. Regions marked
with "Reserved" tells the user that the range should not be tampered
with. Kexec-tools, when using the older kexec_load syscall relies on
the "Reserved" regions to build the memory segments, that will be the
target of the new kexec'd kernel.
The RISC-V port tries to expose all reserved regions to userland, but
some regions were not properly exposed: Regions that resided in both
the "regular" and reserved memory block, e.g. the EFI Memory Map. A
missing entry could result in reserved memory being overwritten.
It turns out, that arm64, and loongarch had a similar issue a while
back:
commit d91680e687f4 ("arm64: Fix /proc/iomem for reserved but not memory regions")
commit 50d7ba36b916 ("arm64: export memblock_reserve()d regions via /proc/iomem")
Similar to the other ports, resolve the issue by splitting the regions
in an arch initcall, since we need a working allocator.
Fixes: ffe0e5261268 ("RISC-V: Improve init_resources()")
Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20250409182129.634415-1-bjorn@kernel.org
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/setup.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
index 2acf51c235673..f4c3252abce41 100644
--- a/arch/riscv/kernel/setup.c
+++ b/arch/riscv/kernel/setup.c
@@ -76,6 +76,9 @@ static struct resource bss_res = { .name = "Kernel bss", };
static struct resource elfcorehdr_res = { .name = "ELF Core hdr", };
#endif
+static int num_standard_resources;
+static struct resource *standard_resources;
+
static int __init add_resource(struct resource *parent,
struct resource *res)
{
@@ -149,7 +152,7 @@ static void __init init_resources(void)
struct resource *res = NULL;
struct resource *mem_res = NULL;
size_t mem_res_sz = 0;
- int num_resources = 0, res_idx = 0;
+ int num_resources = 0, res_idx = 0, non_resv_res = 0;
int ret = 0;
/* + 1 as memblock_alloc() might increase memblock.reserved.cnt */
@@ -213,6 +216,7 @@ static void __init init_resources(void)
/* Add /memory regions to the resource tree */
for_each_mem_region(region) {
res = &mem_res[res_idx--];
+ non_resv_res++;
if (unlikely(memblock_is_nomap(region))) {
res->name = "Reserved";
@@ -230,6 +234,9 @@ static void __init init_resources(void)
goto error;
}
+ num_standard_resources = non_resv_res;
+ standard_resources = &mem_res[res_idx + 1];
+
/* Clean-up any unused pre-allocated resources */
if (res_idx >= 0)
memblock_free(mem_res, (res_idx + 1) * sizeof(*mem_res));
@@ -241,6 +248,33 @@ static void __init init_resources(void)
memblock_free(mem_res, mem_res_sz);
}
+static int __init reserve_memblock_reserved_regions(void)
+{
+ u64 i, j;
+
+ for (i = 0; i < num_standard_resources; i++) {
+ struct resource *mem = &standard_resources[i];
+ phys_addr_t r_start, r_end, mem_size = resource_size(mem);
+
+ if (!memblock_is_region_reserved(mem->start, mem_size))
+ continue;
+
+ for_each_reserved_mem_range(j, &r_start, &r_end) {
+ resource_size_t start, end;
+
+ start = max(PFN_PHYS(PFN_DOWN(r_start)), mem->start);
+ end = min(PFN_PHYS(PFN_UP(r_end)) - 1, mem->end);
+
+ if (start > mem->end || end < mem->start)
+ continue;
+
+ reserve_region_with_split(mem, start, end, "Reserved");
+ }
+ }
+
+ return 0;
+}
+arch_initcall(reserve_memblock_reserved_regions);
static void __init parse_dtb(void)
{
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 195/291] riscv: KGDB: Do not inline arch_kgdb_breakpoint()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 194/291] riscv: Properly export reserved regions in /proc/iomem Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 196/291] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break Greg Kroah-Hartman
` (104 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huacai Chen, WangYuli,
Palmer Dabbelt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit 3af4bec9c1db3f003be4d5ae09b6a737e4be1612 ]
The arch_kgdb_breakpoint() function defines the kgdb_compiled_break
symbol using inline assembly.
There's a potential issue where the compiler might inline
arch_kgdb_breakpoint(), which would then define the kgdb_compiled_break
symbol multiple times, leading to fail to link vmlinux.o.
This isn't merely a potential compilation problem. The intent here
is to determine the global symbol address of kgdb_compiled_break,
and if this function is inlined multiple times, it would logically
be a grave error.
Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
Link: https://lore.kernel.org/all/5b0adf9b-2b22-43fe-ab74-68df94115b9a@ghiti.fr/
Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
Fixes: fe89bd2be866 ("riscv: Add KGDB support")
Co-developed-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Link: https://lore.kernel.org/r/F22359AFB6FF9FD8+20250411073222.56820-1-wangyuli@uniontech.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/kgdb.h | 9 +--------
arch/riscv/kernel/kgdb.c | 8 ++++++++
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/riscv/include/asm/kgdb.h b/arch/riscv/include/asm/kgdb.h
index 46677daf708bd..cc11c4544cffd 100644
--- a/arch/riscv/include/asm/kgdb.h
+++ b/arch/riscv/include/asm/kgdb.h
@@ -19,16 +19,9 @@
#ifndef __ASSEMBLY__
+void arch_kgdb_breakpoint(void);
extern unsigned long kgdb_compiled_break;
-static inline void arch_kgdb_breakpoint(void)
-{
- asm(".global kgdb_compiled_break\n"
- ".option norvc\n"
- "kgdb_compiled_break: ebreak\n"
- ".option rvc\n");
-}
-
#endif /* !__ASSEMBLY__ */
#define DBG_REG_ZERO "zero"
diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
index 963ed7edcff26..b0db3350d243b 100644
--- a/arch/riscv/kernel/kgdb.c
+++ b/arch/riscv/kernel/kgdb.c
@@ -273,6 +273,14 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
regs->epc = pc;
}
+noinline void arch_kgdb_breakpoint(void)
+{
+ asm(".global kgdb_compiled_break\n"
+ ".option norvc\n"
+ "kgdb_compiled_break: ebreak\n"
+ ".option rvc\n");
+}
+
void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
char *remcom_out_buffer)
{
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 196/291] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 195/291] riscv: KGDB: Do not inline arch_kgdb_breakpoint() Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 197/291] cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS Greg Kroah-Hartman
` (103 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Holland, Palmer Dabbelt,
Alexandre Ghiti, WangYuli, Palmer Dabbelt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit 550c2aa787d1b06efcb11de1877354502a1237f2 ]
[ Quoting Samuel Holland: ]
This is a separate issue, but using ".option rvc" here is a bug.
It will unconditionally enable the C extension for the rest of
the file, even if the kernel is being built with CONFIG_RISCV_ISA_C=n.
[ Quoting Palmer Dabbelt: ]
We're just looking at the address of kgdb_compiled_break, so it's
fine if it ends up as a c.ebreak.
[ Quoting Alexandre Ghiti: ]
.option norvc is used to prevent the assembler from using compressed
instructions, but it's generally used when we need to ensure the
size of the instructions that are used, which is not the case here
as noted by Palmer since we only care about the address. So yes
it will work fine with C enabled :)
So let's just remove them all.
Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
Link: https://lore.kernel.org/all/mhng-69513841-5068-441d-be8f-2aeebdc56a08@palmer-ri-x1c9a/
Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
Fixes: fe89bd2be866 ("riscv: Add KGDB support")
Cc: Samuel Holland <samuel.holland@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Link: https://lore.kernel.org/r/8B431C6A4626225C+20250411073222.56820-2-wangyuli@uniontech.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/kgdb.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
index b0db3350d243b..1d83b36967212 100644
--- a/arch/riscv/kernel/kgdb.c
+++ b/arch/riscv/kernel/kgdb.c
@@ -276,9 +276,7 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
noinline void arch_kgdb_breakpoint(void)
{
asm(".global kgdb_compiled_break\n"
- ".option norvc\n"
- "kgdb_compiled_break: ebreak\n"
- ".option rvc\n");
+ "kgdb_compiled_break: ebreak\n");
}
void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 197/291] cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 196/291] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 198/291] writeback: fix false warning in inode_to_wb() Greg Kroah-Hartman
` (102 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Rafael J. Wysocki,
Christian Loehle, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit cfde542df7dd51d26cf667f4af497878ddffd85a ]
Commit 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused
by need_freq_update") modified sugov_should_update_freq() to set the
need_freq_update flag only for drivers with CPUFREQ_NEED_UPDATE_LIMITS
set, but that flag generally needs to be set when the policy limits
change because the driver callback may need to be invoked for the new
limits to take effect.
However, if the return value of cpufreq_driver_resolve_freq() after
applying the new limits is still equal to the previously selected
frequency, the driver callback needs to be invoked only in the case
when CPUFREQ_NEED_UPDATE_LIMITS is set (which means that the driver
specifically wants its callback to be invoked every time the policy
limits change).
Update the code accordingly to avoid missing policy limits changes for
drivers without CPUFREQ_NEED_UPDATE_LIMITS.
Fixes: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update")
Closes: https://lore.kernel.org/lkml/Z_Tlc6Qs-tYpxWYb@linaro.org/
Reported-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/3010358.e9J7NaK4W3@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpufreq_schedutil.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
index 542c0e82a9005..4dcb489733181 100644
--- a/kernel/sched/cpufreq_schedutil.c
+++ b/kernel/sched/cpufreq_schedutil.c
@@ -84,7 +84,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
if (unlikely(sg_policy->limits_changed)) {
sg_policy->limits_changed = false;
- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
+ sg_policy->need_freq_update = true;
return true;
}
@@ -96,10 +96,22 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
unsigned int next_freq)
{
- if (sg_policy->need_freq_update)
+ if (sg_policy->need_freq_update) {
sg_policy->need_freq_update = false;
- else if (sg_policy->next_freq == next_freq)
+ /*
+ * The policy limits have changed, but if the return value of
+ * cpufreq_driver_resolve_freq() after applying the new limits
+ * is still equal to the previously selected frequency, the
+ * driver callback need not be invoked unless the driver
+ * specifically wants that to happen on every update of the
+ * policy limits.
+ */
+ if (sg_policy->next_freq == next_freq &&
+ !cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS))
+ return false;
+ } else if (sg_policy->next_freq == next_freq) {
return false;
+ }
sg_policy->next_freq = next_freq;
sg_policy->last_freq_update_time = time;
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 198/291] writeback: fix false warning in inode_to_wb()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 197/291] cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 199/291] Revert "PCI: Avoid reset when disabled via sysfs" Greg Kroah-Hartman
` (101 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Andreas Gruenbacher,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
commit 9e888998ea4d22257b07ce911576509486fa0667 upstream.
inode_to_wb() is used also for filesystems that don't support cgroup
writeback. For these filesystems inode->i_wb is stable during the
lifetime of the inode (it points to bdi->wb) and there's no need to hold
locks protecting the inode->i_wb dereference. Improve the warning in
inode_to_wb() to not trigger for these filesystems.
Link: https://lkml.kernel.org/r/20250412163914.3773459-3-agruenba@redhat.com
Fixes: aaa2cacf8184 ("writeback: add lockdep annotation to inode_to_wb()")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/backing-dev.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/backing-dev.h
+++ b/include/linux/backing-dev.h
@@ -241,6 +241,7 @@ static inline struct bdi_writeback *inod
{
#ifdef CONFIG_LOCKDEP
WARN_ON_ONCE(debug_locks &&
+ (inode->i_sb->s_iflags & SB_I_CGROUPWB) &&
(!lockdep_is_held(&inode->i_lock) &&
!lockdep_is_held(&inode->i_mapping->i_pages.xa_lock) &&
!lockdep_is_held(&inode->i_wb->list_lock)));
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 199/291] Revert "PCI: Avoid reset when disabled via sysfs"
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 198/291] writeback: fix false warning in inode_to_wb() Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 200/291] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Greg Kroah-Hartman
` (100 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cal Peake, Athul Krishna,
Alex Williamson, Bjorn Helgaas, Kevin Tian
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
commit bc0b828ef6e561081ebc4c758d0c4d166bb9829c upstream.
This reverts commit 479380efe1625e251008d24b2810283db60d6fcd.
The reset_method attribute on a PCI device is only intended to manage the
availability of function scoped resets for a device. It was never intended
to restrict resets targeting the bus or slot.
In introducing a restriction that each device must support function level
reset by testing pci_reset_supported(), we essentially create a catch-22,
that a device must have a function scope reset in order to support bus/slot
reset, when we use bus/slot reset to effect a reset of a device that does
not support a function scoped reset, especially multi-function devices.
This breaks the majority of uses cases where vfio-pci uses bus/slot resets
to manage multifunction devices that do not support function scoped resets.
Fixes: 479380efe162 ("PCI: Avoid reset when disabled via sysfs")
Reported-by: Cal Peake <cp@absolutedigital.net>
Closes: https://lore.kernel.org/all/808e1111-27b7-f35b-6d5c-5b275e73677b@absolutedigital.net
Reported-by: Athul Krishna <athul.krishna.kr@protonmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220010
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250414211828.3530741-1-alex.williamson@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -5578,8 +5578,6 @@ static bool pci_bus_resetable(struct pci
return false;
list_for_each_entry(dev, &bus->devices, bus_list) {
- if (!pci_reset_supported(dev))
- return false;
if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
(dev->subordinate && !pci_bus_resetable(dev->subordinate)))
return false;
@@ -5656,8 +5654,6 @@ static bool pci_slot_resetable(struct pc
list_for_each_entry(dev, &slot->bus->devices, bus_list) {
if (!dev->slot || dev->slot != slot)
continue;
- if (!pci_reset_supported(dev))
- return false;
if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
(dev->subordinate && !pci_bus_resetable(dev->subordinate)))
return false;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 200/291] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 199/291] Revert "PCI: Avoid reset when disabled via sysfs" Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 201/291] ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Greg Kroah-Hartman
` (99 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla,
Dmitry Baryshkov, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit d7bff1415e85b889dc8908be6aedba8807ae5e37 upstream.
Currently the VI feedback rate is set to fixed 8K, fix this by getting
the correct rate from params_rate.
Without this patch incorrect rate will be set on the VI feedback
recording resulting in rate miss match and audio artifacts.
Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://patch.msgid.link/20250403160209.21613-2-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/lpass-wsa-macro.c | 39 ++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
--- a/sound/soc/codecs/lpass-wsa-macro.c
+++ b/sound/soc/codecs/lpass-wsa-macro.c
@@ -63,6 +63,10 @@
#define CDC_WSA_TX_SPKR_PROT_CLK_DISABLE 0
#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK GENMASK(3, 0)
#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K 0
+#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K 1
+#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K 2
+#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K 3
+#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K 4
#define CDC_WSA_TX0_SPKR_PROT_PATH_CFG0 (0x0248)
#define CDC_WSA_TX1_SPKR_PROT_PATH_CTL (0x0264)
#define CDC_WSA_TX1_SPKR_PROT_PATH_CFG0 (0x0268)
@@ -344,6 +348,7 @@ struct wsa_macro {
int ear_spkr_gain;
int spkr_gain_offset;
int spkr_mode;
+ u32 pcm_rate_vi;
int is_softclip_on[WSA_MACRO_SOFTCLIP_MAX];
int softclip_clk_users[WSA_MACRO_SOFTCLIP_MAX];
struct regmap *regmap;
@@ -971,6 +976,7 @@ static int wsa_macro_hw_params(struct sn
struct snd_soc_dai *dai)
{
struct snd_soc_component *component = dai->component;
+ struct wsa_macro *wsa = snd_soc_component_get_drvdata(component);
int ret;
switch (substream->stream) {
@@ -983,6 +989,11 @@ static int wsa_macro_hw_params(struct sn
return ret;
}
break;
+ case SNDRV_PCM_STREAM_CAPTURE:
+ if (dai->id == WSA_MACRO_AIF_VI)
+ wsa->pcm_rate_vi = params_rate(params);
+
+ break;
default:
break;
}
@@ -1156,6 +1167,28 @@ static int wsa_macro_enable_vi_feedback(
struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
struct wsa_macro *wsa = snd_soc_component_get_drvdata(component);
u32 tx_reg0, tx_reg1;
+ u32 rate_val;
+
+ switch (wsa->pcm_rate_vi) {
+ case 8000:
+ rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K;
+ break;
+ case 16000:
+ rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K;
+ break;
+ case 24000:
+ rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K;
+ break;
+ case 32000:
+ rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K;
+ break;
+ case 48000:
+ rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K;
+ break;
+ default:
+ rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K;
+ break;
+ }
if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) {
tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL;
@@ -1167,7 +1200,7 @@ static int wsa_macro_enable_vi_feedback(
switch (event) {
case SND_SOC_DAPM_POST_PMU:
- /* Enable V&I sensing */
+ /* Enable V&I sensing */
snd_soc_component_update_bits(component, tx_reg0,
CDC_WSA_TX_SPKR_PROT_RESET_MASK,
CDC_WSA_TX_SPKR_PROT_RESET);
@@ -1176,10 +1209,10 @@ static int wsa_macro_enable_vi_feedback(
CDC_WSA_TX_SPKR_PROT_RESET);
snd_soc_component_update_bits(component, tx_reg0,
CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK,
- CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K);
+ rate_val);
snd_soc_component_update_bits(component, tx_reg1,
CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK,
- CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K);
+ rate_val);
snd_soc_component_update_bits(component, tx_reg0,
CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
CDC_WSA_TX_SPKR_PROT_CLK_ENABLE);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 201/291] ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 200/291] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 202/291] asus-laptop: Fix an uninitialized variable Greg Kroah-Hartman
` (98 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikantan R, Srinivas Kandagatla,
Dmitry Baryshkov, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 7648beb65600220996ebb2da207610b1ff9b735e upstream.
Existing code only configures one of WSA_MACRO_TX0 or WSA_MACRO_TX1
paths eventhough we enable both of them. Fix this bug by adding proper
checks and rearranging some of the common code to able to allow setting
both TX0 and TX1 paths
Without this patch only one channel gets enabled in VI path instead of 2
channels. End result would be 1 channel recording instead of 2.
Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route")
Cc: stable@vger.kernel.org
Co-developed-by: Manikantan R <quic_manrav@quicinc.com>
Signed-off-by: Manikantan R <quic_manrav@quicinc.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://patch.msgid.link/20250403160209.21613-3-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/lpass-wsa-macro.c | 108 +++++++++++++++++++++----------------
1 file changed, 63 insertions(+), 45 deletions(-)
--- a/sound/soc/codecs/lpass-wsa-macro.c
+++ b/sound/soc/codecs/lpass-wsa-macro.c
@@ -1150,6 +1150,67 @@ static void wsa_macro_mclk_enable(struct
}
}
+static void wsa_macro_enable_disable_vi_sense(struct snd_soc_component *component, bool enable,
+ u32 tx_reg0, u32 tx_reg1, u32 val)
+{
+ if (enable) {
+ /* Enable V&I sensing */
+ snd_soc_component_update_bits(component, tx_reg0,
+ CDC_WSA_TX_SPKR_PROT_RESET_MASK,
+ CDC_WSA_TX_SPKR_PROT_RESET);
+ snd_soc_component_update_bits(component, tx_reg1,
+ CDC_WSA_TX_SPKR_PROT_RESET_MASK,
+ CDC_WSA_TX_SPKR_PROT_RESET);
+ snd_soc_component_update_bits(component, tx_reg0,
+ CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK,
+ val);
+ snd_soc_component_update_bits(component, tx_reg1,
+ CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK,
+ val);
+ snd_soc_component_update_bits(component, tx_reg0,
+ CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
+ CDC_WSA_TX_SPKR_PROT_CLK_ENABLE);
+ snd_soc_component_update_bits(component, tx_reg1,
+ CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
+ CDC_WSA_TX_SPKR_PROT_CLK_ENABLE);
+ snd_soc_component_update_bits(component, tx_reg0,
+ CDC_WSA_TX_SPKR_PROT_RESET_MASK,
+ CDC_WSA_TX_SPKR_PROT_NO_RESET);
+ snd_soc_component_update_bits(component, tx_reg1,
+ CDC_WSA_TX_SPKR_PROT_RESET_MASK,
+ CDC_WSA_TX_SPKR_PROT_NO_RESET);
+ } else {
+ snd_soc_component_update_bits(component, tx_reg0,
+ CDC_WSA_TX_SPKR_PROT_RESET_MASK,
+ CDC_WSA_TX_SPKR_PROT_RESET);
+ snd_soc_component_update_bits(component, tx_reg1,
+ CDC_WSA_TX_SPKR_PROT_RESET_MASK,
+ CDC_WSA_TX_SPKR_PROT_RESET);
+ snd_soc_component_update_bits(component, tx_reg0,
+ CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
+ CDC_WSA_TX_SPKR_PROT_CLK_DISABLE);
+ snd_soc_component_update_bits(component, tx_reg1,
+ CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
+ CDC_WSA_TX_SPKR_PROT_CLK_DISABLE);
+ }
+}
+
+static void wsa_macro_enable_disable_vi_feedback(struct snd_soc_component *component,
+ bool enable, u32 rate)
+{
+ struct wsa_macro *wsa = snd_soc_component_get_drvdata(component);
+
+ if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI]))
+ wsa_macro_enable_disable_vi_sense(component, enable,
+ CDC_WSA_TX0_SPKR_PROT_PATH_CTL,
+ CDC_WSA_TX1_SPKR_PROT_PATH_CTL, rate);
+
+ if (test_bit(WSA_MACRO_TX1, &wsa->active_ch_mask[WSA_MACRO_AIF_VI]))
+ wsa_macro_enable_disable_vi_sense(component, enable,
+ CDC_WSA_TX2_SPKR_PROT_PATH_CTL,
+ CDC_WSA_TX3_SPKR_PROT_PATH_CTL, rate);
+}
+
static int wsa_macro_mclk_event(struct snd_soc_dapm_widget *w,
struct snd_kcontrol *kcontrol, int event)
{
@@ -1166,7 +1227,6 @@ static int wsa_macro_enable_vi_feedback(
{
struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
struct wsa_macro *wsa = snd_soc_component_get_drvdata(component);
- u32 tx_reg0, tx_reg1;
u32 rate_val;
switch (wsa->pcm_rate_vi) {
@@ -1190,56 +1250,14 @@ static int wsa_macro_enable_vi_feedback(
break;
}
- if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) {
- tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL;
- tx_reg1 = CDC_WSA_TX1_SPKR_PROT_PATH_CTL;
- } else if (test_bit(WSA_MACRO_TX1, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) {
- tx_reg0 = CDC_WSA_TX2_SPKR_PROT_PATH_CTL;
- tx_reg1 = CDC_WSA_TX3_SPKR_PROT_PATH_CTL;
- }
-
switch (event) {
case SND_SOC_DAPM_POST_PMU:
/* Enable V&I sensing */
- snd_soc_component_update_bits(component, tx_reg0,
- CDC_WSA_TX_SPKR_PROT_RESET_MASK,
- CDC_WSA_TX_SPKR_PROT_RESET);
- snd_soc_component_update_bits(component, tx_reg1,
- CDC_WSA_TX_SPKR_PROT_RESET_MASK,
- CDC_WSA_TX_SPKR_PROT_RESET);
- snd_soc_component_update_bits(component, tx_reg0,
- CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK,
- rate_val);
- snd_soc_component_update_bits(component, tx_reg1,
- CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK,
- rate_val);
- snd_soc_component_update_bits(component, tx_reg0,
- CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
- CDC_WSA_TX_SPKR_PROT_CLK_ENABLE);
- snd_soc_component_update_bits(component, tx_reg1,
- CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
- CDC_WSA_TX_SPKR_PROT_CLK_ENABLE);
- snd_soc_component_update_bits(component, tx_reg0,
- CDC_WSA_TX_SPKR_PROT_RESET_MASK,
- CDC_WSA_TX_SPKR_PROT_NO_RESET);
- snd_soc_component_update_bits(component, tx_reg1,
- CDC_WSA_TX_SPKR_PROT_RESET_MASK,
- CDC_WSA_TX_SPKR_PROT_NO_RESET);
+ wsa_macro_enable_disable_vi_feedback(component, true, rate_val);
break;
case SND_SOC_DAPM_POST_PMD:
/* Disable V&I sensing */
- snd_soc_component_update_bits(component, tx_reg0,
- CDC_WSA_TX_SPKR_PROT_RESET_MASK,
- CDC_WSA_TX_SPKR_PROT_RESET);
- snd_soc_component_update_bits(component, tx_reg1,
- CDC_WSA_TX_SPKR_PROT_RESET_MASK,
- CDC_WSA_TX_SPKR_PROT_RESET);
- snd_soc_component_update_bits(component, tx_reg0,
- CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
- CDC_WSA_TX_SPKR_PROT_CLK_DISABLE);
- snd_soc_component_update_bits(component, tx_reg1,
- CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK,
- CDC_WSA_TX_SPKR_PROT_CLK_DISABLE);
+ wsa_macro_enable_disable_vi_feedback(component, false, rate_val);
break;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 202/291] asus-laptop: Fix an uninitialized variable
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 201/291] ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 203/291] nfs: move nfs_fhandle_hash to common include file Greg Kroah-Hartman
` (97 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Ilpo Järvinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 6c683c6887e4addcd6bd1ddce08cafccb0a21e32 upstream.
The value returned by acpi_evaluate_integer() is not checked,
but the result is not always successful, so it is necessary to
add a check of the returned value.
If the result remains negative during three iterations of the loop,
then the uninitialized variable 'val' will be used in the clamp_val()
macro, so it must be initialized with the current value of the 'curr'
variable.
In this case, the algorithm should be less noisy.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: b23910c2194e ("asus-laptop: Pegatron Lucid accelerometer")
Cc: stable@vger.kernel.org
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Link: https://lore.kernel.org/r/20250403122603.18172-1-arefev@swemel.ru
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/asus-laptop.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/platform/x86/asus-laptop.c
+++ b/drivers/platform/x86/asus-laptop.c
@@ -427,11 +427,14 @@ static int asus_pega_lucid_set(struct as
static int pega_acc_axis(struct asus_laptop *asus, int curr, char *method)
{
+ unsigned long long val = (unsigned long long)curr;
+ acpi_status status;
int i, delta;
- unsigned long long val;
- for (i = 0; i < PEGA_ACC_RETRIES; i++) {
- acpi_evaluate_integer(asus->handle, method, NULL, &val);
+ for (i = 0; i < PEGA_ACC_RETRIES; i++) {
+ status = acpi_evaluate_integer(asus->handle, method, NULL, &val);
+ if (ACPI_FAILURE(status))
+ continue;
/* The output is noisy. From reading the ASL
* dissassembly, timeout errors are returned with 1's
* in the high word, and the lack of locking around
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 203/291] nfs: move nfs_fhandle_hash to common include file
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 202/291] asus-laptop: Fix an uninitialized variable Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 204/291] nfs: add missing selections of CONFIG_CRC32 Greg Kroah-Hartman
` (96 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit e59fb6749ed833deee5b3cfd7e89925296d41f49 ]
lockd needs to be able to hash filehandles for tracepoints. Move the
nfs_fhandle_hash() helper to a common nfs include file.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: cd35b6cb4664 ("nfs: add missing selections of CONFIG_CRC32")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/internal.h | 15 ---------------
include/linux/nfs.h | 20 ++++++++++++++++++++
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 7fa23a6368e0b..d511d66bd8a3a 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -827,27 +827,12 @@ u64 nfs_timespec_to_change_attr(const struct timespec64 *ts)
}
#ifdef CONFIG_CRC32
-/**
- * nfs_fhandle_hash - calculate the crc32 hash for the filehandle
- * @fh - pointer to filehandle
- *
- * returns a crc32 hash for the filehandle that is compatible with
- * the one displayed by "wireshark".
- */
-static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
-{
- return ~crc32_le(0xFFFFFFFF, &fh->data[0], fh->size);
-}
static inline u32 nfs_stateid_hash(const nfs4_stateid *stateid)
{
return ~crc32_le(0xFFFFFFFF, &stateid->other[0],
NFS4_STATEID_OTHER_SIZE);
}
#else
-static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
-{
- return 0;
-}
static inline u32 nfs_stateid_hash(nfs4_stateid *stateid)
{
return 0;
diff --git a/include/linux/nfs.h b/include/linux/nfs.h
index b06375e88e589..ceb70a926b95e 100644
--- a/include/linux/nfs.h
+++ b/include/linux/nfs.h
@@ -10,6 +10,7 @@
#include <linux/sunrpc/msg_prot.h>
#include <linux/string.h>
+#include <linux/crc32.h>
#include <uapi/linux/nfs.h>
/*
@@ -44,4 +45,23 @@ enum nfs3_stable_how {
/* used by direct.c to mark verf as invalid */
NFS_INVALID_STABLE_HOW = -1
};
+
+#ifdef CONFIG_CRC32
+/**
+ * nfs_fhandle_hash - calculate the crc32 hash for the filehandle
+ * @fh - pointer to filehandle
+ *
+ * returns a crc32 hash for the filehandle that is compatible with
+ * the one displayed by "wireshark".
+ */
+static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
+{
+ return ~crc32_le(0xFFFFFFFF, &fh->data[0], fh->size);
+}
+#else /* CONFIG_CRC32 */
+static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
+{
+ return 0;
+}
+#endif /* CONFIG_CRC32 */
#endif /* _LINUX_NFS_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 204/291] nfs: add missing selections of CONFIG_CRC32
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 203/291] nfs: move nfs_fhandle_hash to common include file Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 205/291] nfsd: decrease sc_count directly if fail to queue dl_recall Greg Kroah-Hartman
` (95 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Anna Schumaker,
Chuck Lever, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit cd35b6cb46649750b7dbd0df0e2d767415d8917b ]
nfs.ko, nfsd.ko, and lockd.ko all use crc32_le(), which is available
only when CONFIG_CRC32 is enabled. But the only NFS kconfig option that
selected CONFIG_CRC32 was CONFIG_NFS_DEBUG, which is client-specific and
did not actually guard the use of crc32_le() even on the client.
The code worked around this bug by only actually calling crc32_le() when
CONFIG_CRC32 is built-in, instead hard-coding '0' in other cases. This
avoided randconfig build errors, and in real kernels the fallback code
was unlikely to be reached since CONFIG_CRC32 is 'default y'. But, this
really needs to just be done properly, especially now that I'm planning
to update CONFIG_CRC32 to not be 'default y'.
Therefore, make CONFIG_NFS_FS, CONFIG_NFSD, and CONFIG_LOCKD select
CONFIG_CRC32. Then remove the fallback code that becomes unnecessary,
as well as the selection of CONFIG_CRC32 from CONFIG_NFS_DEBUG.
Fixes: 1264a2f053a3 ("NFS: refactor code for calculating the crc32 hash of a filehandle")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/Kconfig | 1 +
fs/nfs/Kconfig | 2 +-
fs/nfs/internal.h | 7 -------
fs/nfs/nfs4session.h | 4 ----
fs/nfsd/Kconfig | 1 +
fs/nfsd/nfsfh.h | 7 -------
include/linux/nfs.h | 7 -------
7 files changed, 3 insertions(+), 26 deletions(-)
diff --git a/fs/Kconfig b/fs/Kconfig
index 703a1cea0fc09..7104e3eb38eb4 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -347,6 +347,7 @@ config GRACE_PERIOD
config LOCKD
tristate
depends on FILE_LOCKING
+ select CRC32
select GRACE_PERIOD
config LOCKD_V4
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 14a72224b6571..899e25e9b4eb5 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -2,6 +2,7 @@
config NFS_FS
tristate "NFS client support"
depends on INET && FILE_LOCKING && MULTIUSER
+ select CRC32
select LOCKD
select SUNRPC
select NFS_ACL_SUPPORT if NFS_V3_ACL
@@ -194,7 +195,6 @@ config NFS_USE_KERNEL_DNS
config NFS_DEBUG
bool
depends on NFS_FS && SUNRPC_DEBUG
- select CRC32
default y
config NFS_DISABLE_UDP_SUPPORT
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index d511d66bd8a3a..ece517ebcca0b 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -826,18 +826,11 @@ u64 nfs_timespec_to_change_attr(const struct timespec64 *ts)
return ((u64)ts->tv_sec << 30) + ts->tv_nsec;
}
-#ifdef CONFIG_CRC32
static inline u32 nfs_stateid_hash(const nfs4_stateid *stateid)
{
return ~crc32_le(0xFFFFFFFF, &stateid->other[0],
NFS4_STATEID_OTHER_SIZE);
}
-#else
-static inline u32 nfs_stateid_hash(nfs4_stateid *stateid)
-{
- return 0;
-}
-#endif
static inline bool nfs_error_is_fatal(int err)
{
diff --git a/fs/nfs/nfs4session.h b/fs/nfs/nfs4session.h
index 351616c61df54..f9c291e2165cd 100644
--- a/fs/nfs/nfs4session.h
+++ b/fs/nfs/nfs4session.h
@@ -148,16 +148,12 @@ static inline void nfs4_copy_sessionid(struct nfs4_sessionid *dst,
memcpy(dst->data, src->data, NFS4_MAX_SESSIONID_LEN);
}
-#ifdef CONFIG_CRC32
/*
* nfs_session_id_hash - calculate the crc32 hash for the session id
* @session - pointer to session
*/
#define nfs_session_id_hash(sess_id) \
(~crc32_le(0xFFFFFFFF, &(sess_id)->data[0], sizeof((sess_id)->data)))
-#else
-#define nfs_session_id_hash(session) (0)
-#endif
#else /* defined(CONFIG_NFS_V4_1) */
static inline int nfs4_init_session(struct nfs_client *clp)
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 7c441f2bd4440..4f704f868d9c9 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -4,6 +4,7 @@ config NFSD
depends on INET
depends on FILE_LOCKING
depends on FSNOTIFY
+ select CRC32
select LOCKD
select SUNRPC
select EXPORTFS
diff --git a/fs/nfsd/nfsfh.h b/fs/nfsd/nfsfh.h
index 513e028b0bbee..40aee06ebd952 100644
--- a/fs/nfsd/nfsfh.h
+++ b/fs/nfsd/nfsfh.h
@@ -263,7 +263,6 @@ static inline bool fh_fsid_match(const struct knfsd_fh *fh1,
return true;
}
-#ifdef CONFIG_CRC32
/**
* knfsd_fh_hash - calculate the crc32 hash for the filehandle
* @fh - pointer to filehandle
@@ -275,12 +274,6 @@ static inline u32 knfsd_fh_hash(const struct knfsd_fh *fh)
{
return ~crc32_le(0xFFFFFFFF, fh->fh_raw, fh->fh_size);
}
-#else
-static inline u32 knfsd_fh_hash(const struct knfsd_fh *fh)
-{
- return 0;
-}
-#endif
/**
* fh_clear_pre_post_attrs - Reset pre/post attributes
diff --git a/include/linux/nfs.h b/include/linux/nfs.h
index ceb70a926b95e..095a95c1fae82 100644
--- a/include/linux/nfs.h
+++ b/include/linux/nfs.h
@@ -46,7 +46,6 @@ enum nfs3_stable_how {
NFS_INVALID_STABLE_HOW = -1
};
-#ifdef CONFIG_CRC32
/**
* nfs_fhandle_hash - calculate the crc32 hash for the filehandle
* @fh - pointer to filehandle
@@ -58,10 +57,4 @@ static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
{
return ~crc32_le(0xFFFFFFFF, &fh->data[0], fh->size);
}
-#else /* CONFIG_CRC32 */
-static inline u32 nfs_fhandle_hash(const struct nfs_fh *fh)
-{
- return 0;
-}
-#endif /* CONFIG_CRC32 */
#endif /* _LINUX_NFS_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 205/291] nfsd: decrease sc_count directly if fail to queue dl_recall
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 204/291] nfs: add missing selections of CONFIG_CRC32 Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 206/291] btrfs: correctly escape subvol in btrfs_show_options() Greg Kroah-Hartman
` (94 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Jeff Layton,
Chuck Lever, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit a1d14d931bf700c1025db8c46d6731aa5cf440f9 ]
A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation:
T1 T2
nfs4_laundromat
nfs4_get_client_reaplist
nfs4_anylock_blockers
__break_lease
spin_lock // ctx->flc_lock
spin_lock // clp->cl_lock
nfs4_lockowner_has_blockers
locks_owner_has_blockers
spin_lock // flctx->flc_lock
nfsd_break_deleg_cb
nfsd_break_one_deleg
nfs4_put_stid
refcount_dec_and_lock
spin_lock // clp->cl_lock
When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease.
The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation.
Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting to acquire flc_lock
in generic_delete_lease. This means:
1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
acquire cl_lock;
3) Consequently, no deadlock condition is created.
Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
safely perform refcount_dec on sc_count directly. This approach
effectively avoids triggering deadlock warnings.
Fixes: 230ca758453c ("nfsd: put dl_stid if fail to queue dl_recall")
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 628d20574a919..bdee95d714d0e 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -4941,7 +4941,7 @@ static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
queued = nfsd4_run_cb(&dp->dl_recall);
WARN_ON_ONCE(!queued);
if (!queued)
- nfs4_put_stid(&dp->dl_stid);
+ refcount_dec(&dp->dl_stid.sc_count);
}
/* Called from break_lease() with flc_lock held. */
--
2.39.5
^ permalink raw reply related [flat|nested] 304+ messages in thread
* [PATCH 6.1 206/291] btrfs: correctly escape subvol in btrfs_show_options()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 205/291] nfsd: decrease sc_count directly if fail to queue dl_recall Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 207/291] cpufreq: Avoid using inconsistent policy->min and policy->max Greg Kroah-Hartman
` (93 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Calvin Walton, Johannes Kimmel,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Kimmel <kernel@bareminimum.eu>
commit dc08c58696f8555e4a802f1f23c894a330d80ab7 upstream.
Currently, displaying the btrfs subvol mount option doesn't escape ','.
This makes parsing /proc/self/mounts and /proc/self/mountinfo
ambiguous for subvolume names that contain commas. The text after the
comma could be mistaken for another option (think "subvol=foo,ro", where
ro is actually part of the subvolumes name).
Replace the manual escape characters list with a call to
seq_show_option(). Thanks to Calvin Walton for suggesting this approach.
Fixes: c8d3fe028f64 ("Btrfs: show subvol= and subvolid= in /proc/mounts")
CC: stable@vger.kernel.org # 5.4+
Suggested-by: Calvin Walton <calvin.walton@kepstin.ca>
Signed-off-by: Johannes Kimmel <kernel@bareminimum.eu>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/super.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1640,8 +1640,7 @@ static int btrfs_show_options(struct seq
subvol_name = btrfs_get_subvol_name_from_objectid(info,
BTRFS_I(d_inode(dentry))->root->root_key.objectid);
if (!IS_ERR(subvol_name)) {
- seq_puts(seq, ",subvol=");
- seq_escape(seq, subvol_name, " \t\n\\");
+ seq_show_option(seq, "subvol", subvol_name);
kfree(subvol_name);
}
return 0;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 207/291] cpufreq: Avoid using inconsistent policy->min and policy->max
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 206/291] btrfs: correctly escape subvol in btrfs_show_options() Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 208/291] crypto: caam/qi - Fix drv_ctx refcount bug Greg Kroah-Hartman
` (92 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle,
Viresh Kumar
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 7491cdf46b5cbdf123fc84fbe0a07e9e3d7b7620 upstream.
Since cpufreq_driver_resolve_freq() can run in parallel with
cpufreq_set_policy() and there is no synchronization between them,
the former may access policy->min and policy->max while the latter
is updating them and it may see intermediate values of them due
to the way the update is carried out. Also the compiler is free
to apply any optimizations it wants both to the stores in
cpufreq_set_policy() and to the loads in cpufreq_driver_resolve_freq()
which may result in additional inconsistencies.
To address this, use WRITE_ONCE() when updating policy->min and
policy->max in cpufreq_set_policy() and use READ_ONCE() for reading
them in cpufreq_driver_resolve_freq(). Moreover, rearrange the update
in cpufreq_set_policy() to avoid storing intermediate values in
policy->min and policy->max with the help of the observation that
their new values are expected to be properly ordered upfront.
Also modify cpufreq_driver_resolve_freq() to take the possible reverse
ordering of policy->min and policy->max, which may happen depending on
the ordering of operations when this function and cpufreq_set_policy()
run concurrently, into account by always honoring the max when it
turns out to be less than the min (in case it comes from thermal
throttling or similar).
Fixes: 151717690694 ("cpufreq: Make policy min/max hard requirements")
Cc: 5.16+ <stable@vger.kernel.org> # 5.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/5907080.DvuYhMxLoT@rjwysocki.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq.c | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -532,8 +532,6 @@ static unsigned int __resolve_freq(struc
{
unsigned int idx;
- target_freq = clamp_val(target_freq, policy->min, policy->max);
-
if (!policy->freq_table)
return target_freq;
@@ -557,7 +555,22 @@ static unsigned int __resolve_freq(struc
unsigned int cpufreq_driver_resolve_freq(struct cpufreq_policy *policy,
unsigned int target_freq)
{
- return __resolve_freq(policy, target_freq, CPUFREQ_RELATION_LE);
+ unsigned int min = READ_ONCE(policy->min);
+ unsigned int max = READ_ONCE(policy->max);
+
+ /*
+ * If this function runs in parallel with cpufreq_set_policy(), it may
+ * read policy->min before the update and policy->max after the update
+ * or the other way around, so there is no ordering guarantee.
+ *
+ * Resolve this by always honoring the max (in case it comes from
+ * thermal throttling or similar).
+ */
+ if (unlikely(min > max))
+ min = max;
+
+ return __resolve_freq(policy, clamp_val(target_freq, min, max),
+ CPUFREQ_RELATION_LE);
}
EXPORT_SYMBOL_GPL(cpufreq_driver_resolve_freq);
@@ -2283,6 +2296,7 @@ int __cpufreq_driver_target(struct cpufr
if (cpufreq_disabled())
return -ENODEV;
+ target_freq = clamp_val(target_freq, policy->min, policy->max);
target_freq = __resolve_freq(policy, target_freq, relation);
pr_debug("target for CPU %u: %u kHz, relation %u, requested %u kHz\n",
@@ -2573,11 +2587,15 @@ static int cpufreq_set_policy(struct cpu
* Resolve policy min/max to available frequencies. It ensures
* no frequency resolution will neither overshoot the requested maximum
* nor undershoot the requested minimum.
+ *
+ * Avoid storing intermediate values in policy->max or policy->min and
+ * compiler optimizations around them because they may be accessed
+ * concurrently by cpufreq_driver_resolve_freq() during the update.
*/
- policy->min = new_data.min;
- policy->max = new_data.max;
- policy->min = __resolve_freq(policy, policy->min, CPUFREQ_RELATION_L);
- policy->max = __resolve_freq(policy, policy->max, CPUFREQ_RELATION_H);
+ WRITE_ONCE(policy->max, __resolve_freq(policy, new_data.max, CPUFREQ_RELATION_H));
+ new_data.min = __resolve_freq(policy, new_data.min, CPUFREQ_RELATION_L);
+ WRITE_ONCE(policy->min, new_data.min > policy->max ? policy->max : new_data.min);
+
trace_cpu_frequency_limits(policy);
policy->cached_target_freq = UINT_MAX;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 208/291] crypto: caam/qi - Fix drv_ctx refcount bug
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 207/291] cpufreq: Avoid using inconsistent policy->min and policy->max Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 209/291] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Greg Kroah-Hartman
` (91 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, Herbert Xu,
Horia Geantă
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit b7b39df7e710b0068356e4c696af07aa10e2cd3d upstream.
Ensure refcount is raised before request is enqueued since it could
be dequeued before the call returns.
Reported-by: Sean Anderson <sean.anderson@linux.dev>
Cc: <stable@vger.kernel.org>
Fixes: 11144416a755 ("crypto: caam/qi - optimize frame queue cleanup")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Tested-by: Sean Anderson <sean.anderson@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/qi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/crypto/caam/qi.c
+++ b/drivers/crypto/caam/qi.c
@@ -115,12 +115,12 @@ int caam_qi_enqueue(struct device *qidev
qm_fd_addr_set64(&fd, addr);
do {
+ refcount_inc(&req->drv_ctx->refcnt);
ret = qman_enqueue(req->drv_ctx->req_fq, &fd);
- if (likely(!ret)) {
- refcount_inc(&req->drv_ctx->refcnt);
+ if (likely(!ret))
return 0;
- }
+ refcount_dec(&req->drv_ctx->refcnt);
if (ret != -EBUSY)
break;
num_retries++;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 209/291] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 208/291] crypto: caam/qi - Fix drv_ctx refcount bug Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 210/291] i2c: cros-ec-tunnel: defer probe if parent EC is not present Greg Kroah-Hartman
` (90 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5f3a973ed3dfb85a6683,
Vasiliy Kovalev, Cengiz Can, Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasiliy Kovalev <kovalev@altlinux.org>
commit bb5e07cb927724e0b47be371fa081141cfb14414 upstream.
Syzbot reported an issue in hfs subsystem:
BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
memcpy_from_page include/linux/highmem.h:423 [inline]
hfs_bnode_read fs/hfs/bnode.c:35 [inline]
hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159
hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118
hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdir fs/namei.c:4300 [inline]
__se_sys_mkdir fs/namei.c:4298 [inline]
__x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbdd6057a99
Add a check for key length in hfs_bnode_read_key to prevent
out-of-bounds memory access. If the key length is invalid, the
key buffer is cleared, improving stability and reliability.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
Cc: stable@vger.kernel.org
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfs/bnode.c | 6 ++++++
fs/hfsplus/bnode.c | 6 ++++++
2 files changed, 12 insertions(+)
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode
else
key_len = tree->max_key_len + 1;
+ if (key_len > sizeof(hfs_btree_key) || key_len < 1) {
+ memset(key, 0, sizeof(hfs_btree_key));
+ pr_err("hfs: Invalid key length: %d\n", key_len);
+ return;
+ }
+
hfs_bnode_read(node, key, off, key_len);
}
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode
else
key_len = tree->max_key_len + 2;
+ if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) {
+ memset(key, 0, sizeof(hfsplus_btree_key));
+ pr_err("hfsplus: Invalid key length: %d\n", key_len);
+ return;
+ }
+
hfs_bnode_read(node, key, off, key_len);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 210/291] i2c: cros-ec-tunnel: defer probe if parent EC is not present
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 209/291] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 211/291] isofs: Prevent the use of too small fid Greg Kroah-Hartman
` (89 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Andi Shyti
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 424eafe65647a8d6c690284536e711977153195a upstream.
When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent
device will not be found, leading to NULL pointer dereference.
That can also be reproduced by unbinding the controller driver and then
loading i2c-cros-ec-tunnel module (or binding the device).
[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058
[ 271.998215] #PF: supervisor read access in kernel mode
[ 272.003351] #PF: error_code(0x0000) - not-present page
[ 272.008485] PGD 0 P4D 0
[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI
[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5
[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC
[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021
[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]
[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9
[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282
[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000
[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00
[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000
[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000
[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10
[ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000
[ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0
[ 272.129155] Call Trace:
[ 272.131606] <TASK>
[ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110
[ 272.137985] platform_probe+0x69/0xa0
[ 272.141652] really_probe+0x152/0x310
[ 272.145318] __driver_probe_device+0x77/0x110
[ 272.149678] driver_probe_device+0x1e/0x190
[ 272.153864] __driver_attach+0x10b/0x1e0
[ 272.157790] ? driver_attach+0x20/0x20
[ 272.161542] bus_for_each_dev+0x107/0x150
[ 272.165553] bus_add_driver+0x15d/0x270
[ 272.169392] driver_register+0x65/0x110
[ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]
[ 272.182617] do_one_initcall+0x110/0x350
[ 272.186543] ? security_kernfs_init_security+0x49/0xd0
[ 272.191682] ? __kernfs_new_node+0x1b9/0x240
[ 272.195954] ? security_kernfs_init_security+0x49/0xd0
[ 272.201093] ? __kernfs_new_node+0x1b9/0x240
[ 272.205365] ? kernfs_link_sibling+0x105/0x130
[ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0
[ 272.214773] ? kernfs_activate+0x57/0x70
[ 272.218699] ? kernfs_add_one+0x118/0x160
[ 272.222710] ? __kernfs_create_file+0x71/0xa0
[ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110
[ 272.232033] ? internal_create_group+0x453/0x4a0
[ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0
[ 272.241355] ? __free_frozen_pages+0x1dc/0x420
[ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0
[ 272.250505] ? load_module+0x1509/0x16f0
[ 272.254431] do_init_module+0x60/0x230
[ 272.258181] __se_sys_finit_module+0x27a/0x370
[ 272.262627] do_syscall_64+0x6a/0xf0
[ 272.266206] ? do_syscall_64+0x76/0xf0
[ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90
[ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 272.279887] RIP: 0033:0x7b9309168d39
[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8
[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39
[ 272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003
[ 272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150
[ 272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000
[ 272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77
[ 272.345428] </TASK>
[ 272.347617] Modules linked in: i2c_cros_ec_tunnel(+)
[ 272.364585] gsmi: Log Shutdown Reason 0x03
Returning -EPROBE_DEFER will allow the device to be bound once the
controller is bound, in the case of built-in drivers.
Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Cc: <stable@vger.kernel.org> # v3.16+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c
+++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c
@@ -247,6 +247,9 @@ static int ec_i2c_probe(struct platform_
u32 remote_bus;
int err;
+ if (!ec)
+ return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n");
+
if (!ec->cmd_xfer) {
dev_err(dev, "Missing sendrecv\n");
return -EINVAL;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 211/291] isofs: Prevent the use of too small fid
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 210/291] i2c: cros-ec-tunnel: defer probe if parent EC is not present Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 212/291] loop: properly send KOBJ_CHANGED uevent for disk device Greg Kroah-Hartman
` (88 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4d7cd7dd0ce1aa8d5c65,
Edward Adam Davis, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845 upstream.
syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]
The handle_bytes value passed in by the reproducing program is equal to 12.
In handle_to_path(), only 12 bytes of memory are allocated for the structure
file_handle->f_handle member, which causes an out-of-bounds access when
accessing the member parent_block of the structure isofs_fid in isofs,
because accessing parent_block requires at least 16 bytes of f_handle.
Here, fh_len is used to indirectly confirm that the value of handle_bytes
is greater than 3 before accessing parent_block.
[1]
BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466
CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0x198/0x550 mm/kasan/report.c:521
kasan_report+0xd8/0x138 mm/kasan/report.c:634
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
handle_to_path fs/fhandle.c:385 [inline]
do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
__do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Allocated by task 6466:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
handle_to_path fs/fhandle.c:357 [inline]
do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
__do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Reported-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d7cd7dd0ce1aa8d5c65
Tested-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/tencent_9C8CB8A7E7C6C512C7065DC98B6EDF6EC606@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/isofs/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/isofs/export.c
+++ b/fs/isofs/export.c
@@ -180,7 +180,7 @@ static struct dentry *isofs_fh_to_parent
return NULL;
return isofs_export_iget(sb,
- fh_len > 2 ? ifid->parent_block : 0,
+ fh_len > 3 ? ifid->parent_block : 0,
ifid->parent_offset,
fh_len > 4 ? ifid->parent_generation : 0);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 212/291] loop: properly send KOBJ_CHANGED uevent for disk device
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 211/291] isofs: Prevent the use of too small fid Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 213/291] loop: LOOP_SET_FD: send uevents for partitions Greg Kroah-Hartman
` (87 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit e7bc0010ceb403d025100698586c8e760921d471 upstream.
The original commit message and the wording "uncork" in the code comment
indicate that it is expected that the suppressed event instances are
automatically sent after unsuppressing.
This is not the case, instead they are discarded.
In effect this means that no "changed" events are emitted on the device
itself by default.
While each discovered partition does trigger a changed event on the
device, devices without partitions don't have any event emitted.
This makes udev miss the device creation and prompted workarounds in
userspace. See the linked util-linux/losetup bug.
Explicitly emit the events and drop the confusingly worded comments.
Link: https://github.com/util-linux/util-linux/issues/2434
Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v2-1-0c4e6a923b2a@linutronix.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -629,8 +629,8 @@ static int loop_change_fd(struct loop_de
error = 0;
done:
- /* enable and uncork uevent now that we are done */
dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
return error;
out_err:
@@ -1104,8 +1104,8 @@ static int loop_configure(struct loop_de
if (partscan)
clear_bit(GD_SUPPRESS_PART_SCAN, &lo->lo_disk->state);
- /* enable and uncork uevent now that we are done */
dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
loop_global_unlock(lo, is_loop);
if (partscan)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 213/291] loop: LOOP_SET_FD: send uevents for partitions
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 212/291] loop: properly send KOBJ_CHANGED uevent for disk device Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 214/291] mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Greg Kroah-Hartman
` (86 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Jan Kara,
Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 0dba7a05b9e47d8b546399117b0ddf2426dc6042 upstream.
Remove the suppression of the uevents before scanning for partitions.
The partitions inherit their suppression settings from their parent device,
which lead to the uevents being dropped.
This is similar to the same changes for LOOP_CONFIGURE done in
commit bb430b694226 ("loop: LOOP_CONFIGURE: send uevents for partitions").
Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v3-1-60ff69ac6088@linutronix.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -624,12 +624,12 @@ static int loop_change_fd(struct loop_de
* dependency.
*/
fput(old_file);
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
if (partscan)
loop_reread_partitions(lo);
error = 0;
done:
- dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
return error;
@@ -637,6 +637,7 @@ out_err:
loop_global_unlock(lo, is_loop);
out_putf:
fput(file);
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
goto done;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 214/291] mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 213/291] loop: LOOP_SET_FD: send uevents for partitions Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 215/291] mm: fix filemap_get_folios_contig returning batches of identical folios Greg Kroah-Hartman
` (85 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baoquan He, Oscar Salvador,
David Hildenbrand, Andreas Gruenbacher, Yanjun.Zhu, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baoquan He <bhe@redhat.com>
commit 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa upstream.
Not like fault_in_readable() or fault_in_writeable(), in
fault_in_safe_writeable() local variable 'start' is increased page by page
to loop till the whole address range is handled. However, it mistakenly
calculates the size of the handled range with 'uaddr - start'.
Fix it here.
Andreas said:
: In gfs2, fault_in_iov_iter_writeable() is used in
: gfs2_file_direct_read() and gfs2_file_read_iter(), so this potentially
: affects buffered as well as direct reads. This bug could cause those
: gfs2 functions to spin in a loop.
Link: https://lkml.kernel.org/r/20250410035717.473207-1-bhe@redhat.com
Link: https://lkml.kernel.org/r/20250410035717.473207-2-bhe@redhat.com
Signed-off-by: Baoquan He <bhe@redhat.com>
Fixes: fe673d3f5bf1 ("mm: gup: make fault_in_safe_writeable() use fixup_user_fault()")
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Cc: Yanjun.Zhu <yanjun.zhu@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/gup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1881,8 +1881,8 @@ size_t fault_in_safe_writeable(const cha
} while (start != end);
mmap_read_unlock(mm);
- if (size > (unsigned long)uaddr - start)
- return size - ((unsigned long)uaddr - start);
+ if (size > start - (unsigned long)uaddr)
+ return size - (start - (unsigned long)uaddr);
return 0;
}
EXPORT_SYMBOL(fault_in_safe_writeable);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 215/291] mm: fix filemap_get_folios_contig returning batches of identical folios
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 214/291] mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 216/291] ksmbd: Fix dangling pointer in krb_authenticate Greg Kroah-Hartman
` (84 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vishal Moola (Oracle), Qu Wenruo,
Matthew Wilcox (Oracle), Vivek Kasireddy, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishal Moola (Oracle) <vishal.moola@gmail.com>
commit 8ab1b16023961dc640023b10436d282f905835ad upstream.
filemap_get_folios_contig() is supposed to return distinct folios found
within [start, end]. Large folios in the Xarray become multi-index
entries. xas_next() can iterate through the sub-indexes before finding a
sibling entry and breaking out of the loop.
This can result in a returned folio_batch containing an indeterminate
number of duplicate folios, which forces the callers to skeptically handle
the returned batch. This is inefficient and incurs a large maintenance
overhead.
We can fix this by calling xas_advance() after we have successfully adding
a folio to the batch to ensure our Xarray is positioned such that it will
correctly find the next folio - similar to filemap_get_read_batch().
Link: https://lkml.kernel.org/r/Z-8s1-kiIDkzgRbc@fedora
Fixes: 35b471467f88 ("filemap: add filemap_get_folios_contig()")
Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
Reported-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Closes: https://lkml.kernel.org/r/b714e4de-2583-4035-b829-72cfb5eb6fc6@gmx.com
Tested-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Vivek Kasireddy <vivek.kasireddy@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/filemap.c | 1 +
1 file changed, 1 insertion(+)
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2266,6 +2266,7 @@ unsigned filemap_get_folios_contig(struc
*start = folio->index + nr;
goto out;
}
+ xas_advance(&xas, folio_next_index(folio) - 1);
continue;
put_folio:
folio_put(folio);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 216/291] ksmbd: Fix dangling pointer in krb_authenticate
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 215/291] mm: fix filemap_get_folios_contig returning batches of identical folios Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 217/291] ksmbd: Prevent integer overflow in calculation of deadtime Greg Kroah-Hartman
` (83 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Heelan, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Heelan <seanheelan@gmail.com>
commit 1e440d5b25b7efccb3defe542a73c51005799a5f upstream.
krb_authenticate frees sess->user and does not set the pointer
to NULL. It calls ksmbd_krb5_authenticate to reinitialise
sess->user but that function may return without doing so. If
that happens then smb2_sess_setup, which calls krb_authenticate,
will be accessing free'd memory when it later uses sess->user.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1615,8 +1615,10 @@ static int krb5_authenticate(struct ksmb
if (prev_sess_id && prev_sess_id != sess->id)
destroy_previous_session(conn, sess->user, prev_sess_id);
- if (sess->state == SMB2_SESSION_VALID)
+ if (sess->state == SMB2_SESSION_VALID) {
ksmbd_free_user(sess->user);
+ sess->user = NULL;
+ }
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
out_blob, &out_len);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 217/291] ksmbd: Prevent integer overflow in calculation of deadtime
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 216/291] ksmbd: Fix dangling pointer in krb_authenticate Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 218/291] ksmbd: fix the warning from __kernel_write_iter Greg Kroah-Hartman
` (82 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit a93ff742820f75bf8bb3fcf21d9f25ca6eb3d4c6 upstream.
The user can set any value for 'deadtime'. This affects the arithmetic
expression 'req->deadtime * SMB_ECHO_INTERVAL', which is subject to
overflow. The added check makes the server behavior more predictable.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/transport_ipc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -296,7 +296,11 @@ static int ipc_server_config_on_startup(
server_conf.signing = req->signing;
server_conf.tcp_port = req->tcp_port;
server_conf.ipc_timeout = req->ipc_timeout * HZ;
- server_conf.deadtime = req->deadtime * SMB_ECHO_INTERVAL;
+ if (check_mul_overflow(req->deadtime, SMB_ECHO_INTERVAL,
+ &server_conf.deadtime)) {
+ ret = -EINVAL;
+ goto out;
+ }
server_conf.share_fake_fscaps = req->share_fake_fscaps;
ksmbd_init_domain(req->sub_auth);
@@ -319,6 +323,7 @@ static int ipc_server_config_on_startup(
ret |= ksmbd_set_work_group(req->work_group);
ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
req->ifc_list_sz);
+out:
if (ret) {
pr_err("Server configuration error: %s %s %s\n",
req->netbios_name, req->server_string,
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 218/291] ksmbd: fix the warning from __kernel_write_iter
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 217/291] ksmbd: Prevent integer overflow in calculation of deadtime Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 219/291] riscv: Avoid fortify warning in syscall_get_arguments() Greg Kroah-Hartman
` (81 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Norbert Szetei, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit b37f2f332b40ad1c27f18682a495850f2f04db0a upstream.
[ 2110.972290] ------------[ cut here ]------------
[ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280
This patch doesn't allow writing to directory.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -493,7 +493,8 @@ int ksmbd_vfs_write(struct ksmbd_work *w
int err = 0;
if (work->conn->connection_type) {
- if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) {
+ if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE)) ||
+ S_ISDIR(file_inode(fp->filp)->i_mode)) {
pr_err("no right to write(%pD)\n", fp->filp);
err = -EACCES;
goto out;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 219/291] riscv: Avoid fortify warning in syscall_get_arguments()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 218/291] ksmbd: fix the warning from __kernel_write_iter Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 220/291] smb3 client: fix open hardlink on deferred close file error Greg Kroah-Hartman
` (80 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Dmitry V. Levin,
Palmer Dabbelt
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit adf53771a3123df99ca26e38818760fbcf5c05d0 upstream.
When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
because of the memcpy() in syscall_get_arguments():
In file included from include/linux/string.h:392,
from include/linux/bitmap.h:13,
from include/linux/cpumask.h:12,
from arch/riscv/include/asm/processor.h:55,
from include/linux/sched.h:13,
from kernel/ptrace.c:13:
In function 'fortify_memcpy_chk',
inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
580 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
The fortified memcpy() routine enforces that the source is not overread
and the destination is not overwritten if the size of either field and
the size of the copy are known at compile time. The memcpy() in
syscall_get_arguments() intentionally overreads from a1 to a5 in
'struct pt_regs' but this is bigger than the size of a1.
Normally, this could be solved by wrapping a1 through a5 with
struct_group() but there was already a struct_group() applied to these
members in commit bba547810c66 ("riscv: tracing: Fix
__write_overflow_field in ftrace_partial_regs()").
Just avoid memcpy() altogether and write the copying of args from regs
manually, which clears up the warning at the expense of three extra
lines of code.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Dmitry V. Levin <ldv@strace.io>
Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250409-riscv-avoid-fortify-warning-syscall_get_arguments-v1-1-7853436d4755@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/syscall.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -61,8 +61,11 @@ static inline void syscall_get_arguments
unsigned long *args)
{
args[0] = regs->orig_a0;
- args++;
- memcpy(args, ®s->a1, 5 * sizeof(args[0]));
+ args[1] = regs->a1;
+ args[2] = regs->a2;
+ args[3] = regs->a3;
+ args[4] = regs->a4;
+ args[5] = regs->a5;
}
static inline int syscall_get_arch(struct task_struct *task)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 220/291] smb3 client: fix open hardlink on deferred close file error
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 219/291] riscv: Avoid fortify warning in syscall_get_arguments() Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 221/291] string: Add load_unaligned_zeropad() code path to sized_strscpy() Greg Kroah-Hartman
` (79 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chunjie Zhu, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chunjie Zhu <chunjie.zhu@cloud.com>
commit 262b73ef442e68e53220b9d6fc5a0d08b557fa42 upstream.
The following Python script results in unexpected behaviour when run on
a CIFS filesystem against a Windows Server:
# Create file
fd = os.open('test', os.O_WRONLY|os.O_CREAT)
os.write(fd, b'foo')
os.close(fd)
# Open and close the file to leave a pending deferred close
fd = os.open('test', os.O_RDONLY|os.O_DIRECT)
os.close(fd)
# Try to open the file via a hard link
os.link('test', 'new')
newfd = os.open('new', os.O_RDONLY|os.O_DIRECT)
The final open returns EINVAL due to the server returning
STATUS_INVALID_PARAMETER. The root cause of this is that the client
caches lease keys per inode, but the spec requires them to be related to
the filename which causes problems when hard links are involved:
>From MS-SMB2 section 3.3.5.9.11:
"The server MUST attempt to locate a Lease by performing a lookup in the
LeaseTable.LeaseList using the LeaseKey in the
SMB2_CREATE_REQUEST_LEASE_V2 as the lookup key. If a lease is found,
Lease.FileDeleteOnClose is FALSE, and Lease.Filename does not match the
file name for the incoming request, the request MUST be failed with
STATUS_INVALID_PARAMETER"
On client side, we first check the context of file open, if it hits above
conditions, we first close all opening files which are belong to the same
inode, then we do open the hard link file.
Cc: stable@vger.kernel.org
Signed-off-by: Chunjie Zhu <chunjie.zhu@cloud.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsproto.h | 2 ++
fs/smb/client/file.c | 28 ++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
--- a/fs/smb/client/cifsproto.h
+++ b/fs/smb/client/cifsproto.h
@@ -152,6 +152,8 @@ extern int cifs_get_writable_path(struct
extern struct cifsFileInfo *find_readable_file(struct cifsInodeInfo *, bool);
extern int cifs_get_readable_path(struct cifs_tcon *tcon, const char *name,
struct cifsFileInfo **ret_file);
+extern int cifs_get_hardlink_path(struct cifs_tcon *tcon, struct inode *inode,
+ struct file *file);
extern unsigned int smbCalcSize(void *buf);
extern int decode_negTokenInit(unsigned char *security_blob, int length,
struct TCP_Server_Info *server);
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -687,6 +687,11 @@ int cifs_open(struct inode *inode, struc
} else {
_cifsFileInfo_put(cfile, true, false);
}
+ } else {
+ /* hard link on the defeered close file */
+ rc = cifs_get_hardlink_path(tcon, inode, file);
+ if (rc)
+ cifs_close_deferred_file(CIFS_I(inode));
}
if (server->oplocks)
@@ -1735,6 +1740,29 @@ cifs_move_llist(struct list_head *source
list_move(li, dest);
}
+int
+cifs_get_hardlink_path(struct cifs_tcon *tcon, struct inode *inode,
+ struct file *file)
+{
+ struct cifsFileInfo *open_file = NULL;
+ struct cifsInodeInfo *cinode = CIFS_I(inode);
+ int rc = 0;
+
+ spin_lock(&tcon->open_file_lock);
+ spin_lock(&cinode->open_file_lock);
+
+ list_for_each_entry(open_file, &cinode->openFileList, flist) {
+ if (file->f_flags == open_file->f_flags) {
+ rc = -EINVAL;
+ break;
+ }
+ }
+
+ spin_unlock(&cinode->open_file_lock);
+ spin_unlock(&tcon->open_file_lock);
+ return rc;
+}
+
void
cifs_free_llist(struct list_head *llist)
{
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 221/291] string: Add load_unaligned_zeropad() code path to sized_strscpy()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 220/291] smb3 client: fix open hardlink on deferred close file error Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 222/291] tracing: Fix filter string testing Greg Kroah-Hartman
` (78 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Collingbourne, Catalin Marinas,
Kees Cook
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Collingbourne <pcc@google.com>
commit d94c12bd97d567de342fd32599e7cd9e50bfa140 upstream.
The call to read_word_at_a_time() in sized_strscpy() is problematic
with MTE because it may trigger a tag check fault when reading
across a tag granule (16 bytes) boundary. To make this code
MTE compatible, let's start using load_unaligned_zeropad()
on architectures where it is available (i.e. architectures that
define CONFIG_DCACHE_WORD_ACCESS). Because load_unaligned_zeropad()
takes care of page boundaries as well as tag granule boundaries,
also disable the code preventing crossing page boundaries when using
load_unaligned_zeropad().
Signed-off-by: Peter Collingbourne <pcc@google.com>
Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fdf755548
Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS")
Cc: stable@vger.kernel.org
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20250403000703.2584581-2-pcc@google.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/string.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/lib/string.c
+++ b/lib/string.c
@@ -181,6 +181,7 @@ ssize_t strscpy(char *dest, const char *
if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
return -E2BIG;
+#ifndef CONFIG_DCACHE_WORD_ACCESS
#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
/*
* If src is unaligned, don't cross a page boundary,
@@ -196,11 +197,13 @@ ssize_t strscpy(char *dest, const char *
if (((long) dest | (long) src) & (sizeof(long) - 1))
max = 0;
#endif
+#endif
/*
- * read_word_at_a_time() below may read uninitialized bytes after the
- * trailing zero and use them in comparisons. Disable this optimization
- * under KMSAN to prevent false positive reports.
+ * load_unaligned_zeropad() or read_word_at_a_time() below may read
+ * uninitialized bytes after the trailing zero and use them in
+ * comparisons. Disable this optimization under KMSAN to prevent
+ * false positive reports.
*/
if (IS_ENABLED(CONFIG_KMSAN))
max = 0;
@@ -208,7 +211,11 @@ ssize_t strscpy(char *dest, const char *
while (max >= sizeof(unsigned long)) {
unsigned long c, data;
+#ifdef CONFIG_DCACHE_WORD_ACCESS
+ c = load_unaligned_zeropad(src+res);
+#else
c = read_word_at_a_time(src+res);
+#endif
if (has_zero(c, &data, &constants)) {
data = prep_zero_mask(c, data, &constants);
data = create_zero_mask(data);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 222/291] tracing: Fix filter string testing
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 221/291] string: Add load_unaligned_zeropad() code path to sized_strscpy() Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 223/291] virtiofs: add filesystem context source name check Greg Kroah-Hartman
` (77 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Andrew Morton, Andrii Nakryiko, Mykyta Yatsenko,
Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 upstream.
The filter string testing uses strncpy_from_kernel/user_nofault() to
retrieve the string to test the filter against. The if() statement was
incorrect as it considered 0 as a fault, when it is only negative that it
faulted.
Running the following commands:
# cd /sys/kernel/tracing
# echo "filename.ustring ~ \"/proc*\"" > events/syscalls/sys_enter_openat/filter
# echo 1 > events/syscalls/sys_enter_openat/enable
# ls /proc/$$/maps
# cat trace
Would produce nothing, but with the fix it will produce something like:
ls-1192 [007] ..... 8169.828333: sys_openat(dfd: ffffffffffffff9c, filename: 7efc18359904, flags: 80000, mode: 0)
Link: https://lore.kernel.org/all/CAEf4BzbVPQ=BjWztmEwBPRKHUwNfKBkS3kce-Rzka6zvbQeVpg@mail.gmail.com/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: https://lore.kernel.org/20250417183003.505835fb@gandalf.local.home
Fixes: 77360f9bbc7e5 ("tracing: Add test for user space strings when filtering on string pointers")
Reported-by: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Reported-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -716,7 +716,7 @@ static __always_inline char *test_string
kstr = ubuf->buffer;
/* For safety, do not trust the string pointer */
- if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE))
+ if (strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0)
return NULL;
return kstr;
}
@@ -735,7 +735,7 @@ static __always_inline char *test_ustrin
/* user space address? */
ustr = (char __user *)str;
- if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE))
+ if (strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE) < 0)
return NULL;
return kstr;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 223/291] virtiofs: add filesystem context source name check
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 222/291] tracing: Fix filter string testing Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 224/291] scsi: megaraid_sas: Block zero-length ATA VPD inquiry Greg Kroah-Hartman
` (76 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiangsheng Hou, Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
commit a94fd938df2b1628da66b498aa0eeb89593bc7a2 upstream.
In certain scenarios, for example, during fuzz testing, the source
name may be NULL, which could lead to a kernel panic. Therefore, an
extra check for the source name should be added.
Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
Cc: <stable@vger.kernel.org> # all LTS kernels
Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/virtio_fs.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/fuse/virtio_fs.c
+++ b/fs/fuse/virtio_fs.c
@@ -1429,6 +1429,9 @@ static int virtio_fs_get_tree(struct fs_
unsigned int virtqueue_size;
int err = -EIO;
+ if (!fsc->source)
+ return invalf(fsc, "No source specified");
+
/* This gets a reference on virtio_fs object. This ptr gets installed
* in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
* to drop the reference to this object.
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 224/291] scsi: megaraid_sas: Block zero-length ATA VPD inquiry
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 223/291] virtiofs: add filesystem context source name check Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 225/291] scsi: ufs: exynos: Ensure consistent phy reference counts Greg Kroah-Hartman
` (75 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin K. Petersen,
Chandrakanth Patil, Ryan Lahfa
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
commit aad9945623ab4029ae7789609fb6166c97976c62 upstream.
A firmware bug was observed where ATA VPD inquiry commands with a
zero-length data payload were not handled and failed with a non-standard
status code of 0xf0.
Avoid sending ATA VPD inquiry commands without data payload by setting
the device no_vpd_size flag to 1. In addition, if the firmware returns a
status code of 0xf0, set scsi_cmnd->result to CHECK_CONDITION to
facilitate proper error handling.
Suggested-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250402193735.5098-1-chandrakanth.patil@broadcom.com
Tested-by: Ryan Lahfa <ryan@lahfa.xyz>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 9 +++++++--
drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 ++++-
2 files changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -2101,6 +2101,9 @@ static int megasas_slave_configure(struc
/* This sdev property may change post OCR */
megasas_set_dynamic_target_properties(sdev, is_target_prop);
+ if (!MEGASAS_IS_LOGICAL(sdev))
+ sdev->no_vpd_size = 1;
+
mutex_unlock(&instance->reset_mutex);
return 0;
@@ -3661,8 +3664,10 @@ megasas_complete_cmd(struct megasas_inst
case MFI_STAT_SCSI_IO_FAILED:
case MFI_STAT_LD_INIT_IN_PROGRESS:
- cmd->scmd->result =
- (DID_ERROR << 16) | hdr->scsi_status;
+ if (hdr->scsi_status == 0xf0)
+ cmd->scmd->result = (DID_ERROR << 16) | SAM_STAT_CHECK_CONDITION;
+ else
+ cmd->scmd->result = (DID_ERROR << 16) | hdr->scsi_status;
break;
case MFI_STAT_SCSI_DONE_WITH_ERROR:
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2040,7 +2040,10 @@ map_cmd_status(struct fusion_context *fu
case MFI_STAT_SCSI_IO_FAILED:
case MFI_STAT_LD_INIT_IN_PROGRESS:
- scmd->result = (DID_ERROR << 16) | ext_status;
+ if (ext_status == 0xf0)
+ scmd->result = (DID_ERROR << 16) | SAM_STAT_CHECK_CONDITION;
+ else
+ scmd->result = (DID_ERROR << 16) | ext_status;
break;
case MFI_STAT_SCSI_DONE_WITH_ERROR:
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 225/291] scsi: ufs: exynos: Ensure consistent phy reference counts
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 224/291] scsi: megaraid_sas: Block zero-length ATA VPD inquiry Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 226/291] RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Greg Kroah-Hartman
` (74 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Griffin, Bart Van Assche,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Griffin <peter.griffin@linaro.org>
commit 7f05fd9a3b6fb3a9abc5a748307d11831c03175f upstream.
ufshcd_link_startup() can call ufshcd_vops_link_startup_notify()
multiple times when retrying. This causes the phy reference count to
keep increasing and the phy to not properly re-initialize.
If the phy has already been previously powered on, first issue a
phy_power_off() and phy_exit(), before re-initializing and powering on
again.
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-4-96722cc2ba1b@linaro.org
Fixes: 3d73b200f989 ("scsi: ufs: ufs-exynos: Change ufs phy control sequence")
Cc: stable@vger.kernel.org
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/host/ufs-exynos.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/ufs/host/ufs-exynos.c
+++ b/drivers/ufs/host/ufs-exynos.c
@@ -901,6 +901,12 @@ static int exynos_ufs_phy_init(struct ex
}
phy_set_bus_width(generic_phy, ufs->avail_ln_rx);
+
+ if (generic_phy->power_count) {
+ phy_power_off(generic_phy);
+ phy_exit(generic_phy);
+ }
+
ret = phy_init(generic_phy);
if (ret) {
dev_err(hba->dev, "%s: phy init failed, ret = %d\n",
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 226/291] RDMA/cma: Fix workqueue crash in cma_netevent_work_handler
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 225/291] scsi: ufs: exynos: Ensure consistent phy reference counts Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 227/291] perf/x86/intel: Allow to update user space GPRs from PEBS records Greg Kroah-Hartman
` (73 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Håkon Bugge, Sharath Srinivasan,
Patrisious Haddad, Leon Romanovsky
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sharath Srinivasan <sharath.srinivasan@oracle.com>
commit 45f5dcdd049719fb999393b30679605f16ebce14 upstream.
struct rdma_cm_id has member "struct work_struct net_work"
that is reused for enqueuing cma_netevent_work_handler()s
onto cma_wq.
Below crash[1] can occur if more than one call to
cma_netevent_callback() occurs in quick succession,
which further enqueues cma_netevent_work_handler()s for the
same rdma_cm_id, overwriting any previously queued work-item(s)
that was just scheduled to run i.e. there is no guarantee
the queued work item may run between two successive calls
to cma_netevent_callback() and the 2nd INIT_WORK would overwrite
the 1st work item (for the same rdma_cm_id), despite grabbing
id_table_lock during enqueue.
Also drgn analysis [2] indicates the work item was likely overwritten.
Fix this by moving the INIT_WORK() to __rdma_create_id(),
so that it doesn't race with any existing queue_work() or
its worker thread.
[1] Trimmed crash stack:
=============================================
BUG: kernel NULL pointer dereference, address: 0000000000000008
kworker/u256:6 ... 6.12.0-0...
Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm)
RIP: 0010:process_one_work+0xba/0x31a
Call Trace:
worker_thread+0x266/0x3a0
kthread+0xcf/0x100
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x1a/0x30
=============================================
[2] drgn crash analysis:
>>> trace = prog.crashed_thread().stack_trace()
>>> trace
(0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)
(1) __crash_kexec (kernel/crash_core.c:122:4)
(2) panic (kernel/panic.c:399:3)
(3) oops_end (arch/x86/kernel/dumpstack.c:382:3)
...
(8) process_one_work (kernel/workqueue.c:3168:2)
(9) process_scheduled_works (kernel/workqueue.c:3310:3)
(10) worker_thread (kernel/workqueue.c:3391:4)
(11) kthread (kernel/kthread.c:389:9)
Line workqueue.c:3168 for this kernel version is in process_one_work():
3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);
>>> trace[8]["work"]
*(struct work_struct *)0xffff92577d0a21d8 = {
.data = (atomic_long_t){
.counter = (s64)536870912, <=== Note
},
.entry = (struct list_head){
.next = (struct list_head *)0xffff924d075924c0,
.prev = (struct list_head *)0xffff924d075924c0,
},
.func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,
}
Suspicion is that pwq is NULL:
>>> trace[8]["pwq"]
(struct pool_workqueue *)<absent>
In process_one_work(), pwq is assigned from:
struct pool_workqueue *pwq = get_work_pwq(work);
and get_work_pwq() is:
static struct pool_workqueue *get_work_pwq(struct work_struct *work)
{
unsigned long data = atomic_long_read(&work->data);
if (data & WORK_STRUCT_PWQ)
return work_struct_pwq(data);
else
return NULL;
}
WORK_STRUCT_PWQ is 0x4:
>>> print(repr(prog['WORK_STRUCT_PWQ']))
Object(prog, 'enum work_flags', value=4)
But work->data is 536870912 which is 0x20000000.
So, get_work_pwq() returns NULL and we crash in process_one_work():
3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);
=============================================
Fixes: 925d046e7e52 ("RDMA/core: Add a netevent notifier to cma")
Cc: stable@vger.kernel.org
Co-developed-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Link: https://patch.msgid.link/bf0082f9-5b25-4593-92c6-d130aa8ba439@oracle.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/cma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -72,6 +72,8 @@ static const char * const cma_events[] =
static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid,
enum ib_gid_type gid_type);
+static void cma_netevent_work_handler(struct work_struct *_work);
+
const char *__attribute_const__ rdma_event_msg(enum rdma_cm_event_type event)
{
size_t index = event;
@@ -994,6 +996,7 @@ __rdma_create_id(struct net *net, rdma_c
get_random_bytes(&id_priv->seq_num, sizeof id_priv->seq_num);
id_priv->id.route.addr.dev_addr.net = get_net(net);
id_priv->seq_num &= 0x00ffffff;
+ INIT_WORK(&id_priv->id.net_work, cma_netevent_work_handler);
rdma_restrack_new(&id_priv->res, RDMA_RESTRACK_CM_ID);
if (parent)
@@ -5186,7 +5189,6 @@ static int cma_netevent_callback(struct
if (!memcmp(current_id->id.route.addr.dev_addr.dst_dev_addr,
neigh->ha, ETH_ALEN))
continue;
- INIT_WORK(¤t_id->id.net_work, cma_netevent_work_handler);
cma_id_get(current_id);
queue_work(cma_wq, ¤t_id->id.net_work);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 227/291] perf/x86/intel: Allow to update user space GPRs from PEBS records
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 226/291] RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 228/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Greg Kroah-Hartman
` (72 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Peter Zijlstra (Intel),
Ingo Molnar
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
commit 71dcc11c2cd9e434c34a63154ecadca21c135ddd upstream.
Currently when a user samples user space GPRs (--user-regs option) with
PEBS, the user space GPRs actually always come from software PMI
instead of from PEBS hardware. This leads to the sampled GPRs to
possibly be inaccurate for single PEBS record case because of the
skid between counter overflow and GPRs sampling on PMI.
For the large PEBS case, it is even worse. If user sets the
exclude_kernel attribute, large PEBS would be used to sample user space
GPRs, but since PEBS GPRs group is not really enabled, it leads to all
samples in the large PEBS record to share the same piece of user space
GPRs, like this reproducer shows:
$ perf record -e branches:pu --user-regs=ip,ax -c 100000 ./foo
$ perf report -D | grep "AX"
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
.... AX 0x000000003a0d4ead
So enable GPRs group for user space GPRs sampling and prioritize reading
GPRs from PEBS. If the PEBS sampled GPRs is not user space GPRs (single
PEBS record case), perf_sample_regs_user() modifies them to user space
GPRs.
[ mingo: Clarified the changelog. ]
Fixes: c22497f5838c ("perf/x86/intel: Support adaptive PEBS v4")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250415104135.318169-2-dapeng1.mi@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/ds.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/arch/x86/events/intel/ds.c
+++ b/arch/x86/events/intel/ds.c
@@ -1149,8 +1149,10 @@ static u64 pebs_update_adaptive_cfg(stru
* + precise_ip < 2 for the non event IP
* + For RTM TSX weight we need GPRs for the abort code.
*/
- gprs = (sample_type & PERF_SAMPLE_REGS_INTR) &&
- (attr->sample_regs_intr & PEBS_GP_REGS);
+ gprs = ((sample_type & PERF_SAMPLE_REGS_INTR) &&
+ (attr->sample_regs_intr & PEBS_GP_REGS)) ||
+ ((sample_type & PERF_SAMPLE_REGS_USER) &&
+ (attr->sample_regs_user & PEBS_GP_REGS));
tsx_weight = (sample_type & PERF_SAMPLE_WEIGHT_TYPE) &&
((attr->config & INTEL_ARCH_EVENT_MASK) ==
@@ -1792,7 +1794,7 @@ static void setup_pebs_adaptive_sample_d
regs->flags &= ~PERF_EFLAGS_EXACT;
}
- if (sample_type & PERF_SAMPLE_REGS_INTR)
+ if (sample_type & (PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER))
adaptive_pebs_save_regs(regs, gprs);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 228/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 227/291] perf/x86/intel: Allow to update user space GPRs from PEBS records Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 229/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Greg Kroah-Hartman
` (71 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kan Liang, Ingo Molnar,
Peter Zijlstra
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
commit 96a720db59ab330c8562b2437153faa45dac705f upstream.
There was a mistake in the SNR uncore spec. The counter increments for
every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes
which was documented in the spec.
The event list has been updated:
"EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN",
"BriefDescription": "Free running counter that increments for every 32
bytes of data sent from the IO agent to the SOC",
Update the scale of the IIO bandwidth in free running counters as well.
Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server")
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -4656,28 +4656,28 @@ static struct uncore_event_desc snr_unco
INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
/* Free-Running IIO BANDWIDTH IN Counters */
INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.0517578125e-5"),
INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
{ /* end: all zeroes */ },
};
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 229/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 228/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 230/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Greg Kroah-Hartman
` (70 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tang Jun, Kan Liang, Ingo Molnar,
Peter Zijlstra
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
commit 32c7f1150225694d95a51110a93be25db03bb5db upstream.
There was a mistake in the ICX uncore spec too. The counter increments
for every 32 bytes rather than 4 bytes.
The same as SNR, there are 1 ioclk and 8 IIO bandwidth in free running
counters. Reuse the snr_uncore_iio_freerunning_events().
Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
Reported-by: Tang Jun <dukang.tj@alibaba-inc.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250416142426.3933977-2-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 33 +--------------------------------
1 file changed, 1 insertion(+), 32 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -5250,37 +5250,6 @@ static struct freerunning_counters icx_i
[ICX_IIO_MSR_BW_IN] = { 0xaa0, 0x1, 0x10, 8, 48, icx_iio_bw_freerunning_box_offsets },
};
-static struct uncore_event_desc icx_uncore_iio_freerunning_events[] = {
- /* Free-Running IIO CLOCKS Counter */
- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
- /* Free-Running IIO BANDWIDTH IN Counters */
- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
- { /* end: all zeroes */ },
-};
-
static struct intel_uncore_type icx_uncore_iio_free_running = {
.name = "iio_free_running",
.num_counters = 9,
@@ -5288,7 +5257,7 @@ static struct intel_uncore_type icx_unco
.num_freerunning_types = ICX_IIO_FREERUNNING_TYPE_MAX,
.freerunning = icx_iio_freerunning,
.ops = &skx_uncore_iio_freerunning_ops,
- .event_descs = icx_uncore_iio_freerunning_events,
+ .event_descs = snr_uncore_iio_freerunning_events,
.format_group = &skx_uncore_iio_freerunning_format_group,
};
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 230/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 229/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 231/291] drm/repaper: fix integer overflows in repeat functions Greg Kroah-Hartman
` (69 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tang Jun, Kan Liang, Ingo Molnar,
Peter Zijlstra
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
commit 506f981ab40f0b03a11a640cfd77f48b09aff330 upstream.
The scale of IIO bandwidth in free running counters is inherited from
the ICX. The counter increments for every 32 bytes rather than 4 bytes.
The IIO bandwidth out free running counters don't increment with a
consistent size. The increment depends on the requested size. It's
impossible to find a fixed increment. Remove it from the event_descs.
Fixes: 0378c93a92e2 ("perf/x86/intel/uncore: Support IIO free-running counters on Sapphire Rapids server")
Reported-by: Tang Jun <dukang.tj@alibaba-inc.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250416142426.3933977-3-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 58 -----------------------------------
1 file changed, 1 insertion(+), 57 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -5826,69 +5826,13 @@ static struct freerunning_counters spr_i
[SPR_IIO_MSR_BW_OUT] = { 0x3808, 0x1, 0x10, 8, 48 },
};
-static struct uncore_event_desc spr_uncore_iio_freerunning_events[] = {
- /* Free-Running IIO CLOCKS Counter */
- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
- /* Free-Running IIO BANDWIDTH IN Counters */
- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
- /* Free-Running IIO BANDWIDTH OUT Counters */
- INTEL_UNCORE_EVENT_DESC(bw_out_port0, "event=0xff,umask=0x30"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port0.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port0.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port1, "event=0xff,umask=0x31"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port1.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port1.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port2, "event=0xff,umask=0x32"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port2.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port2.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port3, "event=0xff,umask=0x33"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port3.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port3.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port4, "event=0xff,umask=0x34"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port4.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port4.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port5, "event=0xff,umask=0x35"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port5.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port5.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port6, "event=0xff,umask=0x36"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port6.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port6.unit, "MiB"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port7, "event=0xff,umask=0x37"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port7.scale, "3.814697266e-6"),
- INTEL_UNCORE_EVENT_DESC(bw_out_port7.unit, "MiB"),
- { /* end: all zeroes */ },
-};
-
static struct intel_uncore_type spr_uncore_iio_free_running = {
.name = "iio_free_running",
.num_counters = 17,
.num_freerunning_types = SPR_IIO_FREERUNNING_TYPE_MAX,
.freerunning = spr_iio_freerunning,
.ops = &skx_uncore_iio_freerunning_ops,
- .event_descs = spr_uncore_iio_freerunning_events,
+ .event_descs = snr_uncore_iio_freerunning_events,
.format_group = &skx_uncore_iio_freerunning_format_group,
};
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 231/291] drm/repaper: fix integer overflows in repeat functions
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 230/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 232/291] drm/msm/a6xx: Fix stale rpmh votes from GPU Greg Kroah-Hartman
` (68 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Alex Lanzano
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 4d098000ac193f359e6b8ca4801dbdbd6a27b41f upstream.
There are conditions, albeit somewhat unlikely, under which right hand
expressions, calculating the end of time period in functions like
repaper_frame_fixed_repeat(), may overflow.
For instance, if 'factor10x' in repaper_get_temperature() is high
enough (170), as is 'epd->stage_time' in repaper_probe(), then the
resulting value of 'end' will not fit in unsigned int expression.
Mitigate this by casting 'epd->factored_stage_time' to wider type before
any multiplication is done.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: 3589211e9b03 ("drm/tinydrm: Add RePaper e-ink driver")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Alex Lanzano <lanzano.alex@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250116134801.22067-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tiny/repaper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/tiny/repaper.c
+++ b/drivers/gpu/drm/tiny/repaper.c
@@ -455,7 +455,7 @@ static void repaper_frame_fixed_repeat(s
enum repaper_stage stage)
{
u64 start = local_clock();
- u64 end = start + (epd->factored_stage_time * 1000 * 1000);
+ u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
do {
repaper_frame_fixed(epd, fixed_value, stage);
@@ -466,7 +466,7 @@ static void repaper_frame_data_repeat(st
const u8 *mask, enum repaper_stage stage)
{
u64 start = local_clock();
- u64 end = start + (epd->factored_stage_time * 1000 * 1000);
+ u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
do {
repaper_frame_data(epd, image, mask, stage);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 232/291] drm/msm/a6xx: Fix stale rpmh votes from GPU
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 231/291] drm/repaper: fix integer overflows in repeat functions Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 233/291] drm/amd: Handle being compiled without SI or CIK support better Greg Kroah-Hartman
` (67 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Rob Clark
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <quic_akhilpo@quicinc.com>
commit f561db72a663f8a73c2250bf3244ce1ce221bed7 upstream.
It was observed on sc7180 (A618 gpu) that GPU votes for GX rail and CNOC
BCM nodes were not removed after GPU suspend. This was because we
skipped sending 'prepare-slumber' request to gmu during suspend sequence
in some cases. So, make sure we always call prepare-slumber hfi during
suspend. Also, calling prepare-slumber without a prior oob-gpu handshake
messes up gmu firmware's internal state. So, do that when required.
Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
Cc: stable@vger.kernel.org
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/639569/
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 82 ++++++++++++++++++----------------
1 file changed, 44 insertions(+), 38 deletions(-)
--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
@@ -1070,50 +1070,51 @@ static void a6xx_gmu_shutdown(struct a6x
struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
struct adreno_gpu *adreno_gpu = &a6xx_gpu->base;
u32 val;
+ int ret;
/*
- * The GMU may still be in slumber unless the GPU started so check and
- * skip putting it back into slumber if so
+ * GMU firmware's internal power state gets messed up if we send "prepare_slumber" hfi when
+ * oob_gpu handshake wasn't done after the last wake up. So do a dummy handshake here when
+ * required
*/
- val = gmu_read(gmu, REG_A6XX_GPU_GMU_CX_GMU_RPMH_POWER_STATE);
+ if (adreno_gpu->base.needs_hw_init) {
+ if (a6xx_gmu_set_oob(&a6xx_gpu->gmu, GMU_OOB_GPU_SET))
+ goto force_off;
- if (val != 0xf) {
- int ret = a6xx_gmu_wait_for_idle(gmu);
-
- /* If the GMU isn't responding assume it is hung */
- if (ret) {
- a6xx_gmu_force_off(gmu);
- return;
- }
-
- a6xx_bus_clear_pending_transactions(adreno_gpu, a6xx_gpu->hung);
-
- /* tell the GMU we want to slumber */
- ret = a6xx_gmu_notify_slumber(gmu);
- if (ret) {
- a6xx_gmu_force_off(gmu);
- return;
- }
-
- ret = gmu_poll_timeout(gmu,
- REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS, val,
- !(val & A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS_GPUBUSYIGNAHB),
- 100, 10000);
-
- /*
- * Let the user know we failed to slumber but don't worry too
- * much because we are powering down anyway
- */
-
- if (ret)
- DRM_DEV_ERROR(gmu->dev,
- "Unable to slumber GMU: status = 0%x/0%x\n",
- gmu_read(gmu,
- REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS),
- gmu_read(gmu,
- REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS2));
+ a6xx_gmu_clear_oob(&a6xx_gpu->gmu, GMU_OOB_GPU_SET);
}
+ ret = a6xx_gmu_wait_for_idle(gmu);
+
+ /* If the GMU isn't responding assume it is hung */
+ if (ret)
+ goto force_off;
+
+ a6xx_bus_clear_pending_transactions(adreno_gpu, a6xx_gpu->hung);
+
+ /* tell the GMU we want to slumber */
+ ret = a6xx_gmu_notify_slumber(gmu);
+ if (ret)
+ goto force_off;
+
+ ret = gmu_poll_timeout(gmu,
+ REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS, val,
+ !(val & A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS_GPUBUSYIGNAHB),
+ 100, 10000);
+
+ /*
+ * Let the user know we failed to slumber but don't worry too
+ * much because we are powering down anyway
+ */
+
+ if (ret)
+ DRM_DEV_ERROR(gmu->dev,
+ "Unable to slumber GMU: status = 0%x/0%x\n",
+ gmu_read(gmu,
+ REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS),
+ gmu_read(gmu,
+ REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS2));
+
/* Turn off HFI */
a6xx_hfi_stop(gmu);
@@ -1122,6 +1123,11 @@ static void a6xx_gmu_shutdown(struct a6x
/* Tell RPMh to power off the GPU */
a6xx_rpmh_stop(gmu);
+
+ return;
+
+force_off:
+ a6xx_gmu_force_off(gmu);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 233/291] drm/amd: Handle being compiled without SI or CIK support better
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 232/291] drm/msm/a6xx: Fix stale rpmh votes from GPU Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 234/291] drm/amd/pm: Prevent division by zero Greg Kroah-Hartman
` (66 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 5f054ddead33c1622ea9c0c0aaf07c6843fc7ab0 upstream.
If compiled without SI or CIK support but amdgpu tries to load it
will run into failures with uninitialized callbacks.
Show a nicer message in this case and fail probe instead.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4050
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +++++++++++++++++---------------
1 file changed, 24 insertions(+), 20 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -1662,7 +1662,6 @@ static const u16 amdgpu_unsupported_pcii
};
static const struct pci_device_id pciidlist[] = {
-#ifdef CONFIG_DRM_AMDGPU_SI
{0x1002, 0x6780, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI},
{0x1002, 0x6784, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI},
{0x1002, 0x6788, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI},
@@ -1735,8 +1734,6 @@ static const struct pci_device_id pciidl
{0x1002, 0x6665, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_HAINAN|AMD_IS_MOBILITY},
{0x1002, 0x6667, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_HAINAN|AMD_IS_MOBILITY},
{0x1002, 0x666F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_HAINAN|AMD_IS_MOBILITY},
-#endif
-#ifdef CONFIG_DRM_AMDGPU_CIK
/* Kaveri */
{0x1002, 0x1304, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_KAVERI|AMD_IS_MOBILITY|AMD_IS_APU},
{0x1002, 0x1305, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_KAVERI|AMD_IS_APU},
@@ -1819,7 +1816,6 @@ static const struct pci_device_id pciidl
{0x1002, 0x985D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_MULLINS|AMD_IS_MOBILITY|AMD_IS_APU},
{0x1002, 0x985E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_MULLINS|AMD_IS_MOBILITY|AMD_IS_APU},
{0x1002, 0x985F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_MULLINS|AMD_IS_MOBILITY|AMD_IS_APU},
-#endif
/* topaz */
{0x1002, 0x6900, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TOPAZ},
{0x1002, 0x6901, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TOPAZ},
@@ -2099,14 +2095,14 @@ static int amdgpu_pci_probe(struct pci_d
return -ENOTSUPP;
}
+ switch (flags & AMD_ASIC_MASK) {
+ case CHIP_TAHITI:
+ case CHIP_PITCAIRN:
+ case CHIP_VERDE:
+ case CHIP_OLAND:
+ case CHIP_HAINAN:
#ifdef CONFIG_DRM_AMDGPU_SI
- if (!amdgpu_si_support) {
- switch (flags & AMD_ASIC_MASK) {
- case CHIP_TAHITI:
- case CHIP_PITCAIRN:
- case CHIP_VERDE:
- case CHIP_OLAND:
- case CHIP_HAINAN:
+ if (!amdgpu_si_support) {
dev_info(&pdev->dev,
"SI support provided by radeon.\n");
dev_info(&pdev->dev,
@@ -2114,16 +2110,18 @@ static int amdgpu_pci_probe(struct pci_d
);
return -ENODEV;
}
- }
+ break;
+#else
+ dev_info(&pdev->dev, "amdgpu is built without SI support.\n");
+ return -ENODEV;
#endif
+ case CHIP_KAVERI:
+ case CHIP_BONAIRE:
+ case CHIP_HAWAII:
+ case CHIP_KABINI:
+ case CHIP_MULLINS:
#ifdef CONFIG_DRM_AMDGPU_CIK
- if (!amdgpu_cik_support) {
- switch (flags & AMD_ASIC_MASK) {
- case CHIP_KAVERI:
- case CHIP_BONAIRE:
- case CHIP_HAWAII:
- case CHIP_KABINI:
- case CHIP_MULLINS:
+ if (!amdgpu_cik_support) {
dev_info(&pdev->dev,
"CIK support provided by radeon.\n");
dev_info(&pdev->dev,
@@ -2131,8 +2129,14 @@ static int amdgpu_pci_probe(struct pci_d
);
return -ENODEV;
}
- }
+ break;
+#else
+ dev_info(&pdev->dev, "amdgpu is built without CIK support.\n");
+ return -ENODEV;
#endif
+ default:
+ break;
+ }
adev = devm_drm_dev_alloc(&pdev->dev, &amdgpu_kms_driver, typeof(*adev), ddev);
if (IS_ERR(adev))
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 234/291] drm/amd/pm: Prevent division by zero
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 233/291] drm/amd: Handle being compiled without SI or CIK support better Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 235/291] drm/amd/pm/powerplay: " Greg Kroah-Hartman
` (65 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 7d641c2b83275d3b0424127b2e0d2d0f7dd82aef upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: b64625a303de ("drm/amd/pm: correct the address of Arcturus fan related registers")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
@@ -1273,6 +1273,9 @@ static int arcturus_set_fan_speed_rpm(st
uint32_t crystal_clock_freq = 2500;
uint32_t tach_period;
+ if (!speed || speed > UINT_MAX/8)
+ return -EINVAL;
+
tach_period = 60 * crystal_clock_freq * 10000 / (8 * speed);
WREG32_SOC15(THM, 0, mmCG_TACH_CTRL_ARCT,
REG_SET_FIELD(RREG32_SOC15(THM, 0, mmCG_TACH_CTRL_ARCT),
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 235/291] drm/amd/pm/powerplay: Prevent division by zero
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 234/291] drm/amd/pm: Prevent division by zero Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 236/291] drm/amd/pm/smu11: " Greg Kroah-Hartman
` (64 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 4b8c3c0d17c07f301011e2908fecd2ebdcfe3d1c upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c52dcf49195d ("drm/amd/pp: Avoid divide-by-zero in fan_ctrl_set_fan_speed_rpm")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c
@@ -307,10 +307,10 @@ int vega10_fan_ctrl_set_fan_speed_rpm(st
int result = 0;
if (hwmgr->thermal_controller.fanInfo.bNoFan ||
- speed == 0 ||
+ (!speed || speed > UINT_MAX/8) ||
(speed < hwmgr->thermal_controller.fanInfo.ulMinRPM) ||
(speed > hwmgr->thermal_controller.fanInfo.ulMaxRPM))
- return -1;
+ return -EINVAL;
if (PP_CAP(PHM_PlatformCaps_MicrocodeFanControl))
result = vega10_fan_ctrl_stop_smc_fan_control(hwmgr);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 236/291] drm/amd/pm/smu11: Prevent division by zero
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 235/291] drm/amd/pm/powerplay: " Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 237/291] drm/amd/pm/powerplay/hwmgr/smu7_thermal: " Greg Kroah-Hartman
` (63 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 7ba88b5cccc1a99c1afb96e31e7eedac9907704c upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 1e866f1fe528 ("drm/amd/pm: Prevent divide by zero")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit da7dc714a8f8e1c9fc33c57cd63583779a3bef71)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
@@ -1228,7 +1228,7 @@ int smu_v11_0_set_fan_speed_rpm(struct s
uint32_t crystal_clock_freq = 2500;
uint32_t tach_period;
- if (speed == 0)
+ if (!speed || speed > UINT_MAX/8)
return -EINVAL;
/*
* To prevent from possible overheat, some ASICs may have requirement
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 237/291] drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 236/291] drm/amd/pm/smu11: " Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 238/291] drm/amd/pm/swsmu/smu13/smu_v13_0: " Greg Kroah-Hartman
` (62 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 7c246a05df51c52fe0852ce56ba10c41e6ed1f39 upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c52dcf49195d ("drm/amd/pp: Avoid divide-by-zero in fan_ctrl_set_fan_speed_rpm")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c
@@ -267,10 +267,10 @@ int smu7_fan_ctrl_set_fan_speed_rpm(stru
if (hwmgr->thermal_controller.fanInfo.bNoFan ||
(hwmgr->thermal_controller.fanInfo.
ucTachometerPulsesPerRevolution == 0) ||
- speed == 0 ||
+ (!speed || speed > UINT_MAX/8) ||
(speed < hwmgr->thermal_controller.fanInfo.ulMinRPM) ||
(speed > hwmgr->thermal_controller.fanInfo.ulMaxRPM))
- return 0;
+ return -EINVAL;
if (PP_CAP(PHM_PlatformCaps_MicrocodeFanControl))
smu7_fan_ctrl_stop_smc_fan_control(hwmgr);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 238/291] drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 237/291] drm/amd/pm/powerplay/hwmgr/smu7_thermal: " Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 239/291] drm/amd/pm/powerplay/hwmgr/vega20_thermal: " Greg Kroah-Hartman
` (61 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit f23e9116ebb71b63fe9cec0dcac792aa9af30b0c upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c05d1c401572 ("drm/amd/swsmu: add aldebaran smu13 ip support (v3)")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
@@ -1265,7 +1265,7 @@ int smu_v13_0_set_fan_speed_rpm(struct s
uint32_t tach_period;
int ret;
- if (!speed)
+ if (!speed || speed > UINT_MAX/8)
return -EINVAL;
ret = smu_v13_0_auto_fan_control(smu, 0);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 239/291] drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 238/291] drm/amd/pm/swsmu/smu13/smu_v13_0: " Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 240/291] drm/amdgpu/dma_buf: fix page_link check Greg Kroah-Hartman
` (60 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Arefev, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit 4e3d9508c056d7e0a56b58d5c81253e2a0d22b6c upstream.
The user can set any speed value.
If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 031db09017da ("drm/amd/powerplay/vega20: enable fan RPM and pwm settings V2")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c
@@ -191,7 +191,7 @@ int vega20_fan_ctrl_set_fan_speed_rpm(st
uint32_t tach_period, crystal_clock_freq;
int result = 0;
- if (!speed)
+ if (!speed || speed > UINT_MAX/8)
return -EINVAL;
if (PP_CAP(PHM_PlatformCaps_MicrocodeFanControl)) {
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 240/291] drm/amdgpu/dma_buf: fix page_link check
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 239/291] drm/amd/pm/powerplay/hwmgr/vega20_thermal: " Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 241/291] drm/nouveau: prime: fix ttm_bo_delayed_delete oops Greg Kroah-Hartman
` (59 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Christian König,
amd-gfx, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Auld <matthew.auld@intel.com>
commit c0dd8a9253fadfb8e5357217d085f1989da4ef0a upstream.
The page_link lower bits of the first sg could contain something like
SG_END, if we are mapping a single VRAM page or contiguous blob which
fits into one sg entry. Rather pull out the struct page, and use that in
our check to know if we mapped struct pages vs VRAM.
Fixes: f44ffd677fb3 ("drm/amdgpu: add support for exporting VRAM using DMA-buf v3")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: amd-gfx@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
@@ -210,7 +210,7 @@ static void amdgpu_dma_buf_unmap(struct
struct sg_table *sgt,
enum dma_data_direction dir)
{
- if (sgt->sgl->page_link) {
+ if (sg_page(sgt->sgl)) {
dma_unmap_sgtable(attach->dev, sgt, dir, 0);
sg_free_table(sgt);
kfree(sgt);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 241/291] drm/nouveau: prime: fix ttm_bo_delayed_delete oops
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 240/291] drm/amdgpu/dma_buf: fix page_link check Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 242/291] drm/sti: remove duplicate object names Greg Kroah-Hartman
` (58 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Bainbridge,
Christian König, Stable, Danilo Krummrich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Bainbridge <chris.bainbridge@gmail.com>
commit 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 upstream.
Fix an oops in ttm_bo_delayed_delete which results from dererencing a
dangling pointer:
Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP
CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216
Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024
Workqueue: ttm ttm_bo_delayed_delete [ttm]
RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290
Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b
RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b
R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc
FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x26
? die_addr+0x3d/0x70
? exc_general_protection+0x159/0x460
? asm_exc_general_protection+0x27/0x30
? dma_resv_iter_first_unlocked+0x55/0x290
dma_resv_wait_timeout+0x56/0x100
ttm_bo_delayed_delete+0x69/0xb0 [ttm]
process_one_work+0x217/0x5c0
worker_thread+0x1c8/0x3d0
? apply_wqattrs_cleanup.part.0+0xc0/0xc0
kthread+0x10b/0x240
? kthreads_online_cpu+0x140/0x140
ret_from_fork+0x40/0x70
? kthreads_online_cpu+0x140/0x140
ret_from_fork_asm+0x11/0x20
</TASK>
The cause of this is:
- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the
reference to the shared dma_buf. The reference count is 0, so the
dma_buf is destroyed, which in turn decrements the corresponding
amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -
calling drm_gem_object_release then dma_resv_fini (which destroys the
reservation object), then finally freeing the amdgpu_bo.
- nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory
formerly allocated to the amdgpu_bo.
- nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls
ttm_bo_release, which schedules ttm_bo_delayed_delete.
- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,
resulting in a general protection fault.
Fix this by moving the drm_prime_gem_destroy call from
nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will
be run after ttm_bo_delayed_delete.
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Fixes: 22b33e8ed0e3 ("nouveau: add PRIME support")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3937
Cc: Stable@vger.kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/Z-P4epVK8k7tFZ7C@debian.local
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +++
drivers/gpu/drm/nouveau/nouveau_gem.c | 3 ---
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -143,6 +143,9 @@ nouveau_bo_del_ttm(struct ttm_buffer_obj
nouveau_bo_del_io_reserve_lru(bo);
nv10_bo_put_tile_region(dev, nvbo->tile, NULL);
+ if (bo->base.import_attach)
+ drm_prime_gem_destroy(&bo->base, bo->sg);
+
/*
* If nouveau_bo_new() allocated this buffer, the GEM object was never
* initialized, so don't attempt to release it.
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -87,9 +87,6 @@ nouveau_gem_object_del(struct drm_gem_ob
return;
}
- if (gem->import_attach)
- drm_prime_gem_destroy(gem, nvbo->bo.sg);
-
ttm_bo_put(&nvbo->bo);
pm_runtime_mark_last_busy(dev);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 242/291] drm/sti: remove duplicate object names
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 241/291] drm/nouveau: prime: fix ttm_bo_delayed_delete oops Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 243/291] drm/i915/gvt: fix unterminated-string-initialization warning Greg Kroah-Hartman
` (57 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Rolf Eike Beer,
Dmitry Baryshkov, Raphael Gallais-Pou
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rolf Eike Beer <eb@emlix.com>
commit 7fb6afa9125fc111478615e24231943c4f76cc2e upstream.
When merging 2 drivers common object files were not deduplicated.
Fixes: dcec16efd677 ("drm/sti: Build monolithic driver")
Cc: stable@kernel.org
Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/1920148.tdWV9SEqCh@devpool47.emlix.com
Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/sti/Makefile | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/gpu/drm/sti/Makefile
+++ b/drivers/gpu/drm/sti/Makefile
@@ -7,8 +7,6 @@ sti-drm-y := \
sti_compositor.o \
sti_crtc.o \
sti_plane.o \
- sti_crtc.o \
- sti_plane.o \
sti_hdmi.o \
sti_hdmi_tx3g4c28phy.o \
sti_dvo.o \
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 243/291] drm/i915/gvt: fix unterminated-string-initialization warning
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 242/291] drm/sti: remove duplicate object names Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 244/291] io_uring/net: fix accept multishot handling Greg Kroah-Hartman
` (56 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Nicolas Chauvet,
Damian Tometzki, Zhenyu Wang, Jani Nikula
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 upstream.
Initializing const char opregion_signature[16] = OPREGION_SIGNATURE
(which is "IntelGraphicsMem") drops the NUL termination of the
string. This is intentional, but the compiler doesn't know this.
Switch to initializing header->signature directly from the string
litaral, with sizeof destination rather than source. We don't treat the
signature as a string other than for initialization; it's really just a
blob of binary data.
Add a static assert for good measure to cross-check the sizes.
Reported-by: Kees Cook <kees@kernel.org>
Closes: https://lore.kernel.org/r/20250310222355.work.417-kees@kernel.org
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13934
Tested-by: Nicolas Chauvet <kwizart@gmail.com>
Tested-by: Damian Tometzki <damian@riscv-rocks.de>
Cc: stable@vger.kernel.org
Reviewed-by: Zhenyu Wang <zhenyuw.linux@gmail.com>
Link: https://lore.kernel.org/r/20250327124739.2609656-1-jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 4f8207469094bd04aad952258ceb9ff4c77b6bfa)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gvt/opregion.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/opregion.c
+++ b/drivers/gpu/drm/i915/gvt/opregion.c
@@ -222,7 +222,6 @@ int intel_vgpu_init_opregion(struct inte
u8 *buf;
struct opregion_header *header;
struct vbt v;
- const char opregion_signature[16] = OPREGION_SIGNATURE;
gvt_dbg_core("init vgpu%d opregion\n", vgpu->id);
vgpu_opregion(vgpu)->va = (void *)__get_free_pages(GFP_KERNEL |
@@ -236,8 +235,10 @@ int intel_vgpu_init_opregion(struct inte
/* emulated opregion with VBT mailbox only */
buf = (u8 *)vgpu_opregion(vgpu)->va;
header = (struct opregion_header *)buf;
- memcpy(header->signature, opregion_signature,
- sizeof(opregion_signature));
+
+ static_assert(sizeof(header->signature) == sizeof(OPREGION_SIGNATURE) - 1);
+ memcpy(header->signature, OPREGION_SIGNATURE, sizeof(header->signature));
+
header->size = 0x8;
header->opregion_ver = 0x02000000;
header->mboxes = MBOX_VBT;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 244/291] io_uring/net: fix accept multishot handling
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 243/291] drm/i915/gvt: fix unterminated-string-initialization warning Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 245/291] KVM: arm64: Discard any SVE state when entering KVM guests Greg Kroah-Hartman
` (55 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
Commit f6a89bf5278d6e15016a736db67043560d1b50d5 upstream.
REQ_F_APOLL_MULTISHOT doesn't guarantee it's executed from the multishot
context, so a multishot accept may get executed inline, fail
io_req_post_cqe(), and ask the core code to kill the request with
-ECANCELED by returning IOU_STOP_MULTISHOT even when a socket has been
accepted and installed.
Cc: stable@vger.kernel.org
Fixes: 390ed29b5e425 ("io_uring: add IORING_ACCEPT_MULTISHOT for accept")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/51c6deb01feaa78b08565ca8f24843c017f5bc80.1740331076.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 2 ++
1 file changed, 2 insertions(+)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1391,6 +1391,8 @@ retry:
goto retry;
io_req_set_res(req, ret, 0);
+ if (!(issue_flags & IO_URING_F_MULTISHOT))
+ return IOU_OK;
return IOU_STOP_MULTISHOT;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 245/291] KVM: arm64: Discard any SVE state when entering KVM guests
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 244/291] io_uring/net: fix accept multishot handling Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 246/291] arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE Greg Kroah-Hartman
` (54 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Catalin Marinas,
Marc Zyngier, Will Deacon, Mark Rutland
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe ]
Since 8383741ab2e773a99 (KVM: arm64: Get rid of host SVE tracking/saving)
KVM has not tracked the host SVE state, relying on the fact that we
currently disable SVE whenever we perform a syscall. This may not be true
in future since performance optimisation may result in us keeping SVE
enabled in order to avoid needing to take access traps to reenable it.
Handle this by clearing TIF_SVE and converting the stored task state to
FPSIMD format when preparing to run the guest. This is done with a new
call fpsimd_kvm_prepare() to keep the direct state manipulation
functions internal to fpsimd.c.
Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20221115094640.112848-2-broonie@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: trivial backport to v6.1 ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/fpsimd.h | 1 +
arch/arm64/kernel/fpsimd.c | 23 +++++++++++++++++++++++
arch/arm64/kvm/fpsimd.c | 3 ++-
3 files changed, 26 insertions(+), 1 deletion(-)
--- a/arch/arm64/include/asm/fpsimd.h
+++ b/arch/arm64/include/asm/fpsimd.h
@@ -56,6 +56,7 @@ extern void fpsimd_signal_preserve_curre
extern void fpsimd_preserve_current_state(void);
extern void fpsimd_restore_current_state(void);
extern void fpsimd_update_current_state(struct user_fpsimd_state const *state);
+extern void fpsimd_kvm_prepare(void);
extern void fpsimd_bind_state_to_cpu(struct user_fpsimd_state *state,
void *sve_state, unsigned int sve_vl,
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1644,6 +1644,29 @@ void fpsimd_signal_preserve_current_stat
}
/*
+ * Called by KVM when entering the guest.
+ */
+void fpsimd_kvm_prepare(void)
+{
+ if (!system_supports_sve())
+ return;
+
+ /*
+ * KVM does not save host SVE state since we can only enter
+ * the guest from a syscall so the ABI means that only the
+ * non-saved SVE state needs to be saved. If we have left
+ * SVE enabled for performance reasons then update the task
+ * state to be FPSIMD only.
+ */
+ get_cpu_fpsimd_context();
+
+ if (test_and_clear_thread_flag(TIF_SVE))
+ sve_to_fpsimd(current);
+
+ put_cpu_fpsimd_context();
+}
+
+/*
* Associate current's FPSIMD context with this cpu
* The caller must have ownership of the cpu FPSIMD context before calling
* this function.
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -75,11 +75,12 @@ int kvm_arch_vcpu_run_map_fp(struct kvm_
void kvm_arch_vcpu_load_fp(struct kvm_vcpu *vcpu)
{
BUG_ON(!current->mm);
- BUG_ON(test_thread_flag(TIF_SVE));
if (!system_supports_fpsimd())
return;
+ fpsimd_kvm_prepare();
+
vcpu->arch.fp_state = FP_STATE_HOST_OWNED;
vcpu_clear_flag(vcpu, HOST_SVE_ENABLED);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 246/291] arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 245/291] KVM: arm64: Discard any SVE state when entering KVM guests Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 247/291] arm64/fpsimd: Have KVM explicitly say which FP registers to save Greg Kroah-Hartman
` (53 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Catalin Marinas,
Marc Zyngier, Will Deacon, Mark Rutland
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit baa8515281b30861cff3da7db70662d2a25c6440 ]
When we save the state for the floating point registers this can be done
in the form visible through either the FPSIMD V registers or the SVE Z and
P registers. At present we track which format is currently used based on
TIF_SVE and the SME streaming mode state but particularly in the SVE case
this limits our options for optimising things, especially around syscalls.
Introduce a new enum which we place together with saved floating point
state in both thread_struct and the KVM guest state which explicitly
states which format is active and keep it up to date when we change it.
At present we do not use this state except to verify that it has the
expected value when loading the state, future patches will introduce
functional changes.
Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20221115094640.112848-3-broonie@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: fix conflicts due to earlier backports ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/fpsimd.h | 2 -
arch/arm64/include/asm/kvm_host.h | 12 +++++++
arch/arm64/include/asm/processor.h | 6 +++
arch/arm64/kernel/fpsimd.c | 58 +++++++++++++++++++++++++++----------
arch/arm64/kernel/process.c | 2 +
arch/arm64/kernel/ptrace.c | 3 +
arch/arm64/kernel/signal.c | 7 +++-
arch/arm64/kvm/fpsimd.c | 3 +
8 files changed, 74 insertions(+), 19 deletions(-)
--- a/arch/arm64/include/asm/fpsimd.h
+++ b/arch/arm64/include/asm/fpsimd.h
@@ -61,7 +61,7 @@ extern void fpsimd_kvm_prepare(void);
extern void fpsimd_bind_state_to_cpu(struct user_fpsimd_state *state,
void *sve_state, unsigned int sve_vl,
void *za_state, unsigned int sme_vl,
- u64 *svcr);
+ u64 *svcr, enum fp_type *type);
extern void fpsimd_flush_task_state(struct task_struct *target);
extern void fpsimd_save_and_flush_cpu_state(void);
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -309,8 +309,18 @@ struct vcpu_reset_state {
struct kvm_vcpu_arch {
struct kvm_cpu_context ctxt;
- /* Guest floating point state */
+ /*
+ * Guest floating point state
+ *
+ * The architecture has two main floating point extensions,
+ * the original FPSIMD and SVE. These have overlapping
+ * register views, with the FPSIMD V registers occupying the
+ * low 128 bits of the SVE Z registers. When the core
+ * floating point code saves the register state of a task it
+ * records which view it saved in fp_type.
+ */
void *sve_state;
+ enum fp_type fp_type;
unsigned int sve_max_vl;
u64 svcr;
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -122,6 +122,11 @@ enum vec_type {
ARM64_VEC_MAX,
};
+enum fp_type {
+ FP_STATE_FPSIMD,
+ FP_STATE_SVE,
+};
+
struct cpu_context {
unsigned long x19;
unsigned long x20;
@@ -152,6 +157,7 @@ struct thread_struct {
struct user_fpsimd_state fpsimd_state;
} uw;
+ enum fp_type fp_type; /* registers FPSIMD or SVE? */
unsigned int fpsimd_cpu;
void *sve_state; /* SVE registers, if any */
void *za_state; /* ZA register, if any */
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -125,6 +125,7 @@ struct fpsimd_last_state_struct {
u64 *svcr;
unsigned int sve_vl;
unsigned int sme_vl;
+ enum fp_type *fp_type;
};
static DEFINE_PER_CPU(struct fpsimd_last_state_struct, fpsimd_last_state);
@@ -330,15 +331,6 @@ void task_set_vl_onexec(struct task_stru
* The task can execute SVE instructions while in userspace without
* trapping to the kernel.
*
- * When stored, Z0-Z31 (incorporating Vn in bits[127:0] or the
- * corresponding Zn), P0-P15 and FFR are encoded in
- * task->thread.sve_state, formatted appropriately for vector
- * length task->thread.sve_vl or, if SVCR.SM is set,
- * task->thread.sme_vl.
- *
- * task->thread.sve_state must point to a valid buffer at least
- * sve_state_size(task) bytes in size.
- *
* During any syscall, the kernel may optionally clear TIF_SVE and
* discard the vector state except for the FPSIMD subset.
*
@@ -348,7 +340,15 @@ void task_set_vl_onexec(struct task_stru
* do_sve_acc() to be called, which does some preparation and then
* sets TIF_SVE.
*
- * When stored, FPSIMD registers V0-V31 are encoded in
+ * During any syscall, the kernel may optionally clear TIF_SVE and
+ * discard the vector state except for the FPSIMD subset.
+ *
+ * The data will be stored in one of two formats:
+ *
+ * * FPSIMD only - FP_STATE_FPSIMD:
+ *
+ * When the FPSIMD only state stored task->thread.fp_type is set to
+ * FP_STATE_FPSIMD, the FPSIMD registers V0-V31 are encoded in
* task->thread.uw.fpsimd_state; bits [max : 128] for each of Z0-Z31 are
* logically zero but not stored anywhere; P0-P15 and FFR are not
* stored and have unspecified values from userspace's point of
@@ -358,6 +358,19 @@ void task_set_vl_onexec(struct task_stru
* task->thread.sve_state does not need to be non-NULL, valid or any
* particular size: it must not be dereferenced.
*
+ * * SVE state - FP_STATE_SVE:
+ *
+ * When the full SVE state is stored task->thread.fp_type is set to
+ * FP_STATE_SVE and Z0-Z31 (incorporating Vn in bits[127:0] or the
+ * corresponding Zn), P0-P15 and FFR are encoded in in
+ * task->thread.sve_state, formatted appropriately for vector
+ * length task->thread.sve_vl or, if SVCR.SM is set,
+ * task->thread.sme_vl. The storage for the vector registers in
+ * task->thread.uw.fpsimd_state should be ignored.
+ *
+ * task->thread.sve_state must point to a valid buffer at least
+ * sve_state_size(task) bytes in size.
+ *
* * FPSR and FPCR are always stored in task->thread.uw.fpsimd_state
* irrespective of whether TIF_SVE is clear or set, since these are
* not vector length dependent.
@@ -404,12 +417,15 @@ static void task_fpsimd_load(void)
}
}
- if (restore_sve_regs)
+ if (restore_sve_regs) {
+ WARN_ON_ONCE(current->thread.fp_type != FP_STATE_SVE);
sve_load_state(sve_pffr(¤t->thread),
¤t->thread.uw.fpsimd_state.fpsr,
restore_ffr);
- else
+ } else {
+ WARN_ON_ONCE(current->thread.fp_type != FP_STATE_FPSIMD);
fpsimd_load_state(¤t->thread.uw.fpsimd_state);
+ }
}
/*
@@ -474,8 +490,10 @@ static void fpsimd_save(void)
sve_save_state((char *)last->sve_state +
sve_ffr_offset(vl),
&last->st->fpsr, save_ffr);
+ *last->fp_type = FP_STATE_SVE;
} else {
fpsimd_save_state(last->st);
+ *last->fp_type = FP_STATE_FPSIMD;
}
}
@@ -851,8 +869,10 @@ int vec_set_vector_length(struct task_st
fpsimd_flush_task_state(task);
if (test_and_clear_tsk_thread_flag(task, TIF_SVE) ||
- thread_sm_enabled(&task->thread))
+ thread_sm_enabled(&task->thread)) {
sve_to_fpsimd(task);
+ task->thread.fp_type = FP_STATE_FPSIMD;
+ }
if (system_supports_sme()) {
if (type == ARM64_VEC_SME ||
@@ -1383,6 +1403,7 @@ static void sve_init_regs(void)
fpsimd_bind_task_to_cpu();
} else {
fpsimd_to_sve(current);
+ current->thread.fp_type = FP_STATE_SVE;
fpsimd_flush_task_state(current);
}
}
@@ -1612,6 +1633,8 @@ void fpsimd_flush_thread(void)
current->thread.svcr = 0;
}
+ current->thread.fp_type = FP_STATE_FPSIMD;
+
put_cpu_fpsimd_context();
kfree(sve_state);
kfree(za_state);
@@ -1660,8 +1683,10 @@ void fpsimd_kvm_prepare(void)
*/
get_cpu_fpsimd_context();
- if (test_and_clear_thread_flag(TIF_SVE))
+ if (test_and_clear_thread_flag(TIF_SVE)) {
sve_to_fpsimd(current);
+ current->thread.fp_type = FP_STATE_FPSIMD;
+ }
put_cpu_fpsimd_context();
}
@@ -1683,6 +1708,7 @@ static void fpsimd_bind_task_to_cpu(void
last->sve_vl = task_get_sve_vl(current);
last->sme_vl = task_get_sme_vl(current);
last->svcr = ¤t->thread.svcr;
+ last->fp_type = ¤t->thread.fp_type;
current->thread.fpsimd_cpu = smp_processor_id();
/*
@@ -1706,7 +1732,8 @@ static void fpsimd_bind_task_to_cpu(void
void fpsimd_bind_state_to_cpu(struct user_fpsimd_state *st, void *sve_state,
unsigned int sve_vl, void *za_state,
- unsigned int sme_vl, u64 *svcr)
+ unsigned int sme_vl, u64 *svcr,
+ enum fp_type *type)
{
struct fpsimd_last_state_struct *last =
this_cpu_ptr(&fpsimd_last_state);
@@ -1720,6 +1747,7 @@ void fpsimd_bind_state_to_cpu(struct use
last->za_state = za_state;
last->sve_vl = sve_vl;
last->sme_vl = sme_vl;
+ last->fp_type = type;
}
/*
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -331,6 +331,8 @@ int arch_dup_task_struct(struct task_str
clear_tsk_thread_flag(dst, TIF_SME);
}
+ dst->thread.fp_type = FP_STATE_FPSIMD;
+
/* clear any pending asynchronous tag fault raised by the parent */
clear_tsk_thread_flag(dst, TIF_MTE_ASYNC_FAULT);
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -917,6 +917,7 @@ static int sve_set_common(struct task_st
clear_tsk_thread_flag(target, TIF_SVE);
if (type == ARM64_VEC_SME)
fpsimd_force_sync_to_sve(target);
+ target->thread.fp_type = FP_STATE_FPSIMD;
goto out;
}
@@ -939,6 +940,7 @@ static int sve_set_common(struct task_st
if (!target->thread.sve_state) {
ret = -ENOMEM;
clear_tsk_thread_flag(target, TIF_SVE);
+ target->thread.fp_type = FP_STATE_FPSIMD;
goto out;
}
@@ -952,6 +954,7 @@ static int sve_set_common(struct task_st
fpsimd_sync_to_sve(target);
if (type == ARM64_VEC_SVE)
set_tsk_thread_flag(target, TIF_SVE);
+ target->thread.fp_type = FP_STATE_SVE;
BUILD_BUG_ON(SVE_PT_SVE_OFFSET != sizeof(header));
start = SVE_PT_SVE_OFFSET;
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -207,6 +207,7 @@ static int restore_fpsimd_context(struct
__get_user_error(fpsimd.fpcr, &ctx->fpcr, err);
clear_thread_flag(TIF_SVE);
+ current->thread.fp_type = FP_STATE_FPSIMD;
/* load the hardware registers from the fpsimd_state structure */
if (!err)
@@ -297,6 +298,7 @@ static int restore_sve_fpsimd_context(st
if (sve.head.size <= sizeof(*user->sve)) {
clear_thread_flag(TIF_SVE);
current->thread.svcr &= ~SVCR_SM_MASK;
+ current->thread.fp_type = FP_STATE_FPSIMD;
goto fpsimd_only;
}
@@ -332,6 +334,7 @@ static int restore_sve_fpsimd_context(st
current->thread.svcr |= SVCR_SM_MASK;
else
set_thread_flag(TIF_SVE);
+ current->thread.fp_type = FP_STATE_SVE;
fpsimd_only:
/* copy the FP and status/control registers */
@@ -937,9 +940,11 @@ static void setup_return(struct pt_regs
* FPSIMD register state - flush the saved FPSIMD
* register state in case it gets loaded.
*/
- if (current->thread.svcr & SVCR_SM_MASK)
+ if (current->thread.svcr & SVCR_SM_MASK) {
memset(¤t->thread.uw.fpsimd_state, 0,
sizeof(current->thread.uw.fpsimd_state));
+ current->thread.fp_type = FP_STATE_FPSIMD;
+ }
current->thread.svcr &= ~(SVCR_ZA_MASK |
SVCR_SM_MASK);
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -140,7 +140,8 @@ void kvm_arch_vcpu_ctxsync_fp(struct kvm
fpsimd_bind_state_to_cpu(&vcpu->arch.ctxt.fp_regs,
vcpu->arch.sve_state,
vcpu->arch.sve_max_vl,
- NULL, 0, &vcpu->arch.svcr);
+ NULL, 0, &vcpu->arch.svcr,
+ &vcpu->arch.fp_type);
clear_thread_flag(TIF_FOREIGN_FPSTATE);
update_thread_flag(TIF_SVE, vcpu_has_sve(vcpu));
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 247/291] arm64/fpsimd: Have KVM explicitly say which FP registers to save
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 246/291] arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 248/291] arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Greg Kroah-Hartman
` (52 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Catalin Marinas,
Marc Zyngier, Will Deacon, Mark Rutland
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit deeb8f9a80fdae5a62525656d65c7070c28bd3a4 ]
In order to avoid needlessly saving and restoring the guest registers KVM
relies on the host FPSMID code to save the guest registers when we context
switch away from the guest. This is done by binding the KVM guest state to
the CPU on top of the task state that was originally there, then carefully
managing the TIF_SVE flag for the task to cause the host to save the full
SVE state when needed regardless of the needs of the host task. This works
well enough but isn't terribly direct about what is going on and makes it
much more complicated to try to optimise what we're doing with the SVE
register state.
Let's instead have KVM pass in the register state it wants saving when it
binds to the CPU. We introduce a new FP_STATE_CURRENT for use
during normal task binding to indicate that we should base our
decisions on the current task. This should not be used when
actually saving. Ideally we might want to use a separate enum for
the type to save but this enum and the enum values would then
need to be named which has problems with clarity and ambiguity.
In order to ease any future debugging that might be required this patch
does not actually update any of the decision making about what to save,
it merely starts tracking the new information and warns if the requested
state is not what we would otherwise have decided to save.
Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20221115094640.112848-4-broonie@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/fpsimd.h | 3 ++-
arch/arm64/include/asm/processor.h | 1 +
arch/arm64/kernel/fpsimd.c | 27 ++++++++++++++++++++++++---
arch/arm64/kvm/fpsimd.c | 9 ++++++++-
4 files changed, 35 insertions(+), 5 deletions(-)
--- a/arch/arm64/include/asm/fpsimd.h
+++ b/arch/arm64/include/asm/fpsimd.h
@@ -61,7 +61,8 @@ extern void fpsimd_kvm_prepare(void);
extern void fpsimd_bind_state_to_cpu(struct user_fpsimd_state *state,
void *sve_state, unsigned int sve_vl,
void *za_state, unsigned int sme_vl,
- u64 *svcr, enum fp_type *type);
+ u64 *svcr, enum fp_type *type,
+ enum fp_type to_save);
extern void fpsimd_flush_task_state(struct task_struct *target);
extern void fpsimd_save_and_flush_cpu_state(void);
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -123,6 +123,7 @@ enum vec_type {
};
enum fp_type {
+ FP_STATE_CURRENT, /* Save based on current task state. */
FP_STATE_FPSIMD,
FP_STATE_SVE,
};
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -126,6 +126,7 @@ struct fpsimd_last_state_struct {
unsigned int sve_vl;
unsigned int sme_vl;
enum fp_type *fp_type;
+ enum fp_type to_save;
};
static DEFINE_PER_CPU(struct fpsimd_last_state_struct, fpsimd_last_state);
@@ -356,7 +357,8 @@ void task_set_vl_onexec(struct task_stru
* but userspace is discouraged from relying on this.
*
* task->thread.sve_state does not need to be non-NULL, valid or any
- * particular size: it must not be dereferenced.
+ * particular size: it must not be dereferenced and any data stored
+ * there should be considered stale and not referenced.
*
* * SVE state - FP_STATE_SVE:
*
@@ -369,7 +371,9 @@ void task_set_vl_onexec(struct task_stru
* task->thread.uw.fpsimd_state should be ignored.
*
* task->thread.sve_state must point to a valid buffer at least
- * sve_state_size(task) bytes in size.
+ * sve_state_size(task) bytes in size. The data stored in
+ * task->thread.uw.fpsimd_state.vregs should be considered stale
+ * and not referenced.
*
* * FPSR and FPCR are always stored in task->thread.uw.fpsimd_state
* irrespective of whether TIF_SVE is clear or set, since these are
@@ -459,6 +463,21 @@ static void fpsimd_save(void)
vl = last->sve_vl;
}
+ /*
+ * Validate that an explicitly specified state to save is
+ * consistent with the task state.
+ */
+ switch (last->to_save) {
+ case FP_STATE_CURRENT:
+ break;
+ case FP_STATE_FPSIMD:
+ WARN_ON_ONCE(save_sve_regs);
+ break;
+ case FP_STATE_SVE:
+ WARN_ON_ONCE(!save_sve_regs);
+ break;
+ }
+
if (system_supports_sme()) {
u64 *svcr = last->svcr;
@@ -1709,6 +1728,7 @@ static void fpsimd_bind_task_to_cpu(void
last->sme_vl = task_get_sme_vl(current);
last->svcr = ¤t->thread.svcr;
last->fp_type = ¤t->thread.fp_type;
+ last->to_save = FP_STATE_CURRENT;
current->thread.fpsimd_cpu = smp_processor_id();
/*
@@ -1733,7 +1753,7 @@ static void fpsimd_bind_task_to_cpu(void
void fpsimd_bind_state_to_cpu(struct user_fpsimd_state *st, void *sve_state,
unsigned int sve_vl, void *za_state,
unsigned int sme_vl, u64 *svcr,
- enum fp_type *type)
+ enum fp_type *type, enum fp_type to_save)
{
struct fpsimd_last_state_struct *last =
this_cpu_ptr(&fpsimd_last_state);
@@ -1748,6 +1768,7 @@ void fpsimd_bind_state_to_cpu(struct use
last->sve_vl = sve_vl;
last->sme_vl = sme_vl;
last->fp_type = type;
+ last->to_save = to_save;
}
/*
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -130,9 +130,16 @@ void kvm_arch_vcpu_ctxflush_fp(struct kv
*/
void kvm_arch_vcpu_ctxsync_fp(struct kvm_vcpu *vcpu)
{
+ enum fp_type fp_type;
+
WARN_ON_ONCE(!irqs_disabled());
if (vcpu->arch.fp_state == FP_STATE_GUEST_OWNED) {
+ if (vcpu_has_sve(vcpu))
+ fp_type = FP_STATE_SVE;
+ else
+ fp_type = FP_STATE_FPSIMD;
+
/*
* Currently we do not support SME guests so SVCR is
* always 0 and we just need a variable to point to.
@@ -141,7 +148,7 @@ void kvm_arch_vcpu_ctxsync_fp(struct kvm
vcpu->arch.sve_state,
vcpu->arch.sve_max_vl,
NULL, 0, &vcpu->arch.svcr,
- &vcpu->arch.fp_type);
+ &vcpu->arch.fp_type, fp_type);
clear_thread_flag(TIF_FOREIGN_FPSTATE);
update_thread_flag(TIF_SVE, vcpu_has_sve(vcpu));
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 248/291] arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 247/291] arm64/fpsimd: Have KVM explicitly say which FP registers to save Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 249/291] KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Greg Kroah-Hartman
` (51 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Catalin Marinas,
Marc Zyngier, Will Deacon, Mark Rutland
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit 62021cc36add7b2c015b837f7893f2fb4b8c2586 ]
Now that we are explicitly telling the host FP code which register state
it needs to save we can remove the manipulation of TIF_SVE from the KVM
code, simplifying it and allowing us to optimise our handling of normal
tasks. Remove the manipulation of TIF_SVE from KVM and instead rely on
to_save to ensure we save the correct data for it.
There should be no functional or performance impact from this change.
Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20221115094640.112848-5-broonie@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/fpsimd.c | 22 ++++------------------
arch/arm64/kvm/fpsimd.c | 3 ---
2 files changed, 4 insertions(+), 21 deletions(-)
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -439,8 +439,8 @@ static void task_fpsimd_load(void)
* last, if KVM is involved this may be the guest VM context rather
* than the host thread for the VM pointed to by current. This means
* that we must always reference the state storage via last rather
- * than via current, other than the TIF_ flags which KVM will
- * carefully maintain for us.
+ * than via current, if we are saving KVM state then it will have
+ * ensured that the type of registers to save is set in last->to_save.
*/
static void fpsimd_save(void)
{
@@ -457,27 +457,13 @@ static void fpsimd_save(void)
if (test_thread_flag(TIF_FOREIGN_FPSTATE))
return;
- if (test_thread_flag(TIF_SVE)) {
+ if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE)) ||
+ last->to_save == FP_STATE_SVE) {
save_sve_regs = true;
save_ffr = true;
vl = last->sve_vl;
}
- /*
- * Validate that an explicitly specified state to save is
- * consistent with the task state.
- */
- switch (last->to_save) {
- case FP_STATE_CURRENT:
- break;
- case FP_STATE_FPSIMD:
- WARN_ON_ONCE(save_sve_regs);
- break;
- case FP_STATE_SVE:
- WARN_ON_ONCE(!save_sve_regs);
- break;
- }
-
if (system_supports_sme()) {
u64 *svcr = last->svcr;
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -151,7 +151,6 @@ void kvm_arch_vcpu_ctxsync_fp(struct kvm
&vcpu->arch.fp_type, fp_type);
clear_thread_flag(TIF_FOREIGN_FPSTATE);
- update_thread_flag(TIF_SVE, vcpu_has_sve(vcpu));
}
}
@@ -208,7 +207,5 @@ void kvm_arch_vcpu_put_fp(struct kvm_vcp
sysreg_clear_set(CPACR_EL1, CPACR_EL1_ZEN_EL0EN, 0);
}
- update_thread_flag(TIF_SVE, 0);
-
local_irq_restore(flags);
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 249/291] KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 248/291] arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 250/291] KVM: arm64: Remove host FPSIMD saving for non-protected KVM Greg Kroah-Hartman
` (50 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Auger, Wilco Dijkstra,
Mark Brown, Eric Auger, Will Deacon, Catalin Marinas,
Florian Weimer, Fuad Tabba, Jeremy Linton, Marc Zyngier,
Oliver Upton, Paolo Bonzini, Mark Rutland
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit fbc7e61195e23f744814e78524b73b59faa54ab4 ]
There are several problems with the way hyp code lazily saves the host's
FPSIMD/SVE state, including:
* Host SVE being discarded unexpectedly due to inconsistent
configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to
result in QEMU crashes where SVE is used by memmove(), as reported by
Eric Auger:
https://issues.redhat.com/browse/RHEL-68997
* Host SVE state is discarded *after* modification by ptrace, which was an
unintentional ptrace ABI change introduced with lazy discarding of SVE state.
* The host FPMR value can be discarded when running a non-protected VM,
where FPMR support is not exposed to a VM, and that VM uses
FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR
before unbinding the host's FPSIMD/SVE/SME state, leaving a stale
value in memory.
Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME
state when loading a vCPU such that KVM does not need to save any of the
host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is
removed and the necessary call to fpsimd_save_and_flush_cpu_state() is
placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'
should not be used, they are set to NULL; all uses of these will be
removed in subsequent patches.
Historical problems go back at least as far as v5.17, e.g. erroneous
assumptions about TIF_SVE being clear in commit:
8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")
... and so this eager save+flush probably needs to be backported to ALL
stable trees.
Fixes: 93ae6b01bafee8fa ("KVM: arm64: Discard any SVE state when entering KVM guests")
Fixes: 8c845e2731041f0f ("arm64/sve: Leave SVE enabled on syscall if we don't context switch")
Fixes: ef3be86021c3bdf3 ("KVM: arm64: Add save/restore support for FPMR")
Reported-by: Eric Auger <eauger@redhat.com>
Reported-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Eric Auger <eric.auger@redhat.com>
Acked-by: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Jeremy Linton <jeremy.linton@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-2-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
[ Mark: Handle vcpu/host flag conflict, remove host_data_ptr() ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/fpsimd.c | 25 -------------------------
arch/arm64/kvm/fpsimd.c | 18 ++++++++++--------
2 files changed, 10 insertions(+), 33 deletions(-)
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1672,31 +1672,6 @@ void fpsimd_signal_preserve_current_stat
}
/*
- * Called by KVM when entering the guest.
- */
-void fpsimd_kvm_prepare(void)
-{
- if (!system_supports_sve())
- return;
-
- /*
- * KVM does not save host SVE state since we can only enter
- * the guest from a syscall so the ABI means that only the
- * non-saved SVE state needs to be saved. If we have left
- * SVE enabled for performance reasons then update the task
- * state to be FPSIMD only.
- */
- get_cpu_fpsimd_context();
-
- if (test_and_clear_thread_flag(TIF_SVE)) {
- sve_to_fpsimd(current);
- current->thread.fp_type = FP_STATE_FPSIMD;
- }
-
- put_cpu_fpsimd_context();
-}
-
-/*
* Associate current's FPSIMD context with this cpu
* The caller must have ownership of the cpu FPSIMD context before calling
* this function.
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -79,9 +79,16 @@ void kvm_arch_vcpu_load_fp(struct kvm_vc
if (!system_supports_fpsimd())
return;
- fpsimd_kvm_prepare();
-
- vcpu->arch.fp_state = FP_STATE_HOST_OWNED;
+ /*
+ * Ensure that any host FPSIMD/SVE/SME state is saved and unbound such
+ * that the host kernel is responsible for restoring this state upon
+ * return to userspace, and the hyp code doesn't need to save anything.
+ *
+ * When the host may use SME, fpsimd_save_and_flush_cpu_state() ensures
+ * that PSTATE.{SM,ZA} == {0,0}.
+ */
+ fpsimd_save_and_flush_cpu_state();
+ vcpu->arch.fp_state = FP_STATE_FREE;
vcpu_clear_flag(vcpu, HOST_SVE_ENABLED);
if (read_sysreg(cpacr_el1) & CPACR_EL1_ZEN_EL0EN)
@@ -100,11 +107,6 @@ void kvm_arch_vcpu_load_fp(struct kvm_vc
vcpu_clear_flag(vcpu, HOST_SME_ENABLED);
if (read_sysreg(cpacr_el1) & CPACR_EL1_SMEN_EL0EN)
vcpu_set_flag(vcpu, HOST_SME_ENABLED);
-
- if (read_sysreg_s(SYS_SVCR) & (SVCR_SM_MASK | SVCR_ZA_MASK)) {
- vcpu->arch.fp_state = FP_STATE_FREE;
- fpsimd_save_and_flush_cpu_state();
- }
}
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 250/291] KVM: arm64: Remove host FPSIMD saving for non-protected KVM
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 249/291] KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Greg Kroah-Hartman
@ 2025-04-23 14:43 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 251/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Greg Kroah-Hartman
` (49 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Will Deacon, Catalin Marinas, Fuad Tabba, Marc Zyngier,
Oliver Upton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 8eca7f6d5100b6997df4f532090bc3f7e0203bef ]
Now that the host eagerly saves its own FPSIMD/SVE/SME state,
non-protected KVM never needs to save the host FPSIMD/SVE/SME state,
and the code to do this is never used. Protected KVM still needs to
save/restore the host FPSIMD/SVE state to avoid leaking guest state to
the host (and to avoid revealing to the host whether the guest used
FPSIMD/SVE/SME), and that code needs to be retained.
Remove the unused code and data structures.
To avoid the need for a stub copy of kvm_hyp_save_fpsimd_host() in the
VHE hyp code, the nVHE/hVHE version is moved into the shared switch
header, where it is only invoked when KVM is in protected mode.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-3-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 1 -
arch/arm64/kvm/fpsimd.c | 2 --
arch/arm64/kvm/hyp/include/hyp/switch.h | 4 ----
3 files changed, 7 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -380,7 +380,6 @@ struct kvm_vcpu_arch {
struct kvm_guest_debug_arch vcpu_debug_state;
struct kvm_guest_debug_arch external_debug_state;
- struct user_fpsimd_state *host_fpsimd_state; /* hyp VA */
struct task_struct *parent_task;
struct {
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -49,8 +49,6 @@ int kvm_arch_vcpu_run_map_fp(struct kvm_
if (ret)
return ret;
- vcpu->arch.host_fpsimd_state = kern_hyp_va(fpsimd);
-
/*
* We need to keep current's task_struct pinned until its data has been
* unshared with the hypervisor to make sure it is not re-used by the
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -207,10 +207,6 @@ static bool kvm_hyp_handle_fpsimd(struct
}
isb();
- /* Write out the host state if it's in the registers */
- if (vcpu->arch.fp_state == FP_STATE_HOST_OWNED)
- __fpsimd_save_state(vcpu->arch.host_fpsimd_state);
-
/* Restore the guest state */
if (sve_guest)
__hyp_sve_restore_guest(vcpu);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 251/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-04-23 14:43 ` [PATCH 6.1 250/291] KVM: arm64: Remove host FPSIMD saving for non-protected KVM Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 252/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Greg Kroah-Hartman
` (48 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Will Deacon, Catalin Marinas, Fuad Tabba, Marc Zyngier,
Oliver Upton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 459f059be702056d91537b99a129994aa6ccdd35 ]
When KVM is in VHE mode, the host kernel tries to save and restore the
configuration of CPACR_EL1.ZEN (i.e. CPTR_EL2.ZEN when HCR_EL2.E2H=1)
across kvm_arch_vcpu_load_fp() and kvm_arch_vcpu_put_fp(), since the
configuration may be clobbered by hyp when running a vCPU. This logic is
currently redundant.
The VHE hyp code unconditionally configures CPTR_EL2.ZEN to 0b01 when
returning to the host, permitting host kernel usage of SVE.
Now that the host eagerly saves and unbinds its own FPSIMD/SVE/SME
state, there's no need to save/restore the state of the EL0 SVE trap.
The kernel can safely save/restore state without trapping, as described
above, and will restore userspace state (including trap controls) before
returning to userspace.
Remove the redundant logic.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-4-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
[Rework for refactoring of where the flags are stored -- broonie]
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 2 --
arch/arm64/kvm/fpsimd.c | 16 ----------------
2 files changed, 18 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -556,8 +556,6 @@ struct kvm_vcpu_arch {
/* Save TRBE context if active */
#define DEBUG_STATE_SAVE_TRBE __vcpu_single_flag(iflags, BIT(6))
-/* SVE enabled for host EL0 */
-#define HOST_SVE_ENABLED __vcpu_single_flag(sflags, BIT(0))
/* SME enabled for EL0 */
#define HOST_SME_ENABLED __vcpu_single_flag(sflags, BIT(1))
/* Physical CPU not in supported_cpus */
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -88,10 +88,6 @@ void kvm_arch_vcpu_load_fp(struct kvm_vc
fpsimd_save_and_flush_cpu_state();
vcpu->arch.fp_state = FP_STATE_FREE;
- vcpu_clear_flag(vcpu, HOST_SVE_ENABLED);
- if (read_sysreg(cpacr_el1) & CPACR_EL1_ZEN_EL0EN)
- vcpu_set_flag(vcpu, HOST_SVE_ENABLED);
-
/*
* We don't currently support SME guests but if we leave
* things in streaming mode then when the guest starts running
@@ -193,18 +189,6 @@ void kvm_arch_vcpu_put_fp(struct kvm_vcp
}
fpsimd_save_and_flush_cpu_state();
- } else if (has_vhe() && system_supports_sve()) {
- /*
- * The FPSIMD/SVE state in the CPU has not been touched, and we
- * have SVE (and VHE): CPACR_EL1 (alias CPTR_EL2) has been
- * reset to CPACR_EL1_DEFAULT by the Hyp code, disabling SVE
- * for EL0. To avoid spurious traps, restore the trap state
- * seen by kvm_arch_vcpu_load_fp():
- */
- if (vcpu_get_flag(vcpu, HOST_SVE_ENABLED))
- sysreg_clear_set(CPACR_EL1, 0, CPACR_EL1_ZEN_EL0EN);
- else
- sysreg_clear_set(CPACR_EL1, CPACR_EL1_ZEN_EL0EN, 0);
}
local_irq_restore(flags);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 252/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 251/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 253/291] KVM: arm64: Refactor exit handlers Greg Kroah-Hartman
` (47 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Will Deacon, Catalin Marinas, Fuad Tabba, Marc Zyngier,
Oliver Upton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 407a99c4654e8ea65393f412c421a55cac539f5b ]
When KVM is in VHE mode, the host kernel tries to save and restore the
configuration of CPACR_EL1.SMEN (i.e. CPTR_EL2.SMEN when HCR_EL2.E2H=1)
across kvm_arch_vcpu_load_fp() and kvm_arch_vcpu_put_fp(), since the
configuration may be clobbered by hyp when running a vCPU. This logic
has historically been broken, and is currently redundant.
This logic was originally introduced in commit:
861262ab86270206 ("KVM: arm64: Handle SME host state when running guests")
At the time, the VHE hyp code would reset CPTR_EL2.SMEN to 0b00 when
returning to the host, trapping host access to SME state. Unfortunately,
this was unsafe as the host could take a softirq before calling
kvm_arch_vcpu_put_fp(), and if a softirq handler were to use kernel mode
NEON the resulting attempt to save the live FPSIMD/SVE/SME state would
result in a fatal trap.
That issue was limited to VHE mode. For nVHE/hVHE modes, KVM always
saved/restored the host kernel's CPACR_EL1 value, and configured
CPTR_EL2.TSM to 0b0, ensuring that host usage of SME would not be
trapped.
The issue above was incidentally fixed by commit:
375110ab51dec5dc ("KVM: arm64: Fix resetting SME trap values on reset for (h)VHE")
That commit changed the VHE hyp code to configure CPTR_EL2.SMEN to 0b01
when returning to the host, permitting host kernel usage of SME,
avoiding the issue described above. At the time, this was not identified
as a fix for commit 861262ab86270206.
Now that the host eagerly saves and unbinds its own FPSIMD/SVE/SME
state, there's no need to save/restore the state of the EL0 SME trap.
The kernel can safely save/restore state without trapping, as described
above, and will restore userspace state (including trap controls) before
returning to userspace.
Remove the redundant logic.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-5-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
[Update for rework of flags storage -- broonie]
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 2 --
arch/arm64/kvm/fpsimd.c | 31 -------------------------------
2 files changed, 33 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -556,8 +556,6 @@ struct kvm_vcpu_arch {
/* Save TRBE context if active */
#define DEBUG_STATE_SAVE_TRBE __vcpu_single_flag(iflags, BIT(6))
-/* SME enabled for EL0 */
-#define HOST_SME_ENABLED __vcpu_single_flag(sflags, BIT(1))
/* Physical CPU not in supported_cpus */
#define ON_UNSUPPORTED_CPU __vcpu_single_flag(sflags, BIT(2))
/* WFIT instruction trapped */
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -87,21 +87,6 @@ void kvm_arch_vcpu_load_fp(struct kvm_vc
*/
fpsimd_save_and_flush_cpu_state();
vcpu->arch.fp_state = FP_STATE_FREE;
-
- /*
- * We don't currently support SME guests but if we leave
- * things in streaming mode then when the guest starts running
- * FPSIMD or SVE code it may generate SME traps so as a
- * special case if we are in streaming mode we force the host
- * state to be saved now and exit streaming mode so that we
- * don't have to handle any SME traps for valid guest
- * operations. Do this for ZA as well for now for simplicity.
- */
- if (system_supports_sme()) {
- vcpu_clear_flag(vcpu, HOST_SME_ENABLED);
- if (read_sysreg(cpacr_el1) & CPACR_EL1_SMEN_EL0EN)
- vcpu_set_flag(vcpu, HOST_SME_ENABLED);
- }
}
/*
@@ -162,22 +147,6 @@ void kvm_arch_vcpu_put_fp(struct kvm_vcp
local_irq_save(flags);
- /*
- * If we have VHE then the Hyp code will reset CPACR_EL1 to
- * CPACR_EL1_DEFAULT and we need to reenable SME.
- */
- if (has_vhe() && system_supports_sme()) {
- /* Also restore EL0 state seen on entry */
- if (vcpu_get_flag(vcpu, HOST_SME_ENABLED))
- sysreg_clear_set(CPACR_EL1, 0,
- CPACR_EL1_SMEN_EL0EN |
- CPACR_EL1_SMEN_EL1EN);
- else
- sysreg_clear_set(CPACR_EL1,
- CPACR_EL1_SMEN_EL0EN,
- CPACR_EL1_SMEN_EL1EN);
- }
-
if (vcpu->arch.fp_state == FP_STATE_GUEST_OWNED) {
if (vcpu_has_sve(vcpu)) {
__vcpu_sys_reg(vcpu, ZCR_EL1) = read_sysreg_el1(SYS_ZCR);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 253/291] KVM: arm64: Refactor exit handlers
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 252/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 254/291] KVM: arm64: Mark some header functions as inline Greg Kroah-Hartman
` (46 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Will Deacon, Catalin Marinas, Fuad Tabba, Marc Zyngier,
Oliver Upton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 9b66195063c5a145843547b1d692bd189be85287 ]
The hyp exit handling logic is largely shared between VHE and nVHE/hVHE,
with common logic in arch/arm64/kvm/hyp/include/hyp/switch.h. The code
in the header depends on function definitions provided by
arch/arm64/kvm/hyp/vhe/switch.c and arch/arm64/kvm/hyp/nvhe/switch.c
when they include the header.
This is an unusual header dependency, and prevents the use of
arch/arm64/kvm/hyp/include/hyp/switch.h in other files as this would
result in compiler warnings regarding missing definitions, e.g.
| In file included from arch/arm64/kvm/hyp/nvhe/hyp-main.c:8:
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:733:31: warning: 'kvm_get_exit_handler_array' used but never defined
| 733 | static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm_vcpu *vcpu);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:735:13: warning: 'early_exit_filter' used but never defined
| 735 | static void early_exit_filter(struct kvm_vcpu *vcpu, u64 *exit_code);
| | ^~~~~~~~~~~~~~~~~
Refactor the logic such that the header doesn't depend on anything from
the C files. There should be no functional change as a result of this
patch.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-7-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/hyp/include/hyp/switch.h | 30 ++++++------------------------
arch/arm64/kvm/hyp/nvhe/switch.c | 27 +++++++++++++++------------
arch/arm64/kvm/hyp/vhe/switch.c | 8 +++-----
3 files changed, 24 insertions(+), 41 deletions(-)
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -398,23 +398,16 @@ static bool kvm_hyp_handle_dabt_low(stru
typedef bool (*exit_handler_fn)(struct kvm_vcpu *, u64 *);
-static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm_vcpu *vcpu);
-
-static void early_exit_filter(struct kvm_vcpu *vcpu, u64 *exit_code);
-
/*
* Allow the hypervisor to handle the exit with an exit handler if it has one.
*
* Returns true if the hypervisor handled the exit, and control should go back
* to the guest, or false if it hasn't.
*/
-static inline bool kvm_hyp_handle_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool kvm_hyp_handle_exit(struct kvm_vcpu *vcpu, u64 *exit_code,
+ const exit_handler_fn *handlers)
{
- const exit_handler_fn *handlers = kvm_get_exit_handler_array(vcpu);
- exit_handler_fn fn;
-
- fn = handlers[kvm_vcpu_trap_get_class(vcpu)];
-
+ exit_handler_fn fn = handlers[kvm_vcpu_trap_get_class(vcpu)];
if (fn)
return fn(vcpu, exit_code);
@@ -444,20 +437,9 @@ static inline void synchronize_vcpu_psta
* the guest, false when we should restore the host state and return to the
* main run loop.
*/
-static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool __fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code,
+ const exit_handler_fn *handlers)
{
- /*
- * Save PSTATE early so that we can evaluate the vcpu mode
- * early on.
- */
- synchronize_vcpu_pstate(vcpu, exit_code);
-
- /*
- * Check whether we want to repaint the state one way or
- * another.
- */
- early_exit_filter(vcpu, exit_code);
-
if (ARM_EXCEPTION_CODE(*exit_code) != ARM_EXCEPTION_IRQ)
vcpu->arch.fault.esr_el2 = read_sysreg_el2(SYS_ESR);
@@ -487,7 +469,7 @@ static inline bool fixup_guest_exit(stru
goto exit;
/* Check if there's an exit handler and allow it to handle the exit. */
- if (kvm_hyp_handle_exit(vcpu, exit_code))
+ if (kvm_hyp_handle_exit(vcpu, exit_code, handlers))
goto guest;
exit:
/* Return to the host kernel and handle the exit */
--- a/arch/arm64/kvm/hyp/nvhe/switch.c
+++ b/arch/arm64/kvm/hyp/nvhe/switch.c
@@ -209,21 +209,22 @@ static const exit_handler_fn *kvm_get_ex
return hyp_exit_handlers;
}
-/*
- * Some guests (e.g., protected VMs) are not be allowed to run in AArch32.
- * The ARMv8 architecture does not give the hypervisor a mechanism to prevent a
- * guest from dropping to AArch32 EL0 if implemented by the CPU. If the
- * hypervisor spots a guest in such a state ensure it is handled, and don't
- * trust the host to spot or fix it. The check below is based on the one in
- * kvm_arch_vcpu_ioctl_run().
- *
- * Returns false if the guest ran in AArch32 when it shouldn't have, and
- * thus should exit to the host, or true if a the guest run loop can continue.
- */
-static void early_exit_filter(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
{
+ const exit_handler_fn *handlers = kvm_get_exit_handler_array(vcpu);
struct kvm *kvm = kern_hyp_va(vcpu->kvm);
+ synchronize_vcpu_pstate(vcpu, exit_code);
+
+ /*
+ * Some guests (e.g., protected VMs) are not be allowed to run in
+ * AArch32. The ARMv8 architecture does not give the hypervisor a
+ * mechanism to prevent a guest from dropping to AArch32 EL0 if
+ * implemented by the CPU. If the hypervisor spots a guest in such a
+ * state ensure it is handled, and don't trust the host to spot or fix
+ * it. The check below is based on the one in
+ * kvm_arch_vcpu_ioctl_run().
+ */
if (kvm_vm_is_protected(kvm) && vcpu_mode_is_32bit(vcpu)) {
/*
* As we have caught the guest red-handed, decide that it isn't
@@ -236,6 +237,8 @@ static void early_exit_filter(struct kvm
*exit_code &= BIT(ARM_EXIT_WITH_SERROR_BIT);
*exit_code |= ARM_EXCEPTION_IL;
}
+
+ return __fixup_guest_exit(vcpu, exit_code, handlers);
}
/* Switch to the guest for legacy non-VHE systems */
--- a/arch/arm64/kvm/hyp/vhe/switch.c
+++ b/arch/arm64/kvm/hyp/vhe/switch.c
@@ -114,13 +114,11 @@ static const exit_handler_fn hyp_exit_ha
[ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth,
};
-static const exit_handler_fn *kvm_get_exit_handler_array(struct kvm_vcpu *vcpu)
+static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
{
- return hyp_exit_handlers;
-}
+ synchronize_vcpu_pstate(vcpu, exit_code);
-static void early_exit_filter(struct kvm_vcpu *vcpu, u64 *exit_code)
-{
+ return __fixup_guest_exit(vcpu, exit_code, hyp_exit_handlers);
}
/* Switch to the guest for VHE systems running in EL2 */
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 254/291] KVM: arm64: Mark some header functions as inline
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 253/291] KVM: arm64: Refactor exit handlers Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 255/291] KVM: arm64: Calculate cptr_el2 traps on activating traps Greg Kroah-Hartman
` (45 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Will Deacon, Catalin Marinas, Fuad Tabba, Marc Zyngier,
Oliver Upton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit f9dd00de1e53a47763dfad601635d18542c3836d ]
The shared hyp switch header has a number of static functions which
might not be used by all files that include the header, and when unused
they will provoke compiler warnings, e.g.
| In file included from arch/arm64/kvm/hyp/nvhe/hyp-main.c:8:
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:703:13: warning: 'kvm_hyp_handle_dabt_low' defined but not used [-Wunused-function]
| 703 | static bool kvm_hyp_handle_dabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
| | ^~~~~~~~~~~~~~~~~~~~~~~
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:682:13: warning: 'kvm_hyp_handle_cp15_32' defined but not used [-Wunused-function]
| 682 | static bool kvm_hyp_handle_cp15_32(struct kvm_vcpu *vcpu, u64 *exit_code)
| | ^~~~~~~~~~~~~~~~~~~~~~
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:662:13: warning: 'kvm_hyp_handle_sysreg' defined but not used [-Wunused-function]
| 662 | static bool kvm_hyp_handle_sysreg(struct kvm_vcpu *vcpu, u64 *exit_code)
| | ^~~~~~~~~~~~~~~~~~~~~
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:458:13: warning: 'kvm_hyp_handle_fpsimd' defined but not used [-Wunused-function]
| 458 | static bool kvm_hyp_handle_fpsimd(struct kvm_vcpu *vcpu, u64 *exit_code)
| | ^~~~~~~~~~~~~~~~~~~~~
| ./arch/arm64/kvm/hyp/include/hyp/switch.h:329:13: warning: 'kvm_hyp_handle_mops' defined but not used [-Wunused-function]
| 329 | static bool kvm_hyp_handle_mops(struct kvm_vcpu *vcpu, u64 *exit_code)
| | ^~~~~~~~~~~~~~~~~~~
Mark these functions as 'inline' to suppress this warning. This
shouldn't result in any functional change.
At the same time, avoid the use of __alias() in the header and alias
kvm_hyp_handle_iabt_low() and kvm_hyp_handle_watchpt_low() to
kvm_hyp_handle_memory_fault() using CPP, matching the style in the rest
of the kernel. For consistency, kvm_hyp_handle_memory_fault() is also
marked as 'inline'.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-8-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/hyp/include/hyp/switch.h | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -173,7 +173,7 @@ static inline void __hyp_sve_restore_gue
* If FP/SIMD is not implemented, handle the trap and inject an undefined
* instruction exception to the guest. Similarly for trapped SVE accesses.
*/
-static bool kvm_hyp_handle_fpsimd(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool kvm_hyp_handle_fpsimd(struct kvm_vcpu *vcpu, u64 *exit_code)
{
bool sve_guest;
u8 esr_ec;
@@ -331,7 +331,7 @@ static bool kvm_hyp_handle_ptrauth(struc
return true;
}
-static bool kvm_hyp_handle_sysreg(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool kvm_hyp_handle_sysreg(struct kvm_vcpu *vcpu, u64 *exit_code)
{
if (cpus_have_final_cap(ARM64_WORKAROUND_CAVIUM_TX2_219_TVM) &&
handle_tx2_tvm(vcpu))
@@ -347,7 +347,7 @@ static bool kvm_hyp_handle_sysreg(struct
return false;
}
-static bool kvm_hyp_handle_cp15_32(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool kvm_hyp_handle_cp15_32(struct kvm_vcpu *vcpu, u64 *exit_code)
{
if (static_branch_unlikely(&vgic_v3_cpuif_trap) &&
__vgic_v3_perform_cpuif_access(vcpu) == 1)
@@ -356,19 +356,18 @@ static bool kvm_hyp_handle_cp15_32(struc
return false;
}
-static bool kvm_hyp_handle_memory_fault(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool kvm_hyp_handle_memory_fault(struct kvm_vcpu *vcpu,
+ u64 *exit_code)
{
if (!__populate_fault_info(vcpu))
return true;
return false;
}
-static bool kvm_hyp_handle_iabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
- __alias(kvm_hyp_handle_memory_fault);
-static bool kvm_hyp_handle_watchpt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
- __alias(kvm_hyp_handle_memory_fault);
+#define kvm_hyp_handle_iabt_low kvm_hyp_handle_memory_fault
+#define kvm_hyp_handle_watchpt_low kvm_hyp_handle_memory_fault
-static bool kvm_hyp_handle_dabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
+static inline bool kvm_hyp_handle_dabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
{
if (kvm_hyp_handle_memory_fault(vcpu, exit_code))
return true;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 255/291] KVM: arm64: Calculate cptr_el2 traps on activating traps
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 254/291] KVM: arm64: Mark some header functions as inline Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 256/291] KVM: arm64: Eagerly switch ZCR_EL{1,2} Greg Kroah-Hartman
` (44 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Fuad Tabba,
Marc Zyngier, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fuad Tabba <tabba@google.com>
[ Upstream commit 2fd5b4b0e7b440602455b79977bfa64dea101e6c ]
Similar to VHE, calculate the value of cptr_el2 from scratch on
activate traps. This removes the need to store cptr_el2 in every
vcpu structure. Moreover, some traps, such as whether the guest
owns the fp registers, need to be set on every vcpu run.
Reported-by: James Clark <james.clark@linaro.org>
Fixes: 5294afdbf45a ("KVM: arm64: Exclude FP ownership from kvm_vcpu_arch")
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://lore.kernel.org/r/20241216105057.579031-13-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 1 -
arch/arm64/kvm/arm.c | 1 -
arch/arm64/kvm/hyp/nvhe/pkvm.c | 15 ---------------
arch/arm64/kvm/hyp/nvhe/switch.c | 38 +++++++++++++++++++++++++++-----------
4 files changed, 27 insertions(+), 28 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -330,7 +330,6 @@ struct kvm_vcpu_arch {
/* Values of trap registers for the guest. */
u64 hcr_el2;
u64 mdcr_el2;
- u64 cptr_el2;
/* Values of trap registers for the host before guest entry. */
u64 mdcr_el2_host;
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -1234,7 +1234,6 @@ static int kvm_arch_vcpu_ioctl_vcpu_init
}
vcpu_reset_hcr(vcpu);
- vcpu->arch.cptr_el2 = CPTR_EL2_DEFAULT;
/*
* Handle the "start in power-off" case.
--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -17,7 +17,6 @@ static void pvm_init_traps_aa64pfr0(stru
const u64 feature_ids = pvm_read_id_reg(vcpu, SYS_ID_AA64PFR0_EL1);
u64 hcr_set = HCR_RW;
u64 hcr_clear = 0;
- u64 cptr_set = 0;
/* Protected KVM does not support AArch32 guests. */
BUILD_BUG_ON(FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_EL0),
@@ -44,16 +43,10 @@ static void pvm_init_traps_aa64pfr0(stru
/* Trap AMU */
if (!FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_AMU), feature_ids)) {
hcr_clear |= HCR_AMVOFFEN;
- cptr_set |= CPTR_EL2_TAM;
}
- /* Trap SVE */
- if (!FIELD_GET(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_SVE), feature_ids))
- cptr_set |= CPTR_EL2_TZ;
-
vcpu->arch.hcr_el2 |= hcr_set;
vcpu->arch.hcr_el2 &= ~hcr_clear;
- vcpu->arch.cptr_el2 |= cptr_set;
}
/*
@@ -83,7 +76,6 @@ static void pvm_init_traps_aa64dfr0(stru
const u64 feature_ids = pvm_read_id_reg(vcpu, SYS_ID_AA64DFR0_EL1);
u64 mdcr_set = 0;
u64 mdcr_clear = 0;
- u64 cptr_set = 0;
/* Trap/constrain PMU */
if (!FIELD_GET(ARM64_FEATURE_MASK(ID_AA64DFR0_EL1_PMUVer), feature_ids)) {
@@ -110,13 +102,8 @@ static void pvm_init_traps_aa64dfr0(stru
if (!FIELD_GET(ARM64_FEATURE_MASK(ID_AA64DFR0_EL1_TraceFilt), feature_ids))
mdcr_set |= MDCR_EL2_TTRF;
- /* Trap Trace */
- if (!FIELD_GET(ARM64_FEATURE_MASK(ID_AA64DFR0_EL1_TraceVer), feature_ids))
- cptr_set |= CPTR_EL2_TTA;
-
vcpu->arch.mdcr_el2 |= mdcr_set;
vcpu->arch.mdcr_el2 &= ~mdcr_clear;
- vcpu->arch.cptr_el2 |= cptr_set;
}
/*
@@ -167,8 +154,6 @@ static void pvm_init_trap_regs(struct kv
/* Clear res0 and set res1 bits to trap potential new features. */
vcpu->arch.hcr_el2 &= ~(HCR_RES0);
vcpu->arch.mdcr_el2 &= ~(MDCR_EL2_RES0);
- vcpu->arch.cptr_el2 |= CPTR_NVHE_EL2_RES1;
- vcpu->arch.cptr_el2 &= ~(CPTR_NVHE_EL2_RES0);
}
/*
--- a/arch/arm64/kvm/hyp/nvhe/switch.c
+++ b/arch/arm64/kvm/hyp/nvhe/switch.c
@@ -36,23 +36,39 @@ DEFINE_PER_CPU(unsigned long, kvm_hyp_ve
extern void kvm_nvhe_prepare_backtrace(unsigned long fp, unsigned long pc);
-static void __activate_traps(struct kvm_vcpu *vcpu)
+static void __activate_cptr_traps(struct kvm_vcpu *vcpu)
{
- u64 val;
+ u64 val = CPTR_EL2_TAM; /* Same bit irrespective of E2H */
- ___activate_traps(vcpu);
- __activate_traps_common(vcpu);
+ /* !hVHE case upstream */
+ if (1) {
+ val |= CPTR_EL2_TTA | CPTR_NVHE_EL2_RES1;
+
+ /*
+ * Always trap SME since it's not supported in KVM.
+ * TSM is RES1 if SME isn't implemented.
+ */
+ val |= CPTR_EL2_TSM;
- val = vcpu->arch.cptr_el2;
- val |= CPTR_EL2_TTA | CPTR_EL2_TAM;
- if (!guest_owns_fp_regs(vcpu)) {
- val |= CPTR_EL2_TFP | CPTR_EL2_TZ;
- __activate_traps_fpsimd32(vcpu);
+ if (!vcpu_has_sve(vcpu) || !guest_owns_fp_regs(vcpu))
+ val |= CPTR_EL2_TZ;
+
+ if (!guest_owns_fp_regs(vcpu))
+ val |= CPTR_EL2_TFP;
}
- if (cpus_have_final_cap(ARM64_SME))
- val |= CPTR_EL2_TSM;
+
+ if (!guest_owns_fp_regs(vcpu))
+ __activate_traps_fpsimd32(vcpu);
write_sysreg(val, cptr_el2);
+}
+
+static void __activate_traps(struct kvm_vcpu *vcpu)
+{
+ ___activate_traps(vcpu);
+ __activate_traps_common(vcpu);
+ __activate_cptr_traps(vcpu);
+
write_sysreg(__this_cpu_read(kvm_hyp_vector), vbar_el2);
if (cpus_have_final_cap(ARM64_WORKAROUND_SPECULATIVE_AT)) {
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 256/291] KVM: arm64: Eagerly switch ZCR_EL{1,2}
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 255/291] KVM: arm64: Calculate cptr_el2 traps on activating traps Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 257/291] cpufreq: Reference count policy in cpufreq_update_limits() Greg Kroah-Hartman
` (43 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Catalin Marinas, Fuad Tabba, Marc Zyngier, Oliver Upton,
Will Deacon
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 59419f10045bc955d2229819c7cf7a8b0b9c5b59 ]
In non-protected KVM modes, while the guest FPSIMD/SVE/SME state is live on the
CPU, the host's active SVE VL may differ from the guest's maximum SVE VL:
* For VHE hosts, when a VM uses NV, ZCR_EL2 contains a value constrained
by the guest hypervisor, which may be less than or equal to that
guest's maximum VL.
Note: in this case the value of ZCR_EL1 is immaterial due to E2H.
* For nVHE/hVHE hosts, ZCR_EL1 contains a value written by the guest,
which may be less than or greater than the guest's maximum VL.
Note: in this case hyp code traps host SVE usage and lazily restores
ZCR_EL2 to the host's maximum VL, which may be greater than the
guest's maximum VL.
This can be the case between exiting a guest and kvm_arch_vcpu_put_fp().
If a softirq is taken during this period and the softirq handler tries
to use kernel-mode NEON, then the kernel will fail to save the guest's
FPSIMD/SVE state, and will pend a SIGKILL for the current thread.
This happens because kvm_arch_vcpu_ctxsync_fp() binds the guest's live
FPSIMD/SVE state with the guest's maximum SVE VL, and
fpsimd_save_user_state() verifies that the live SVE VL is as expected
before attempting to save the register state:
| if (WARN_ON(sve_get_vl() != vl)) {
| force_signal_inject(SIGKILL, SI_KERNEL, 0, 0);
| return;
| }
Fix this and make this a bit easier to reason about by always eagerly
switching ZCR_EL{1,2} at hyp during guest<->host transitions. With this
happening, there's no need to trap host SVE usage, and the nVHE/nVHE
__deactivate_cptr_traps() logic can be simplified to enable host access
to all present FPSIMD/SVE/SME features.
In protected nVHE/hVHE modes, the host's state is always saved/restored
by hyp, and the guest's state is saved prior to exit to the host, so
from the host's PoV the guest never has live FPSIMD/SVE/SME state, and
the host's ZCR_EL1 is never clobbered by hyp.
Fixes: 8c8010d69c132273 ("KVM: arm64: Save/restore SVE state for nVHE")
Fixes: 2e3cf82063a00ea0 ("KVM: arm64: nv: Ensure correct VL is loaded before saving SVE state")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-9-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
[ v6.6 lacks pKVM saving of host SVE state, pull in discovery of maximum
host VL separately -- broonie ]
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 1
arch/arm64/include/asm/kvm_hyp.h | 1
arch/arm64/kvm/fpsimd.c | 19 +++++------
arch/arm64/kvm/hyp/entry.S | 5 ++
arch/arm64/kvm/hyp/include/hyp/switch.h | 55 ++++++++++++++++++++++++++++++++
arch/arm64/kvm/hyp/nvhe/hyp-main.c | 8 +---
arch/arm64/kvm/hyp/nvhe/pkvm.c | 2 +
arch/arm64/kvm/hyp/nvhe/switch.c | 30 +++++++++++------
arch/arm64/kvm/hyp/vhe/switch.c | 4 ++
arch/arm64/kvm/reset.c | 3 +
10 files changed, 103 insertions(+), 25 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -67,6 +67,7 @@ enum kvm_mode kvm_get_mode(void);
DECLARE_STATIC_KEY_FALSE(userspace_irqchip_in_use);
extern unsigned int kvm_sve_max_vl;
+extern unsigned int kvm_host_sve_max_vl;
int kvm_arm_init_sve(void);
u32 __attribute_const__ kvm_target_cpu(void);
--- a/arch/arm64/include/asm/kvm_hyp.h
+++ b/arch/arm64/include/asm/kvm_hyp.h
@@ -122,5 +122,6 @@ extern u64 kvm_nvhe_sym(id_aa64isar2_el1
extern u64 kvm_nvhe_sym(id_aa64mmfr0_el1_sys_val);
extern u64 kvm_nvhe_sym(id_aa64mmfr1_el1_sys_val);
extern u64 kvm_nvhe_sym(id_aa64mmfr2_el1_sys_val);
+extern unsigned int kvm_nvhe_sym(kvm_host_sve_max_vl);
#endif /* __ARM64_KVM_HYP_H__ */
--- a/arch/arm64/kvm/fpsimd.c
+++ b/arch/arm64/kvm/fpsimd.c
@@ -148,15 +148,16 @@ void kvm_arch_vcpu_put_fp(struct kvm_vcp
local_irq_save(flags);
if (vcpu->arch.fp_state == FP_STATE_GUEST_OWNED) {
- if (vcpu_has_sve(vcpu)) {
- __vcpu_sys_reg(vcpu, ZCR_EL1) = read_sysreg_el1(SYS_ZCR);
-
- /* Restore the VL that was saved when bound to the CPU */
- if (!has_vhe())
- sve_cond_update_zcr_vq(vcpu_sve_max_vq(vcpu) - 1,
- SYS_ZCR_EL1);
- }
-
+ /*
+ * Flush (save and invalidate) the fpsimd/sve state so that if
+ * the host tries to use fpsimd/sve, it's not using stale data
+ * from the guest.
+ *
+ * Flushing the state sets the TIF_FOREIGN_FPSTATE bit for the
+ * context unconditionally, in both nVHE and VHE. This allows
+ * the kernel to restore the fpsimd/sve state, including ZCR_EL1
+ * when needed.
+ */
fpsimd_save_and_flush_cpu_state();
}
--- a/arch/arm64/kvm/hyp/entry.S
+++ b/arch/arm64/kvm/hyp/entry.S
@@ -44,6 +44,11 @@ alternative_if ARM64_HAS_RAS_EXTN
alternative_else_nop_endif
mrs x1, isr_el1
cbz x1, 1f
+
+ // Ensure that __guest_enter() always provides a context
+ // synchronization event so that callers don't need ISBs for anything
+ // that would usually be synchonized by the ERET.
+ isb
mov x0, #ARM_EXCEPTION_IRQ
ret
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -167,6 +167,61 @@ static inline void __hyp_sve_restore_gue
write_sysreg_el1(__vcpu_sys_reg(vcpu, ZCR_EL1), SYS_ZCR);
}
+static inline void fpsimd_lazy_switch_to_guest(struct kvm_vcpu *vcpu)
+{
+ u64 zcr_el1, zcr_el2;
+
+ if (!guest_owns_fp_regs(vcpu))
+ return;
+
+ if (vcpu_has_sve(vcpu)) {
+ zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
+
+ write_sysreg_el2(zcr_el2, SYS_ZCR);
+
+ zcr_el1 = __vcpu_sys_reg(vcpu, ZCR_EL1);
+ write_sysreg_el1(zcr_el1, SYS_ZCR);
+ }
+}
+
+static inline void fpsimd_lazy_switch_to_host(struct kvm_vcpu *vcpu)
+{
+ u64 zcr_el1, zcr_el2;
+
+ if (!guest_owns_fp_regs(vcpu))
+ return;
+
+ /*
+ * When the guest owns the FP regs, we know that guest+hyp traps for
+ * any FPSIMD/SVE/SME features exposed to the guest have been disabled
+ * by either fpsimd_lazy_switch_to_guest() or kvm_hyp_handle_fpsimd()
+ * prior to __guest_entry(). As __guest_entry() guarantees a context
+ * synchronization event, we don't need an ISB here to avoid taking
+ * traps for anything that was exposed to the guest.
+ */
+ if (vcpu_has_sve(vcpu)) {
+ zcr_el1 = read_sysreg_el1(SYS_ZCR);
+ __vcpu_sys_reg(vcpu, ZCR_EL1) = zcr_el1;
+
+ /*
+ * The guest's state is always saved using the guest's max VL.
+ * Ensure that the host has the guest's max VL active such that
+ * the host can save the guest's state lazily, but don't
+ * artificially restrict the host to the guest's max VL.
+ */
+ if (has_vhe()) {
+ zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
+ write_sysreg_el2(zcr_el2, SYS_ZCR);
+ } else {
+ zcr_el2 = sve_vq_from_vl(kvm_host_sve_max_vl) - 1;
+ write_sysreg_el2(zcr_el2, SYS_ZCR);
+
+ zcr_el1 = vcpu_sve_max_vq(vcpu) - 1;
+ write_sysreg_el1(zcr_el1, SYS_ZCR);
+ }
+ }
+}
+
/*
* We trap the first access to the FP/SIMD to save the host context and
* restore the guest context lazily.
--- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -5,6 +5,7 @@
*/
#include <hyp/adjust_pc.h>
+#include <hyp/switch.h>
#include <asm/pgtable-types.h>
#include <asm/kvm_asm.h>
@@ -25,7 +26,9 @@ static void handle___kvm_vcpu_run(struct
{
DECLARE_REG(struct kvm_vcpu *, vcpu, host_ctxt, 1);
+ fpsimd_lazy_switch_to_guest(kern_hyp_va(vcpu));
cpu_reg(host_ctxt, 1) = __kvm_vcpu_run(kern_hyp_va(vcpu));
+ fpsimd_lazy_switch_to_host(kern_hyp_va(vcpu));
}
static void handle___kvm_adjust_pc(struct kvm_cpu_context *host_ctxt)
@@ -285,11 +288,6 @@ void handle_trap(struct kvm_cpu_context
case ESR_ELx_EC_SMC64:
handle_host_smc(host_ctxt);
break;
- case ESR_ELx_EC_SVE:
- sysreg_clear_set(cptr_el2, CPTR_EL2_TZ, 0);
- isb();
- sve_cond_update_zcr_vq(ZCR_ELx_LEN_MASK, SYS_ZCR_EL2);
- break;
case ESR_ELx_EC_IABT_LOW:
case ESR_ELx_EC_DABT_LOW:
handle_host_mem_abort(host_ctxt);
--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -9,6 +9,8 @@
#include <nvhe/fixed_config.h>
#include <nvhe/trap_handler.h>
+unsigned int kvm_host_sve_max_vl;
+
/*
* Set trap register values based on features in ID_AA64PFR0.
*/
--- a/arch/arm64/kvm/hyp/nvhe/switch.c
+++ b/arch/arm64/kvm/hyp/nvhe/switch.c
@@ -40,6 +40,9 @@ static void __activate_cptr_traps(struct
{
u64 val = CPTR_EL2_TAM; /* Same bit irrespective of E2H */
+ if (!guest_owns_fp_regs(vcpu))
+ __activate_traps_fpsimd32(vcpu);
+
/* !hVHE case upstream */
if (1) {
val |= CPTR_EL2_TTA | CPTR_NVHE_EL2_RES1;
@@ -55,12 +58,24 @@ static void __activate_cptr_traps(struct
if (!guest_owns_fp_regs(vcpu))
val |= CPTR_EL2_TFP;
+
+ write_sysreg(val, cptr_el2);
}
+}
- if (!guest_owns_fp_regs(vcpu))
- __activate_traps_fpsimd32(vcpu);
+static void __deactivate_cptr_traps(struct kvm_vcpu *vcpu)
+{
+ /* !hVHE case upstream */
+ if (1) {
+ u64 val = CPTR_NVHE_EL2_RES1;
- write_sysreg(val, cptr_el2);
+ if (!cpus_have_final_cap(ARM64_SVE))
+ val |= CPTR_EL2_TZ;
+ if (!cpus_have_final_cap(ARM64_SME))
+ val |= CPTR_EL2_TSM;
+
+ write_sysreg(val, cptr_el2);
+ }
}
static void __activate_traps(struct kvm_vcpu *vcpu)
@@ -89,7 +104,6 @@ static void __activate_traps(struct kvm_
static void __deactivate_traps(struct kvm_vcpu *vcpu)
{
extern char __kvm_hyp_host_vector[];
- u64 cptr;
___deactivate_traps(vcpu);
@@ -114,13 +128,7 @@ static void __deactivate_traps(struct kv
write_sysreg(this_cpu_ptr(&kvm_init_params)->hcr_el2, hcr_el2);
- cptr = CPTR_EL2_DEFAULT;
- if (vcpu_has_sve(vcpu) && (vcpu->arch.fp_state == FP_STATE_GUEST_OWNED))
- cptr |= CPTR_EL2_TZ;
- if (cpus_have_final_cap(ARM64_SME))
- cptr &= ~CPTR_EL2_TSM;
-
- write_sysreg(cptr, cptr_el2);
+ __deactivate_cptr_traps(vcpu);
write_sysreg(__kvm_hyp_host_vector, vbar_el2);
}
--- a/arch/arm64/kvm/hyp/vhe/switch.c
+++ b/arch/arm64/kvm/hyp/vhe/switch.c
@@ -134,6 +134,8 @@ static int __kvm_vcpu_run_vhe(struct kvm
sysreg_save_host_state_vhe(host_ctxt);
+ fpsimd_lazy_switch_to_guest(vcpu);
+
/*
* ARM erratum 1165522 requires us to configure both stage 1 and
* stage 2 translation for the guest context before we clear
@@ -164,6 +166,8 @@ static int __kvm_vcpu_run_vhe(struct kvm
__deactivate_traps(vcpu);
+ fpsimd_lazy_switch_to_host(vcpu);
+
sysreg_restore_host_state_vhe(host_ctxt);
if (vcpu->arch.fp_state == FP_STATE_GUEST_OWNED)
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -42,11 +42,14 @@ static u32 kvm_ipa_limit;
PSR_AA32_I_BIT | PSR_AA32_F_BIT)
unsigned int kvm_sve_max_vl;
+unsigned int kvm_host_sve_max_vl;
int kvm_arm_init_sve(void)
{
if (system_supports_sve()) {
kvm_sve_max_vl = sve_max_virtualisable_vl();
+ kvm_host_sve_max_vl = sve_max_vl();
+ kvm_nvhe_sym(kvm_host_sve_max_vl) = kvm_host_sve_max_vl;
/*
* The get_sve_reg()/set_sve_reg() ioctl interface will need
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 257/291] cpufreq: Reference count policy in cpufreq_update_limits()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 256/291] KVM: arm64: Eagerly switch ZCR_EL{1,2} Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 258/291] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
` (42 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Marczykowski-Górecki,
Rafael J. Wysocki, Viresh Kumar
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 9e4e249018d208678888bdf22f6b652728106528 upstream.
Since acpi_processor_notify() can be called before registering a cpufreq
driver or even in cases when a cpufreq driver is not registered at all,
cpufreq_update_limits() needs to check if a cpufreq driver is present
and prevent it from being unregistered.
For this purpose, make it call cpufreq_cpu_get() to obtain a cpufreq
policy pointer for the given CPU and reference count the corresponding
policy object, if present.
Fixes: 5a25e3f7cc53 ("cpufreq: intel_pstate: Driver-specific handling of _PPC updates")
Closes: https://lore.kernel.org/linux-acpi/Z-ShAR59cTow0KcR@mail-itl
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/1928789.tdWV9SEqCh@rjwysocki.net
[do not use __free(cpufreq_cpu_put) in a backport]
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2691,10 +2691,18 @@ EXPORT_SYMBOL(cpufreq_update_policy);
*/
void cpufreq_update_limits(unsigned int cpu)
{
+ struct cpufreq_policy *policy;
+
+ policy = cpufreq_cpu_get(cpu);
+ if (!policy)
+ return;
+
if (cpufreq_driver->update_limits)
cpufreq_driver->update_limits(cpu);
else
cpufreq_update_policy(cpu);
+
+ cpufreq_cpu_put(policy);
}
EXPORT_SYMBOL_GPL(cpufreq_update_limits);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 258/291] kbuild: Add -fno-builtin-wcslen
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 257/291] cpufreq: Reference count policy in cpufreq_update_limits() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 259/291] media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Greg Kroah-Hartman
` (41 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Linus Torvalds
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 84ffc79bfbf70c779e60218563f2f3ad45288671 upstream.
A recent optimization change in LLVM [1] aims to transform certain loop
idioms into calls to strlen() or wcslen(). This change transforms the
first while loop in UniStrcat() into a call to wcslen(), breaking the
build when UniStrcat() gets inlined into alloc_path_with_tree_prefix():
ld.lld: error: undefined symbol: wcslen
>>> referenced by nls_ucs2_utils.h:54 (fs/smb/client/../../nls/nls_ucs2_utils.h:54)
>>> vmlinux.o:(alloc_path_with_tree_prefix)
>>> referenced by nls_ucs2_utils.h:54 (fs/smb/client/../../nls/nls_ucs2_utils.h:54)
>>> vmlinux.o:(alloc_path_with_tree_prefix)
Disable this optimization with '-fno-builtin-wcslen', which prevents the
compiler from assuming that wcslen() is available in the kernel's C
library.
[ More to the point - it's not that we couldn't implement wcslen(), it's
that this isn't an optimization at all in the context of the kernel.
Replacing a simple inlined loop with a function call to the same loop
is just stupid and pointless if you don't have long strings and fancy
libraries with vectorization support etc.
For the regular 'strlen()' cases, we want the compiler to do this in
order to handle the trivial case of constant strings. And we do have
optimized versions of 'strlen()' on some architectures. But for
wcslen? Just no. - Linus ]
Cc: stable@vger.kernel.org
Link: https://github.com/llvm/llvm-project/commit/9694844d7e36fd5e01011ab56b64f27b867aa72d [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[nathan: Resolve small conflict in older trees]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
--- a/Makefile
+++ b/Makefile
@@ -1075,6 +1075,9 @@ KBUILD_CFLAGS += $(call cc-option,-Wer
# Require designated initializers for all marked structures
KBUILD_CFLAGS += $(call cc-option,-Werror=designated-init)
+# Ensure compilers do not transform certain loops into calls to wcslen()
+KBUILD_CFLAGS += -fno-builtin-wcslen
+
# change __FILE__ to the relative path from the srctree
KBUILD_CPPFLAGS += $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 259/291] media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 258/291] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 260/291] mptcp: sockopt: fix getting freebind & transparent Greg Kroah-Hartman
` (40 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Nathan Chancellor,
Sebastian Fricke, Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 8b55f8818900c99dd4f55a59a103f5b29e41eb2c upstream.
With KASAN enabled, clang fails to optimize the inline version of
vdec_vp9_slice_map_counts_eob_coef() properly, leading to kilobytes
of temporary values spilled to the stack:
drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp9_req_lat_if.c:1526:12: error: stack frame size (2160) exceeds limit (2048) in 'vdec_vp9_slice_update_prob' [-Werror,-Wframe-larger-than]
This seems to affect all versions of clang including the latest (clang-20),
but the degree of stack overhead is different per release.
Marking the function as noinline_for_stack is harmless here and avoids
the problem completely.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[nathan: Handle file location change in older trees]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c
+++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c
@@ -1192,7 +1192,8 @@ err:
return ret;
}
-static
+/* clang stack usage explodes if this is inlined */
+static noinline_for_stack
void vdec_vp9_slice_map_counts_eob_coef(unsigned int i, unsigned int j, unsigned int k,
struct vdec_vp9_slice_frame_counts *counts,
struct v4l2_vp9_frame_symbol_counts *counts_helper)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 260/291] mptcp: sockopt: fix getting freebind & transparent
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 259/291] media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 261/291] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
` (39 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Simon Horman, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit e2f4ac7bab2205d3c4dd9464e6ffd82502177c51 upstream.
When adding a socket option support in MPTCP, both the get and set parts
are supposed to be implemented.
IP(V6)_FREEBIND and IP(V6)_TRANSPARENT support for the setsockopt part
has been added a while ago, but it looks like the get part got
forgotten. It should have been present as a way to verify a setting has
been set as expected, and not to act differently from TCP or any other
socket types.
Everything was in place to expose it, just the last step was missing.
Only new code is added to cover these specific getsockopt(), that seems
safe.
Fixes: c9406a23c116 ("mptcp: sockopt: add SOL_IP freebind & transparent options")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-3-122dbb249db3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflict in sockopt.c due to commit e08d0b3d1723 ("inet: implement
lockless IP_TOS") not being in this version. The conflict is in the
context and the modification can still be applied in
mptcp_getsockopt_v4() after the IP_TOS case.
Also, get the values without 'inet_test_bit()' like it was done in
this version. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -1266,6 +1266,12 @@ static int mptcp_getsockopt_v4(struct mp
switch (optname) {
case IP_TOS:
return mptcp_put_int_option(msk, optval, optlen, inet_sk(sk)->tos);
+ case IP_FREEBIND:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_sk(sk)->freebind);
+ case IP_TRANSPARENT:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_sk(sk)->transparent);
}
return -EOPNOTSUPP;
@@ -1280,6 +1286,12 @@ static int mptcp_getsockopt_v6(struct mp
case IPV6_V6ONLY:
return mptcp_put_int_option(msk, optval, optlen,
sk->sk_ipv6only);
+ case IPV6_TRANSPARENT:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_sk(sk)->transparent);
+ case IPV6_FREEBIND:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_sk(sk)->freebind);
}
return -EOPNOTSUPP;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 261/291] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 260/291] mptcp: sockopt: fix getting freebind & transparent Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 262/291] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
` (38 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Kunihiko Hayashi, Krzysztof Wilczyński
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit f6cb7828c8e17520d4f5afb416515d3fae1af9a9 upstream.
After devm_request_irq() fails with error in pci_endpoint_test_request_irq(),
the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs
have been released.
However, some requested IRQs remain unreleased, so there are still
/proc/irq/* entries remaining, and this results in WARN() with the
following message:
remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'
WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c
To solve this issue, set the number of remaining IRQs to test->num_irqs,
and release IRQs in advance by calling pci_endpoint_test_release_irq().
Cc: stable@vger.kernel.org
Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/20250225110252.28866-3-hayashi.kunihiko@socionext.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -262,6 +262,9 @@ fail:
break;
}
+ test->num_irqs = i;
+ pci_endpoint_test_release_irq(test);
+
return false;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 262/291] misc: pci_endpoint_test: Fix displaying irq_type after request_irq error
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 261/291] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 263/291] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
` (37 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Kunihiko Hayashi, Krzysztof Wilczyński
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream.
There are two variables that indicate the interrupt type to be used
in the next test execution, global "irq_type" and "test->irq_type".
The former is referenced from pci_endpoint_test_get_irq() to preserve
the current type for ioctl(PCITEST_GET_IRQTYPE).
In the pci_endpoint_test_request_irq(), since this global variable
is referenced when an error occurs, the unintended error message is
displayed.
For example, after running "pcitest -i 2", the following message
shows "MSI 3" even if the current IRQ type becomes "MSI-X":
pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3
SET IRQ TYPE TO MSI-X: NOT OKAY
Fix this issue by using "test->irq_type" instead of global "irq_type".
Cc: stable@vger.kernel.org
Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -245,7 +245,7 @@ static bool pci_endpoint_test_request_ir
return true;
fail:
- switch (irq_type) {
+ switch (test->irq_type) {
case IRQ_TYPE_LEGACY:
dev_err(dev, "Failed to request IRQ %d for Legacy\n",
pci_irq_vector(pdev, i));
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 263/291] misc: pci_endpoint_test: Fix irq_type to convey the correct type
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 262/291] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 264/291] mm: Fix is_zero_page() usage in try_grab_page() Greg Kroah-Hartman
` (36 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunihiko Hayashi,
Krzysztof Wilczyński, Niklas Cassel, Manivannan Sadhasivam
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit baaef0a274cfb75f9b50eab3ef93205e604f662c upstream.
There are two variables that indicate the interrupt type to be used
in the next test execution, "irq_type" as global and "test->irq_type".
The global is referenced from pci_endpoint_test_get_irq() to preserve
the current type for ioctl(PCITEST_GET_IRQTYPE).
The type set in this function isn't reflected in the global "irq_type",
so ioctl(PCITEST_GET_IRQTYPE) returns the previous type.
As a result, the wrong type is displayed in old version of "pcitest"
as follows:
- Result of running "pcitest -i 0"
SET IRQ TYPE TO LEGACY: OKAY
- Result of running "pcitest -I"
GET IRQ TYPE: MSI
Whereas running the new version of "pcitest" in kselftest results in an
error as follows:
# RUN pci_ep_basic.LEGACY_IRQ_TEST ...
# pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Expected 0 (0) == ret (1)
# pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Can't get Legacy IRQ type
Fix this issue by propagating the current type to the global "irq_type".
Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250225110252.28866-5-hayashi.kunihiko@socionext.com
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -717,6 +717,7 @@ static bool pci_endpoint_test_set_irq(st
if (!pci_endpoint_test_request_irq(test))
goto err;
+ irq_type = test->irq_type;
return true;
err:
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 264/291] mm: Fix is_zero_page() usage in try_grab_page()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 263/291] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 265/291] x86/split_lock: Fix the delayed detection logic Greg Kroah-Hartman
` (35 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salvatore Bonaccorso, Milan Broz,
David Hildenbrand, linux-kernel, linux-mm, Sasha Levin,
Alex Williamson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
The backport of upstream commit c8070b787519 ("mm: Don't pin ZERO_PAGE
in pin_user_pages()") into v6.1.130 noted below in Fixes does not
account for commit 0f0892356fa1 ("mm: allow multiple error returns in
try_grab_page()"), which changed the return value of try_grab_page()
from bool to int. Therefore returning 0, success in the upstream
version, becomes an error here. Fix the return value.
Fixes: 476c1dfefab8 ("mm: Don't pin ZERO_PAGE in pin_user_pages()")
Link: https://lore.kernel.org/all/Z_6uhLQjJ7SSzI13@eldamar.lan
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Reported-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/gup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -232,7 +232,7 @@ bool __must_check try_grab_page(struct p
* and it is used in a *lot* of places.
*/
if (is_zero_page(page))
- return 0;
+ return true;
/*
* Similar to try_grab_folio(): be sure to *also*
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 265/291] x86/split_lock: Fix the delayed detection logic
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 264/291] mm: Fix is_zero_page() usage in try_grab_page() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 266/291] x86/pvh: Call C code via the kernel virtual mapping Greg Kroah-Hartman
` (34 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maksim Davydov, Ingo Molnar,
Guilherme G. Piccoli, Thomas Gleixner, Ravi Bangoria,
Tom Lendacky
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maksim Davydov <davydov-max@yandex-team.ru>
commit c929d08df8bee855528b9d15b853c892c54e1eee upstream.
If the warning mode with disabled mitigation mode is used, then on each
CPU where the split lock occurred detection will be disabled in order to
make progress and delayed work will be scheduled, which then will enable
detection back.
Now it turns out that all CPUs use one global delayed work structure.
This leads to the fact that if a split lock occurs on several CPUs
at the same time (within 2 jiffies), only one CPU will schedule delayed
work, but the rest will not.
The return value of schedule_delayed_work_on() would have shown this,
but it is not checked in the code.
A diagram that can help to understand the bug reproduction:
- sld_update_msr() enables/disables SLD on both CPUs on the same core
- schedule_delayed_work_on() internally checks WORK_STRUCT_PENDING_BIT.
If a work has the 'pending' status, then schedule_delayed_work_on()
will return an error code and, most importantly, the work will not
be placed in the workqueue.
Let's say we have a multicore system on which split_lock_mitigate=0 and
a multithreaded application is running that calls splitlock in multiple
threads. Due to the fact that sld_update_msr() affects the entire core
(both CPUs), we will consider 2 CPUs from different cores. Let the 2
threads of this application schedule to CPU0 (core 0) and to CPU 2
(core 1), then:
| || |
| CPU 0 (core 0) || CPU 2 (core 1) |
|_________________________________||___________________________________|
| || |
| 1) SPLIT LOCK occured || |
| || |
| 2) split_lock_warn() || |
| || |
| 3) sysctl_sld_mitigate == 0 || |
| (work = &sl_reenable) || |
| || |
| 4) schedule_delayed_work_on() || |
| (reenable will be called || |
| after 2 jiffies on CPU 0) || |
| || |
| 5) disable SLD for core 0 || |
| || |
| ------------------------- || |
| || |
| || 6) SPLIT LOCK occured |
| || |
| || 7) split_lock_warn() |
| || |
| || 8) sysctl_sld_mitigate == 0 |
| || (work = &sl_reenable, |
| || the same address as in 3) ) |
| || |
| 2 jiffies || 9) schedule_delayed_work_on() |
| || fials because the work is in |
| || the pending state since 4). |
| || The work wasn't placed to the |
| || workqueue. reenable won't be |
| || called on CPU 2 |
| || |
| || 10) disable SLD for core 0 |
| || |
| || From now on SLD will |
| || never be reenabled on core 1 |
| || |
| ------------------------- || |
| || |
| 11) enable SLD for core 0 by || |
| __split_lock_reenable || |
| || |
If the application threads can be scheduled to all processor cores,
then over time there will be only one core left, on which SLD will be
enabled and split lock will be able to be detected; and on all other
cores SLD will be disabled all the time.
Most likely, this bug has not been noticed for so long because
sysctl_sld_mitigate default value is 1, and in this case a semaphore
is used that does not allow 2 different cores to have SLD disabled at
the same time, that is, strictly only one work is placed in the
workqueue.
In order to fix the warning mode with disabled mitigation mode,
delayed work has to be per-CPU. Implement it.
Fixes: 727209376f49 ("x86/split_lock: Add sysctl to control the misery mode")
Signed-off-by: Maksim Davydov <davydov-max@yandex-team.ru>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/r/20250115131704.132609-1-davydov-max@yandex-team.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/intel.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -1204,7 +1204,13 @@ static void __split_lock_reenable(struct
{
sld_update_msr(true);
}
-static DECLARE_DELAYED_WORK(sl_reenable, __split_lock_reenable);
+/*
+ * In order for each CPU to schedule its delayed work independently of the
+ * others, delayed work struct must be per-CPU. This is not required when
+ * sysctl_sld_mitigate is enabled because of the semaphore that limits
+ * the number of simultaneously scheduled delayed works to 1.
+ */
+static DEFINE_PER_CPU(struct delayed_work, sl_reenable);
/*
* If a CPU goes offline with pending delayed work to re-enable split lock
@@ -1225,7 +1231,7 @@ static int splitlock_cpu_offline(unsigne
static void split_lock_warn(unsigned long ip)
{
- struct delayed_work *work;
+ struct delayed_work *work = NULL;
int cpu;
if (!current->reported_split_lock)
@@ -1247,11 +1253,17 @@ static void split_lock_warn(unsigned lon
if (down_interruptible(&buslock_sem) == -EINTR)
return;
work = &sl_reenable_unlock;
- } else {
- work = &sl_reenable;
}
cpu = get_cpu();
+
+ if (!work) {
+ work = this_cpu_ptr(&sl_reenable);
+ /* Deferred initialization of per-CPU struct */
+ if (!work->work.func)
+ INIT_DELAYED_WORK(work, __split_lock_reenable);
+ }
+
schedule_delayed_work_on(cpu, work, 2);
/* Disable split lock detection on this CPU to make progress */
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 266/291] x86/pvh: Call C code via the kernel virtual mapping
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 265/291] x86/split_lock: Fix the delayed detection logic Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 267/291] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Greg Kroah-Hartman
` (33 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Ard Biesheuvel,
Juergen Gross
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit e8fbc0d9cab6c1ee6403f42c0991b0c1d5dbc092 upstream.
Calling C code via a different mapping than it was linked at is
problematic, because the compiler assumes that RIP-relative and absolute
symbol references are interchangeable. GCC in particular may use
RIP-relative per-CPU variable references even when not using -fpic.
So call xen_prepare_pvh() via its kernel virtual mapping on x86_64, so
that those RIP-relative references produce the correct values. This
matches the pre-existing behavior for i386, which also invokes
xen_prepare_pvh() via the kernel virtual mapping before invoking
startup_32 with paging disabled again.
Fixes: 7243b93345f7 ("xen/pvh: Bootstrap PVH guest")
Tested-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Message-ID: <20241009160438.3884381-8-ardb+git@google.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
[ Stable context update ]
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/platform/pvh/head.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/x86/platform/pvh/head.S
+++ b/arch/x86/platform/pvh/head.S
@@ -100,7 +100,12 @@ SYM_CODE_START_LOCAL(pvh_start_xen)
xor %edx, %edx
wrmsr
- call xen_prepare_pvh
+ /* Call xen_prepare_pvh() via the kernel virtual mapping */
+ leaq xen_prepare_pvh(%rip), %rax
+ subq phys_base(%rip), %rax
+ addq $__START_KERNEL_map, %rax
+ ANNOTATE_RETPOLINE_SAFE
+ call *%rax
/* startup_64 expects boot_params in %rsi. */
mov $_pa(pvh_bootparams), %rsi
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 267/291] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 266/291] x86/pvh: Call C code via the kernel virtual mapping Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 268/291] LoongArch: Eliminate superfluous get_numa_distances_cnt() Greg Kroah-Hartman
` (32 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Breno Leitao,
Michael Ellerman, Cliff Liu, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Lynch <nathanl@linux.ibm.com>
commit 0974d03eb479384466d828d65637814bee6b26d7 upstream.
Smatch warns:
arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
spectre issue 'args.args' [r] (local cap)
The 'nargs' and 'nret' locals come directly from a user-supplied
buffer and are used as indexes into a small stack-based array and as
inputs to copy_to_user() after they are subject to bounds checks.
Use array_index_nospec() after the bounds checks to clamp these values
for speculative execution.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com
[Minor context change fixed]
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/rtas.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -25,6 +25,7 @@
#include <linux/reboot.h>
#include <linux/security.h>
#include <linux/syscalls.h>
+#include <linux/nospec.h>
#include <linux/of.h>
#include <linux/of_fdt.h>
@@ -1178,6 +1179,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args _
|| nargs + nret > ARRAY_SIZE(args.args))
return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
/* Copy in args. */
if (copy_from_user(args.args, uargs->args,
nargs * sizeof(rtas_arg_t)) != 0)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 268/291] LoongArch: Eliminate superfluous get_numa_distances_cnt()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 267/291] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 269/291] btrfs: fix qgroup reserve leaks in cow_file_range Greg Kroah-Hartman
` (31 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuli Wang, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuli Wang <wangyuli@uniontech.com>
commit a0d3c8bcb9206ac207c7ad3182027c6b0a1319bb upstream.
In LoongArch, get_numa_distances_cnt() isn't in use, resulting in a
compiler warning.
Fix follow errors with clang-18 when W=1e:
arch/loongarch/kernel/acpi.c:259:28: error: unused function 'get_numa_distances_cnt' [-Werror,-Wunused-function]
259 | static inline unsigned int get_numa_distances_cnt(struct acpi_table_slit *slit)
| ^~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Link: https://lore.kernel.org/all/Z7bHPVUH4lAezk0E@kernel.org/
Signed-off-by: Yuli Wang <wangyuli@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/acpi.c | 12 ------------
1 file changed, 12 deletions(-)
--- a/arch/loongarch/kernel/acpi.c
+++ b/arch/loongarch/kernel/acpi.c
@@ -173,18 +173,6 @@ static __init int setup_node(int pxm)
return acpi_map_pxm_to_node(pxm);
}
-/*
- * Callback for SLIT parsing. pxm_to_node() returns NUMA_NO_NODE for
- * I/O localities since SRAT does not list them. I/O localities are
- * not supported at this point.
- */
-unsigned int numa_distance_cnt;
-
-static inline unsigned int get_numa_distances_cnt(struct acpi_table_slit *slit)
-{
- return slit->locality_count;
-}
-
void __init numa_set_distance(int from, int to, int distance)
{
if ((u8)distance != distance || (from == to && distance != LOCAL_DISTANCE)) {
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 269/291] btrfs: fix qgroup reserve leaks in cow_file_range
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 268/291] LoongArch: Eliminate superfluous get_numa_distances_cnt() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 270/291] btrfs: zoned: fix zone activation with missing devices Greg Kroah-Hartman
` (30 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov,
David Sterba, Jianqi Ren, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
commit 30479f31d44d47ed00ae0c7453d9b253537005b2 upstream.
In the buffered write path, the dirty page owns the qgroup reserve until
it creates an ordered_extent.
Therefore, any errors that occur before the ordered_extent is created
must free that reservation, or else the space is leaked. The fstest
generic/475 exercises various IO error paths, and is able to trigger
errors in cow_file_range where we fail to get to allocating the ordered
extent. Note that because we *do* clear delalloc, we are likely to
remove the inode from the delalloc list, so the inodes/pages to not have
invalidate/launder called on them in the commit abort path.
This results in failures at the unmount stage of the test that look like:
BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure
BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure
BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672
------------[ cut here ]------------
WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq
CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
RSP: 0018:ffffb4465283be00 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8
RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0
Call Trace:
<TASK>
? close_ctree+0x222/0x4d0 [btrfs]
? __warn.cold+0x8e/0xea
? close_ctree+0x222/0x4d0 [btrfs]
? report_bug+0xff/0x140
? handle_bug+0x3b/0x70
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? close_ctree+0x222/0x4d0 [btrfs]
generic_shutdown_super+0x70/0x160
kill_anon_super+0x11/0x40
btrfs_kill_super+0x11/0x20 [btrfs]
deactivate_locked_super+0x2e/0xa0
cleanup_mnt+0xb5/0x150
task_work_run+0x57/0x80
syscall_exit_to_user_mode+0x121/0x130
do_syscall_64+0xab/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f916847a887
---[ end trace 0000000000000000 ]---
BTRFS error (device dm-8 state EA): qgroup reserved space leaked
Cases 2 and 3 in the out_reserve path both pertain to this type of leak
and must free the reserved qgroup data. Because it is already an error
path, I opted not to handle the possible errors in
btrfs_free_qgroup_data.
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Signed-off-by: David Sterba <dsterba@suse.com>
[Minor conflict resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1428,6 +1428,7 @@ out_unlock:
locked_page,
clear_bits,
page_ops);
+ btrfs_qgroup_free_data(inode, NULL, start, cur_alloc_size, NULL);
start += cur_alloc_size;
}
@@ -1441,6 +1442,7 @@ out_unlock:
clear_bits |= EXTENT_CLEAR_DATA_RESV;
extent_clear_unlock_delalloc(inode, start, end, locked_page,
clear_bits, page_ops);
+ btrfs_qgroup_free_data(inode, NULL, start, cur_alloc_size, NULL);
}
return ret;
}
@@ -2168,13 +2170,15 @@ error:
if (nocow)
btrfs_dec_nocow_writers(bg);
- if (ret && cur_offset < end)
+ if (ret && cur_offset < end) {
extent_clear_unlock_delalloc(inode, cur_offset, end,
locked_page, EXTENT_LOCKED |
EXTENT_DELALLOC | EXTENT_DEFRAG |
EXTENT_DO_ACCOUNTING, PAGE_UNLOCK |
PAGE_START_WRITEBACK |
PAGE_END_WRITEBACK);
+ btrfs_qgroup_free_data(inode, NULL, cur_offset, end - cur_offset + 1, NULL);
+ }
btrfs_free_path(path);
return ret;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 270/291] btrfs: zoned: fix zone activation with missing devices
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 269/291] btrfs: fix qgroup reserve leaks in cow_file_range Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 271/291] btrfs: zoned: fix zone finishing " Greg Kroah-Hartman
` (29 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naohiro Aota, Anand Jain,
Johannes Thumshirn, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
commit 2bbc4a45e5eb6b868357c1045bf6f38f6ba576e0 upstream.
If btrfs_zone_activate() is called with a filesystem that has missing
devices (e.g. a RAID file system mounted in degraded mode) it is accessing
the btrfs_device::zone_info pointer, which will not be set if the device in
question is missing.
Check if the device is present (by checking if it has a valid block
device pointer associated) and if not, skip zone activation for it.
Fixes: f9a912a3c45f ("btrfs: zoned: make zone activation multi stripe capable")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/zoned.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -1909,6 +1909,9 @@ bool btrfs_zone_activate(struct btrfs_bl
device = map->stripes[i].dev;
physical = map->stripes[i].physical;
+ if (!device->bdev)
+ continue;
+
if (device->zone_info->max_active_zones == 0)
continue;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 271/291] btrfs: zoned: fix zone finishing with missing devices
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 270/291] btrfs: zoned: fix zone activation with missing devices Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 272/291] Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init" Greg Kroah-Hartman
` (28 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naohiro Aota, Anand Jain,
Johannes Thumshirn, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
commit 35fec1089ebb5617f85884d3fa6a699ce6337a75 upstream.
If do_zone_finish() is called with a filesystem that has missing devices
(e.g. a RAID file system mounted in degraded mode) it is accessing the
btrfs_device::zone_info pointer, which will not be set if the device
in question is missing.
Check if the device is present (by checking if it has a valid block device
pointer associated) and if not, skip zone finishing for it.
Fixes: 4dcbb8ab31c1 ("btrfs: zoned: make zone finishing multi stripe capable")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/zoned.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -2055,6 +2055,9 @@ static int do_zone_finish(struct btrfs_b
struct btrfs_device *device = map->stripes[i].dev;
const u64 physical = map->stripes[i].physical;
+ if (!device->bdev)
+ continue;
+
if (device->zone_info->max_active_zones == 0)
continue;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 272/291] Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init"
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 271/291] btrfs: zoned: fix zone finishing " Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 273/291] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman
` (27 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor,
Salvatore Bonaccorso, Juergen Gross, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 1a95cff6e15945e8bc7a4e4cec9f9b85f0fb08e7 which is
commit 75ad02318af2e4ae669e26a79f001bd5e1f97472 upstream.
Turns out it causes build warnings and might break systems.
Link: https://lore.kernel.org/r/20250407181218.GA737271@ax162
Reported-by: Nathan Chancellor <nathan@kernel.org>
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Cc: Juergen Gross <jgross@suse.com>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/swiotlb-xen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -112,7 +112,7 @@ static int is_xen_swiotlb_buffer(struct
}
#ifdef CONFIG_X86
-int __init xen_swiotlb_fixup(void *buf, unsigned long nslabs)
+int xen_swiotlb_fixup(void *buf, unsigned long nslabs)
{
int rc;
unsigned int order = get_order(IO_TLB_SEGSIZE << IO_TLB_SHIFT);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 273/291] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 272/291] Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init" Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 274/291] landlock: Add the errata interface Greg Kroah-Hartman
` (26 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland, Tom Chung, Hersen Wu,
Daniel Wheeler, Alex Deucher, Jianqi Ren, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hersen Wu <hersenxs.wu@amd.com>
commit cf8b16857db702ceb8d52f9219a4613363e2b1cf upstream.
[Why]
Coverity report OVERRUN warning. There are
only max_links elements within dc->links. link
count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.
[How]
Make sure link count less than max_links.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[Minor conflict resolved due to code context change. And the macro MAX_LINKS
is introduced by Commit 60df5628144b ("drm/amd/display: handle invalid
connector indices") after 6.10. So here we still use the original array
length MAX_PIPES * 2]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4499,17 +4499,17 @@ static int amdgpu_dm_initialize_drm_devi
}
}
+ if (link_cnt > (MAX_PIPES * 2)) {
+ DRM_ERROR(
+ "KMS: Cannot support more than %d display indexes\n",
+ MAX_PIPES * 2);
+ goto fail;
+ }
+
/* loops over all connectors on the board */
for (i = 0; i < link_cnt; i++) {
struct dc_link *link = NULL;
- if (i > AMDGPU_DM_MAX_DISPLAY_INDEX) {
- DRM_ERROR(
- "KMS: Cannot support more than %d display indexes\n",
- AMDGPU_DM_MAX_DISPLAY_INDEX);
- continue;
- }
-
aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL);
if (!aconnector)
goto fail;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 274/291] landlock: Add the errata interface
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 273/291] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 275/291] Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()" Greg Kroah-Hartman
` (25 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Mickaël Salaün
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac upstream.
Some fixes may require user space to check if they are applied on the
running kernel before using a specific feature. For instance, this
applies when a restriction was previously too restrictive and is now
getting relaxed (e.g. for compatibility reasons). However, non-visible
changes for legitimate use (e.g. security fixes) do not require an
erratum.
Because fixes are backported down to a specific Landlock ABI, we need a
way to avoid cherry-pick conflicts. The solution is to only update a
file related to the lower ABI impacted by this issue. All the ABI files
are then used to create a bitmask of fixes.
The new errata interface is similar to the one used to get the supported
Landlock ABI version, but it returns a bitmask instead because the order
of fixes may not match the order of versions, and not all fixes may
apply to all versions.
The actual errata will come with dedicated commits. The description is
not actually used in the code but serves as documentation.
Create the landlock_abi_version symbol and use its value to check errata
consistency.
Update test_base's create_ruleset_checks_ordering tests and add errata
tests.
This commit is backportable down to the first version of Landlock.
Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/landlock.h | 2
security/landlock/errata.h | 87 +++++++++++++++++++++++++++
security/landlock/setup.c | 30 +++++++++
security/landlock/setup.h | 3
security/landlock/syscalls.c | 22 +++++-
tools/testing/selftests/landlock/base_test.c | 46 +++++++++++++-
6 files changed, 185 insertions(+), 5 deletions(-)
create mode 100644 security/landlock/errata.h
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -38,9 +38,11 @@ struct landlock_ruleset_attr {
*
* - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
* version.
+ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
*/
/* clang-format off */
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
+#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
/* clang-format on */
/**
--- /dev/null
+++ b/security/landlock/errata.h
@@ -0,0 +1,87 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Landlock - Errata information
+ *
+ * Copyright © 2025 Microsoft Corporation
+ */
+
+#ifndef _SECURITY_LANDLOCK_ERRATA_H
+#define _SECURITY_LANDLOCK_ERRATA_H
+
+#include <linux/init.h>
+
+struct landlock_erratum {
+ const int abi;
+ const u8 number;
+};
+
+/* clang-format off */
+#define LANDLOCK_ERRATUM(NUMBER) \
+ { \
+ .abi = LANDLOCK_ERRATA_ABI, \
+ .number = NUMBER, \
+ },
+/* clang-format on */
+
+/*
+ * Some fixes may require user space to check if they are applied on the running
+ * kernel before using a specific feature. For instance, this applies when a
+ * restriction was previously too restrictive and is now getting relaxed (for
+ * compatibility or semantic reasons). However, non-visible changes for
+ * legitimate use (e.g. security fixes) do not require an erratum.
+ */
+static const struct landlock_erratum landlock_errata_init[] __initconst = {
+
+/*
+ * Only Sparse may not implement __has_include. If a compiler does not
+ * implement __has_include, a warning will be printed at boot time (see
+ * setup.c).
+ */
+#ifdef __has_include
+
+#define LANDLOCK_ERRATA_ABI 1
+#if __has_include("errata/abi-1.h")
+#include "errata/abi-1.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 2
+#if __has_include("errata/abi-2.h")
+#include "errata/abi-2.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 3
+#if __has_include("errata/abi-3.h")
+#include "errata/abi-3.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 4
+#if __has_include("errata/abi-4.h")
+#include "errata/abi-4.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+/*
+ * For each new erratum, we need to include all the ABI files up to the impacted
+ * ABI to make all potential future intermediate errata easy to backport.
+ *
+ * If such change involves more than one ABI addition, then it must be in a
+ * dedicated commit with the same Fixes tag as used for the actual fix.
+ *
+ * Each commit creating a new security/landlock/errata/abi-*.h file must have a
+ * Depends-on tag to reference the commit that previously added the line to
+ * include this new file, except if the original Fixes tag is enough.
+ *
+ * Each erratum must be documented in its related ABI file, and a dedicated
+ * commit must update Documentation/userspace-api/landlock.rst to include this
+ * erratum. This commit will not be backported.
+ */
+
+#endif
+
+ {}
+};
+
+#endif /* _SECURITY_LANDLOCK_ERRATA_H */
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -6,11 +6,13 @@
* Copyright © 2018-2020 ANSSI
*/
+#include <linux/bits.h>
#include <linux/init.h>
#include <linux/lsm_hooks.h>
#include "common.h"
#include "cred.h"
+#include "errata.h"
#include "fs.h"
#include "ptrace.h"
#include "setup.h"
@@ -23,8 +25,36 @@ struct lsm_blob_sizes landlock_blob_size
.lbs_superblock = sizeof(struct landlock_superblock_security),
};
+int landlock_errata __ro_after_init;
+
+static void __init compute_errata(void)
+{
+ size_t i;
+
+#ifndef __has_include
+ /*
+ * This is a safeguard to make sure the compiler implements
+ * __has_include (see errata.h).
+ */
+ WARN_ON_ONCE(1);
+ return;
+#endif
+
+ for (i = 0; landlock_errata_init[i].number; i++) {
+ const int prev_errata = landlock_errata;
+
+ if (WARN_ON_ONCE(landlock_errata_init[i].abi >
+ landlock_abi_version))
+ continue;
+
+ landlock_errata |= BIT(landlock_errata_init[i].number - 1);
+ WARN_ON_ONCE(prev_errata == landlock_errata);
+ }
+}
+
static int __init landlock_init(void)
{
+ compute_errata();
landlock_add_cred_hooks();
landlock_add_ptrace_hooks();
landlock_add_fs_hooks();
--- a/security/landlock/setup.h
+++ b/security/landlock/setup.h
@@ -11,7 +11,10 @@
#include <linux/lsm_hooks.h>
+extern const int landlock_abi_version;
+
extern bool landlock_initialized;
+extern int landlock_errata;
extern struct lsm_blob_sizes landlock_blob_sizes;
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -150,7 +150,9 @@ static const struct file_operations rule
* the new ruleset.
* @size: Size of the pointed &struct landlock_ruleset_attr (needed for
* backward and forward compatibility).
- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
+ * @flags: Supported value:
+ * - %LANDLOCK_CREATE_RULESET_VERSION
+ * - %LANDLOCK_CREATE_RULESET_ERRATA
*
* This system call enables to create a new Landlock ruleset, and returns the
* related file descriptor on success.
@@ -159,6 +161,10 @@ static const struct file_operations rule
* 0, then the returned value is the highest supported Landlock ABI version
* (starting at 1).
*
+ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
+ * 0, then the returned value is a bitmask of fixed issues for the current
+ * Landlock ABI version.
+ *
* Possible returned errors are:
*
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
@@ -181,9 +187,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
return -EOPNOTSUPP;
if (flags) {
- if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
- !size)
- return LANDLOCK_ABI_VERSION;
+ if (attr || size)
+ return -EINVAL;
+
+ if (flags == LANDLOCK_CREATE_RULESET_VERSION)
+ return landlock_abi_version;
+
+ if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
+ return landlock_errata;
+
return -EINVAL;
}
@@ -213,6 +225,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
return ruleset_fd;
}
+const int landlock_abi_version = LANDLOCK_ABI_VERSION;
+
/*
* Returns an owned ruleset from a FD. It is thus needed to call
* landlock_put_ruleset() on the return value.
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -98,10 +98,54 @@ TEST(abi_version)
ASSERT_EQ(EINVAL, errno);
}
+/*
+ * Old source trees might not have the set of Kselftest fixes related to kernel
+ * UAPI headers.
+ */
+#ifndef LANDLOCK_CREATE_RULESET_ERRATA
+#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
+#endif
+
+TEST(errata)
+{
+ const struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
+ };
+ int errata;
+
+ errata = landlock_create_ruleset(NULL, 0,
+ LANDLOCK_CREATE_RULESET_ERRATA);
+ /* The errata bitmask will not be backported to tests. */
+ ASSERT_LE(0, errata);
+ TH_LOG("errata: 0x%x", errata);
+
+ ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(EINVAL, errno);
+
+ ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(EINVAL, errno);
+
+ ASSERT_EQ(-1,
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(EINVAL, errno);
+
+ ASSERT_EQ(-1, landlock_create_ruleset(
+ NULL, 0,
+ LANDLOCK_CREATE_RULESET_VERSION |
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
+ LANDLOCK_CREATE_RULESET_ERRATA |
+ 1 << 31));
+ ASSERT_EQ(EINVAL, errno);
+}
+
/* Tests ordering of syscall argument checks. */
TEST(create_ruleset_checks_ordering)
{
- const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
+ const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
const int invalid_flag = last_flag << 1;
int ruleset_fd;
const struct landlock_ruleset_attr ruleset_attr = {
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 275/291] Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()"
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 274/291] landlock: Add the errata interface Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 276/291] nvmet-fc: Remove unused functions Greg Kroah-Hartman
` (24 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Vincent Li,
Hengqi Chen, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit e9ccb262b39a which is
commit 7e2586991e36663c9bc48c828b83eab180ad30a9 upstream.
It breaks the build.
Link: https://lore.kernel.org/r/90288944-3f5b-45b7-ae7d-c7a54398db55@roeck-us.neta
Reported-by: Guenter Roeck <linux@roeck-us.net>
Cc: Vincent Li <vincent.mc.li@gmail.com>
Cc: Hengqi Chen <hengqi.chen@gmail.com>
Cc: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/net/bpf_jit.c | 2 --
arch/loongarch/net/bpf_jit.h | 5 -----
2 files changed, 7 deletions(-)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -142,8 +142,6 @@ static void build_prologue(struct jit_ct
*/
if (seen_tail_call(ctx) && seen_call(ctx))
move_reg(ctx, TCC_SAVED, REG_TCC);
- else
- emit_insn(ctx, nop);
ctx->stack_size = stack_adjust;
}
--- a/arch/loongarch/net/bpf_jit.h
+++ b/arch/loongarch/net/bpf_jit.h
@@ -25,11 +25,6 @@ struct jit_data {
struct jit_ctx ctx;
};
-static inline void emit_nop(union loongarch_instruction *insn)
-{
- insn->word = INSN_NOP;
-}
-
#define emit_insn(ctx, func, ...) \
do { \
if (ctx->image != NULL) { \
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 276/291] nvmet-fc: Remove unused functions
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 275/291] Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()" Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 277/291] smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() Greg Kroah-Hartman
` (23 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli, Chaitanya Kulkarni,
Christoph Hellwig, Keith Busch
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit 1b304c006b0fb4f0517a8c4ba8c46e88f48a069c upstream.
The functions nvmet_fc_iodnum() and nvmet_fc_fodnum() are currently
unutilized.
Following commit c53432030d86 ("nvme-fabrics: Add target support for FC
transport"), which introduced these two functions, they have not been
used at all in practice.
Remove them to resolve the compiler warnings.
Fix follow errors with clang-19 when W=1e:
drivers/nvme/target/fc.c:177:1: error: unused function 'nvmet_fc_iodnum' [-Werror,-Wunused-function]
177 | nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr)
| ^~~~~~~~~~~~~~~
drivers/nvme/target/fc.c:183:1: error: unused function 'nvmet_fc_fodnum' [-Werror,-Wunused-function]
183 | nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr)
| ^~~~~~~~~~~~~~~
2 errors generated.
make[8]: *** [scripts/Makefile.build:207: drivers/nvme/target/fc.o] Error 1
make[7]: *** [scripts/Makefile.build:465: drivers/nvme/target] Error 2
make[6]: *** [scripts/Makefile.build:465: drivers/nvme] Error 2
make[6]: *** Waiting for unfinished jobs....
Fixes: c53432030d86 ("nvme-fabrics: Add target support for FC transport")
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/fc.c | 14 --------------
1 file changed, 14 deletions(-)
--- a/drivers/nvme/target/fc.c
+++ b/drivers/nvme/target/fc.c
@@ -173,20 +173,6 @@ struct nvmet_fc_tgt_assoc {
struct rcu_head rcu;
};
-
-static inline int
-nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr)
-{
- return (iodptr - iodptr->tgtport->iod);
-}
-
-static inline int
-nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr)
-{
- return (fodptr - fodptr->queue->fod);
-}
-
-
/*
* Association and Connection IDs:
*
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 277/291] smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 276/291] nvmet-fc: Remove unused functions Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 278/291] cifs: use origin fullpath for automounts Greg Kroah-Hartman
` (22 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Steve French,
Jianqi Ren, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
commit 4e8771a3666c8f216eefd6bd2fd50121c6c437db upstream.
null-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
and parse_lease_state() return NULL.
Fix this by check if 'lease_ctx_info' is NULL.
Additionally, remove the redundant parentheses in
parse_durable_handle_context().
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Drop the parentheses clean-up since the parentheses was introduced by
c8efcc786146 ("ksmbd: add support for durable handles v1/v2") in v6.9
Minor context change fixed ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 2 +-
fs/smb/server/smb2pdu.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1515,7 +1515,7 @@ void create_lease_buf(u8 *rbuf, struct l
* @open_req: buffer containing smb2 file open(create) request
* @is_dir: whether leasing file is directory
*
- * Return: oplock state, -ENOENT if create lease context not found
+ * Return: allocated lease context object on success, otherwise NULL
*/
struct lease_ctx_info *parse_lease_state(void *open_req, bool is_dir)
{
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3243,7 +3243,7 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
} else {
- if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {
+ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && lc) {
/*
* Compare parent lease using parent key. If there is no
* a lease that has same parent key, Send lease break
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 278/291] cifs: use origin fullpath for automounts
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 277/291] smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 279/291] net/sched: act_mirred: dont override retval if we already lost the skb Greg Kroah-Hartman
` (21 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Steve French,
Andrew Paniakin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@cjr.nz>
commit 7ad54b98fc1f141cfb70cfe2a3d6def5a85169ff upstream.
Use TCP_Server_Info::origin_fullpath instead of cifs_tcon::tree_name
when building source paths for automounts as it will be useful for
domain-based DFS referrals where the connections and referrals would
get either re-used from the cache or re-created when chasing the dfs
link.
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
[apanyaki: backport to v6.1-stable]
Signed-off-by: Andrew Paniakin <apanyaki@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifs_dfs_ref.c | 34 ++++++++++++++++++++++++++++++++--
fs/smb/client/cifsproto.h | 21 +++++++++++++++++++++
fs/smb/client/dir.c | 21 +++++++++++++++------
3 files changed, 68 insertions(+), 8 deletions(-)
--- a/fs/smb/client/cifs_dfs_ref.c
+++ b/fs/smb/client/cifs_dfs_ref.c
@@ -258,6 +258,31 @@ compose_mount_options_err:
goto compose_mount_options_out;
}
+static int set_dest_addr(struct smb3_fs_context *ctx, const char *full_path)
+{
+ struct sockaddr *addr = (struct sockaddr *)&ctx->dstaddr;
+ char *str_addr = NULL;
+ int rc;
+
+ rc = dns_resolve_server_name_to_ip(full_path, &str_addr, NULL);
+ if (rc < 0)
+ goto out;
+
+ rc = cifs_convert_address(addr, str_addr, strlen(str_addr));
+ if (!rc) {
+ cifs_dbg(FYI, "%s: failed to convert ip address\n", __func__);
+ rc = -EINVAL;
+ goto out;
+ }
+
+ cifs_set_port(addr, ctx->port);
+ rc = 0;
+
+out:
+ kfree(str_addr);
+ return rc;
+}
+
/*
* Create a vfsmount that we can automount
*/
@@ -295,8 +320,7 @@ static struct vfsmount *cifs_dfs_do_auto
ctx = smb3_fc2context(fc);
page = alloc_dentry_path();
- /* always use tree name prefix */
- full_path = build_path_from_dentry_optional_prefix(mntpt, page, true);
+ full_path = dfs_get_automount_devname(mntpt, page);
if (IS_ERR(full_path)) {
mnt = ERR_CAST(full_path);
goto out;
@@ -313,6 +337,12 @@ static struct vfsmount *cifs_dfs_do_auto
if (rc) {
mnt = ERR_PTR(rc);
goto out;
+ }
+
+ rc = set_dest_addr(ctx, full_path);
+ if (rc) {
+ mnt = ERR_PTR(rc);
+ goto out;
}
rc = smb3_parse_devname(full_path, ctx);
--- a/fs/smb/client/cifsproto.h
+++ b/fs/smb/client/cifsproto.h
@@ -57,8 +57,29 @@ extern void exit_cifs_idmap(void);
extern int init_cifs_spnego(void);
extern void exit_cifs_spnego(void);
extern const char *build_path_from_dentry(struct dentry *, void *);
+char *__build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page,
+ const char *tree, int tree_len,
+ bool prefix);
extern char *build_path_from_dentry_optional_prefix(struct dentry *direntry,
void *page, bool prefix);
+
+#ifdef CONFIG_CIFS_DFS_UPCALL
+static inline char *dfs_get_automount_devname(struct dentry *dentry, void *page)
+{
+ struct cifs_sb_info *cifs_sb = CIFS_SB(dentry->d_sb);
+ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+ struct TCP_Server_Info *server = tcon->ses->server;
+
+ if (unlikely(!server->origin_fullpath))
+ return ERR_PTR(-EREMOTE);
+
+ return __build_path_from_dentry_optional_prefix(dentry, page,
+ server->origin_fullpath,
+ strlen(server->origin_fullpath),
+ true);
+}
+#endif
+
static inline void *alloc_dentry_path(void)
{
return __getname();
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -78,14 +78,13 @@ build_path_from_dentry(struct dentry *di
prefix);
}
-char *
-build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page,
- bool prefix)
+char *__build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page,
+ const char *tree, int tree_len,
+ bool prefix)
{
int dfsplen;
int pplen = 0;
struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
char dirsep = CIFS_DIR_SEP(cifs_sb);
char *s;
@@ -93,7 +92,7 @@ build_path_from_dentry_optional_prefix(s
return ERR_PTR(-ENOMEM);
if (prefix)
- dfsplen = strnlen(tcon->tree_name, MAX_TREE_SIZE + 1);
+ dfsplen = strnlen(tree, tree_len + 1);
else
dfsplen = 0;
@@ -123,7 +122,7 @@ build_path_from_dentry_optional_prefix(s
}
if (dfsplen) {
s -= dfsplen;
- memcpy(s, tcon->tree_name, dfsplen);
+ memcpy(s, tree, dfsplen);
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) {
int i;
for (i = 0; i < dfsplen; i++) {
@@ -135,6 +134,16 @@ build_path_from_dentry_optional_prefix(s
return s;
}
+char *build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page,
+ bool prefix)
+{
+ struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
+ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+
+ return __build_path_from_dentry_optional_prefix(direntry, page, tcon->tree_name,
+ MAX_TREE_SIZE, prefix);
+}
+
/*
* Don't allow path components longer than the server max.
* Don't allow the separator character in a path component.
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 279/291] net/sched: act_mirred: dont override retval if we already lost the skb
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 278/291] cifs: use origin fullpath for automounts Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 280/291] btrfs: fix the length of reserved qgroup to free Greg Kroah-Hartman
` (20 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Swiatkowski, Jakub Kicinski,
Jamal Hadi Salim, David S. Miller, Jianqi Ren, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream.
If we're redirecting the skb, and haven't called tcf_mirred_forward(),
yet, we need to tell the core to drop the skb by setting the retcode
to SHOT. If we have called tcf_mirred_forward(), however, the skb
is out of our hands and returning SHOT will lead to UaF.
Move the retval override to the error path which actually need it.
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Minor conflict resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/act_mirred.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -259,13 +259,13 @@ static int tcf_mirred_act(struct sk_buff
dev = rcu_dereference_bh(m->tcfm_dev);
if (unlikely(!dev)) {
pr_notice_once("tc mirred: target device is gone\n");
- goto out;
+ goto err_cant_do;
}
if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
dev->name);
- goto out;
+ goto err_cant_do;
}
/* we could easily avoid the clone only if called by ingress and clsact;
@@ -279,7 +279,7 @@ static int tcf_mirred_act(struct sk_buff
if (!use_reinsert) {
skb2 = skb_clone(skb, GFP_ATOMIC);
if (!skb2)
- goto out;
+ goto err_cant_do;
}
want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
@@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff
}
err = tcf_mirred_forward(want_ingress, skb2);
- if (err) {
-out:
+ if (err)
tcf_action_inc_overlimit_qstats(&m->common);
- if (tcf_mirred_is_act_redirect(m_eaction))
- retval = TC_ACT_SHOT;
- }
+ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
+
+err_cant_do:
+ if (is_redirect)
+ retval = TC_ACT_SHOT;
+ tcf_action_inc_overlimit_qstats(&m->common);
__this_cpu_dec(mirred_nest_level);
return retval;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 280/291] btrfs: fix the length of reserved qgroup to free
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 279/291] net/sched: act_mirred: dont override retval if we already lost the skb Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 281/291] bpf: avoid holding freeze_mutex during mmap operation Greg Kroah-Hartman
` (19 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov, Haisu Wang,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haisu Wang <haisuwang@tencent.com>
commit 2b084d8205949dd804e279df8e68531da78be1e8 upstream.
The dealloc flag may be cleared and the extent won't reach the disk in
cow_file_range when errors path. The reserved qgroup space is freed in
commit 30479f31d44d ("btrfs: fix qgroup reserve leaks in
cow_file_range"). However, the length of untouched region to free needs
to be adjusted with the correct remaining region size.
Fixes: 30479f31d44d ("btrfs: fix qgroup reserve leaks in cow_file_range")
CC: stable@vger.kernel.org # 6.11+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Haisu Wang <haisuwang@tencent.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1442,7 +1442,7 @@ out_unlock:
clear_bits |= EXTENT_CLEAR_DATA_RESV;
extent_clear_unlock_delalloc(inode, start, end, locked_page,
clear_bits, page_ops);
- btrfs_qgroup_free_data(inode, NULL, start, cur_alloc_size, NULL);
+ btrfs_qgroup_free_data(inode, NULL, start, end - start + 1, NULL);
}
return ret;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 281/291] bpf: avoid holding freeze_mutex during mmap operation
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 280/291] btrfs: fix the length of reserved qgroup to free Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 282/291] bpf: Prevent tail call between progs attached to different hooks Greg Kroah-Hartman
` (18 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4dc041c686b7c816a71e,
Andrii Nakryiko, Alexei Starovoitov, David Sauerwein
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
commit bc27c52eea189e8f7492d40739b7746d67b65beb upstream.
We use map->freeze_mutex to prevent races between map_freeze() and
memory mapping BPF map contents with writable permissions. The way we
naively do this means we'll hold freeze_mutex for entire duration of all
the mm and VMA manipulations, which is completely unnecessary. This can
potentially also lead to deadlocks, as reported by syzbot in [0].
So, instead, hold freeze_mutex only during writeability checks, bump
(proactively) "write active" count for the map, unlock the mutex and
proceed with mmap logic. And only if something went wrong during mmap
logic, then undo that "write active" counter increment.
[0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/
Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
Reported-by: syzbot+4dc041c686b7c816a71e@syzkaller.appspotmail.com
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20250129012246.1515826-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David Sauerwein <dssauerw@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/syscall.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -813,7 +813,7 @@ static const struct vm_operations_struct
static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
{
struct bpf_map *map = filp->private_data;
- int err;
+ int err = 0;
if (!map->ops->map_mmap || map_value_has_spin_lock(map) ||
map_value_has_timer(map) || map_value_has_kptrs(map))
@@ -838,7 +838,12 @@ static int bpf_map_mmap(struct file *fil
err = -EACCES;
goto out;
}
+ bpf_map_write_active_inc(map);
}
+out:
+ mutex_unlock(&map->freeze_mutex);
+ if (err)
+ return err;
/* set default open/close callbacks */
vma->vm_ops = &bpf_map_default_vmops;
@@ -849,13 +854,11 @@ static int bpf_map_mmap(struct file *fil
vma->vm_flags &= ~VM_MAYWRITE;
err = map->ops->map_mmap(map, vma);
- if (err)
- goto out;
+ if (err) {
+ if (vma->vm_flags & VM_WRITE)
+ bpf_map_write_active_dec(map);
+ }
- if (vma->vm_flags & VM_MAYWRITE)
- bpf_map_write_active_inc(map);
-out:
- mutex_unlock(&map->freeze_mutex);
return err;
}
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 282/291] bpf: Prevent tail call between progs attached to different hooks
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 281/291] bpf: avoid holding freeze_mutex during mmap operation Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 283/291] blk-cgroup: support to track if policy is online Greg Kroah-Hartman
` (17 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xu Kuohai, Alexei Starovoitov,
Andrii Nakryiko, Jianqi Ren, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Kuohai <xukuohai@huawei.com>
commit 28ead3eaabc16ecc907cfb71876da028080f6356 upstream.
bpf progs can be attached to kernel functions, and the attached functions
can take different parameters or return different return values. If
prog attached to one kernel function tail calls prog attached to another
kernel function, the ctx access or return value verification could be
bypassed.
For example, if prog1 is attached to func1 which takes only 1 parameter
and prog2 is attached to func2 which takes two parameters. Since verifier
assumes the bpf ctx passed to prog2 is constructed based on func2's
prototype, verifier allows prog2 to access the second parameter from
the bpf ctx passed to it. The problem is that verifier does not prevent
prog1 from passing its bpf ctx to prog2 via tail call. In this case,
the bpf ctx passed to prog2 is constructed from func1 instead of func2,
that is, the assumption for ctx access verification is bypassed.
Another example, if BPF LSM prog1 is attached to hook file_alloc_security,
and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier
knows the return value rules for these two hooks, e.g. it is legal for
bpf_lsm_audit_rule_known to return positive number 1, and it is illegal
for file_alloc_security to return positive number. So verifier allows
prog2 to return positive number 1, but does not allow prog1 to return
positive number. The problem is that verifier does not prevent prog1
from calling prog2 via tail call. In this case, prog2's return value 1
will be used as the return value for prog1's hook file_alloc_security.
That is, the return value rule is bypassed.
This patch adds restriction for tail call to prevent such bypasses.
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20240719110059.797546-4-xukuohai@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
[Minor conflict resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/bpf.h | 1 +
kernel/bpf/core.c | 19 +++++++++++++++++--
2 files changed, 18 insertions(+), 2 deletions(-)
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -250,6 +250,7 @@ struct bpf_map {
* same prog type, JITed flag and xdp_has_frags flag.
*/
struct {
+ const struct btf_type *attach_func_proto;
spinlock_t lock;
enum bpf_prog_type type;
bool jited;
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2121,6 +2121,7 @@ bool bpf_prog_map_compatible(struct bpf_
{
enum bpf_prog_type prog_type = resolve_prog_type(fp);
bool ret;
+ struct bpf_prog_aux *aux = fp->aux;
if (fp->kprobe_override)
return false;
@@ -2132,12 +2133,26 @@ bool bpf_prog_map_compatible(struct bpf_
*/
map->owner.type = prog_type;
map->owner.jited = fp->jited;
- map->owner.xdp_has_frags = fp->aux->xdp_has_frags;
+ map->owner.xdp_has_frags = aux->xdp_has_frags;
+ map->owner.attach_func_proto = aux->attach_func_proto;
ret = true;
} else {
ret = map->owner.type == prog_type &&
map->owner.jited == fp->jited &&
- map->owner.xdp_has_frags == fp->aux->xdp_has_frags;
+ map->owner.xdp_has_frags == aux->xdp_has_frags;
+ if (ret &&
+ map->owner.attach_func_proto != aux->attach_func_proto) {
+ switch (prog_type) {
+ case BPF_PROG_TYPE_TRACING:
+ case BPF_PROG_TYPE_LSM:
+ case BPF_PROG_TYPE_EXT:
+ case BPF_PROG_TYPE_STRUCT_OPS:
+ ret = false;
+ break;
+ default:
+ break;
+ }
+ }
}
spin_unlock(&map->owner.lock);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 283/291] blk-cgroup: support to track if policy is online
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 282/291] bpf: Prevent tail call between progs attached to different hooks Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 284/291] blk-iocost: do not WARN if iocg was already offlined Greg Kroah-Hartman
` (16 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Tejun Heo,
Christoph Hellwig, Jens Axboe, Bin Lan, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
commit dfd6200a095440b663099d8d42f1efb0175a1ce3 upstream.
A new field 'online' is added to blkg_policy_data to fix following
2 problem:
1) In blkcg_activate_policy(), if pd_alloc_fn() with 'GFP_NOWAIT'
failed, 'queue_lock' will be dropped and pd_alloc_fn() will try again
without 'GFP_NOWAIT'. In the meantime, remove cgroup can race with
it, and pd_offline_fn() will be called without pd_init_fn() and
pd_online_fn(). This way null-ptr-deference can be triggered.
2) In order to synchronize pd_free_fn() from blkg_free_workfn() and
blkcg_deactivate_policy(), 'list_del_init(&blkg->q_node)' will be
delayed to blkg_free_workfn(), hence pd_offline_fn() can be called
first in blkg_destroy(), and then blkcg_deactivate_policy() will
call it again, we must prevent it.
The new field 'online' will be set after pd_online_fn() and will be
cleared after pd_offline_fn(), in the meantime pd_offline_fn() will only
be called if 'online' is set.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20230119110350.2287325-3-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-cgroup.c | 24 +++++++++++++++++-------
block/blk-cgroup.h | 1 +
2 files changed, 18 insertions(+), 7 deletions(-)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -255,6 +255,7 @@ static struct blkcg_gq *blkg_alloc(struc
blkg->pd[i] = pd;
pd->blkg = blkg;
pd->plid = i;
+ pd->online = false;
}
return blkg;
@@ -326,8 +327,11 @@ static struct blkcg_gq *blkg_create(stru
for (i = 0; i < BLKCG_MAX_POLS; i++) {
struct blkcg_policy *pol = blkcg_policy[i];
- if (blkg->pd[i] && pol->pd_online_fn)
- pol->pd_online_fn(blkg->pd[i]);
+ if (blkg->pd[i]) {
+ if (pol->pd_online_fn)
+ pol->pd_online_fn(blkg->pd[i]);
+ blkg->pd[i]->online = true;
+ }
}
}
blkg->online = true;
@@ -432,8 +436,11 @@ static void blkg_destroy(struct blkcg_gq
for (i = 0; i < BLKCG_MAX_POLS; i++) {
struct blkcg_policy *pol = blkcg_policy[i];
- if (blkg->pd[i] && pol->pd_offline_fn)
- pol->pd_offline_fn(blkg->pd[i]);
+ if (blkg->pd[i] && blkg->pd[i]->online) {
+ if (pol->pd_offline_fn)
+ pol->pd_offline_fn(blkg->pd[i]);
+ blkg->pd[i]->online = false;
+ }
}
blkg->online = false;
@@ -1422,6 +1429,7 @@ retry:
blkg->pd[pol->plid] = pd;
pd->blkg = blkg;
pd->plid = pol->plid;
+ pd->online = false;
}
/* all allocated, init in the same order */
@@ -1429,9 +1437,11 @@ retry:
list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
pol->pd_init_fn(blkg->pd[pol->plid]);
- if (pol->pd_online_fn)
- list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
+ list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) {
+ if (pol->pd_online_fn)
pol->pd_online_fn(blkg->pd[pol->plid]);
+ blkg->pd[pol->plid]->online = true;
+ }
__set_bit(pol->plid, q->blkcg_pols);
ret = 0;
@@ -1493,7 +1503,7 @@ void blkcg_deactivate_policy(struct requ
spin_lock(&blkcg->lock);
if (blkg->pd[pol->plid]) {
- if (pol->pd_offline_fn)
+ if (blkg->pd[pol->plid]->online && pol->pd_offline_fn)
pol->pd_offline_fn(blkg->pd[pol->plid]);
pol->pd_free_fn(blkg->pd[pol->plid]);
blkg->pd[pol->plid] = NULL;
--- a/block/blk-cgroup.h
+++ b/block/blk-cgroup.h
@@ -125,6 +125,7 @@ struct blkg_policy_data {
/* the blkg and policy id this per-policy data belongs to */
struct blkcg_gq *blkg;
int plid;
+ bool online;
};
/*
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 284/291] blk-iocost: do not WARN if iocg was already offlined
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 283/291] blk-cgroup: support to track if policy is online Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 285/291] mm: fix apply_to_existing_page_range() Greg Kroah-Hartman
` (15 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Nan, Yu Kuai, Tejun Heo,
Jens Axboe, Bin Lan, He Zhe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Nan <linan122@huawei.com>
commit 01bc4fda9ea0a6b52f12326486f07a4910666cf6 upstream.
In iocg_pay_debt(), warn is triggered if 'active_list' is empty, which
is intended to confirm iocg is active when it has debt. However, warn
can be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()
is run at that time:
WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190
Call trace:
iocg_pay_debt+0x14c/0x190
iocg_kick_waitq+0x438/0x4c0
iocg_waitq_timer_fn+0xd8/0x130
__run_hrtimer+0x144/0x45c
__hrtimer_run_queues+0x16c/0x244
hrtimer_interrupt+0x2cc/0x7b0
The warn in this situation is meaningless. Since this iocg is being
removed, the state of the 'active_list' is irrelevant, and 'waitq_timer'
is canceled after removing 'active_list' in ioc_pd_free(), which ensures
iocg is freed after iocg_waitq_timer_fn() returns.
Therefore, add the check if iocg was already offlined to avoid warn
when removing a blkcg or disk.
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20240419093257.3004211-1-linan666@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-iocost.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -1430,8 +1430,11 @@ static void iocg_pay_debt(struct ioc_gq
lockdep_assert_held(&iocg->ioc->lock);
lockdep_assert_held(&iocg->waitq.lock);
- /* make sure that nobody messed with @iocg */
- WARN_ON_ONCE(list_empty(&iocg->active_list));
+ /*
+ * make sure that nobody messed with @iocg. Check iocg->pd.online
+ * to avoid warn when removing blkcg or disk.
+ */
+ WARN_ON_ONCE(list_empty(&iocg->active_list) && iocg->pd.online);
WARN_ON_ONCE(iocg->inuse > 1);
iocg->abs_vdebt -= min(abs_vpay, iocg->abs_vdebt);
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 285/291] mm: fix apply_to_existing_page_range()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 284/291] blk-iocost: do not WARN if iocg was already offlined Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 286/291] sign-file,extract-cert: move common SSL helper functions to a header Greg Kroah-Hartman
` (14 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kirill A. Shutemov, Daniel Axtens,
David Hildenbrand, Vlastimil Babka, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
commit a995199384347261bb3f21b2e171fa7f988bd2f8 upstream.
In the case of apply_to_existing_page_range(), apply_to_pte_range() is
reached with 'create' set to false. When !create, the loop over the PTE
page table is broken.
apply_to_pte_range() will only move to the next PTE entry if 'create' is
true or if the current entry is not pte_none().
This means that the user of apply_to_existing_page_range() will not have
'fn' called for any entries after the first pte_none() in the PTE page
table.
Fix the loop logic in apply_to_pte_range().
There are no known runtime issues from this, but the fix is trivial enough
for stable@ even without a known buggy user.
Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper")
Cc: Daniel Axtens <dja@axtens.net>
Cc: David Hildenbrand <david@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2659,11 +2659,11 @@ static int apply_to_pte_range(struct mm_
if (fn) {
do {
if (create || !pte_none(*pte)) {
- err = fn(pte++, addr, data);
+ err = fn(pte, addr, data);
if (err)
break;
}
- } while (addr += PAGE_SIZE, addr != end);
+ } while (pte++, addr += PAGE_SIZE, addr != end);
}
*mask |= PGTBL_PTE_MODIFIED;
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 286/291] sign-file,extract-cert: move common SSL helper functions to a header
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 285/291] mm: fix apply_to_existing_page_range() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 287/291] sign-file,extract-cert: avoid using deprecated ERR_get_error_line() Greg Kroah-Hartman
` (13 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Stancek, Jarkko Sakkinen,
R Nageswara Sastry, Neal Gompa, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Stancek <jstancek@redhat.com>
commit 300e6d4116f956b035281ec94297dc4dc8d4e1d3 upstream.
Couple error handling helpers are repeated in both tools, so
move them to a common header.
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
MAINTAINERS | 1 +
certs/Makefile | 2 +-
| 37 ++-----------------------------------
scripts/sign-file.c | 37 ++-----------------------------------
scripts/ssl-common.h | 39 +++++++++++++++++++++++++++++++++++++++
5 files changed, 45 insertions(+), 71 deletions(-)
create mode 100644 scripts/ssl-common.h
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4833,6 +4833,7 @@ S: Maintained
F: Documentation/admin-guide/module-signing.rst
F: certs/
F: scripts/sign-file.c
+F: scripts/ssl-common.h
F: tools/certs/
CFAG12864B LCD DRIVER
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -84,5 +84,5 @@ targets += x509_revocation_list
hostprogs := extract-cert
-HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
+HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts
HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -23,6 +23,8 @@
#include <openssl/err.h>
#include <openssl/engine.h>
+#include "ssl-common.h"
+
/*
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
*
@@ -40,41 +42,6 @@ void format(void)
exit(2);
}
-static void display_openssl_errors(int l)
-{
- const char *file;
- char buf[120];
- int e, line;
-
- if (ERR_peek_error() == 0)
- return;
- fprintf(stderr, "At main.c:%d:\n", l);
-
- while ((e = ERR_get_error_line(&file, &line))) {
- ERR_error_string(e, buf);
- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
- }
-}
-
-static void drain_openssl_errors(void)
-{
- const char *file;
- int line;
-
- if (ERR_peek_error() == 0)
- return;
- while (ERR_get_error_line(&file, &line)) {}
-}
-
-#define ERR(cond, fmt, ...) \
- do { \
- bool __cond = (cond); \
- display_openssl_errors(__LINE__); \
- if (__cond) { \
- err(1, fmt, ## __VA_ARGS__); \
- } \
- } while(0)
-
static const char *key_pass;
static BIO *wb;
static char *cert_dst;
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -29,6 +29,8 @@
#include <openssl/err.h>
#include <openssl/engine.h>
+#include "ssl-common.h"
+
/*
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
*
@@ -83,41 +85,6 @@ void format(void)
exit(2);
}
-static void display_openssl_errors(int l)
-{
- const char *file;
- char buf[120];
- int e, line;
-
- if (ERR_peek_error() == 0)
- return;
- fprintf(stderr, "At main.c:%d:\n", l);
-
- while ((e = ERR_get_error_line(&file, &line))) {
- ERR_error_string(e, buf);
- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
- }
-}
-
-static void drain_openssl_errors(void)
-{
- const char *file;
- int line;
-
- if (ERR_peek_error() == 0)
- return;
- while (ERR_get_error_line(&file, &line)) {}
-}
-
-#define ERR(cond, fmt, ...) \
- do { \
- bool __cond = (cond); \
- display_openssl_errors(__LINE__); \
- if (__cond) { \
- errx(1, fmt, ## __VA_ARGS__); \
- } \
- } while(0)
-
static const char *key_pass;
static int pem_pw_cb(char *buf, int len, int w, void *v)
--- /dev/null
+++ b/scripts/ssl-common.h
@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * SSL helper functions shared by sign-file and extract-cert.
+ */
+
+static void display_openssl_errors(int l)
+{
+ const char *file;
+ char buf[120];
+ int e, line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ fprintf(stderr, "At main.c:%d:\n", l);
+
+ while ((e = ERR_get_error_line(&file, &line))) {
+ ERR_error_string(e, buf);
+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+ }
+}
+
+static void drain_openssl_errors(void)
+{
+ const char *file;
+ int line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ while (ERR_get_error_line(&file, &line)) {}
+}
+
+#define ERR(cond, fmt, ...) \
+ do { \
+ bool __cond = (cond); \
+ display_openssl_errors(__LINE__); \
+ if (__cond) { \
+ errx(1, fmt, ## __VA_ARGS__); \
+ } \
+ } while (0)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 287/291] sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 286/291] sign-file,extract-cert: move common SSL helper functions to a header Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 288/291] sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Greg Kroah-Hartman
` (12 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Stancek, Jarkko Sakkinen,
R Nageswara Sastry, Neal Gompa, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Stancek <jstancek@redhat.com>
commit 467d60eddf55588add232feda325da7215ddaf30 upstream.
ERR_get_error_line() is deprecated since OpenSSL 3.0.
Use ERR_peek_error_line() instead, and combine display_openssl_errors()
and drain_openssl_errors() to a single function where parameter decides
if it should consume errors silently.
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
| 4 ++--
scripts/sign-file.c | 6 +++---
scripts/ssl-common.h | 23 ++++++++---------------
3 files changed, 13 insertions(+), 20 deletions(-)
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -96,11 +96,11 @@ int main(int argc, char **argv)
parms.cert = NULL;
ENGINE_load_builtin_engines();
- drain_openssl_errors();
+ drain_openssl_errors(__LINE__, 1);
e = ENGINE_by_id("pkcs11");
ERR(!e, "Load PKCS#11 ENGINE");
if (ENGINE_init(e))
- drain_openssl_errors();
+ drain_openssl_errors(__LINE__, 1);
else
ERR(1, "ENGINE_init");
if (key_pass)
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const
ENGINE *e;
ENGINE_load_builtin_engines();
- drain_openssl_errors();
+ drain_openssl_errors(__LINE__, 1);
e = ENGINE_by_id("pkcs11");
ERR(!e, "Load PKCS#11 ENGINE");
if (ENGINE_init(e))
- drain_openssl_errors();
+ drain_openssl_errors(__LINE__, 1);
else
ERR(1, "ENGINE_init");
if (key_pass)
@@ -273,7 +273,7 @@ int main(int argc, char **argv)
/* Digest the module data. */
OpenSSL_add_all_digests();
- display_openssl_errors(__LINE__);
+ drain_openssl_errors(__LINE__, 0);
digest_algo = EVP_get_digestbyname(hash_algo);
ERR(!digest_algo, "EVP_get_digestbyname");
--- a/scripts/ssl-common.h
+++ b/scripts/ssl-common.h
@@ -3,7 +3,7 @@
* SSL helper functions shared by sign-file and extract-cert.
*/
-static void display_openssl_errors(int l)
+static void drain_openssl_errors(int l, int silent)
{
const char *file;
char buf[120];
@@ -11,28 +11,21 @@ static void display_openssl_errors(int l
if (ERR_peek_error() == 0)
return;
- fprintf(stderr, "At main.c:%d:\n", l);
+ if (!silent)
+ fprintf(stderr, "At main.c:%d:\n", l);
- while ((e = ERR_get_error_line(&file, &line))) {
+ while ((e = ERR_peek_error_line(&file, &line))) {
ERR_error_string(e, buf);
- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+ if (!silent)
+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+ ERR_get_error();
}
}
-static void drain_openssl_errors(void)
-{
- const char *file;
- int line;
-
- if (ERR_peek_error() == 0)
- return;
- while (ERR_get_error_line(&file, &line)) {}
-}
-
#define ERR(cond, fmt, ...) \
do { \
bool __cond = (cond); \
- display_openssl_errors(__LINE__); \
+ drain_openssl_errors(__LINE__, 0); \
if (__cond) { \
errx(1, fmt, ## __VA_ARGS__); \
} \
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 288/291] sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 287/291] sign-file,extract-cert: avoid using deprecated ERR_get_error_line() Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 289/291] MIPS: dec: Declare which_prom() as static Greg Kroah-Hartman
` (11 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Stancek, Jarkko Sakkinen,
R Nageswara Sastry, Neal Gompa, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Stancek <jstancek@redhat.com>
commit 558bdc45dfb2669e1741384a0c80be9c82fa052c upstream.
ENGINE API has been deprecated since OpenSSL version 3.0 [1].
Distros have started dropping support from headers and in future
it will likely disappear also from library.
It has been superseded by the PROVIDER API, so use it instead
for OPENSSL MAJOR >= 3.
[1] https://github.com/openssl/openssl/blob/master/README-ENGINES.md
[jarkko: fixed up alignment issues reported by checkpatch.pl --strict]
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
| 103 ++++++++++++++++++++++++++++++++++++---------------
scripts/sign-file.c | 95 ++++++++++++++++++++++++++++++++---------------
2 files changed, 139 insertions(+), 59 deletions(-)
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -21,17 +21,18 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
-#include <openssl/engine.h>
-
+#if OPENSSL_VERSION_MAJOR >= 3
+# define USE_PKCS11_PROVIDER
+# include <openssl/provider.h>
+# include <openssl/store.h>
+#else
+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+# define USE_PKCS11_ENGINE
+# include <openssl/engine.h>
+# endif
+#endif
#include "ssl-common.h"
-/*
- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
- *
- * Remove this if/when that API is no longer used
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-
#define PKEY_ID_PKCS7 2
static __attribute__((noreturn))
@@ -61,6 +62,66 @@ static void write_cert(X509 *x509)
fprintf(stderr, "Extracted cert: %s\n", buf);
}
+static X509 *load_cert_pkcs11(const char *cert_src)
+{
+ X509 *cert = NULL;
+#ifdef USE_PKCS11_PROVIDER
+ OSSL_STORE_CTX *store;
+
+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
+ ERR(1, "OSSL_PROVIDER_try_load(default)");
+
+ store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open");
+
+ while (!OSSL_STORE_eof(store)) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
+
+ if (!info) {
+ drain_openssl_errors(__LINE__, 0);
+ continue;
+ }
+ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) {
+ cert = OSSL_STORE_INFO_get1_CERT(info);
+ ERR(!cert, "OSSL_STORE_INFO_get1_CERT");
+ }
+ OSSL_STORE_INFO_free(info);
+ if (cert)
+ break;
+ }
+ OSSL_STORE_close(store);
+#elif defined(USE_PKCS11_ENGINE)
+ ENGINE *e;
+ struct {
+ const char *cert_id;
+ X509 *cert;
+ } parms;
+
+ parms.cert_id = cert_src;
+ parms.cert = NULL;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors(__LINE__, 1);
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors(__LINE__, 1);
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+ ERR(!parms.cert, "Get X.509 from PKCS#11");
+ cert = parms.cert;
+#else
+ fprintf(stderr, "no pkcs11 engine/provider available\n");
+ exit(1);
+#endif
+ return cert;
+}
+
int main(int argc, char **argv)
{
char *cert_src;
@@ -86,28 +147,10 @@ int main(int argc, char **argv)
fclose(f);
exit(0);
} else if (!strncmp(cert_src, "pkcs11:", 7)) {
- ENGINE *e;
- struct {
- const char *cert_id;
- X509 *cert;
- } parms;
-
- parms.cert_id = cert_src;
- parms.cert = NULL;
+ X509 *cert = load_cert_pkcs11(cert_src);
- ENGINE_load_builtin_engines();
- drain_openssl_errors(__LINE__, 1);
- e = ENGINE_by_id("pkcs11");
- ERR(!e, "Load PKCS#11 ENGINE");
- if (ENGINE_init(e))
- drain_openssl_errors(__LINE__, 1);
- else
- ERR(1, "ENGINE_init");
- if (key_pass)
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
- ERR(!parms.cert, "Get X.509 from PKCS#11");
- write_cert(parms.cert);
+ ERR(!cert, "load_cert_pkcs11 failed");
+ write_cert(cert);
} else {
BIO *b;
X509 *x509;
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -27,18 +27,19 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/err.h>
-#include <openssl/engine.h>
-
+#if OPENSSL_VERSION_MAJOR >= 3
+# define USE_PKCS11_PROVIDER
+# include <openssl/provider.h>
+# include <openssl/store.h>
+#else
+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+# define USE_PKCS11_ENGINE
+# include <openssl/engine.h>
+# endif
+#endif
#include "ssl-common.h"
/*
- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
- *
- * Remove this if/when that API is no longer used
- */
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-
-/*
* Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
* assume that it's not available and its header file is missing and that we
* should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
@@ -106,28 +107,64 @@ static int pem_pw_cb(char *buf, int len,
return pwlen;
}
-static EVP_PKEY *read_private_key(const char *private_key_name)
+static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
{
- EVP_PKEY *private_key;
+ EVP_PKEY *private_key = NULL;
+#ifdef USE_PKCS11_PROVIDER
+ OSSL_STORE_CTX *store;
+
+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
+ ERR(1, "OSSL_PROVIDER_try_load(default)");
+
+ store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open");
+
+ while (!OSSL_STORE_eof(store)) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
+
+ if (!info) {
+ drain_openssl_errors(__LINE__, 0);
+ continue;
+ }
+ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
+ private_key = OSSL_STORE_INFO_get1_PKEY(info);
+ ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
+ }
+ OSSL_STORE_INFO_free(info);
+ if (private_key)
+ break;
+ }
+ OSSL_STORE_close(store);
+#elif defined(USE_PKCS11_ENGINE)
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors(__LINE__, 1);
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors(__LINE__, 1);
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+ private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
+ ERR(!private_key, "%s", private_key_name);
+#else
+ fprintf(stderr, "no pkcs11 engine/provider available\n");
+ exit(1);
+#endif
+ return private_key;
+}
+static EVP_PKEY *read_private_key(const char *private_key_name)
+{
if (!strncmp(private_key_name, "pkcs11:", 7)) {
- ENGINE *e;
-
- ENGINE_load_builtin_engines();
- drain_openssl_errors(__LINE__, 1);
- e = ENGINE_by_id("pkcs11");
- ERR(!e, "Load PKCS#11 ENGINE");
- if (ENGINE_init(e))
- drain_openssl_errors(__LINE__, 1);
- else
- ERR(1, "ENGINE_init");
- if (key_pass)
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
- "Set PKCS#11 PIN");
- private_key = ENGINE_load_private_key(e, private_key_name,
- NULL, NULL);
- ERR(!private_key, "%s", private_key_name);
+ return read_private_key_pkcs11(private_key_name);
} else {
+ EVP_PKEY *private_key;
BIO *b;
b = BIO_new_file(private_key_name, "rb");
@@ -136,9 +173,9 @@ static EVP_PKEY *read_private_key(const
NULL);
ERR(!private_key, "%s", private_key_name);
BIO_free(b);
- }
- return private_key;
+ return private_key;
+ }
}
static X509 *read_x509(const char *x509_name)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 289/291] MIPS: dec: Declare which_prom() as static
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 288/291] sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 290/291] MIPS: cevt-ds1287: Add missing ds1287.h include Greg Kroah-Hartman
` (10 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Thomas Bogendoerfer
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit 55fa5868519bc48a7344a4c070efa2f4468f2167 upstream.
Declare which_prom() as static to suppress gcc compiler warning that
'missing-prototypes'. This function is not intended to be called
from other parts.
Fix follow error with gcc-14 when -Werror:
arch/mips/dec/prom/init.c:45:13: error: no previous prototype for ‘which_prom’ [-Werror=missing-prototypes]
45 | void __init which_prom(s32 magic, s32 *prom_vec)
| ^~~~~~~~~~
cc1: all warnings being treated as errors
make[6]: *** [scripts/Makefile.build:207: arch/mips/dec/prom/init.o] Error 1
make[5]: *** [scripts/Makefile.build:465: arch/mips/dec/prom] Error 2
make[5]: *** Waiting for unfinished jobs....
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/dec/prom/init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/dec/prom/init.c
+++ b/arch/mips/dec/prom/init.c
@@ -42,7 +42,7 @@ int (*__pmax_close)(int);
* Detect which PROM the DECSTATION has, and set the callback vectors
* appropriately.
*/
-void __init which_prom(s32 magic, s32 *prom_vec)
+static void __init which_prom(s32 magic, s32 *prom_vec)
{
/*
* No sign of the REX PROM's magic number means we assume a non-REX
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 290/291] MIPS: cevt-ds1287: Add missing ds1287.h include
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 289/291] MIPS: dec: Declare which_prom() as static Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 291/291] MIPS: ds1287: Match ds1287_set_base_clock() function types Greg Kroah-Hartman
` (9 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Thomas Bogendoerfer
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit f3be225f338a578851a7b607a409f476354a8deb upstream.
Address the issue of cevt-ds1287.c not including the ds1287.h header
file.
Fix follow errors with gcc-14 when -Werror:
arch/mips/kernel/cevt-ds1287.c:15:5: error: no previous prototype for ‘ds1287_timer_state’ [-Werror=missing-prototypes]
15 | int ds1287_timer_state(void)
| ^~~~~~~~~~~~~~~~~~
arch/mips/kernel/cevt-ds1287.c:20:5: error: no previous prototype for ‘ds1287_set_base_clock’ [-Werror=missing-prototypes]
20 | int ds1287_set_base_clock(unsigned int hz)
| ^~~~~~~~~~~~~~~~~~~~~
arch/mips/kernel/cevt-ds1287.c:103:12: error: no previous prototype for ‘ds1287_clockevent_init’ [-Werror=missing-prototypes]
103 | int __init ds1287_clockevent_init(int irq)
| ^~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1
make[7]: *** Waiting for unfinished jobs....
make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2
make[6]: *** Waiting for unfinished jobs....
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/cevt-ds1287.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mips/kernel/cevt-ds1287.c
+++ b/arch/mips/kernel/cevt-ds1287.c
@@ -10,6 +10,7 @@
#include <linux/mc146818rtc.h>
#include <linux/irq.h>
+#include <asm/ds1287.h>
#include <asm/time.h>
int ds1287_timer_state(void)
^ permalink raw reply [flat|nested] 304+ messages in thread
* [PATCH 6.1 291/291] MIPS: ds1287: Match ds1287_set_base_clock() function types
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 290/291] MIPS: cevt-ds1287: Add missing ds1287.h include Greg Kroah-Hartman
@ 2025-04-23 14:44 ` Greg Kroah-Hartman
2025-04-23 16:52 ` [PATCH 6.1 000/291] 6.1.135-rc1 review Peter Schneider
` (8 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-23 14:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Thomas Bogendoerfer
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit a759109b234385b74d2f5f4c86b5f59b3201ec12 upstream.
Synchronize the declaration of ds1287_set_base_clock() between
cevt-ds1287.c and ds1287.h.
Fix follow error with gcc-14 when -Werror:
arch/mips/kernel/cevt-ds1287.c:21:5: error: conflicting types for ‘ds1287_set_base_clock’; have ‘int(unsigned int)’
21 | int ds1287_set_base_clock(unsigned int hz)
| ^~~~~~~~~~~~~~~~~~~~~
In file included from arch/mips/kernel/cevt-ds1287.c:13:
./arch/mips/include/asm/ds1287.h:11:13: note: previous declaration of ‘ds1287_set_base_clock’ with type ‘void(unsigned int)’
11 | extern void ds1287_set_base_clock(unsigned int clock);
| ^~~~~~~~~~~~~~~~~~~~~
make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1
make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2
make[6]: *** Waiting for unfinished jobs....
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/include/asm/ds1287.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/include/asm/ds1287.h
+++ b/arch/mips/include/asm/ds1287.h
@@ -8,7 +8,7 @@
#define __ASM_DS1287_H
extern int ds1287_timer_state(void);
-extern void ds1287_set_base_clock(unsigned int clock);
+extern int ds1287_set_base_clock(unsigned int hz);
extern int ds1287_clockevent_init(int irq);
#endif
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-04-23 14:44 ` [PATCH 6.1 291/291] MIPS: ds1287: Match ds1287_set_base_clock() function types Greg Kroah-Hartman
@ 2025-04-23 16:52 ` Peter Schneider
2025-04-23 19:18 ` Pavel Machek
` (7 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Peter Schneider @ 2025-04-23 16:52 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
Am 23.04.2025 um 16:39 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg
oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-04-23 16:52 ` [PATCH 6.1 000/291] 6.1.135-rc1 review Peter Schneider
@ 2025-04-23 19:18 ` Pavel Machek
2025-04-23 21:17 ` Shuah Khan
` (6 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Pavel Machek @ 2025-04-23 19:18 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, hargar, broonie
[-- Attachment #1: Type: text/plain, Size: 660 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.1.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-04-23 19:18 ` Pavel Machek
@ 2025-04-23 21:17 ` Shuah Khan
2025-04-24 7:31 ` Ron Economos
` (5 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Shuah Khan @ 2025-04-23 21:17 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, Shuah Khan
On 4/23/25 08:39, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-04-23 21:17 ` Shuah Khan
@ 2025-04-24 7:31 ` Ron Economos
2025-04-24 10:53 ` Jon Hunter
` (4 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Ron Economos @ 2025-04-24 7:31 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
On 4/23/25 07:39, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-04-24 7:31 ` Ron Economos
@ 2025-04-24 10:53 ` Jon Hunter
2025-04-24 11:58 ` Mark Brown
` (3 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Jon Hunter @ 2025-04-24 10:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
linux-tegra, stable
On Wed, 23 Apr 2025 16:39:49 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.1:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
115 tests: 115 pass, 0 fail
Linux version: 6.1.135-rc1-gb8b5da130779
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-04-24 10:53 ` Jon Hunter
@ 2025-04-24 11:58 ` Mark Brown
2025-04-24 12:46 ` Florian Fainelli
` (2 subsequent siblings)
298 siblings, 0 replies; 304+ messages in thread
From: Mark Brown @ 2025-04-24 11:58 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Wed, Apr 23, 2025 at 04:39:49PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-04-24 11:58 ` Mark Brown
@ 2025-04-24 12:46 ` Florian Fainelli
2025-04-24 13:31 ` Naresh Kamboju
2025-04-25 0:17 ` Miguel Ojeda
298 siblings, 0 replies; 304+ messages in thread
From: Florian Fainelli @ 2025-04-24 12:46 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie
On 4/23/2025 4:39 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-04-24 12:46 ` Florian Fainelli
@ 2025-04-24 13:31 ` Naresh Kamboju
2025-04-24 13:41 ` Greg Kroah-Hartman
2025-04-25 0:17 ` Miguel Ojeda
298 siblings, 1 reply; 304+ messages in thread
From: Naresh Kamboju @ 2025-04-24 13:31 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, Netdev,
clang-built-linux, Anders Roxell, Dan Carpenter, Arnd Bergmann,
Nathan Chancellor, David S. Miller, Jakub Kicinski
On Wed, 23 Apr 2025 at 20:16, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Regressions on arm, riscv and x86_64 with following kernel configs with
clang-20 and clang-nightly toolchains on stable-rc 6.1.135-rc1.
Build regressions:
* arm, build
- clang-20-allmodconfig
* i386, build
- clang-nightly-lkftconfig-kselftest
* riscv, build
- clang-20-allmodconfig
* x86_64, build
- clang-20-allmodconfig
- clang-nightly-lkftconfig-kselftest
Regression Analysis:
- New regression? Yes
- Reproducibility? Yes
Build regression: arm allmodconfig variable 'is_redirect' is used
uninitialized whenever 'if' condition is true
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build error:
net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used
uninitialized whenever 'if' condition is true
[-Werror,-Wsometimes-uninitialized]
265 | if (unlikely(!(dev->flags & IFF_UP)) ||
!netif_carrier_ok(dev)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Source
* Kernel version: 6.1.135-rc1
* Git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* Git sha: b8b5da130779a27bf7d189bd3b40ebf59ee0e0e9
* Git describe: v6.1.134-292-gb8b5da130779
* Project details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.134-292-gb8b5da130779
* Architectures: arm riscv x86_64
* Toolchains: clang-20, clang-nightly
* Kconfigs: allmodconfig
## Build
* Build log: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.134-292-gb8b5da130779/testrun/28211709/suite/build/test/clang-20-allmodconfig/log
* Build history:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.134-292-gb8b5da130779/testrun/28211709/suite/build/test/clang-20-allmodconfig/history/
* Build details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.134-292-gb8b5da130779/testrun/28211709/suite/build/test/clang-20-allmodconfig/details/
* Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/2w8QtyR8377WMNLrbtsmGi2lkaI/
* Kernel config:
https://storage.tuxsuite.com/public/linaro/lkft/builds/2w8QtyR8377WMNLrbtsmGi2lkaI/config
## Steps to reproduce on riscv
- tuxmake --runtime podman --target-arch arm --toolchain clang-20
--kconfig allmodconfig LLVM=1 LLVM_IAS=1
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-24 13:31 ` Naresh Kamboju
@ 2025-04-24 13:41 ` Greg Kroah-Hartman
2025-04-24 14:34 ` Arnd Bergmann
0 siblings, 1 reply; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-24 13:41 UTC (permalink / raw)
To: Naresh Kamboju
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, Netdev,
clang-built-linux, Anders Roxell, Dan Carpenter, Arnd Bergmann,
Nathan Chancellor, David S. Miller, Jakub Kicinski
On Thu, Apr 24, 2025 at 07:01:02PM +0530, Naresh Kamboju wrote:
> On Wed, 23 Apr 2025 at 20:16, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 6.1.135 release.
> > There are 291 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Regressions on arm, riscv and x86_64 with following kernel configs with
> clang-20 and clang-nightly toolchains on stable-rc 6.1.135-rc1.
>
> Build regressions:
> * arm, build
> - clang-20-allmodconfig
>
> * i386, build
> - clang-nightly-lkftconfig-kselftest
>
> * riscv, build
> - clang-20-allmodconfig
>
> * x86_64, build
> - clang-20-allmodconfig
> - clang-nightly-lkftconfig-kselftest
>
> Regression Analysis:
> - New regression? Yes
> - Reproducibility? Yes
>
> Build regression: arm allmodconfig variable 'is_redirect' is used
> uninitialized whenever 'if' condition is true
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> ## Build error:
> net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used
> uninitialized whenever 'if' condition is true
> [-Werror,-Wsometimes-uninitialized]
> 265 | if (unlikely(!(dev->flags & IFF_UP)) ||
> !netif_carrier_ok(dev)) {
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Odd this isn't showing up in newer releases, as this is an old commit
and nothing has changed in this file since then (it showed up in 6.8.)
Is there some follow-up commit somewhere that I'm missing that resolved
this issue?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-24 13:41 ` Greg Kroah-Hartman
@ 2025-04-24 14:34 ` Arnd Bergmann
2025-04-24 15:28 ` Greg Kroah-Hartman
0 siblings, 1 reply; 304+ messages in thread
From: Arnd Bergmann @ 2025-04-24 14:34 UTC (permalink / raw)
To: Greg Kroah-Hartman, Naresh Kamboju
Cc: stable, patches, linux-kernel, Linus Torvalds, Andrew Morton,
Guenter Roeck, shuah, patches, lkft-triage, Pavel Machek,
Jon Hunter, Florian Fainelli, Sudip Mukherjee, Slade Watkins,
rwarsow, Conor Dooley, hargar, Mark Brown, Netdev,
clang-built-linux, Anders Roxell, Dan Carpenter,
Nathan Chancellor, David S . Miller, Jakub Kicinski
On Thu, Apr 24, 2025, at 15:41, Greg Kroah-Hartman wrote:
> On Thu, Apr 24, 2025 at 07:01:02PM +0530, Naresh Kamboju wrote:
>>
>> ## Build error:
>> net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used
>> uninitialized whenever 'if' condition is true
>> [-Werror,-Wsometimes-uninitialized]
>> 265 | if (unlikely(!(dev->flags & IFF_UP)) ||
>> !netif_carrier_ok(dev)) {
>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Odd this isn't showing up in newer releases, as this is an old commit
> and nothing has changed in this file since then (it showed up in 6.8.)
>
> Is there some follow-up commit somewhere that I'm missing that resolved
> this issue?
I think the difference is commit 16085e48cb48 ("net/sched: act_mirred:
Create function tcf_mirred_to_dev and improve readability") from
v6.8, which adds the initialization that 166c2c8a6a4d ("net/sched:
act_mirred: don't override retval if we already lost the skb")
relies on.
Arnd
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-24 14:34 ` Arnd Bergmann
@ 2025-04-24 15:28 ` Greg Kroah-Hartman
2025-04-28 7:50 ` He Zhe
0 siblings, 1 reply; 304+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-24 15:28 UTC (permalink / raw)
To: He Zhe, Arnd Bergmann
Cc: Naresh Kamboju, stable, patches, linux-kernel, Linus Torvalds,
Andrew Morton, Guenter Roeck, shuah, patches, lkft-triage,
Pavel Machek, Jon Hunter, Florian Fainelli, Sudip Mukherjee,
Slade Watkins, rwarsow, Conor Dooley, hargar, Mark Brown, Netdev,
clang-built-linux, Anders Roxell, Dan Carpenter,
Nathan Chancellor, David S . Miller, Jakub Kicinski
On Thu, Apr 24, 2025 at 04:34:04PM +0200, Arnd Bergmann wrote:
> On Thu, Apr 24, 2025, at 15:41, Greg Kroah-Hartman wrote:
> > On Thu, Apr 24, 2025 at 07:01:02PM +0530, Naresh Kamboju wrote:
> >>
> >> ## Build error:
> >> net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used
> >> uninitialized whenever 'if' condition is true
> >> [-Werror,-Wsometimes-uninitialized]
> >> 265 | if (unlikely(!(dev->flags & IFF_UP)) ||
> >> !netif_carrier_ok(dev)) {
> >> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Odd this isn't showing up in newer releases, as this is an old commit
> > and nothing has changed in this file since then (it showed up in 6.8.)
> >
> > Is there some follow-up commit somewhere that I'm missing that resolved
> > this issue?
>
> I think the difference is commit 16085e48cb48 ("net/sched: act_mirred:
> Create function tcf_mirred_to_dev and improve readability") from
> v6.8, which adds the initialization that 166c2c8a6a4d ("net/sched:
> act_mirred: don't override retval if we already lost the skb")
> relies on.
Ok, that didn't apply cleanly either, so I'm just going to drop this
backported patch and wait for the submitter to fix it up and resend it.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-04-24 13:31 ` Naresh Kamboju
@ 2025-04-25 0:17 ` Miguel Ojeda
298 siblings, 0 replies; 304+ messages in thread
From: Miguel Ojeda @ 2025-04-25 0:17 UTC (permalink / raw)
To: gregkh
Cc: akpm, broonie, conor, f.fainelli, hargar, jonathanh, linux-kernel,
linux, lkft-triage, patches, patches, pavel, rwarsow, shuah, srw,
stable, sudipm.mukherjee, torvalds, Miguel Ojeda
On Wed, 23 Apr 2025 16:39:49 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.1.135 release.
> There are 291 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 304+ messages in thread
* Re: [PATCH 6.1 000/291] 6.1.135-rc1 review
2025-04-24 15:28 ` Greg Kroah-Hartman
@ 2025-04-28 7:50 ` He Zhe
0 siblings, 0 replies; 304+ messages in thread
From: He Zhe @ 2025-04-28 7:50 UTC (permalink / raw)
To: Greg Kroah-Hartman, Arnd Bergmann
Cc: Naresh Kamboju, stable, patches, linux-kernel, Linus Torvalds,
Andrew Morton, Guenter Roeck, shuah, patches, lkft-triage,
Pavel Machek, Jon Hunter, Florian Fainelli, Sudip Mukherjee,
Slade Watkins, rwarsow, Conor Dooley, hargar, Mark Brown, Netdev,
clang-built-linux, Anders Roxell, Dan Carpenter,
Nathan Chancellor, David S . Miller, Jakub Kicinski
On 2025/4/24 23:28, Greg Kroah-Hartman wrote:
> On Thu, Apr 24, 2025 at 04:34:04PM +0200, Arnd Bergmann wrote:
>> On Thu, Apr 24, 2025, at 15:41, Greg Kroah-Hartman wrote:
>>> On Thu, Apr 24, 2025 at 07:01:02PM +0530, Naresh Kamboju wrote:
>>>> ## Build error:
>>>> net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used
>>>> uninitialized whenever 'if' condition is true
>>>> [-Werror,-Wsometimes-uninitialized]
>>>> 265 | if (unlikely(!(dev->flags & IFF_UP)) ||
>>>> !netif_carrier_ok(dev)) {
>>>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> Odd this isn't showing up in newer releases, as this is an old commit
>>> and nothing has changed in this file since then (it showed up in 6.8.)
>>>
>>> Is there some follow-up commit somewhere that I'm missing that resolved
>>> this issue?
>> I think the difference is commit 16085e48cb48 ("net/sched: act_mirred:
>> Create function tcf_mirred_to_dev and improve readability") from
>> v6.8, which adds the initialization that 166c2c8a6a4d ("net/sched:
>> act_mirred: don't override retval if we already lost the skb")
>> relies on.
> Ok, that didn't apply cleanly either, so I'm just going to drop this
> backported patch and wait for the submitter to fix it up and resend it.
Sorry for the inconvenience. We have fixed the above issue found by clang-20
and will sent out v2 soon.
Thanks,
Zhe
>
> thanks,
>
> greg k-h
^ permalink raw reply [flat|nested] 304+ messages in thread
end of thread, other threads:[~2025-04-28 7:53 UTC | newest]
Thread overview: 304+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-23 14:39 [PATCH 6.1 000/291] 6.1.135-rc1 review Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 001/291] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 002/291] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 003/291] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 004/291] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 005/291] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 006/291] rtnl: add helper to check if rtnl group has listeners Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 007/291] rtnl: add helper to check if a notification is needed Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 008/291] net/sched: cls_api: conditional notification of events Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 009/291] tc: Ensure we have enough buffer space when sending filter netlink notifications Greg Kroah-Hartman
2025-04-23 14:39 ` [PATCH 6.1 010/291] net: ethtool: Dont call .cleanup_data when prepare_data fails Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 011/291] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 012/291] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 013/291] net_sched: sch_sfq: use a temporary work area for validating configuration Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 014/291] net_sched: sch_sfq: move the limit validation Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 015/291] ipv6: Align behavior across nexthops during path selection Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 016/291] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 017/291] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 018/291] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 019/291] fs: consistently deref the files table with rcu_dereference_raw() Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 020/291] umount: Allow superblock owners to force umount Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 021/291] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 022/291] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 023/291] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 024/291] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 025/291] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 026/291] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 027/291] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 028/291] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 029/291] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 031/291] ASoC: fsl_audmix: register card device depends on dais property Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 032/291] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 033/291] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 034/291] ASoC: amd: Add DMI quirk for ACP6X mic support Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 035/291] f2fs: dont retry IO for corrupted data scenario Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 036/291] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 037/291] jfs: Fix uninit-value access of imap allocated in the diMount() function Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 038/291] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 039/291] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 040/291] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 041/291] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 042/291] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 043/291] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 044/291] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 045/291] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 046/291] ext4: ignore xattrs past end Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 047/291] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 048/291] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 049/291] net: vlan: dont propagate flags on open Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 050/291] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 051/291] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 052/291] Bluetooth: qca: simplify WCN399x NVM loading Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 053/291] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 054/291] drm/amd/display: Update Cursor request mode to the beginning prefetch always Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 055/291] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 056/291] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 057/291] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 058/291] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 059/291] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 060/291] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 061/291] drivers: base: devres: Allow to release group on device release Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 062/291] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 063/291] drm/amdkfd: Fix mode1 reset crash issue Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 064/291] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 065/291] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 066/291] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 067/291] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 068/291] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 069/291] drm/amdgpu: grab an additional reference on the gang fence v2 Greg Kroah-Hartman
2025-04-23 14:40 ` [PATCH 6.1 070/291] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 071/291] ktest: Fix Test Failures Due to Missing LOG_FILE Directories Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 072/291] tpm, tpm_tis: Workaround failed command reception on Infineon devices Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 073/291] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 074/291] pwm: rcar: Improve register calculation Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 075/291] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 076/291] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 077/291] ext4: dont treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 078/291] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 079/291] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 080/291] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 081/291] media: vim2m: print device name after registering device Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 082/291] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 083/291] xenfs/xensyms: respect hypervisors "next" indication Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 084/291] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 085/291] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 086/291] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 087/291] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 088/291] KVM: arm64: Tear down vGIC on failed vCPU creation Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 089/291] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 090/291] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 091/291] tpm, tpm_tis: Fix timeout handling when waiting for TPM status Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 092/291] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 093/291] media: platform: stm32: Add check for clk_enable() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 094/291] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 095/291] media: i2c: ccs: Set the devices runtime PM status correctly in remove Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 096/291] media: i2c: ccs: Set the devices runtime PM status correctly in probe Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 097/291] media: i2c: ov7251: Set enable GPIO low " Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 098/291] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 099/291] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 100/291] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 101/291] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 102/291] mtd: Add check for devm_kcalloc() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 103/291] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 104/291] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 105/291] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 106/291] wifi: mt76: Add check for devm_kstrdup() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 107/291] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 108/291] io_uring/kbuf: reject zero sized provided buffers Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 109/291] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 110/291] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 111/291] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 112/291] bus: mhi: host: Fix race between unprepare and queue_buf Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 113/291] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 114/291] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 115/291] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 116/291] smb311 client: fix missing tcon check when mounting with linux/posix extensions Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 117/291] i3c: master: svc: Use readsb helper for reading MDB Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 118/291] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 119/291] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 120/291] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 121/291] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 122/291] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 123/291] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 124/291] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 125/291] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 126/291] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 127/291] arm64: mm: Correct the update of max_pfn Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 128/291] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 129/291] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Greg Kroah-Hartman
2025-04-23 14:41 ` [PATCH 6.1 130/291] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 131/291] mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 132/291] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 133/291] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 134/291] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 135/291] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 136/291] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 137/291] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 138/291] clk: qcom: gdsc: Release pm subdomains in reverse add order Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 139/291] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 140/291] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 141/291] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 142/291] dm-ebs: fix prefetch-vs-suspend race Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 143/291] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 144/291] dm-verity: fix prefetch-vs-suspend race Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 145/291] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 146/291] gpio: tegra186: fix resource handling in ACPI probe path Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 147/291] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 148/291] gve: handle overflow when reporting TX consumed descriptors Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 149/291] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 150/291] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 151/291] of/irq: Fix device node refcount leakage in API of_irq_parse_one() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 152/291] of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 153/291] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 154/291] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 155/291] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 156/291] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 157/291] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 158/291] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 159/291] selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 160/291] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 161/291] ACPI: platform-profile: Fix CFI violation when accessing sysfs files Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 162/291] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 163/291] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 164/291] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 165/291] scsi: hisi_sas: Enable force phy when SATA disk directly connected Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 166/291] wifi: at76c50x: fix use after free access in at76_disconnect Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 167/291] wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 168/291] wifi: mac80211: Purge vif txq in ieee80211_do_stop() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 169/291] wifi: wl1251: fix memory leak in wl1251_tx_work Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 170/291] scsi: iscsi: Fix missing scsi_host_put() in error path Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 171/291] md/raid10: fix missing discard IO accounting Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 172/291] md/md-bitmap: fix stats collection for external bitmaps Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 173/291] RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 174/291] RDMA/hns: Fix wrong maximum DMA segment size Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 175/291] RDMA/core: Silence oversized kvmalloc() warning Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 176/291] Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 177/291] Bluetooth: btrtl: Prevent potential NULL dereference Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 178/291] Bluetooth: l2cap: Check encryption key size on incoming connection Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 179/291] Revert "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 180/291] igc: fix PTM cycle trigger logic Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 181/291] igc: move ktime snapshot into PTM retry loop Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 182/291] igc: handle the IGC_PTP_ENABLED flag correctly Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 183/291] igc: cleanup PTP module if probe fails Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 184/291] test suite: use %zu to print size_t Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 185/291] net: mctp: Set SOCK_RCU_FREE Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 186/291] net: openvswitch: fix nested key length validation in the set() action Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 187/291] cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 188/291] net: b53: enable BPDU reception for management port Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 189/291] net: bridge: switchdev: do not notify new brentries as changed Greg Kroah-Hartman
2025-04-23 14:42 ` [PATCH 6.1 190/291] net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 191/291] net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 192/291] net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 193/291] ptp: ocp: fix start time alignment in ptp_ocp_signal_set Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 194/291] riscv: Properly export reserved regions in /proc/iomem Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 195/291] riscv: KGDB: Do not inline arch_kgdb_breakpoint() Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 196/291] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 197/291] cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 198/291] writeback: fix false warning in inode_to_wb() Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 199/291] Revert "PCI: Avoid reset when disabled via sysfs" Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 200/291] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 201/291] ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 202/291] asus-laptop: Fix an uninitialized variable Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 203/291] nfs: move nfs_fhandle_hash to common include file Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 204/291] nfs: add missing selections of CONFIG_CRC32 Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 205/291] nfsd: decrease sc_count directly if fail to queue dl_recall Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 206/291] btrfs: correctly escape subvol in btrfs_show_options() Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 207/291] cpufreq: Avoid using inconsistent policy->min and policy->max Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 208/291] crypto: caam/qi - Fix drv_ctx refcount bug Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 209/291] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 210/291] i2c: cros-ec-tunnel: defer probe if parent EC is not present Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 211/291] isofs: Prevent the use of too small fid Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 212/291] loop: properly send KOBJ_CHANGED uevent for disk device Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 213/291] loop: LOOP_SET_FD: send uevents for partitions Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 214/291] mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 215/291] mm: fix filemap_get_folios_contig returning batches of identical folios Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 216/291] ksmbd: Fix dangling pointer in krb_authenticate Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 217/291] ksmbd: Prevent integer overflow in calculation of deadtime Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 218/291] ksmbd: fix the warning from __kernel_write_iter Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 219/291] riscv: Avoid fortify warning in syscall_get_arguments() Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 220/291] smb3 client: fix open hardlink on deferred close file error Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 221/291] string: Add load_unaligned_zeropad() code path to sized_strscpy() Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 222/291] tracing: Fix filter string testing Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 223/291] virtiofs: add filesystem context source name check Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 224/291] scsi: megaraid_sas: Block zero-length ATA VPD inquiry Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 225/291] scsi: ufs: exynos: Ensure consistent phy reference counts Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 226/291] RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 227/291] perf/x86/intel: Allow to update user space GPRs from PEBS records Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 228/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 229/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 230/291] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 231/291] drm/repaper: fix integer overflows in repeat functions Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 232/291] drm/msm/a6xx: Fix stale rpmh votes from GPU Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 233/291] drm/amd: Handle being compiled without SI or CIK support better Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 234/291] drm/amd/pm: Prevent division by zero Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 235/291] drm/amd/pm/powerplay: " Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 236/291] drm/amd/pm/smu11: " Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 237/291] drm/amd/pm/powerplay/hwmgr/smu7_thermal: " Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 238/291] drm/amd/pm/swsmu/smu13/smu_v13_0: " Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 239/291] drm/amd/pm/powerplay/hwmgr/vega20_thermal: " Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 240/291] drm/amdgpu/dma_buf: fix page_link check Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 241/291] drm/nouveau: prime: fix ttm_bo_delayed_delete oops Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 242/291] drm/sti: remove duplicate object names Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 243/291] drm/i915/gvt: fix unterminated-string-initialization warning Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 244/291] io_uring/net: fix accept multishot handling Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 245/291] KVM: arm64: Discard any SVE state when entering KVM guests Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 246/291] arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 247/291] arm64/fpsimd: Have KVM explicitly say which FP registers to save Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 248/291] arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 249/291] KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Greg Kroah-Hartman
2025-04-23 14:43 ` [PATCH 6.1 250/291] KVM: arm64: Remove host FPSIMD saving for non-protected KVM Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 251/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 252/291] KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 253/291] KVM: arm64: Refactor exit handlers Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 254/291] KVM: arm64: Mark some header functions as inline Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 255/291] KVM: arm64: Calculate cptr_el2 traps on activating traps Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 256/291] KVM: arm64: Eagerly switch ZCR_EL{1,2} Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 257/291] cpufreq: Reference count policy in cpufreq_update_limits() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 258/291] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 259/291] media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 260/291] mptcp: sockopt: fix getting freebind & transparent Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 261/291] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 262/291] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 263/291] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 264/291] mm: Fix is_zero_page() usage in try_grab_page() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 265/291] x86/split_lock: Fix the delayed detection logic Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 266/291] x86/pvh: Call C code via the kernel virtual mapping Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 267/291] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 268/291] LoongArch: Eliminate superfluous get_numa_distances_cnt() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 269/291] btrfs: fix qgroup reserve leaks in cow_file_range Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 270/291] btrfs: zoned: fix zone activation with missing devices Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 271/291] btrfs: zoned: fix zone finishing " Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 272/291] Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init" Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 273/291] drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 274/291] landlock: Add the errata interface Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 275/291] Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()" Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 276/291] nvmet-fc: Remove unused functions Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 277/291] smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 278/291] cifs: use origin fullpath for automounts Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 279/291] net/sched: act_mirred: dont override retval if we already lost the skb Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 280/291] btrfs: fix the length of reserved qgroup to free Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 281/291] bpf: avoid holding freeze_mutex during mmap operation Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 282/291] bpf: Prevent tail call between progs attached to different hooks Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 283/291] blk-cgroup: support to track if policy is online Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 284/291] blk-iocost: do not WARN if iocg was already offlined Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 285/291] mm: fix apply_to_existing_page_range() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 286/291] sign-file,extract-cert: move common SSL helper functions to a header Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 287/291] sign-file,extract-cert: avoid using deprecated ERR_get_error_line() Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 288/291] sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 289/291] MIPS: dec: Declare which_prom() as static Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 290/291] MIPS: cevt-ds1287: Add missing ds1287.h include Greg Kroah-Hartman
2025-04-23 14:44 ` [PATCH 6.1 291/291] MIPS: ds1287: Match ds1287_set_base_clock() function types Greg Kroah-Hartman
2025-04-23 16:52 ` [PATCH 6.1 000/291] 6.1.135-rc1 review Peter Schneider
2025-04-23 19:18 ` Pavel Machek
2025-04-23 21:17 ` Shuah Khan
2025-04-24 7:31 ` Ron Economos
2025-04-24 10:53 ` Jon Hunter
2025-04-24 11:58 ` Mark Brown
2025-04-24 12:46 ` Florian Fainelli
2025-04-24 13:31 ` Naresh Kamboju
2025-04-24 13:41 ` Greg Kroah-Hartman
2025-04-24 14:34 ` Arnd Bergmann
2025-04-24 15:28 ` Greg Kroah-Hartman
2025-04-28 7:50 ` He Zhe
2025-04-25 0:17 ` Miguel Ojeda
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox