* [PATCH 6.1 000/508] 6.1.142-rc1 review
@ 2025-06-23 13:00 Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 001/508] mm/uffd: fix vma operation where start addr cuts part of vma Greg Kroah-Hartman
` (508 more replies)
0 siblings, 509 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
This is the start of the stable review cycle for the 6.1.142 release.
There are 508 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 25 Jun 2025 13:05:52 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.142-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.142-rc1
Anup Patel <apatel@ventanamicro.com>
RISC-V: KVM: Don't treat SBI HFENCE calls as NOPs
Anup Patel <apatel@ventanamicro.com>
RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls
Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()
Tengda Wu <wutengda@huaweicloud.com>
arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()
Peter Zijlstra <peterz@infradead.org>
perf: Fix sample vs do_exit()
Heiko Carstens <hca@linux.ibm.com>
s390/pci: Fix __pcilg_mio_inuser() inline assembly
Yao Zi <ziyao@disroot.org>
platform/loongarch: laptop: Add backlight power control support
zhangjian <zhangjian496@huawei.com>
smb: client: fix first command failure during re-negotiation
Jon Hunter <jonathanh@nvidia.com>
Revert "cpufreq: tegra186: Share policy per cluster"
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Increment the runtime usage counter for the earlycon device
Marek Vasut <marex@denx.de>
arm64: dts: imx8mm: Drop sd-vsel-gpios from i.MX8M Mini Verdin SoM
Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators
Geert Uytterhoeven <geert+renesas@glider.be>
ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms
Colin Foster <colin.foster@in-advantage.com>
ARM: dts: am335x-bone-common: Increase MDIO reset deassert time
Shengyu Qu <wiagn233@outlook.com>
ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board
Renato Caldas <renato@calgera.com>
platform/x86: ideapad-laptop: add missing Ideapad Pro 5 fn keys
Akhil R <akhilrajeev@nvidia.com>
dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties
Eric Dumazet <edumazet@google.com>
net: atm: fix /proc/net/atm/lec handling
Eric Dumazet <edumazet@google.com>
net: atm: add lec_mutex
Kuniyuki Iwashima <kuniyu@google.com>
calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
Rengarajan S <rengarajan.s@microchip.com>
net: microchip: lan743x: Reduce PTP timeout on HW failure
David Wei <dw@davidwei.uk>
tcp: fix passive TFO socket having invalid NAPI ID
Haixia Qu <hxqu@hillstonenet.com>
tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
Neal Cardwell <ncardwell@google.com>
tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior
Kuniyuki Iwashima <kuniyu@google.com>
atm: atmtcp: Free invalid length skb in atmtcp_c_send().
Kuniyuki Iwashima <kuniyu@google.com>
mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
Dmitry Antipov <dmantipov@yandex.ru>
wifi: carl9170: do not ping device which has failed to load firmware
Vladimir Oltean <vladimir.oltean@nxp.com>
ptp: allow reading of currently dialed frequency to succeed on free-running clocks
Vladimir Oltean <vladimir.oltean@nxp.com>
ptp: fix breakage after ptp_vclock_in_use() rework
Krishna Kumar <krikku@gmail.com>
net: ice: Perform accurate aRFS flow match
Justin Sanders <jsanders.devel@gmail.com>
aoe: clean device rq_list in aoedev_downdev()
Simon Horman <horms@kernel.org>
pldmfw: Select CRC32 when PLDMFW is selected
Arnd Bergmann <arnd@arndb.de>
hwmon: (occ) fix unaligned accesses
Arnd Bergmann <arnd@arndb.de>
hwmon: (occ) Rework attribute registration for stack usage
Jacob Keller <jacob.e.keller@intel.com>
drm/nouveau/bl: increase buffer size to avoid truncate warning
Brett Creeley <brett.creeley@amd.com>
ionic: Prevent driver/fw getting out of sync on devcmd(s)
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate
James A. MacInnes <james.a.macinnes@gmail.com>
drm/msm/disp: Correct porch timing for SDM845
Gao Xiang <xiang@kernel.org>
erofs: remove unused trace event erofs_destroy_inode
Paul Chaignon <paul.chaignon@gmail.com>
bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE
Paul Chaignon <paul.chaignon@gmail.com>
net: Fix checksum update for ILA adj-transport
Gavin Guo <gavinguo@igalia.com>
mm/huge_memory: fix dereferencing invalid pmd migration entry
Jann Horn <jannh@google.com>
mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
Liu Shixin <liushixin2@huawei.com>
mm: hugetlb: independent PMD page table shared count
Jann Horn <jannh@google.com>
mm/hugetlb: unshare page tables during VMA split, not before
Sean Nyekjaer <sean@geanix.com>
iio: accel: fxls8962af: Fix temperature calculation
Jonathan Lane <jon@borg.moe>
ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged
Takashi Iwai <tiwai@suse.de>
ALSA: hda/intel: Add Thinkpad E15 to PM deny list
wangdicheng <wangdicheng@kylinos.cn>
ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card
Edward Adam Davis <eadavis@qq.com>
wifi: cfg80211: init wiphy_work before allocating rfkill fails
WangYuli <wangyuli@uniontech.com>
Input: sparcspkr - avoid unannotated fall-through
Kuniyuki Iwashima <kuniyu@google.com>
atm: Revert atm_account_tx() if copy_from_iter_full() fails.
Stephen Smalley <stephen.smalley.work@gmail.com>
selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix null pointer dereference in destroy_previous_session
Xin Li (Intel) <xin@zytor.com>
selftests/x86: Add a test to detect infinite SIGTRAP handler loop
Marek Szyprowski <m.szyprowski@samsung.com>
udmabuf: use sgtable-based scatterlist wrappers
Eric Dumazet <edumazet@google.com>
net_sched: sch_sfq: reject invalid perturb period
Peter Oberparleiter <oberpar@linux.ibm.com>
scsi: s390: zfcp: Ensure synchronous unit_add
Dexuan Cui <decui@microsoft.com>
scsi: storvsc: Increase the timeouts to storvsc_timeout
Bharath SM <bharathsm.hsk@gmail.com>
smb: improve directory cache reuse for readdir operations
Fedor Pchelkin <pchelkin@ispras.ru>
jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
Artem Sadovnikov <a.sadovnikov@ispras.ru>
jffs2: check that raw node were preallocated before writing summary
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg
Yao Zi <ziyao@disroot.org>
platform/loongarch: laptop: Unregister generic_sub_drivers on exit
Yao Zi <ziyao@disroot.org>
platform/loongarch: laptop: Get brightness setting from EC on probe
Andrew Morton <akpm@linux-foundation.org>
drivers/rapidio/rio_cm.c: prevent possible heap overwrite
Breno Leitao <leitao@debian.org>
Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older
Narayana Murty N <nnmlinux@linux.ibm.com>
powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery
Stuart Hayes <stuart.w.hayes@gmail.com>
platform/x86: dell_rbu: Stop overwriting data buffer
Stuart Hayes <stuart.w.hayes@gmail.com>
platform/x86: dell_rbu: Fix list usage
Alexander Sverdlin <alexander.sverdlin@siemens.com>
Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first"
Jann Horn <jannh@google.com>
tee: Prevent size calculation wraparound on 32-bit kernels
Sukrut Bellary <sbellary@baylibre.com>
ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY
Laurentiu Tudor <laurentiu.tudor@nxp.com>
bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value
Marcus Folkesson <marcus.folkesson@gmail.com>
watchdog: da9052_wdt: respect TWDMIN
Kees Cook <kees@kernel.org>
fbcon: Make sure modelist not set on unregistered console
Wentao Liang <vulab@iscas.ac.cn>
octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer()
Linus Walleij <linus.walleij@linaro.org>
net: ethernet: cortina: Use TOE/TSO on all TCP
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Fix data lost during EAGAIN retries
Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
ice: fix check for existing switch rule
Kyungwook Boo <bookyungwook@gmail.com>
i40e: fix MMIO write access to an invalid page in i40e_clear_hw
Zijun Hu <quic_zijuhu@quicinc.com>
sock: Correct error checking condition for (assign|release)_proto_idx()
Daniel Wagner <wagi@kernel.org>
scsi: lpfc: Use memcpy() for BIOS version
Mike Looijmans <mike.looijmans@topic.nl>
pinctrl: mcp23s08: Reset all pins to input at probe
Zijun Hu <quic_zijuhu@quicinc.com>
software node: Correct a OOB check in software_node_get_reference_args()
Ido Schimmel <idosch@nvidia.com>
vxlan: Do not treat dst cache initialization errors as fatal
Yong Wang <yongwang@nvidia.com>
net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions
Yong Wang <yongwang@nvidia.com>
net: bridge: mcast: update multicast contex when vlan state is changed
Edward Adam Davis <eadavis@qq.com>
wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled
Sean Christopherson <seanjc@google.com>
iommu/amd: Ensure GA log notifier callbacks finish running before module unload
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands
Alan Maguire <alan.maguire@oracle.com>
libbpf: Add identical pointer detection to btf_dedup_is_equiv()
Heiko Stuebner <heiko@sntech.de>
clk: rockchip: rk3036: mark ddrphy as critical
Martin KaFai Lau <martin.lau@kernel.org>
bpftool: Fix cgroup command to only show cgroup bpf programs
Benjamin Berg <benjamin@sipsolutions.net>
wifi: mac80211: do not offer a mesh path if forwarding is disabled
Salah Triki <salah.triki@gmail.com>
wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn()
Stefan Wahren <wahrenst@gmx.net>
net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi
Jason Xing <kernelxing@tencent.com>
net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction()
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction()
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()
Jason Xing <kernelxing@tencent.com>
net: atlantic: generate software timestamp just before the doorbell
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT
Andrew Zaborowski <andrew.zaborowski@intel.com>
x86/sgx: Prevent attempts to reclaim poisoned pages
Eric Dumazet <edumazet@google.com>
tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows
Eric Dumazet <edumazet@google.com>
tcp: always seek for minimal rtt in tcp_rcv_rtt_update()
Muhammad Usama Anjum <usama.anjum@collabora.com>
wifi: ath11k: Fix QMI memory reuse logic
Moon Yeounsu <yyyynoom@gmail.com>
net: dlink: add synchronization for stats update
Tali Perry <tali.perry1@gmail.com>
i2c: npcm: Add clock toggle recovery
Akhil R <akhilrajeev@nvidia.com>
i2c: tegra: check msg length in SMBUS block read
Mike Tipton <quic_mdtipton@quicinc.com>
cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs
Petr Malat <oss@malat.biz>
sctp: Do not wake readers in __sctp_write_space()
Samuel Williams <sam8641@gmail.com>
wifi: mt76: mt7921: add 160 MHz AP for mt7922 device
Henk Vergonet <henk.vergonet@gmail.com>
wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R
Alok Tiwari <alok.a.tiwari@oracle.com>
emulex/benet: correct command version selection in be_cmd_get_stats()
Tan En De <ende.tan@starfivetech.com>
i2c: designware: Invoke runtime suspend on quick slave re-registration
Hou Tao <houtao1@huawei.com>
bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()
Zilin Guan <zilin@seu.edu.cn>
tipc: use kfree_sensitive() for aead cleanup
Rengarajan S <rengarajan.s@microchip.com>
net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices
Sergio Perez Gonzalez <sperezglz@gmail.com>
net: macb: Check return value of dma_set_mask_and_coherent()
Peter Marheine <pmarheine@chromium.org>
ACPI: battery: negate current when discharging
Charan Teja Kalla <quic_charante@quicinc.com>
PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()
Yuanjun Gong <ruc_gongyuanjun@163.com>
ASoC: tegra210_ahub: Add check to of_device_get_match_data()
gldrk <me@rarity.fan>
ACPICA: utilities: Fix overflow check in vsnprintf()
Jerry Lv <Jerry.Lv@axis.com>
power: supply: bq27xxx: Retrieve again when busy
Seunghun Han <kkamagui@gmail.com>
ACPICA: fix acpi parse and parseext cache leaks
Armin Wolf <W_Armin@gmx.de>
ACPI: bus: Bail out if acpi_kobj registration fails
Hector Martin <marcan@marcan.st>
ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change
Ahmed Salem <x0rw3ll@gmail.com>
ACPICA: Avoid sequence overread in call to strncmp()
Erick Shepherd <erick.shepherd@ni.com>
mmc: Add quirk to disable DDR50 tuning
Guilherme G. Piccoli <gpiccoli@igalia.com>
clocksource: Fix the CPUs' choice in the watchdog per CPU verification
Talhah Peerbhai <talhah.peerbhai@gmail.com>
ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9
Seunghun Han <kkamagui@gmail.com>
ACPICA: fix acpi operand cache leak in dswstate.c
David Lechner <dlechner@baylibre.com>
iio: adc: ad7606_spi: fix reg write value mask
Sean Nyekjaer <sean@geanix.com>
iio: imu: inv_icm42600: Fix temperature calculation
Sean Nyekjaer <sean@geanix.com>
iio: accel: fxls8962af: Fix temperature scan element sign
Diederik de Haas <didi.debian@cknow.org>
PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit()
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Fix lock symmetry in pci_slot_unlock()
Huacai Chen <chenhuacai@kernel.org>
PCI: Add ACS quirk for Loongson PCIe
Niklas Cassel <cassel@kernel.org>
PCI: cadence-ep: Correct PBA offset in .set_msix() callback
Long Li <longli@microsoft.com>
uio_hv_generic: Use correct size for interrupt and monitor pages
Shyam Prasad N <sprasad@microsoft.com>
cifs: reset connections for all channels when reconnect requested
Xiaolei Wang <xiaolei.wang@windriver.com>
remoteproc: core: Release rproc->clean_table after rproc_attach() fails
Xiaolei Wang <xiaolei.wang@windriver.com>
remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach()
Wentao Liang <vulab@iscas.ac.cn>
regulator: max14577: Add error check for max14577_read_reg()
Khem Raj <raj.khem@gmail.com>
mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS
Gabriel Shahrouzi <gshahrouzi@gmail.com>
staging: iio: ad5933: Correct settling cycles encoding per datasheet
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY
Qasim Ijaz <qasdev00@gmail.com>
net: ch9200: fix uninitialised access during mii_nway_restart
Ye Bin <yebin10@huawei.com>
ftrace: Fix UAF when lookup kallsym after ftrace disabled
Mikulas Patocka <mpatocka@redhat.com>
dm-mirror: fix a tiny race condition
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs
Wentao Liang <vulab@iscas.ac.cn>
mtd: nand: sunxi: Add randomizer configuration before randomizer enable
Wentao Liang <vulab@iscas.ac.cn>
mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk
Jinliang Zheng <alexjlzheng@tencent.com>
mm: fix ratelimit_pages update error in dirty_ratio_handler()
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
Jeongjun Park <aha310510@gmail.com>
ipc: fix to protect IPCS lookups using RCU
Da Xue <da@libre.computer>
clk: meson-g12a: add missing fclk_div2 to spicc
Arnd Bergmann <arnd@arndb.de>
parisc: fix building with gcc-15
GONG Ruiqi <gongruiqi1@huawei.com>
vgacon: Add check for vc_origin address range in vgacon_scroll()
Helge Deller <deller@gmx.de>
parisc/unaligned: Fix hex output to show 8 hex chars
Murad Masimov <m.masimov@mt-integration.ru>
fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
EDAC/altera: Use correct write width with the INTTEST register
Heiner Kallweit <hkallweit1@gmail.com>
net: ftgmac100: select FIXED_PHY
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
NFC: nci: uart: Set tty->disc_data only in success path
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on sit_bitmap_size
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: prevent kernel warning due to negative i_nlink from corrupted image
Gatien Chevallier <gatien.chevallier@foss.st.com>
Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer()
Dan Carpenter <dan.carpenter@linaro.org>
Input: ims-pcu - check record size in ims_pcu_flash_firmware()
Zhang Yi <yi.zhang@huawei.com>
ext4: ensure i_size is smaller than maxbytes
Zhang Yi <yi.zhang@huawei.com>
ext4: factor out ext4_get_maxbytes()
Jan Kara <jack@suse.cz>
ext4: fix calculation of credits for extent tree modification
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
ext4: inline: fix len overflow in ext4_prepare_inline_data
Wan Junjie <junjie.wan@inceptio.ai>
bus: fsl-mc: fix GET/SET_TAILDROP command ids
Ioana Ciornei <ioana.ciornei@nxp.com>
bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device
Tasos Sahanidis <tasos@tasossah.com>
ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
Chen Ridong <chenridong@huawei.com>
cgroup,freezer: fix incomplete freezing when attaching tasks
Dennis Marttinen <twelho@welho.tech>
ceph: set superblock s_magic for IMA fsmagic matching
Brett Werling <brett.werling@garmin.com>
can: tcan4x5x: fix power regulator retrieval during probe
Jeff Hugo <quic_jhugo@quicinc.com>
bus: mhi: host: Fix conflict between power_up and SYSERR
Andreas Kemnade <andreas@kemnade.info>
ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4
Ross Stutterheim <ross.stutterheim@garmin.com>
ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Fix deferred probing error
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Send control events for partial succeeds
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Return the number of processed controls
Ming Qian <ming.qian@oss.nxp.com>
media: imx-jpeg: Drop the first error frames
Denis Arefev <arefev@swemel.ru>
media: vivid: Change the siize of the composing
Edward Adam Davis <eadavis@qq.com>
media: vidtv: Terminating the subsequent process of initialization failure
Marek Szyprowski <m.szyprowski@samsung.com>
media: videobuf2: use sgtable-based scatterlist wrappers
Loic Poulain <loic.poulain@oss.qualcomm.com>
media: venus: Fix probe error handling
Ma Ke <make24@iscas.ac.cn>
media: v4l2-dev: fix error handling in __video_register_device()
Marek Szyprowski <m.szyprowski@samsung.com>
media: omap3isp: use sgtable-based scatterlist wrappers
Wentao Liang <vulab@iscas.ac.cn>
media: gspca: Add error handling for stv06xx_read_sensor()
Dmitry Nikiforov <Dm1tryNk@yandex.ru>
media: davinci: vpif: Fix memory leak in probe error path
Edward Adam Davis <eadavis@qq.com>
media: cxusb: no longer judge rbuf when the write fails
Sakari Ailus <sakari.ailus@linux.intel.com>
media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case
Sakari Ailus <sakari.ailus@linux.intel.com>
media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div
Sakari Ailus <sakari.ailus@linux.intel.com>
media: ccs-pll: Start OP pre-PLL multiplier search from correct value
Sakari Ailus <sakari.ailus@linux.intel.com>
media: ccs-pll: Start VT pre-PLL multiplier search from correct value
Johan Hovold <johan+linaro@kernel.org>
media: ov8856: suppress probe deferral errors
Mingcong Bai <jeffbai@aosc.io>
wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
Jeongjun Park <aha310510@gmail.com>
jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
Li Lingfeng <lilingfeng3@huawei.com>
nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
NeilBrown <neil@brown.name>
nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix ring-buffer corruption
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix rx completion meta data corruption
Christian Lamparter <chunkeey@gmail.com>
wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
Wentao Liang <vulab@iscas.ac.cn>
net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()
Wentao Liang <vulab@iscas.ac.cn>
net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr()
João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
regulator: max20086: Change enable gpio to optional
João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
regulator: max20086: Fix MAX200086 chip id
Gautam Menghani <gautam@linux.ibm.com>
powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states
Pavel Begunkov <asml.silence@gmail.com>
io_uring: account drain memory to cgroup
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
ASoC: meson: meson-card-utils: use of_property_present() for DT parsing
Wentao Liang <vulab@iscas.ac.cn>
ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params()
Alexander Aring <aahringo@redhat.com>
gfs2: move msleep to sleepable context
Herbert Xu <herbert@gondor.apana.org.au>
crypto: marvell/cesa - Do not chain submitted requests
Zijun Hu <quic_zijuhu@quicinc.com>
configfs: Do not override creating attribute file failure in populate_attrs()
Arnd Bergmann <arnd@arndb.de>
kbuild: hdrcheck: fix cross build with clang
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
kbuild: userprogs: fix bitsize and target detection on clang
I Hsin Cheng <richard120310@gmail.com>
drm/meson: Use 1000ULL when operating with mode->clock
Oliver Neukum <oneukum@suse.com>
net: usb: aqc111: debug info before sanitation
Eric Dumazet <edumazet@google.com>
calipso: unlock rcu before returning -EAFNOSUPPORT
Thomas Gleixner <tglx@linutronix.de>
x86/iopl: Cure TIF_IO_BITMAP inconsistencies
Stefano Stabellini <stefano.stabellini@amd.com>
xen/arm: call uaccess_ttbr0_enable for dm_op hypercall
Amit Sunil Dhamne <amitsd@google.com>
usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: Flush altsetting 0 endpoints before reinitializating them after reset.
Pawel Laszczak <pawell@cadence.com>
usb: cdnsp: Fix issue with detecting USB 3.2 speed
Pawel Laszczak <pawell@cadence.com>
usb: cdnsp: Fix issue with detecting command completion event
Wupeng Ma <mawupeng1@huawei.com>
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
Dave Penkler <dpenkler@gmail.com>
usb: usbtmc: Fix read_stb function and get_stb ioctl
Nathan Chancellor <nathan@kernel.org>
kbuild: Add KBUILD_CPPFLAGS to as-option invocation
Masahiro Yamada <masahiroy@kernel.org>
kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS
Nathan Chancellor <nathan@kernel.org>
kbuild: Add CLANG_FLAGS to as-instr
Nathan Chancellor <nathan@kernel.org>
mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation
Nathan Chancellor <nathan@kernel.org>
drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang
Oleg Nesterov <oleg@redhat.com>
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "io_uring: ensure deferred completions are posted for multishot"
Terry Junge <linuxhid@cosmicgizmosystems.com>
HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
David Heimann <d@dmeh.net>
ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
Suleiman Souhlal <suleiman@google.com>
tools/resolve_btfids: Fix build when cross compiling kernel with clang.
Matthew Wilcox (Oracle) <willy@infradead.org>
bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP
Peter Zijlstra <peterz@infradead.org>
perf: Ensure bpf_perf_link path is properly serialized
Daniel Wagner <wagi@kernel.org>
nvmet-fcloop: access fcpreq only when holding reqlock
Zijun Hu <quic_zijuhu@quicinc.com>
fs/filesystems: Fix potential unsigned integer underflow in fs_name()
Eric Dumazet <edumazet@google.com>
net_sched: ets: fix a race in ets_qdisc_change()
Eric Dumazet <edumazet@google.com>
net_sched: tbf: fix a race in tbf_change()
Eric Dumazet <edumazet@google.com>
net_sched: red: fix a race in __red_change()
Eric Dumazet <edumazet@google.com>
net_sched: prio: fix a race in prio_tune()
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Fix leak of Geneve TLV option object
Patrisious Haddad <phaddad@nvidia.com>
net/mlx5: Fix return value when searching for existing flow group
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: Ensure fw pages are always allocated on same NUMA
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Fix sparse errors
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: Fix NULL pointer deference on eir_get_service_data
Jakub Raczynski <j.raczynski@samsung.com>
net/mdiobus: Fix potential out-of-bounds read/write access
Andrew Lunn <andrew@lunn.ch>
net: mdio: C22 is now optional, EOPNOTSUPP if not provided
Carlos Fernandez <carlos.fernandez@technica-engineering.de>
macsec: MACsec SCI assignment for ES = 0
Michal Luczaj <mhal@rbox.co>
net: Fix TOCTOU issue in sk_is_readable()
Yunhui Cui <cuiyunhui@bytedance.com>
ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
Robert Malz <robert.malz@canonical.com>
i40e: retry VFLR handling if there is ongoing VF reset
Robert Malz <robert.malz@canonical.com>
i40e: return false from i40e_reset_vf if reset is in progress
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: fix more rounding issues with 59.94Hz modes
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: use vclk_freq instead of pixel_freq in debug print
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: fix debug log statement when setting the HDMI clocks
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: use unsigned long long / Hz for frequency types
Haren Myneni <haren@linux.ibm.com>
powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
Eric Dumazet <edumazet@google.com>
net_sched: sch_sfq: fix a potential crash on gso_skb handling
Alok Tiwari <alok.a.tiwari@oracle.com>
scsi: iscsi: Fix incorrect error path labels for flashnode operations
Wojciech Slenska <wojciech.slenska@gmail.com>
pinctrl: qcom: pinctrl-qcm2290: Add missing pins
Dan Carpenter <dan.carpenter@linaro.org>
regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()
Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: don't wait when there is no vdev started
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process()
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()
Easwar Hariharan <eahariha@linux.microsoft.com>
wifi: ath11k: convert timeouts to secs_to_jiffies()
Jeff Johnson <quic_jjohnson@quicinc.com>
wifi: ath11k: fix soc_dp_stats debugfs file permission
Govindaraj Saminathan <quic_gsaminat@quicinc.com>
wifi: ath11k: remove unused function ath11k_tm_event_wmi()
Caleb Connolly <caleb.connolly@linaro.org>
ath10k: snoc: fix unbalanced IRQ enable in crash recovery
Jeongjun Park <aha310510@gmail.com>
ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
Pauli Virtanen <pav@iki.fi>
Bluetooth: hci_core: fix list_for_each_entry_rcu usage
Sanjeev Yadav <sanjeev.y@mediatek.com>
scsi: core: ufs: Fix a hang in the error handler
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Move runtime PM enable to sci_probe_single()
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Check if TX data was written to device in .tx_empty()
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am65-main: Fix sdhci node properties
Nishanth Menon <nm@ti.com>
arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: synaptics-rmi - fix crash with unsupported versions of F34
Gabor Juhos <j4g8y7@gmail.com>
arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs
Dan Carpenter <dan.carpenter@linaro.org>
pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
Darrick J. Wong <djwong@kernel.org>
xfs: reset rootdir extent size hint after growfsrt
Darrick J. Wong <djwong@kernel.org>
xfs: take m_growlock when running growfsrt
Darrick J. Wong <djwong@kernel.org>
xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code
Zizhi Wo <wozizhi@huawei.com>
xfs: Fix the owner setting issue for rmap query in xfs fsmap
Darrick J. Wong <djwong@kernel.org>
xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set
Darrick J. Wong <djwong@kernel.org>
xfs: attr forks require attr, not attr2
Julian Sun <sunjunchao2870@gmail.com>
xfs: remove unused parameter in macro XFS_DQUOT_LOGRES
lei lu <llfamsec@gmail.com>
xfs: don't walk off the end of a directory data block
John Garry <john.g.garry@oracle.com>
xfs: Fix xfs_prepare_shift() range for RT
John Garry <john.g.garry@oracle.com>
xfs: Fix xfs_flush_unmap_range() range for RT
Darrick J. Wong <djwong@kernel.org>
xfs: create a new helper to return a file's allocation unit
Darrick J. Wong <djwong@kernel.org>
xfs: declare xfs_file.c symbols in xfs_file.h
Darrick J. Wong <djwong@kernel.org>
xfs: use consistent uid/gid when grabbing dquots for inodes
Darrick J. Wong <djwong@kernel.org>
xfs: verify buffer, inode, and dquot items every tx commit
Christoph Hellwig <hch@lst.de>
xfs: fix the contact address for the sysfs ABI documentation
Darrick J. Wong <djwong@kernel.org>
xfs: fix an agbno overflow in __xfs_getfsmap_datadev
Darrick J. Wong <djwong@kernel.org>
xfs: fix xfs_btree_query_range callers to initialize btree rec fully
Darrick J. Wong <djwong@kernel.org>
xfs: validate fsmap offsets specified in the query keys
Darrick J. Wong <djwong@kernel.org>
xfs: fix logdev fsmap query result filtering
Darrick J. Wong <djwong@kernel.org>
xfs: clean up the rtbitmap fsmap backend
Darrick J. Wong <djwong@kernel.org>
xfs: fix getfsmap reporting past the last rt extent
Darrick J. Wong <djwong@kernel.org>
xfs: fix integer overflows in the fsmap rtbitmap and logdev backends
Darrick J. Wong <djwong@kernel.org>
xfs: fix interval filtering in multi-step fsmap queries
Al Viro <viro@zeniv.linux.org.uk>
do_change_type(): refuse to operate on unmounted/not ours mounts
Al Viro <viro@zeniv.linux.org.uk>
fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: codecs: hda: Fix RPM usage count underflow
Ido Schimmel <idosch@nvidia.com>
seg6: Fix validation of nexthop addresses
Mirco Barone <mirco.barone@polito.it>
wireguard: device: enable threaded NAPI
Florian Westphal <fw@strlen.de>
netfilter: nf_set_pipapo_avx2: fix initial map fill
Alok Tiwari <alok.a.tiwari@oracle.com>
gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
Ronak Doshi <ronak.doshi@broadcom.com>
vmxnet3: correctly report gso type for UDP tunnels
Shiming Cheng <shiming.cheng@mediatek.com>
net: fix udp gso skb_segment after pull from frag_list
Alexis Lothoré <alexis.lothore@bootlin.com>
net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: tag_brcm: legacy: fix pskb_may_pull length
Michal Kubiak <michal.kubiak@intel.com>
ice: fix rebuilding the Tx scheduler tree for large queue counts
Michal Kubiak <michal.kubiak@intel.com>
ice: create new Tx scheduler nodes for new queues only
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
Álvaro Fernández Rojas <noltari@gmail.com>
spi: bcm63xx-hsspi: fix shared reset
Álvaro Fernández Rojas <noltari@gmail.com>
spi: bcm63xx-spi: fix shared reset
Horatiu Vultur <horatiu.vultur@microchip.com>
net: lan966x: Make sure to insert the vlan tags also in host mode
Dan Carpenter <dan.carpenter@linaro.org>
net/mlx4_en: Prevent potential integer overflow calculating Hz
Yanqing Wang <ot_yanqing.wang@mediatek.com>
driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
Charalampos Mitrodimas <charmitro@posteo.net>
net: tipc: fix refcount warning in tipc_aead_encrypt
Alok Tiwari <alok.a.tiwari@oracle.com>
gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
Quentin Schulz <quentin.schulz@cherry.de>
net: stmmac: platform: guarantee uniqueness of bus_id
Nicolas Pitre <npitre@baylibre.com>
vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
Yeoreum Yun <yeoreum.yun@arm.com>
coresight: prevent deactivate active config while enabling the config
Alexander Sverdlin <alexander.sverdlin@siemens.com>
counter: interrupt-cnt: Protect enable/disable OPs with mutex
WangYuli <wangyuli@uniontech.com>
MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
iio: adc: ad7124: Fix 3dB filter frequency reading
Brian Pellegrino <bpellegrino@arka.org>
iio: filter: admv8818: Support frequencies >= 2^32
Sam Winchenbach <swinchenbach@arka.org>
iio: filter: admv8818: fix range calculation
Sam Winchenbach <swinchenbach@arka.org>
iio: filter: admv8818: fix integer overflow
Sam Winchenbach <swinchenbach@arka.org>
iio: filter: admv8818: fix band 4, state 15
Henry Martin <bsdhenrymartin@gmail.com>
serial: Fix potential null-ptr-deref in mlb_usio_probe()
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
usb: renesas_usbhs: Reorder clock handling and power management in probe
Bjorn Helgaas <bhelgaas@google.com>
PCI/DPC: Initialize aer_err_info before using it
Henry Martin <bsdhenrymartin@gmail.com>
dmaengine: ti: Add NULL check in udma_probe()
Chenyuan Yang <chenyuan0y@gmail.com>
phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
Hector Martin <marcan@marcan.st>
PCI: apple: Use gpiod_set_value_cansleep in probe flow
Hans Zhang <18255117159@163.com>
PCI: cadence: Fix runtime atomic count underflow
Wolfram Sang <wsa+renesas@sang-engineering.com>
rtc: sh: assign correct interrupts with DT
Li Lingfeng <lilingfeng3@huawei.com>
nfs: ignore SB_RDONLY when remounting nfs
Li Lingfeng <lilingfeng3@huawei.com>
nfs: clear SB_RDONLY before getting superblock
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf record: Fix incorrect --user-regs comments
Leo Yan <leo.yan@arm.com>
perf tests switch-tracking: Fix timestamp comparison
Alexey Gladkov <legion@kernel.org>
mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove()
Dan Carpenter <dan.carpenter@linaro.org>
rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
Siddharth Vadapalli <s-vadapalli@ti.com>
remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick}
Dan Carpenter <dan.carpenter@linaro.org>
remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe
Adrian Hunter <adrian.hunter@intel.com>
perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3
Adrian Hunter <adrian.hunter@intel.com>
perf intel-pt: Fix PEBS-via-PT data_src
Alexei Safin <a.safin@rosa.ru>
hwmon: (asus-ec-sensors) check sensor index in read_string()
Mikhail Arkhipov <m.arhipov@rosa.ru>
mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
Henry Martin <bsdhenrymartin@gmail.com>
backlight: pm8941: Add NULL check in wled_configure()
Benjamin Marzinski <bmarzins@redhat.com>
dm: free table mempools if not used in __bind
Benjamin Marzinski <bmarzins@redhat.com>
dm: don't change md if dm_table_set_restrictions() fails
Arnaldo Carvalho de Melo <acme@redhat.com>
perf ui browser hists: Set actions->thread before calling do_zoom_thread()
Arnaldo Carvalho de Melo <acme@redhat.com>
perf build: Warn when libdebuginfod devel files are not available
Kees Cook <kees@kernel.org>
randstruct: gcc-plugin: Fix attribute addition
Kees Cook <kees@kernel.org>
randstruct: gcc-plugin: Remove bogus void member
Sergey Shtylyov <s.shtylyov@omp.ru>
fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
Henry Martin <bsdhenrymartin@gmail.com>
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
Su Hui <suhui@nfschina.com>
soc: aspeed: lpc: Fix impossible judgment condition
Joel Stanley <joel@jms.id.au>
ARM: aspeed: Don't select SRAM
Julien Massot <julien.massot@collabora.com>
arm64: dts: mt6359: Rename RTC node to match binding expectations
Quentin Schulz <quentin.schulz@cherry.de>
arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou
Vignesh Raman <vignesh.raman@collabora.com>
arm64: defconfig: mediatek: enable PHY drivers
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device
Andre Przywara <andre.przywara@arm.com>
dt-bindings: vendor-prefixes: Add Liontron name
Ioana Ciornei <ioana.ciornei@nxp.com>
bus: fsl-mc: fix double-free on mc_dev
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
Wentao Liang <vulab@iscas.ac.cn>
nilfs2: add pointer check for nilfs_direct_propagate()
Murad Masimov <m.masimov@mt-integration.ru>
ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: check return result of sb_min_blocksize
Alexey Minnekhanov <alexeymin@postmarketos.org>
arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
Alexey Minnekhanov <alexeymin@postmarketos.org>
arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
Julien Massot <julien.massot@collabora.com>
arm64: dts: mt6359: Add missing 'compatible' property to regulators node
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mn-beacon: Fix RTC capacitive load
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mm-beacon: Fix RTC capacitive load
Alexey Minnekhanov <alexeymin@postmarketos.org>
arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains
Wolfram Sang <wsa+renesas@sang-engineering.com>
ARM: dts: at91: at91sam9263: fix NAND chip selects
Wolfram Sang <wsa+renesas@sang-engineering.com>
ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
Xilin Wu <wuxilin123@gmail.com>
arm64: dts: qcom: sm8250: Fix CPU7 opp table
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: fix to correct check conditions in f2fs_cross_rename
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: use d_inode(dentry) cleanup dentry->d_inode
Horatiu Vultur <horatiu.vultur@microchip.com>
net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
Faicker Mo <faicker.mo@zenlayer.com>
net: openvswitch: Fix the dead loop of MPLS parse
Kuniyuki Iwashima <kuniyu@amazon.com>
calipso: Don't call calipso functions for AF_INET sk.
Horatiu Vultur <horatiu.vultur@microchip.com>
net: phy: mscc: Fix memory leak when using one step timestamping
Thangaraj Samynathan <thangaraj.s@microchip.com>
net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
KaFai Wan <mannkafai@gmail.com>
bpf: Avoid __bpf_prog_ret0_warn when jit fails
Jack Morgenstein <jackm@nvidia.com>
RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
net: usb: aqc111: fix error handling of usbnet read calls
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nft_tunnel: fix geneve_opt dump
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Avoid using sk_socket after free when sending
Dmitry Antipov <dmantipov@yandex.ru>
Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
Li RongQing <lirongqing@baidu.com>
vfio/type1: Fix error unwind in migration dirty bitmap allocation
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy
Michal Koutný <mkoutny@suse.com>
kernfs: Relax constraint in draining guard
Toke Høiland-Jørgensen <toke@toke.dk>
wifi: ath9k_htc: Abort software beacon handling if disabled
Longfang Liu <liulongfang@huawei.com>
hisi_acc_vfio_pci: add eq and aeq interruption restore
Longfang Liu <liulongfang@huawei.com>
hisi_acc_vfio_pci: fix XQE dma address error
Rolf Eike Beer <eb@emlix.com>
iommu: remove duplicate selection of DMAR_TABLE
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
Ilya Leoshkevich <iii@linux.ibm.com>
s390/bpf: Store backchain even for leaf progs
Vincent Knecht <vincent.knecht@mailoo.org>
clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
Tao Chen <chen.dylane@linux.dev>
bpf: Fix WARN() in get_bpf_raw_tp_regs
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: at91: Fix possible out-of-boundary access
Anton Protopopov <a.s.protopopov@gmail.com>
libbpf: Use proper errno value in nlattr
Jiayuan Chen <jiayuan.chen@linux.dev>
ktls, sockmap: Fix missing uncharge operation
Miaoqian Lin <linmq006@gmail.com>
tracing: Fix error handling in event_trigger_parse()
Steven Rostedt <rostedt@goodmis.org>
tracing: Rename event_trigger_alloc() to trigger_data_alloc()
Hans Zhang <18255117159@163.com>
efi/libstub: Describe missing 'out' parameter in efi_load_initrd
Henry Martin <bsdhenrymartin@gmail.com>
clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
Anton Protopopov <a.s.protopopov@gmail.com>
bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
Patrisious Haddad <phaddad@nvidia.com>
RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
Zhongqiu Duan <dzq.aishenghu0@gmail.com>
netfilter: nft_quota: match correctly when the quota just depleted
Huajian Yang <huajianyang@asrmicro.com>
netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it
Anton Protopopov <a.s.protopopov@gmail.com>
libbpf: Use proper errno value in linker
Chao Yu <chao@kernel.org>
f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
Chao Yu <chao@kernel.org>
f2fs: clean up w/ fscrypt_is_bounce_page()
Jason Gunthorpe <jgg@ziepe.ca>
iommu: Protect against overflow in iommu_pgsize()
Yihang Li <liyihang9@huawei.com>
scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
Dmitry Antipov <dmantipov@yandex.ru>
wifi: rtw88: do not ignore hardware read error during DPK
Viktor Malik <vmalik@redhat.com>
libbpf: Fix buffer overflow in bpf_object__init_prog
Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
net: ncsi: Fix GCPS 64-bit member variables
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on sbi->total_valid_block_count
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Fix panic when calling skb_linearize
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: fix duplicated data transmission
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf: fix ktls panic with sockmap
Jacob Moroni <jmoroni@google.com>
IB/cm: use rwlock for MAD agent lock
Stone Zhang <quic_stonez@quicinc.com>
wifi: ath11k: fix node corruption in ar->arvifs list
Kees Cook <kees@kernel.org>
scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
Huang Yiwei <quic_hyiwei@quicinc.com>
firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
Biju Das <biju.das.jz@bp.renesas.com>
drm/tegra: rgb: Fix the unbound reference count
Kees Cook <kees@kernel.org>
drm/vkms: Adjust vkms_state->active_planes allocation type
Biju Das <biju.das.jz@bp.renesas.com>
drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
Neill Kapron <nkapron@google.com>
selftests/seccomp: fix syscall_restart test for arm compat
Kornel Dulęba <korneld@google.com>
arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
Miaoqian Lin <linmq006@gmail.com>
firmware: psci: Fix refcount leak in psci_dt_init
Finn Thain <fthain@linux-m68k.org>
m68k: mac: Fix macintosh_config for Mac II
Kees Cook <kees@kernel.org>
watchdog: exar: Shorten identity name to fit correctly
Andrey Vatoropin <a.vatoropin@crpt.ru>
fs/ntfs3: handle hdr_first_de() return value
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()
Mark Rutland <mark.rutland@arm.com>
arm64/fpsimd: Fix merging of FPSIMD state during signal return
Mark Brown <broonie@kernel.org>
arm64/fpsimd: Discard stale CPU state when handling SME traps
Jonas Karlman <jonas@kwiboo.se>
media: rkvdec: Fix frame size enumeration
Charles Han <hanchunchao@inspur.com>
drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Add seqno waiter for sync_files
Martin Povišer <povik+lin@cutebit.org>
ASoC: apple: mca: Constrain channels according to TDM mask
Geert Uytterhoeven <geert+renesas@glider.be>
spi: sh-msiof: Fix maximum DMA transfer size
Armin Wolf <W_Armin@gmx.de>
ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()
Zijun Hu <quic_zijuhu@quicinc.com>
PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks()
Alexander Shiyan <eagle.alexander923@gmail.com>
power: reset: at91-reset: Optimize at91_reset()
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: modify chip select (CS) deactivation
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: remove redundant error handling code
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/skx_common: Fix general protection fault
Hector Martin <marcan@marcan.st>
ASoC: tas2764: Enable main IRQs
Ovidiu Panait <ovidiu.panait.oss@gmail.com>
crypto: sun8i-ce - move fallback ahash_request to the end of the struct
Herbert Xu <herbert@gondor.apana.org.au>
crypto: xts - Only add ecb if it is not already there
Herbert Xu <herbert@gondor.apana.org.au>
crypto: lrw - Only add ecb if it is not already there
Herbert Xu <herbert@gondor.apana.org.au>
crypto: marvell/cesa - Avoid empty transfer descriptor
Herbert Xu <herbert@gondor.apana.org.au>
crypto: marvell/cesa - Handle zero-length skcipher requests
Ahmed S. Darwish <darwi@linutronix.de>
x86/cpu: Sanitize CPUID(0x80000000) output
Eddie James <eajames@linux.ibm.com>
powerpc/crash: Fix non-smp kexec preparation
Corentin Labbe <clabbe.montjoie@gmail.com>
crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
Ovidiu Panait <ovidiu.panait.oss@gmail.com>
crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
Qing Wang <wangqing7171@gmail.com>
perf/core: Fix broken throttling when max_samples_per_tick=1
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: gfs2_create_inode error handling fix
Sergey Senozhatsky <senozhatsky@chromium.org>
thunderbolt: Do not double dequeue a configuration request
Dave Penkler <dpenkler@gmail.com>
usb: usbtmc: Fix timeout value in get_stb
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Bluetooth: hci_qca: move the SoC type check to the right place
Charles Yeh <charlesyeh522@gmail.com>
USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device
Jiayi Li <lijiayi@kylinos.cn>
usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
Alexandre Mergnat <amergnat@baylibre.com>
rtc: Fix offset calculation for .start_secs < 0
Alexandre Mergnat <amergnat@baylibre.com>
rtc: Make rtc_time64_to_tm() support dates before 1970
Gautham R. Shenoy <gautham.shenoy@amd.com>
acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: set GPIO output value before setting direction
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31
Pan Taixi <pantaixi@huaweicloud.com>
tracing: Fix compilation warning on arm32
Peter Xu <peterx@redhat.com>
mm/uffd: fix vma operation where start addr cuts part of vma
-------------
Diffstat:
Documentation/ABI/testing/sysfs-fs-xfs | 8 +-
Documentation/admin-guide/kernel-parameters.txt | 2 -
.../bindings/i2c/nvidia,tegra20-i2c.yaml | 24 +-
.../devicetree/bindings/vendor-prefixes.yaml | 2 +
Makefile | 8 +-
arch/arm/boot/dts/am335x-bone-common.dtsi | 8 +
arch/arm/boot/dts/at91sam9263ek.dts | 2 +-
arch/arm/boot/dts/qcom-apq8064.dtsi | 13 +-
arch/arm/boot/dts/tny_a9263.dts | 2 +-
arch/arm/boot/dts/usb_a9263.dts | 4 +-
arch/arm/mach-aspeed/Kconfig | 1 -
arch/arm/mach-omap2/clockdomain.h | 1 +
arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +-
arch/arm/mach-omap2/cm33xx.c | 14 +-
arch/arm/mach-omap2/pmic-cpcap.c | 6 +-
arch/arm/mm/ioremap.c | 4 +-
arch/arm64/Kconfig | 6 +-
.../boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 -
.../boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 +-
arch/arm64/boot/dts/mediatek/mt6359.dtsi | 4 +-
arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 ++--
.../arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 +
.../arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 3 +
arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
.../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 20 +-
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 31 +++
arch/arm64/configs/defconfig | 3 +
arch/arm64/kernel/fpsimd.c | 4 +-
arch/arm64/kernel/ptrace.c | 2 +-
arch/arm64/xen/hypercall.S | 21 +-
arch/loongarch/include/asm/irqflags.h | 16 +-
arch/m68k/mac/config.c | 2 +-
arch/mips/Makefile | 2 +-
.../boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
arch/mips/vdso/Makefile | 1 +
arch/parisc/boot/compressed/Makefile | 1 +
arch/parisc/kernel/unaligned.c | 2 +-
arch/powerpc/kernel/eeh.c | 2 +
arch/powerpc/kexec/crash.c | 5 +-
arch/powerpc/platforms/book3s/vas-api.c | 9 +
arch/powerpc/platforms/powernv/memtrace.c | 8 +-
arch/powerpc/platforms/pseries/msi.c | 7 +-
arch/riscv/kvm/vcpu_sbi_replace.c | 8 +-
arch/s390/kvm/gaccess.c | 8 +-
arch/s390/net/bpf_jit_comp.c | 12 +-
arch/s390/pci/pci_mmio.c | 2 +-
arch/x86/kernel/cpu/bugs.c | 10 +-
arch/x86/kernel/cpu/common.c | 17 +-
arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
arch/x86/kernel/cpu/sgx/main.c | 2 +
arch/x86/kernel/ioport.c | 13 +-
arch/x86/kernel/process.c | 6 +
arch/x86/kvm/svm/svm.c | 2 +-
crypto/lrw.c | 4 +-
crypto/xts.c | 4 +-
drivers/acpi/acpica/dsutils.c | 9 +-
drivers/acpi/acpica/psobject.c | 52 ++--
drivers/acpi/acpica/utprint.c | 7 +-
drivers/acpi/apei/Kconfig | 1 +
drivers/acpi/apei/ghes.c | 2 +-
drivers/acpi/battery.c | 19 +-
drivers/acpi/bus.c | 6 +-
drivers/acpi/cppc_acpi.c | 2 +-
drivers/acpi/osi.c | 1 -
drivers/ata/pata_via.c | 3 +-
drivers/atm/atmtcp.c | 4 +-
drivers/base/power/domain.c | 2 +-
drivers/base/power/main.c | 3 +-
drivers/base/power/runtime.c | 2 +-
drivers/base/swnode.c | 2 +-
drivers/block/aoe/aoedev.c | 8 +
drivers/bluetooth/hci_qca.c | 14 +-
drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +-
drivers/bus/fsl-mc/fsl-mc-uapi.c | 4 +-
drivers/bus/fsl-mc/mc-io.c | 19 +-
drivers/bus/fsl-mc/mc-sys.c | 2 +-
drivers/bus/mhi/host/pm.c | 18 +-
drivers/bus/ti-sysc.c | 49 ----
drivers/clk/bcm/clk-raspberrypi.c | 2 +
drivers/clk/meson/g12a.c | 1 +
drivers/clk/qcom/dispcc-sm6350.c | 3 +
drivers/clk/qcom/gcc-msm8939.c | 4 +-
drivers/clk/qcom/gcc-sm6350.c | 6 +
drivers/clk/qcom/gpucc-sm6350.c | 6 +
drivers/clk/rockchip/clk-rk3036.c | 1 +
drivers/counter/interrupt-cnt.c | 9 +
drivers/cpufreq/acpi-cpufreq.c | 2 +-
drivers/cpufreq/scmi-cpufreq.c | 36 ++-
drivers/cpufreq/tegra186-cpufreq.c | 7 -
.../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +-
drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
.../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
drivers/crypto/marvell/cesa/cesa.c | 2 +-
drivers/crypto/marvell/cesa/cesa.h | 9 +-
drivers/crypto/marvell/cesa/cipher.c | 3 +
drivers/crypto/marvell/cesa/hash.c | 2 +-
drivers/crypto/marvell/cesa/tdma.c | 53 ++--
drivers/dma-buf/udmabuf.c | 5 +-
drivers/dma/ti/k3-udma.c | 3 +-
drivers/edac/altera_edac.c | 6 +-
drivers/edac/skx_common.c | 1 +
drivers/firmware/Kconfig | 1 -
drivers/firmware/arm_sdei.c | 11 +-
drivers/firmware/efi/libstub/efi-stub-helper.c | 1 +
drivers/firmware/psci/psci.c | 4 +-
drivers/gpu/drm/amd/display/dc/dml/Makefile | 3 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 +
drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +-
drivers/gpu/drm/meson/meson_drv.c | 2 +-
drivers/gpu/drm/meson/meson_drv.h | 2 +-
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 29 ++-
drivers/gpu/drm/meson/meson_vclk.c | 226 +++++++++--------
drivers/gpu/drm/meson/meson_vclk.h | 13 +-
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 14 +-
drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c | 7 +
drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +-
drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 +-
drivers/gpu/drm/tegra/rgb.c | 14 +-
drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 ++
drivers/hid/hid-hyperv.c | 4 +-
drivers/hid/usbhid/hid-core.c | 25 +-
drivers/hwmon/asus-ec-sensors.c | 4 +
drivers/hwmon/occ/common.c | 238 ++++++++----------
drivers/hwtracing/coresight/coresight-config.h | 2 +-
drivers/hwtracing/coresight/coresight-syscfg.c | 49 ++--
drivers/i2c/busses/i2c-designware-slave.c | 2 +-
drivers/i2c/busses/i2c-npcm7xx.c | 12 +-
drivers/i2c/busses/i2c-tegra.c | 5 +
drivers/iio/accel/fxls8962af-core.c | 15 +-
drivers/iio/adc/ad7124.c | 4 +-
drivers/iio/adc/ad7606_spi.c | 2 +-
drivers/iio/filter/admv8818.c | 230 ++++++++++++-----
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +-
drivers/infiniband/core/cm.c | 16 +-
drivers/infiniband/core/cma.c | 3 +-
drivers/infiniband/core/iwcm.c | 29 +--
drivers/infiniband/hw/hns/hns_roce_ah.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
drivers/infiniband/hw/mlx5/qpc.c | 30 ++-
drivers/input/keyboard/gpio_keys.c | 2 +
drivers/input/misc/ims-pcu.c | 6 +
drivers/input/misc/sparcspkr.c | 22 +-
drivers/input/rmi4/rmi_f34.c | 133 +++++-----
drivers/iommu/Kconfig | 1 -
drivers/iommu/amd/iommu.c | 8 +
drivers/iommu/iommu.c | 4 +-
drivers/md/dm-raid1.c | 5 +-
drivers/md/dm.c | 30 +--
drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 +-
drivers/media/i2c/ccs-pll.c | 11 +-
drivers/media/i2c/ov8856.c | 9 +-
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 12 +-
drivers/media/platform/qcom/venus/core.c | 16 +-
drivers/media/platform/ti/davinci/vpif.c | 4 +-
drivers/media/platform/ti/omap3isp/ispccdc.c | 8 +-
drivers/media/platform/ti/omap3isp/ispstat.c | 6 +-
drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +-
drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +-
drivers/media/usb/dvb-usb/cxusb.c | 3 +-
drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 +-
drivers/media/usb/uvc/uvc_ctrl.c | 23 +-
drivers/media/usb/uvc/uvc_driver.c | 27 +-
drivers/media/v4l2-core/v4l2-dev.c | 14 +-
drivers/mfd/exynos-lpass.c | 1 -
drivers/mfd/stmpe-spi.c | 2 +-
drivers/misc/vmw_vmci/vmci_host.c | 11 +-
drivers/mmc/core/card.h | 6 +
drivers/mmc/core/quirks.h | 10 +
drivers/mmc/core/sd.c | 32 ++-
drivers/mtd/nand/ecc-mxic.c | 2 +-
drivers/mtd/nand/raw/sunxi_nand.c | 2 +
drivers/net/can/m_can/tcan4x5x-core.c | 9 +-
drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 -
drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 +
drivers/net/ethernet/cadence/macb_main.c | 6 +-
drivers/net/ethernet/cortina/gemini.c | 37 ++-
drivers/net/ethernet/dlink/dl2k.c | 14 +-
drivers/net/ethernet/dlink/dl2k.h | 2 +
drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
drivers/net/ethernet/faraday/Kconfig | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 2 +-
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +
drivers/net/ethernet/intel/i40e/i40e_common.c | 7 +-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 +-
drivers/net/ethernet/intel/ice/ice_arfs.c | 48 ++++
drivers/net/ethernet/intel/ice/ice_sched.c | 181 +++++++++++---
drivers/net/ethernet/intel/ice/ice_switch.c | 4 +-
drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 9 +-
drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 +
drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 +
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +-
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 +-
.../net/ethernet/mellanox/mlx5/core/pagealloc.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/vport.c | 18 +-
drivers/net/ethernet/microchip/lan743x_ethtool.c | 18 +-
drivers/net/ethernet/microchip/lan743x_main.c | 4 +-
drivers/net/ethernet/microchip/lan743x_ptp.c | 2 +-
drivers/net/ethernet/microchip/lan743x_ptp.h | 5 +-
.../net/ethernet/microchip/lan966x/lan966x_main.c | 1 +
.../net/ethernet/microchip/lan966x/lan966x_main.h | 1 +
.../ethernet/microchip/lan966x/lan966x_switchdev.c | 1 +
.../net/ethernet/microchip/lan966x/lan966x_vlan.c | 21 ++
drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
drivers/net/ethernet/vertexcom/mse102x.c | 15 +-
drivers/net/macsec.c | 40 ++-
drivers/net/phy/mdio_bus.c | 16 +-
drivers/net/phy/mscc/mscc_ptp.c | 20 +-
drivers/net/usb/aqc111.c | 10 +-
drivers/net/usb/ch9200.c | 7 +-
drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++
drivers/net/vxlan/vxlan_core.c | 8 +-
drivers/net/wireguard/device.c | 1 +
drivers/net/wireless/ath/ath10k/snoc.c | 4 +-
drivers/net/wireless/ath/ath11k/ce.c | 11 +-
drivers/net/wireless/ath/ath11k/core.c | 37 +--
drivers/net/wireless/ath/ath11k/core.h | 4 +-
drivers/net/wireless/ath/ath11k/debugfs.c | 61 ++---
drivers/net/wireless/ath/ath11k/dp_rx.c | 25 +-
drivers/net/wireless/ath/ath11k/hal.c | 4 +-
drivers/net/wireless/ath/ath11k/mac.c | 4 +-
drivers/net/wireless/ath/ath11k/qmi.c | 9 +
drivers/net/wireless/ath/ath11k/testmode.c | 64 +----
drivers/net/wireless/ath/ath11k/testmode.h | 8 +-
drivers/net/wireless/ath/ath11k/wmi.c | 2 +-
drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +
drivers/net/wireless/ath/carl9170/usb.c | 19 +-
drivers/net/wireless/intersil/p54/fwio.c | 2 +
drivers/net/wireless/intersil/p54/p54.h | 1 +
drivers/net/wireless/intersil/p54/txrx.c | 13 +-
drivers/net/wireless/mac80211_hwsim.c | 5 +
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 +
.../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 +-
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +
drivers/net/wireless/purelifi/plfxlc/usb.c | 4 +-
drivers/net/wireless/realtek/rtlwifi/pci.c | 10 +
drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 +-
drivers/nvme/target/fcloop.c | 31 +--
drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +-
drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +-
drivers/pci/controller/dwc/pcie-dw-rockchip.c | 2 +-
drivers/pci/controller/pcie-apple.c | 4 +-
drivers/pci/pci.c | 3 +-
drivers/pci/pcie/dpc.c | 2 +-
drivers/pci/quirks.c | 23 ++
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +-
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 35 +--
drivers/pinctrl/pinctrl-at91.c | 6 +-
drivers/pinctrl/pinctrl-mcp23s08.c | 8 +
drivers/pinctrl/qcom/pinctrl-qcm2290.c | 9 +
drivers/platform/loongarch/loongson-laptop.c | 87 ++++---
drivers/platform/x86/dell/dell_rbu.c | 6 +-
drivers/platform/x86/ideapad-laptop.c | 3 +
drivers/power/reset/at91-reset.c | 5 +-
drivers/power/supply/bq27xxx_battery.c | 2 +-
drivers/power/supply/bq27xxx_battery_i2c.c | 13 +-
drivers/ptp/ptp_clock.c | 3 +-
drivers/ptp/ptp_private.h | 12 +-
drivers/rapidio/rio_cm.c | 3 +
drivers/regulator/max14577-regulator.c | 5 +-
drivers/regulator/max20086-regulator.c | 10 +-
drivers/remoteproc/qcom_wcnss_iris.c | 2 +
drivers/remoteproc/remoteproc_core.c | 6 +-
drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 -
drivers/rpmsg/qcom_smd.c | 2 +-
drivers/rtc/class.c | 2 +-
drivers/rtc/lib.c | 24 +-
drivers/rtc/rtc-sh.c | 12 +-
drivers/s390/scsi/zfcp_sysfs.c | 2 +
drivers/scsi/elx/efct/efct_hw.c | 5 +-
drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +--
drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +-
drivers/scsi/lpfc/lpfc_sli.c | 4 +-
drivers/scsi/qedf/qedf_main.c | 2 +-
drivers/scsi/scsi_transport_iscsi.c | 11 +-
drivers/scsi/storvsc_drv.c | 10 +-
drivers/soc/aspeed/aspeed-lpc-snoop.c | 17 +-
drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
drivers/spi/spi-bcm63xx.c | 2 +-
drivers/spi/spi-sh-msiof.c | 13 +-
drivers/spi/spi-tegra210-quad.c | 24 +-
drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
drivers/staging/media/rkvdec/rkvdec.c | 10 +-
drivers/tee/tee_core.c | 11 +-
drivers/thunderbolt/ctl.c | 5 +
drivers/tty/serial/milbeaut_usio.c | 5 +-
drivers/tty/serial/sh-sci.c | 97 ++++++--
drivers/tty/vt/vt_ioctl.c | 2 -
drivers/ufs/core/ufshcd.c | 7 +-
drivers/uio/uio_hv_generic.c | 4 +-
drivers/usb/cdns3/cdnsp-gadget.c | 21 +-
drivers/usb/cdns3/cdnsp-gadget.h | 4 +
drivers/usb/class/usbtmc.c | 21 +-
drivers/usb/core/hub.c | 16 +-
drivers/usb/core/quirks.c | 3 +
drivers/usb/gadget/function/f_hid.c | 12 +-
drivers/usb/renesas_usbhs/common.c | 50 +++-
drivers/usb/serial/pl2303.c | 2 +
drivers/usb/storage/unusual_uas.h | 7 +
drivers/usb/typec/tcpm/tcpci_maxim.c | 3 +-
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 57 ++++-
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 +-
drivers/vfio/vfio_iommu_type1.c | 2 +-
drivers/video/backlight/qcom-wled.c | 6 +-
drivers/video/console/vgacon.c | 2 +-
drivers/video/fbdev/core/fbcon.c | 7 +-
drivers/video/fbdev/core/fbcvt.c | 2 +-
drivers/video/fbdev/core/fbmem.c | 4 +-
drivers/watchdog/da9052_wdt.c | 1 +
drivers/watchdog/exar_wdt.c | 2 +-
fs/ceph/super.c | 1 +
fs/configfs/dir.c | 2 +-
fs/ext4/ext4.h | 7 +
fs/ext4/extents.c | 18 +-
fs/ext4/file.c | 7 +-
fs/ext4/inline.c | 2 +-
fs/ext4/inode.c | 3 +-
fs/f2fs/data.c | 4 +-
fs/f2fs/f2fs.h | 10 +-
fs/f2fs/namei.c | 19 +-
fs/f2fs/super.c | 12 +-
fs/filesystems.c | 14 +-
fs/gfs2/inode.c | 3 +-
fs/gfs2/lock_dlm.c | 3 +-
fs/jbd2/transaction.c | 5 +-
fs/jffs2/erase.c | 4 +-
fs/jffs2/scan.c | 4 +-
fs/jffs2/summary.c | 7 +-
fs/kernfs/dir.c | 5 +-
fs/kernfs/file.c | 3 +-
fs/namespace.c | 6 +-
fs/nfs/super.c | 19 ++
fs/nfsd/nfs4proc.c | 3 +-
fs/nfsd/nfssvc.c | 6 +-
fs/nilfs2/btree.c | 4 +-
fs/nilfs2/direct.c | 3 +
fs/ntfs3/index.c | 8 +
fs/ocfs2/quota_local.c | 2 +-
fs/smb/client/cached_dir.h | 8 +-
fs/smb/client/connect.c | 8 +
fs/smb/client/readdir.c | 28 ++-
fs/smb/server/smb2pdu.c | 11 +-
fs/squashfs/super.c | 5 +
fs/userfaultfd.c | 6 +
fs/xfs/Kconfig | 12 +
fs/xfs/libxfs/xfs_alloc.c | 10 +-
fs/xfs/libxfs/xfs_dir2_data.c | 31 ++-
fs/xfs/libxfs/xfs_dir2_priv.h | 7 +
fs/xfs/libxfs/xfs_quota_defs.h | 2 +-
fs/xfs/libxfs/xfs_refcount.c | 13 +-
fs/xfs/libxfs/xfs_rmap.c | 10 +-
fs/xfs/libxfs/xfs_trans_resv.c | 28 +--
fs/xfs/scrub/bmap.c | 8 +-
fs/xfs/xfs.h | 4 +
fs/xfs/xfs_bmap_util.c | 22 +-
fs/xfs/xfs_buf_item.c | 32 +++
fs/xfs/xfs_dquot_item.c | 31 +++
fs/xfs/xfs_file.c | 29 +--
fs/xfs/xfs_file.h | 15 ++
fs/xfs/xfs_fsmap.c | 276 ++++++++++++---------
fs/xfs/xfs_inode.c | 29 ++-
fs/xfs/xfs_inode.h | 2 +
fs/xfs/xfs_inode_item.c | 32 +++
fs/xfs/xfs_ioctl.c | 12 +
fs/xfs/xfs_iops.c | 1 +
fs/xfs/xfs_iops.h | 3 -
fs/xfs/xfs_rtalloc.c | 78 +++++-
fs/xfs/xfs_symlink.c | 8 +-
fs/xfs/xfs_trace.h | 25 ++
include/acpi/actypes.h | 2 +-
include/linux/arm_sdei.h | 4 +-
include/linux/atmdev.h | 6 +
include/linux/bio.h | 2 +-
include/linux/hid.h | 3 +-
include/linux/hugetlb.h | 3 +
include/linux/mlx5/driver.h | 1 +
include/linux/mm.h | 3 +
include/linux/mm_types.h | 3 +
include/linux/mmc/card.h | 1 +
include/net/bluetooth/hci_core.h | 1 -
include/net/checksum.h | 2 +-
include/net/sock.h | 7 +-
include/trace/events/erofs.h | 18 --
include/uapi/linux/bpf.h | 2 +
io_uring/io_uring.c | 10 +-
ipc/shm.c | 5 +-
kernel/bpf/core.c | 2 +-
kernel/bpf/helpers.c | 3 +-
kernel/cgroup/legacy_freezer.c | 3 +-
kernel/events/core.c | 57 ++++-
kernel/exit.c | 17 +-
kernel/power/wakelock.c | 3 +
kernel/time/clocksource.c | 2 +-
kernel/time/posix-cpu-timers.c | 9 +
kernel/trace/bpf_trace.c | 2 +-
kernel/trace/ftrace.c | 10 +-
kernel/trace/trace.c | 2 +-
kernel/trace/trace.h | 8 +-
kernel/trace/trace_events_hist.c | 2 +-
kernel/trace/trace_events_trigger.c | 20 +-
lib/Kconfig | 1 +
mm/huge_memory.c | 11 +-
mm/hugetlb.c | 83 +++++--
mm/mmap.c | 8 +
mm/page-writeback.c | 2 +-
net/atm/common.c | 1 +
net/atm/lec.c | 12 +-
net/atm/raw.c | 2 +-
net/bluetooth/eir.c | 10 +-
net/bluetooth/hci_core.c | 15 +-
net/bluetooth/hci_sync.c | 20 +-
net/bluetooth/l2cap_core.c | 3 +-
net/bluetooth/mgmt.c | 39 +--
net/bluetooth/mgmt_util.c | 2 +-
net/bridge/br_mst.c | 4 +-
net/bridge/br_multicast.c | 103 +++++++-
net/bridge/br_private.h | 11 +-
net/bridge/netfilter/nf_conntrack_bridge.c | 12 +-
net/core/filter.c | 5 +-
net/core/skmsg.c | 56 +++--
net/core/sock.c | 4 +-
net/core/utils.c | 4 +-
net/dsa/tag_brcm.c | 2 +-
net/ipv4/route.c | 4 +
net/ipv4/tcp_fastopen.c | 3 +
net/ipv4/tcp_input.c | 63 ++---
net/ipv4/udp_offload.c | 5 +
net/ipv6/calipso.c | 8 +
net/ipv6/ila/ila_common.c | 6 +-
net/ipv6/netfilter.c | 12 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 13 +-
net/ipv6/seg6_local.c | 6 +-
net/mac80211/mesh_hwmp.c | 6 +-
net/mpls/af_mpls.c | 4 +-
net/ncsi/internal.h | 21 +-
net/ncsi/ncsi-pkt.h | 23 +-
net/ncsi/ncsi-rsp.c | 21 +-
net/netfilter/nft_quota.c | 20 +-
net/netfilter/nft_set_pipapo_avx2.c | 21 +-
net/netfilter/nft_tunnel.c | 8 +-
net/netlabel/netlabel_kapi.c | 5 +
net/nfc/nci/uart.c | 8 +-
net/openvswitch/flow.c | 2 +-
net/sched/sch_ets.c | 2 +-
net/sched/sch_prio.c | 2 +-
net/sched/sch_red.c | 2 +-
net/sched/sch_sfq.c | 15 +-
net/sched/sch_tbf.c | 2 +-
net/sctp/socket.c | 3 +-
net/tipc/crypto.c | 8 +-
net/tipc/udp_media.c | 4 +-
net/tls/tls_sw.c | 15 +-
net/wireless/core.c | 6 +-
scripts/Makefile.clang | 3 +-
scripts/Makefile.compiler | 4 +-
scripts/gcc-plugins/gcc-common.h | 32 +++
scripts/gcc-plugins/randomize_layout_plugin.c | 40 +--
security/selinux/xfrm.c | 2 +-
sound/pci/hda/hda_intel.c | 2 +
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/amd/yc/acp6x-mach.c | 9 +-
sound/soc/apple/mca.c | 23 ++
sound/soc/codecs/hda.c | 4 +-
sound/soc/codecs/tas2764.c | 2 +-
sound/soc/codecs/tas2770.c | 30 ++-
sound/soc/intel/avs/ipc.c | 4 +-
sound/soc/meson/meson-card-utils.c | 2 +-
sound/soc/qcom/sdm845.c | 4 +
sound/soc/tegra/tegra210_ahub.c | 2 +
sound/usb/implicit.c | 1 +
sound/usb/mixer_maps.c | 12 +
tools/bpf/bpftool/cgroup.c | 12 +-
tools/bpf/resolve_btfids/Makefile | 2 +-
tools/include/uapi/linux/bpf.h | 2 +
tools/lib/bpf/bpf_core_read.h | 6 +
tools/lib/bpf/btf.c | 16 ++
tools/lib/bpf/libbpf.c | 2 +-
tools/lib/bpf/linker.c | 4 +-
tools/lib/bpf/nlattr.c | 15 +-
tools/perf/Makefile.config | 2 +
tools/perf/builtin-record.c | 2 +-
tools/perf/scripts/python/exported-sql-viewer.py | 5 +-
tools/perf/tests/switch-tracking.c | 2 +-
tools/perf/ui/browsers/hists.c | 2 +-
tools/perf/util/intel-pt.c | 205 ++++++++++++++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +-
tools/testing/selftests/x86/Makefile | 2 +-
tools/testing/selftests/x86/sigtrap_loop.c | 101 ++++++++
usr/include/Makefile | 2 +-
500 files changed, 4451 insertions(+), 2103 deletions(-)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 001/508] mm/uffd: fix vma operation where start addr cuts part of vma
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 002/508] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
` (507 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Xu, Mark Rutland,
Lorenzo Stoakes, Liam R. Howlett, Mike Rapoport (IBM),
Andrew Morton, linux-mm, Jakub Acs
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Xu <peterx@redhat.com>
commit 270aa010620697fb27b8f892cc4e194bc2b7d134 upstream.
Patch series "mm/uffd: Fix vma merge/split", v2.
This series contains two patches that fix vma merge/split for userfaultfd
on two separate issues.
Patch 1 fixes a regression since 6.1+ due to something we overlooked when
converting to maple tree apis. The plan is we use patch 1 to replace the
commit "2f628010799e (mm: userfaultfd: avoid passing an invalid range to
vma_merge())" in mm-hostfixes-unstable tree if possible, so as to bring
uffd vma operations back aligned with the rest code again.
Patch 2 fixes a long standing issue that vma can be left unmerged even if
we can for either uffd register or unregister.
Many thanks to Lorenzo on either noticing this issue from the assert
movement patch, looking at this problem, and also provided a reproducer on
the unmerged vma issue [1].
[1] https://gist.github.com/lorenzo-stoakes/a11a10f5f479e7a977fc456331266e0e
This patch (of 2):
It seems vma merging with uffd paths is broken with either
register/unregister, where right now we can feed wrong parameters to
vma_merge() and it's found by recent patch which moved asserts upwards in
vma_merge() by Lorenzo Stoakes:
https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
It's possible that "start" is contained within vma but not clamped to its
start. We need to convert this into either "cannot merge" case or "can
merge" case 4 which permits subdivision of prev by assigning vma to prev.
As we loop, each subsequent VMA will be clamped to the start.
This patch will eliminate the report and make sure vma_merge() calls will
become legal again.
One thing to mention is that the "Fixes: 29417d292bd0" below is there only
to help explain where the warning can start to trigger, the real commit to
fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the
issue, but unfortunately we may want to keep it in Fixes too just to ease
kernel backporters for easier tracking.
Link: https://lkml.kernel.org/r/20230517190916.3429499-1-peterx@redhat.com
Link: https://lkml.kernel.org/r/20230517190916.3429499-2-peterx@redhat.com
Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs")
Signed-off-by: Peter Xu <peterx@redhat.com>
Reported-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[acsjakub: contextual change - keep call to mas_next()]
Cc: <linux-mm@kvack.org>
Signed-off-by: Jakub Acs <acsjakub@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/userfaultfd.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1426,6 +1426,9 @@ static int userfaultfd_register(struct u
if (prev != vma)
mas_next(&mas, ULONG_MAX);
+ if (vma->vm_start < start)
+ prev = vma;
+
ret = 0;
do {
cond_resched();
@@ -1603,6 +1606,9 @@ static int userfaultfd_unregister(struct
if (prev != vma)
mas_next(&mas, ULONG_MAX);
+ if (vma->vm_start < start)
+ prev = vma;
+
ret = 0;
do {
cond_resched();
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 002/508] tracing: Fix compilation warning on arm32
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 001/508] mm/uffd: fix vma operation where start addr cuts part of vma Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 003/508] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
` (506 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Pan Taixi,
Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pan Taixi <pantaixi@huaweicloud.com>
commit 2fbdb6d8e03b70668c0876e635506540ae92ab05 upstream.
On arm32, size_t is defined to be unsigned int, while PAGE_SIZE is
unsigned long. This hence triggers a compilation warning as min()
asserts the type of two operands to be equal. Casting PAGE_SIZE to size_t
solves this issue and works on other target architectures as well.
Compilation warning details:
kernel/trace/trace.c: In function 'tracing_splice_read_pipe':
./include/linux/minmax.h:20:28: warning: comparison of distinct pointer types lacks a cast
(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
^
./include/linux/minmax.h:26:4: note: in expansion of macro '__typecheck'
(__typecheck(x, y) && __no_side_effects(x, y))
^~~~~~~~~~~
...
kernel/trace/trace.c:6771:8: note: in expansion of macro 'min'
min((size_t)trace_seq_used(&iter->seq),
^~~
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250526013731.1198030-1-pantaixi@huaweicloud.com
Fixes: f5178c41bb43 ("tracing: Fix oob write in trace_seq_to_buffer()")
Reviewed-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Pan Taixi <pantaixi@huaweicloud.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -7050,7 +7050,7 @@ static ssize_t tracing_splice_read_pipe(
ret = trace_seq_to_buffer(&iter->seq,
page_address(spd.pages[i]),
min((size_t)trace_seq_used(&iter->seq),
- PAGE_SIZE));
+ (size_t)PAGE_SIZE));
if (ret < 0) {
__free_page(spd.pages[i]);
break;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 003/508] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 001/508] mm/uffd: fix vma operation where start addr cuts part of vma Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 002/508] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 004/508] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
` (505 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit 947c93eb29c2a581c0b0b6d5f21af3c2b7ff6d25 upstream.
The controller has two consecutive OUTPUT_VAL registers and both
holds output value for 32 GPIOs. Due to a missing adjustment, the
current code always uses the first register while setting the
output value whereas it should use the second one for GPIOs > 31.
Add the missing armada_37xx_update_reg() call to adjust the register
according to the 'offset' parameter of the function to fix the issue.
Cc: stable@vger.kernel.org
Fixes: 6702abb3bf23 ("pinctrl: armada-37xx: Fix direction_output() callback behavior")
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-1-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -419,6 +419,7 @@ static int armada_37xx_gpio_direction_ou
unsigned int offset, int value)
{
struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
+ unsigned int val_offset = offset;
unsigned int reg = OUTPUT_EN;
unsigned int mask, val, ret;
@@ -431,6 +432,8 @@ static int armada_37xx_gpio_direction_ou
return ret;
reg = OUTPUT_VAL;
+ armada_37xx_update_reg(®, &val_offset);
+
val = value ? mask : 0;
regmap_update_bits(info->regmap, reg, mask, val);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 004/508] pinctrl: armada-37xx: set GPIO output value before setting direction
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 003/508] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 005/508] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
` (504 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit e6ebd4942981f8ad37189bbb36a3c8495e21ef4c upstream.
Changing the direction before updating the output value in the
OUTPUT_VAL register may result in a glitch on the output line
if the previous value in the OUTPUT_VAL register is different
from the one we want to set.
In order to avoid that, update the output value before changing
the direction.
Cc: stable@vger.kernel.org
Fixes: 6702abb3bf23 ("pinctrl: armada-37xx: Fix direction_output() callback behavior")
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-2-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -419,23 +419,22 @@ static int armada_37xx_gpio_direction_ou
unsigned int offset, int value)
{
struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
- unsigned int val_offset = offset;
- unsigned int reg = OUTPUT_EN;
+ unsigned int en_offset = offset;
+ unsigned int reg = OUTPUT_VAL;
unsigned int mask, val, ret;
armada_37xx_update_reg(®, &offset);
mask = BIT(offset);
+ val = value ? mask : 0;
- ret = regmap_update_bits(info->regmap, reg, mask, mask);
-
+ ret = regmap_update_bits(info->regmap, reg, mask, val);
if (ret)
return ret;
- reg = OUTPUT_VAL;
- armada_37xx_update_reg(®, &val_offset);
+ reg = OUTPUT_EN;
+ armada_37xx_update_reg(®, &en_offset);
- val = value ? mask : 0;
- regmap_update_bits(info->regmap, reg, mask, val);
+ regmap_update_bits(info->regmap, reg, mask, mask);
return 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 005/508] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 004/508] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 006/508] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
` (503 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manu Bretelle, Gautham R. Shenoy,
Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
commit cb6a85f38f456b086c366e346ebb67ffa70c7243 upstream.
commit 083466754596 ("cpufreq: ACPI: Fix max-frequency computation")
modified get_max_boost_ratio() to return the nominal_freq advertised
in the _CPC object. This was for the purposes of computing the maximum
frequency. The frequencies advertised in _CPC objects are in
MHz. However, cpufreq expects the frequency to be in KHz. Since the
nominal_freq returned by get_max_boost_ratio() was not in KHz but
instead in MHz,the cpuinfo_max_frequency that was computed using this
nominal_freq was incorrect and an invalid value which resulted in
cpufreq reporting the P0 frequency as the cpuinfo_max_freq.
Fix this by converting the nominal_freq to KHz before returning the
same from get_max_boost_ratio().
Reported-by: Manu Bretelle <chantr4@gmail.com>
Closes: https://lore.kernel.org/lkml/aDaB63tDvbdcV0cg@HQ-GR2X1W2P57/
Fixes: 083466754596 ("cpufreq: ACPI: Fix max-frequency computation")
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Cc: 6.14+ <stable@vger.kernel.org> # 6.14+
Link: https://patch.msgid.link/20250529085143.709-1-gautham.shenoy@amd.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/acpi-cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cpufreq/acpi-cpufreq.c
+++ b/drivers/cpufreq/acpi-cpufreq.c
@@ -666,7 +666,7 @@ static u64 get_max_boost_ratio(unsigned
nominal_perf = perf_caps.nominal_perf;
if (nominal_freq)
- *nominal_freq = perf_caps.nominal_freq;
+ *nominal_freq = perf_caps.nominal_freq * 1000;
if (!highest_perf || !nominal_perf) {
pr_debug("CPU%d: highest or nominal performance missing\n", cpu);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 006/508] rtc: Make rtc_time64_to_tm() support dates before 1970
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 005/508] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 007/508] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
` (502 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Mergnat,
Uwe Kleine-König, Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Mergnat <amergnat@baylibre.com>
commit 7df4cfef8b351fec3156160bedfc7d6d29de4cce upstream.
Conversion of dates before 1970 is still relevant today because these
dates are reused on some hardwares to store dates bigger than the
maximal date that is representable in the device's native format.
This prominently and very soon affects the hardware covered by the
rtc-mt6397 driver that can only natively store dates in the interval
1900-01-01 up to 2027-12-31. So to store the date 2028-01-01 00:00:00
to such a device, rtc_time64_to_tm() must do the right thing for
time=-2208988800.
Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/20250428-enable-rtc-v4-1-2b2f7e3f9349@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/lib.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
--- a/drivers/rtc/lib.c
+++ b/drivers/rtc/lib.c
@@ -46,24 +46,38 @@ EXPORT_SYMBOL(rtc_year_days);
* rtc_time64_to_tm - converts time64_t to rtc_time.
*
* @time: The number of seconds since 01-01-1970 00:00:00.
- * (Must be positive.)
+ * Works for values since at least 1900
* @tm: Pointer to the struct rtc_time.
*/
void rtc_time64_to_tm(time64_t time, struct rtc_time *tm)
{
- unsigned int secs;
- int days;
+ int days, secs;
u64 u64tmp;
u32 u32tmp, udays, century, day_of_century, year_of_century, year,
day_of_year, month, day;
bool is_Jan_or_Feb, is_leap_year;
- /* time must be positive */
+ /*
+ * Get days and seconds while preserving the sign to
+ * handle negative time values (dates before 1970-01-01)
+ */
days = div_s64_rem(time, 86400, &secs);
+ /*
+ * We need 0 <= secs < 86400 which isn't given for negative
+ * values of time. Fixup accordingly.
+ */
+ if (secs < 0) {
+ days -= 1;
+ secs += 86400;
+ }
+
/* day of the week, 1970-01-01 was a Thursday */
tm->tm_wday = (days + 4) % 7;
+ /* Ensure tm_wday is always positive */
+ if (tm->tm_wday < 0)
+ tm->tm_wday += 7;
/*
* The following algorithm is, basically, Proposition 6.3 of Neri
@@ -93,7 +107,7 @@ void rtc_time64_to_tm(time64_t time, str
* thus, is slightly different from [1].
*/
- udays = ((u32) days) + 719468;
+ udays = days + 719468;
u32tmp = 4 * udays + 3;
century = u32tmp / 146097;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 007/508] rtc: Fix offset calculation for .start_secs < 0
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 006/508] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 008/508] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
` (501 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Mergnat,
Uwe Kleine-König, Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Mergnat <amergnat@baylibre.com>
commit fe9f5f96cfe8b82d0f24cbfa93718925560f4f8d upstream.
The comparison
rtc->start_secs > rtc->range_max
has a signed left-hand side and an unsigned right-hand side.
So the comparison might become true for negative start_secs which is
interpreted as a (possibly very large) positive value.
As a negative value can never be bigger than an unsigned value
the correct representation of the (mathematical) comparison
rtc->start_secs > rtc->range_max
in C is:
rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max
Use that to fix the offset calculation currently used in the
rtc-mt6397 driver.
Fixes: 989515647e783 ("rtc: Add one offset seconds to expand RTC range")
Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/20250428-enable-rtc-v4-2-2b2f7e3f9349@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/class.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/rtc/class.c
+++ b/drivers/rtc/class.c
@@ -323,7 +323,7 @@ static void rtc_device_get_offset(struct
*
* Otherwise the offset seconds should be 0.
*/
- if (rtc->start_secs > rtc->range_max ||
+ if ((rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max) ||
rtc->start_secs + range_secs - 1 < rtc->range_min)
rtc->offset_secs = rtc->start_secs - rtc->range_min;
else if (rtc->start_secs > rtc->range_min)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 008/508] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 007/508] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 009/508] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
` (500 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiayi Li, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayi Li <lijiayi@kylinos.cn>
commit 19f795591947596b5b9efa86fd4b9058e45786e9 upstream.
This device exhibits I/O errors during file transfers due to unstable
link power management (LPM) behavior. The kernel logs show repeated
warm resets and eventual disconnection when LPM is enabled:
[ 3467.810740] hub 2-0:1.0: state 7 ports 6 chg 0000 evt 0020
[ 3467.810740] usb usb2-port5: do warm reset
[ 3467.866444] usb usb2-port5: not warm reset yet, waiting 50ms
[ 3467.907407] sd 0:0:0:0: [sda] tag#12 sense submit err -19
[ 3467.994423] usb usb2-port5: status 02c0, change 0001, 10.0 Gb/s
[ 3467.994453] usb 2-5: USB disconnect, device number 4
The error -19 (ENODEV) occurs when the device disappears during write
operations. Adding USB_QUIRK_NO_LPM disables link power management
for this specific device, resolving the stability issues.
Signed-off-by: Jiayi Li <lijiayi@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250508055947.764538-1-lijiayi@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -372,6 +372,9 @@ static const struct usb_device_id usb_qu
/* SanDisk Corp. SanDisk 3.2Gen1 */
{ USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* SanDisk Extreme 55AE */
+ { USB_DEVICE(0x0781, 0x55ae), .driver_info = USB_QUIRK_NO_LPM },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 009/508] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 008/508] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 010/508] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
` (499 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
commit a541acceedf4f639f928f41fbb676b75946dc295 upstream.
SanDisk 3.2 Gen2 storage device(0781:55e8) doesn't work well with UAS.
Log says,
[ 6.507865][ 3] [ T159] usb 2-1.4: new SuperSpeed Gen 1 USB device number 4 using xhci_hcd
[ 6.540314][ 3] [ T159] usb 2-1.4: New USB device found, idVendor=0781, idProduct=55e8, bcdDevice= 0.01
[ 6.576304][ 3] [ T159] usb 2-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6.584727][ 3] [ T159] usb 2-1.4: Product: SanDisk 3.2 Gen2
[ 6.590459][ 3] [ T159] usb 2-1.4: Manufacturer: SanDisk
[ 6.595845][ 3] [ T159] usb 2-1.4: SerialNumber: 03021707022525140940
[ 7.230852][ 0] [ T265] usbcore: registered new interface driver usb-storage
[ 7.251247][ 0] [ T265] scsi host3: uas
[ 7.255280][ 0] [ T265] usbcore: registered new interface driver uas
[ 7.270498][ 1] [ T192] scsi 3:0:0:0: Direct-Access SanDisk Extreme Pro DDE1 0110 PQ: 0 ANSI: 6
[ 7.299588][ 3] [ T192] scsi 3:0:0:1: Enclosure SanDisk SES Device 0110 PQ: 0 ANSI: 6
[ 7.321681][ 3] [ T192] sd 3:0:0:0: Attached scsi generic sg1 type 0
[ 7.328185][ 3] [ T192] scsi 3:0:0:1: Attached scsi generic sg2 type 13
[ 7.328804][ 0] [ T191] sd 3:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/466 GiB)
[ 7.343486][ 0] [ T191] sd 3:0:0:0: [sda] 4096-byte physical blocks
[ 7.364611][ 0] [ T191] sd 3:0:0:0: [sda] Write Protect is off
[ 7.370524][ 0] [ T191] sd 3:0:0:0: [sda] Mode Sense: 3d 00 10 00
[ 7.390655][ 0] [ T191] sd 3:0:0:0: [sda] Write cache: enabled, read cache: enabled, supports DPO and FUA
[ 7.401363][ 0] [ T191] sd 3:0:0:0: [sda] Optimal transfer size 1048576 bytes
[ 7.436010][ 0] [ T191] sda: sda1
[ 7.450850][ 0] [ T191] sd 3:0:0:0: [sda] Attached SCSI disk
[ 7.470218][ 4] [ T262] scsi 3:0:0:1: Failed to get diagnostic page 0x1
[ 7.474869][ 0] [ C0] sd 3:0:0:0: [sda] tag#0 data cmplt err -75 uas-tag 2 inflight: CMD
[ 7.476911][ 4] [ T262] scsi 3:0:0:1: Failed to bind enclosure -19
[ 7.485330][ 0] [ C0] sd 3:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 28 00 00 10 00
[ 7.491593][ 4] [ T262] ses 3:0:0:1: Attached Enclosure device
[ 38.066980][ 4] [ T192] sd 3:0:0:0: [sda] tag#4 uas_eh_abort_handler 0 uas-tag 5 inflight: CMD IN
[ 38.076012][ 4] [ T192] sd 3:0:0:0: [sda] tag#4 CDB: Read(10) 28 00 00 00 01 08 00 00 f8 00
[ 38.086485][ 4] [ T192] sd 3:0:0:0: [sda] tag#3 uas_eh_abort_handler 0 uas-tag 1 inflight: CMD IN
[ 38.095515][ 4] [ T192] sd 3:0:0:0: [sda] tag#3 CDB: Read(10) 28 00 00 00 00 10 00 00 08 00
[ 38.104122][ 4] [ T192] sd 3:0:0:0: [sda] tag#2 uas_eh_abort_handler 0 uas-tag 4 inflight: CMD IN
[ 38.113152][ 4] [ T192] sd 3:0:0:0: [sda] tag#2 CDB: Read(10) 28 00 00 00 00 88 00 00 78 00
[ 38.121761][ 4] [ T192] sd 3:0:0:0: [sda] tag#1 uas_eh_abort_handler 0 uas-tag 3 inflight: CMD IN
[ 38.130791][ 4] [ T192] sd 3:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 48 00 00 30 00
[ 38.139401][ 4] [ T192] sd 3:0:0:0: [sda] tag#0 uas_eh_abort_handler 0 uas-tag 2 inflight: CMD
[ 38.148170][ 4] [ T192] sd 3:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 28 00 00 10 00
[ 38.178980][ 2] [ T304] scsi host3: uas_eh_device_reset_handler start
[ 38.901540][ 2] [ T304] usb 2-1.4: reset SuperSpeed Gen 1 USB device number 4 using xhci_hcd
[ 38.936791][ 2] [ T304] scsi host3: uas_eh_device_reset_handler success
Device decriptor is below,
Bus 002 Device 006: ID 0781:55e8 SanDisk Corp. SanDisk 3.2 Gen2
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 3.20
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 9
idVendor 0x0781 SanDisk Corp.
idProduct 0x55e8
bcdDevice 0.01
iManufacturer 1 SanDisk
iProduct 2 SanDisk 3.2 Gen2
iSerial 3 03021707022525140940
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0079
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 896mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 1
bNumEndpoints 4
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 98
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Command pipe (0x01)
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
MaxStreams 32
Status pipe (0x02)
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
MaxStreams 32
Data-in pipe (0x03)
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
MaxStreams 32
Data-out pipe (0x04)
Binary Object Store Descriptor:
bLength 5
bDescriptorType 15
wTotalLength 0x002a
bNumDeviceCaps 3
USB 2.0 Extension Device Capability:
bLength 7
bDescriptorType 16
bDevCapabilityType 2
bmAttributes 0x0000f41e
BESL Link Power Management (LPM) Supported
BESL value 1024 us
Deep BESL value 61440 us
SuperSpeed USB Device Capability:
bLength 10
bDescriptorType 16
bDevCapabilityType 3
bmAttributes 0x00
wSpeedsSupported 0x000e
Device can operate at Full Speed (12Mbps)
Device can operate at High Speed (480Mbps)
Device can operate at SuperSpeed (5Gbps)
bFunctionalitySupport 1
Lowest fully-functional device speed is Full Speed (12Mbps)
bU1DevExitLat 10 micro seconds
bU2DevExitLat 2047 micro seconds
SuperSpeedPlus USB Device Capability:
bLength 20
bDescriptorType 16
bDevCapabilityType 10
bmAttributes 0x00000001
Sublink Speed Attribute count 1
Sublink Speed ID count 0
wFunctionalitySupport 0x1100
bmSublinkSpeedAttr[0] 0x000a4030
Speed Attribute ID: 0 10Gb/s Symmetric RX SuperSpeedPlus
bmSublinkSpeedAttr[1] 0x000a40b0
Speed Attribute ID: 0 10Gb/s Symmetric TX SuperSpeedPlus
Device Status: 0x0000
(Bus Powered)
So ignore UAS driver for this device.
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250519023328.1498856-1-xiehongyu1@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -52,6 +52,13 @@ UNUSUAL_DEV(0x059f, 0x1061, 0x0000, 0x99
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_REPORT_OPCODES | US_FL_NO_SAME),
+/* Reported-by: Zhihong Zhou <zhouzhihong@greatwall.com.cn> */
+UNUSUAL_DEV(0x0781, 0x55e8, 0x0000, 0x9999,
+ "SanDisk",
+ "",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_UAS),
+
/* Reported-by: Hongling Zeng <zenghongling@kylinos.cn> */
UNUSUAL_DEV(0x090c, 0x2000, 0x0000, 0x9999,
"Hiksemi",
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 010/508] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 009/508] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 011/508] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
` (498 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Yeh, Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Yeh <charlesyeh522@gmail.com>
commit d3a889482bd5abf2bbdc1ec3d2d49575aa160c9c upstream.
Add new bcd (0x905) to support PL2303GT-2AB (TYPE_HXN).
Add new bcd (0x1005) to support PL2303GC-Q20 (TYPE_HXN).
Signed-off-by: Charles Yeh <charlesyeh522@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/pl2303.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -457,6 +457,8 @@ static int pl2303_detect_type(struct usb
case 0x605:
case 0x700: /* GR */
case 0x705:
+ case 0x905: /* GT-2AB */
+ case 0x1005: /* GC-Q20 */
return TYPE_HXN;
}
break;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 011/508] Bluetooth: hci_qca: move the SoC type check to the right place
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 010/508] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 012/508] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
` (497 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski,
Krzysztof Kozlowski, Hsin-chen Chuang, Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit 0fb410c914eb03c7e9d821e26d03bac0a239e5db upstream.
Commit 3d05fc82237a ("Bluetooth: qca: set power_ctrl_enabled on NULL
returned by gpiod_get_optional()") accidentally changed the prevous
behavior where power control would be disabled without the BT_EN GPIO
only on QCA_WCN6750 and QCA_WCN6855 while also getting the error check
wrong. We should treat every IS_ERR() return value from
devm_gpiod_get_optional() as a reason to bail-out while we should only
set power_ctrl_enabled to false on the two models mentioned above. While
at it: use dev_err_probe() to save a LOC.
Cc: stable@vger.kernel.org
Fixes: 3d05fc82237a ("Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Hsin-chen Chuang <chharry@chromium.org>
Reviewed-by: Hsin-chen Chuang <chharry@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_qca.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2263,14 +2263,14 @@ static int qca_serdev_probe(struct serde
qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
GPIOD_OUT_LOW);
- if (IS_ERR(qcadev->bt_en) &&
- (data->soc_type == QCA_WCN6750 ||
- data->soc_type == QCA_WCN6855)) {
- dev_err(&serdev->dev, "failed to acquire BT_EN gpio\n");
- return PTR_ERR(qcadev->bt_en);
- }
+ if (IS_ERR(qcadev->bt_en))
+ return dev_err_probe(&serdev->dev,
+ PTR_ERR(qcadev->bt_en),
+ "failed to acquire BT_EN gpio\n");
- if (!qcadev->bt_en)
+ if (!qcadev->bt_en &&
+ (data->soc_type == QCA_WCN6750 ||
+ data->soc_type == QCA_WCN6855))
power_ctrl_enabled = false;
qcadev->sw_ctrl = devm_gpiod_get_optional(&serdev->dev, "swctrl",
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 012/508] usb: usbtmc: Fix timeout value in get_stb
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 011/508] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 013/508] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
` (496 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Penkler
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Penkler <dpenkler@gmail.com>
commit 342e4955a1f1ce28c70a589999b76365082dbf10 upstream.
wait_event_interruptible_timeout requires a timeout argument
in units of jiffies. It was being called in usbtmc_get_stb
with the usb timeout value which is in units of milliseconds.
Pass the timeout argument converted to jiffies.
Fixes: 048c6d88a021 ("usb: usbtmc: Add ioctls to set/get usb timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250521121656.18174-4-dpenkler@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -483,6 +483,7 @@ static int usbtmc_get_stb(struct usbtmc_
u8 tag;
int rv;
long wait_rv;
+ unsigned long expire;
dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n",
data->iin_ep_present);
@@ -512,10 +513,11 @@ static int usbtmc_get_stb(struct usbtmc_
}
if (data->iin_ep_present) {
+ expire = msecs_to_jiffies(file_data->timeout);
wait_rv = wait_event_interruptible_timeout(
data->waitq,
atomic_read(&data->iin_data_valid) != 0,
- file_data->timeout);
+ expire);
if (wait_rv < 0) {
dev_dbg(dev, "wait interrupted %ld\n", wait_rv);
rv = wait_rv;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 013/508] thunderbolt: Do not double dequeue a configuration request
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 012/508] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 014/508] gfs2: gfs2_create_inode error handling fix Greg Kroah-Hartman
` (495 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky, Mika Westerberg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Senozhatsky <senozhatsky@chromium.org>
commit 0f73628e9da1ee39daf5f188190cdbaee5e0c98c upstream.
Some of our devices crash in tb_cfg_request_dequeue():
general protection fault, probably for non-canonical address 0xdead000000000122
CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65
RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0
Call Trace:
<TASK>
? tb_cfg_request_dequeue+0x2d/0xa0
tb_cfg_request_work+0x33/0x80
worker_thread+0x386/0x8f0
kthread+0xed/0x110
ret_from_fork+0x38/0x50
ret_from_fork_asm+0x1b/0x30
The circumstances are unclear, however, the theory is that
tb_cfg_request_work() can be scheduled twice for a request:
first time via frame.callback from ring_work() and second
time from tb_cfg_request(). Both times kworkers will execute
tb_cfg_request_dequeue(), which results in double list_del()
from the ctl->request_queue (the list poison deference hints
at it: 0xdead000000000122).
Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE
bit set.
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/ctl.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/thunderbolt/ctl.c
+++ b/drivers/thunderbolt/ctl.c
@@ -143,6 +143,11 @@ static void tb_cfg_request_dequeue(struc
struct tb_ctl *ctl = req->ctl;
mutex_lock(&ctl->request_queue_lock);
+ if (!test_bit(TB_CFG_REQUEST_ACTIVE, &req->flags)) {
+ mutex_unlock(&ctl->request_queue_lock);
+ return;
+ }
+
list_del(&req->list);
clear_bit(TB_CFG_REQUEST_ACTIVE, &req->flags);
if (test_bit(TB_CFG_REQUEST_CANCELED, &req->flags))
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 014/508] gfs2: gfs2_create_inode error handling fix
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 013/508] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
@ 2025-06-23 13:00 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 015/508] perf/core: Fix broken throttling when max_samples_per_tick=1 Greg Kroah-Hartman
` (494 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ]
When gfs2_create_inode() finds a directory, make sure to return -EISDIR.
Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 04fc3e72a96e4..06629aeefbe6f 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -631,7 +631,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
if (!IS_ERR(inode)) {
if (S_ISDIR(inode->i_mode)) {
iput(inode);
- inode = ERR_PTR(-EISDIR);
+ inode = NULL;
+ error = -EISDIR;
goto fail_gunlock;
}
d_instantiate(dentry, inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 015/508] perf/core: Fix broken throttling when max_samples_per_tick=1
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-06-23 13:00 ` [PATCH 6.1 014/508] gfs2: gfs2_create_inode error handling fix Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 016/508] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Greg Kroah-Hartman
` (493 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qing Wang, Peter Zijlstra (Intel),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qing Wang <wangqing7171@gmail.com>
[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ]
According to the throttling mechanism, the pmu interrupts number can not
exceed the max_samples_per_tick in one tick. But this mechanism is
ineffective when max_samples_per_tick=1, because the throttling check is
skipped during the first interrupt and only performed when the second
interrupt arrives.
Perhaps this bug may cause little influence in one tick, but if in a
larger time scale, the problem can not be underestimated.
When max_samples_per_tick = 1:
Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH
200 100 100 X86
500 250 250 ARM64
...
Obviously, the pmu interrupt number far exceed the user's expect.
Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 552bb00bfceb0..3544f26b58060 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9359,14 +9359,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
hwc->interrupts = 1;
} else {
hwc->interrupts++;
- if (unlikely(throttle &&
- hwc->interrupts > max_samples_per_tick)) {
- __this_cpu_inc(perf_throttled_count);
- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
- hwc->interrupts = MAX_INTERRUPTS;
- perf_log_throttle(event, 0);
- ret = 1;
- }
+ }
+
+ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) {
+ __this_cpu_inc(perf_throttled_count);
+ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+ hwc->interrupts = MAX_INTERRUPTS;
+ perf_log_throttle(event, 0);
+ ret = 1;
}
if (event->attr.freq) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 016/508] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 015/508] perf/core: Fix broken throttling when max_samples_per_tick=1 Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 017/508] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Greg Kroah-Hartman
` (492 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
[ Upstream commit f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 ]
Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():
1] If dma_map_sg() fails for areq->dst, the device driver would try to free
DMA memory it has not allocated in the first place. To fix this, on the
"theend_sgs" error path, call dma unmap only if the corresponding dma
map was successful.
2] If the dma_map_single() call for the IV fails, the device driver would
try to free an invalid DMA memory address on the "theend_iv" path:
------------[ cut here ]------------
DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address
WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90
Modules linked in: skcipher_example(O+)
CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT
Tainted: [O]=OOT_MODULE
Hardware name: OrangePi Zero2 (DT)
pc : check_unmap+0x123c/0x1b90
lr : check_unmap+0x123c/0x1b90
...
Call trace:
check_unmap+0x123c/0x1b90 (P)
debug_dma_unmap_page+0xac/0xc0
dma_unmap_page_attrs+0x1f4/0x5fc
sun8i_ce_cipher_do_one+0x1bd4/0x1f40
crypto_pump_work+0x334/0x6e0
kthread_worker_fn+0x21c/0x438
kthread+0x374/0x664
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
To fix this, check for !dma_mapping_error() before calling
dma_unmap_single() on the "theend_iv" path.
Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
index 74b4e910a38d7..4c6afc7367235 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
@@ -270,13 +270,16 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req
} else {
if (nr_sgs > 0)
dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
- dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
+
+ if (nr_sgd > 0)
+ dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
}
theend_iv:
if (areq->iv && ivsize > 0) {
- if (rctx->addr_iv)
+ if (!dma_mapping_error(ce->dev, rctx->addr_iv))
dma_unmap_single(ce->dev, rctx->addr_iv, rctx->ivlen, DMA_TO_DEVICE);
+
offset = areq->cryptlen - ivsize;
if (rctx->op_dir & CE_DECRYPTION) {
memcpy(areq->iv, chan->backup_iv, ivsize);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 017/508] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 016/508] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 018/508] powerpc/crash: Fix non-smp kexec preparation Greg Kroah-Hartman
` (491 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Corentin Labbe, Herbert Xu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corentin Labbe <clabbe.montjoie@gmail.com>
[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ]
When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto
selftests.
This is strange since on sunxi_defconfig, everything was ok.
The problem was in the IV setup loop which never run because sg_dma_len
was 0.
Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
index e97fb203690ae..5a864a71efa11 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
@@ -136,7 +136,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
/* we need to copy all IVs from source in case DMA is bi-directionnal */
while (sg && len) {
- if (sg_dma_len(sg) == 0) {
+ if (sg->length == 0) {
sg = sg_next(sg);
continue;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 018/508] powerpc/crash: Fix non-smp kexec preparation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 017/508] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 019/508] x86/cpu: Sanitize CPUID(0x80000000) output Greg Kroah-Hartman
` (490 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eddie James, Hari Bathini,
Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eddie James <eajames@linux.ibm.com>
[ Upstream commit 882b25af265de8e05c66f72b9a29f6047102958f ]
In non-smp configurations, crash_kexec_prepare is never called in
the crash shutdown path. One result of this is that the crashing_cpu
variable is never set, preventing crash_save_cpu from storing the
NT_PRSTATUS elf note in the core dump.
Fixes: c7255058b543 ("powerpc/crash: save cpu register data in crash_smp_send_stop()")
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250211162054.857762-1-eajames@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/crash.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index 252724ed666a3..14abe7046cd74 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c
@@ -356,7 +356,10 @@ void default_machine_crash_shutdown(struct pt_regs *regs)
if (TRAP(regs) == INTERRUPT_SYSTEM_RESET)
is_via_system_reset = 1;
- crash_smp_send_stop();
+ if (IS_ENABLED(CONFIG_SMP))
+ crash_smp_send_stop();
+ else
+ crash_kexec_prepare();
crash_save_cpu(regs, crashing_cpu);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 019/508] x86/cpu: Sanitize CPUID(0x80000000) output
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 018/508] powerpc/crash: Fix non-smp kexec preparation Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 020/508] crypto: marvell/cesa - Handle zero-length skcipher requests Greg Kroah-Hartman
` (489 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed S. Darwish, Ingo Molnar,
Andrew Cooper, H. Peter Anvin, John Ogness, x86-cpuid,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed S. Darwish <darwi@linutronix.de>
[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ]
CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On
x86-32 machines without an extended CPUID range, a CPUID(0x80000000)
query will just repeat the output of the last valid standard CPUID leaf
on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against
this by doing:
eax = cpuid_eax(0x80000000);
c->extended_cpuid_level = eax;
if ((eax & 0xffff0000) == 0x80000000) {
// CPU has an extended CPUID range. Check for 0x80000001
if (eax >= 0x80000001) {
cpuid(0x80000001, ...);
}
}
This is correct so far. Afterwards though, the same possibly broken EAX
value is used to check the availability of other extended CPUID leaves:
if (c->extended_cpuid_level >= 0x80000007)
...
if (c->extended_cpuid_level >= 0x80000008)
...
if (c->extended_cpuid_level >= 0x8000000a)
...
if (c->extended_cpuid_level >= 0x8000001f)
...
which is invalid. Fix this by immediately setting the CPU's max extended
CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid
CPUID extended range.
While at it, add a comment, similar to kernel/head_32.S, clarifying the
CPUID(0x80000000) sanity check.
References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX")
Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit")
Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: John Ogness <john.ogness@linutronix.de>
Cc: x86-cpuid@lists.linux.dev
Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/common.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 48cc1612df49f..722eac51beae6 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1045,17 +1045,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
c->x86_capability[CPUID_D_1_EAX] = eax;
}
- /* AMD-defined flags: level 0x80000001 */
+ /*
+ * Check if extended CPUID leaves are implemented: Max extended
+ * CPUID leaf must be in the 0x80000001-0x8000ffff range.
+ */
eax = cpuid_eax(0x80000000);
- c->extended_cpuid_level = eax;
+ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0;
- if ((eax & 0xffff0000) == 0x80000000) {
- if (eax >= 0x80000001) {
- cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
+ if (c->extended_cpuid_level >= 0x80000001) {
+ cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
- c->x86_capability[CPUID_8000_0001_ECX] = ecx;
- c->x86_capability[CPUID_8000_0001_EDX] = edx;
- }
+ c->x86_capability[CPUID_8000_0001_ECX] = ecx;
+ c->x86_capability[CPUID_8000_0001_EDX] = edx;
}
if (c->extended_cpuid_level >= 0x80000007) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 020/508] crypto: marvell/cesa - Handle zero-length skcipher requests
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 019/508] x86/cpu: Sanitize CPUID(0x80000000) output Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 021/508] crypto: marvell/cesa - Avoid empty transfer descriptor Greg Kroah-Hartman
` (488 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ]
Do not access random memory for zero-length skcipher requests.
Just return 0.
Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/marvell/cesa/cipher.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
index 0f37dfd42d850..3876e3ce822f4 100644
--- a/drivers/crypto/marvell/cesa/cipher.c
+++ b/drivers/crypto/marvell/cesa/cipher.c
@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req,
struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
struct mv_cesa_engine *engine;
+ if (!req->cryptlen)
+ return 0;
+
ret = mv_cesa_skcipher_req_init(req, tmpl);
if (ret)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 021/508] crypto: marvell/cesa - Avoid empty transfer descriptor
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 020/508] crypto: marvell/cesa - Handle zero-length skcipher requests Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 022/508] crypto: lrw - Only add ecb if it is not already there Greg Kroah-Hartman
` (487 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ]
The user may set req->src even if req->nbytes == 0. If there
is no data to hash from req->src, do not generate an empty TDMA
descriptor.
Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/marvell/cesa/hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
index 84c1065092796..72b0f863dee07 100644
--- a/drivers/crypto/marvell/cesa/hash.c
+++ b/drivers/crypto/marvell/cesa/hash.c
@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req)
if (ret)
goto err_free_tdma;
- if (iter.src.sg) {
+ if (iter.base.len > iter.src.op_offset) {
/*
* Add all the new data, inserting an operation block and
* launch command between each full SRAM block-worth of
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 022/508] crypto: lrw - Only add ecb if it is not already there
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 021/508] crypto: marvell/cesa - Avoid empty transfer descriptor Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 023/508] crypto: xts " Greg Kroah-Hartman
` (486 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Herbert Xu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ]
Only add ecb to the cipher name if it isn't already ecb.
Also use memcmp instead of strncmp since these strings are all
stored in an array of length CRYPTO_MAX_ALG_NAME.
Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/lrw.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/lrw.c b/crypto/lrw.c
index fb8892ed179f5..99d9eb67e1827 100644
--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst),
cipher_name, 0, mask);
- if (err == -ENOENT) {
+ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
err = -ENAMETOOLONG;
if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
cipher_name) >= CRYPTO_MAX_ALG_NAME)
@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
/* Alas we screwed up the naming so we have to mangle the
* cipher name.
*/
- if (!strncmp(cipher_name, "ecb(", 4)) {
+ if (!memcmp(cipher_name, "ecb(", 4)) {
int len;
len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name));
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 023/508] crypto: xts - Only add ecb if it is not already there
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 022/508] crypto: lrw - Only add ecb if it is not already there Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 024/508] crypto: sun8i-ce - move fallback ahash_request to the end of the struct Greg Kroah-Hartman
` (485 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ]
Only add ecb to the cipher name if it isn't already ecb.
Also use memcmp instead of strncmp since these strings are all
stored in an array of length CRYPTO_MAX_ALG_NAME.
Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/xts.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/xts.c b/crypto/xts.c
index b05020657cdc8..1972f40333f04 100644
--- a/crypto/xts.c
+++ b/crypto/xts.c
@@ -361,7 +361,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst),
cipher_name, 0, mask);
- if (err == -ENOENT) {
+ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
err = -ENAMETOOLONG;
if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
cipher_name) >= CRYPTO_MAX_ALG_NAME)
@@ -395,7 +395,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
/* Alas we screwed up the naming so we have to mangle the
* cipher name.
*/
- if (!strncmp(cipher_name, "ecb(", 4)) {
+ if (!memcmp(cipher_name, "ecb(", 4)) {
int len;
len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name));
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 024/508] crypto: sun8i-ce - move fallback ahash_request to the end of the struct
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 023/508] crypto: xts " Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 025/508] ASoC: tas2764: Enable main IRQs Greg Kroah-Hartman
` (484 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ]
'struct ahash_request' has a flexible array at the end, so it must be the
last member in a struct, to avoid overwriting other struct members.
Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx'
struct.
Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
index 8177aaba44349..a1658722d886d 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
@@ -297,8 +297,8 @@ struct sun8i_ce_hash_tfm_ctx {
* @flow: the flow to use for this request
*/
struct sun8i_ce_hash_reqctx {
- struct ahash_request fallback_req;
int flow;
+ struct ahash_request fallback_req; // keep at the end
};
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 025/508] ASoC: tas2764: Enable main IRQs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 024/508] crypto: sun8i-ce - move fallback ahash_request to the end of the struct Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 026/508] EDAC/skx_common: Fix general protection fault Greg Kroah-Hartman
` (483 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Gompa, Hector Martin,
James Calligeros, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit dd50f0e38563f15819059c923bf142200453e003 ]
IRQ handling was added in commit dae191fb957f ("ASoC: tas2764: Add IRQ
handling") however that same commit masks all interrupts coming from
the chip. Unmask the "main" interrupts so that we can see and
deal with a number of errors including clock, voltage, and current.
Fixes: dae191fb957f ("ASoC: tas2764: Add IRQ handling")
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-4-50a00ec850a3@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2764.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
index 10f0f07b90ff2..8baf92abcf000 100644
--- a/sound/soc/codecs/tas2764.c
+++ b/sound/soc/codecs/tas2764.c
@@ -542,7 +542,7 @@ static int tas2764_codec_probe(struct snd_soc_component *component)
tas2764_reset(tas2764);
if (tas2764->irq) {
- ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0xff);
+ ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0x00);
if (ret < 0)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 026/508] EDAC/skx_common: Fix general protection fault
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 025/508] ASoC: tas2764: Enable main IRQs Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 027/508] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
` (482 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Xu, Qiuxu Zhuo, Tony Luck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ]
After loading i10nm_edac (which automatically loads skx_edac_common), if
unload only i10nm_edac, then reload it and perform error injection testing,
a general protection fault may occur:
mce: [Hardware Error]: Machine check events logged
Oops: general protection fault ...
...
Workqueue: events mce_gen_pool_process
RIP: 0010:string+0x53/0xe0
...
Call Trace:
<TASK>
? die_addr+0x37/0x90
? exc_general_protection+0x1e7/0x3f0
? asm_exc_general_protection+0x26/0x30
? string+0x53/0xe0
vsnprintf+0x23e/0x4c0
snprintf+0x4d/0x70
skx_adxl_decode+0x16a/0x330 [skx_edac_common]
skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]
skx_mce_check_error+0x17/0x20 [skx_edac_common]
...
The issue arose was because the variable 'adxl_component_count' (inside
skx_edac_common), which counts the ADXL components, was not reset. During
the reloading of i10nm_edac, the count was incremented by the actual number
of ADXL components again, resulting in a count that was double the real
number of ADXL components. This led to an out-of-bounds reference to the
ADXL component array, causing the general protection fault above.
Fix this issue by resetting the 'adxl_component_count' in adxl_put(),
which is called during the unloading of {skx,i10nm}_edac.
Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module")
Reported-by: Feng Xu <feng.f.xu@intel.com>
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: Feng Xu <feng.f.xu@intel.com>
Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/skx_common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
index e218909f9f9e8..c11870ac1b3c7 100644
--- a/drivers/edac/skx_common.c
+++ b/drivers/edac/skx_common.c
@@ -114,6 +114,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get);
void skx_adxl_put(void)
{
+ adxl_component_count = 0;
kfree(adxl_values);
kfree(adxl_msg);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 027/508] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 026/508] EDAC/skx_common: Fix general protection fault Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 028/508] spi: tegra210-quad: remove redundant error handling code Greg Kroah-Hartman
` (481 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit dcb06c638a1174008a985849fa30fc0da7d08904 ]
This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4
macros to properly encode the bus width for x1, x2, and x4 transfers.
Although these macros were previously incorrect, they were not being
used in the driver, so no functionality was affected.
The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config()
function calls to use the actual bus width from the transfer, instead of
hardcoding it to 0 (which implied x1 mode). This change enables proper
support for x1, x2, and x4 data transfers by correctly configuring the
interface width for commands and addresses.
These modifications improve the QSPI driver's flexibility and prepare it
for future use cases that may require different bus widths for commands
and addresses.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index 442d42130ec87..b84dc830c4333 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -135,7 +135,7 @@
#define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0)
#define QSPI_CMB_SEQ_CMD_CFG 0x1a0
-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
#define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13)
#define QSPI_COMMAND_SDR_DDR BIT(12)
#define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0)
@@ -147,7 +147,7 @@
#define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0)
#define QSPI_CMB_SEQ_ADDR_CFG 0x1ac
-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
#define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13)
#define QSPI_ADDRESS_SDR_DDR BIT(12)
#define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0)
@@ -1035,10 +1035,6 @@ static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len)
{
u32 addr_config = 0;
- /* Extract Address configuration and value */
- is_ddr = 0; //Only SDR mode supported
- bus_width = 0; //X1 mode
-
if (is_ddr)
addr_config |= QSPI_ADDRESS_SDR_DDR;
else
@@ -1072,13 +1068,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
switch (transfer_phase) {
case CMD_TRANSFER:
/* X1 SDR mode */
- cmd_config = tegra_qspi_cmd_config(false, 0,
+ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits,
xfer->len);
cmd_value = *((const u8 *)(xfer->tx_buf));
break;
case ADDR_TRANSFER:
/* X1 SDR mode */
- addr_config = tegra_qspi_addr_config(false, 0,
+ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits,
xfer->len);
address_value = *((const u32 *)(xfer->tx_buf));
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 028/508] spi: tegra210-quad: remove redundant error handling code
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 027/508] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 029/508] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
` (480 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit 400d9f1a27cc2fceabdb1ed93eaf0b89b6d32ba5 ]
Remove unnecessary error handling code that terminated transfers and
executed delay on errors. This code was redundant as error handling is
already done at a higher level in the SPI core.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-3-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index b84dc830c4333..d09e0b9ac18c4 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -1168,10 +1168,6 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
exit:
msg->status = ret;
- if (ret < 0) {
- tegra_qspi_transfer_end(spi);
- spi_transfer_delay_exec(xfer);
- }
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 029/508] spi: tegra210-quad: modify chip select (CS) deactivation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 028/508] spi: tegra210-quad: remove redundant error handling code Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 030/508] power: reset: at91-reset: Optimize at91_reset() Greg Kroah-Hartman
` (479 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ]
Modify the chip select (CS) deactivation and inter-transfer delay
execution only during the DATA_TRANSFER phase when the cs_change
flag is not set. This ensures proper CS handling and timing between
transfers while eliminating redundant operations.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index d09e0b9ac18c4..f2a4743efcb47 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -1152,16 +1152,16 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
ret = -EIO;
goto exit;
}
- if (!xfer->cs_change) {
- tegra_qspi_transfer_end(spi);
- spi_transfer_delay_exec(xfer);
- }
break;
default:
ret = -EINVAL;
goto exit;
}
msg->actual_length += xfer->len;
+ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) {
+ tegra_qspi_transfer_end(spi);
+ spi_transfer_delay_exec(xfer);
+ }
transfer_phase++;
}
ret = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 030/508] power: reset: at91-reset: Optimize at91_reset()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 029/508] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 031/508] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Greg Kroah-Hartman
` (478 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shiyan, Alexandre Belloni,
Sebastian Reichel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shiyan <eagle.alexander923@gmail.com>
[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ]
This patch adds a small optimization to the low-level at91_reset()
function, which includes:
- Removes the extra branch, since the following store operations
already have proper condition checks.
- Removes the definition of the clobber register r4, since it is
no longer used in the code.
Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic")
Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/reset/at91-reset.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
index 741e44a017c3f..f47346a0f099f 100644
--- a/drivers/power/reset/at91-reset.c
+++ b/drivers/power/reset/at91-reset.c
@@ -128,12 +128,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
" str %4, [%0, %6]\n\t"
/* Disable SDRAM1 accesses */
"1: tst %1, #0\n\t"
- " beq 2f\n\t"
" strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t"
/* Power down SDRAM1 */
" strne %4, [%1, %6]\n\t"
/* Reset CPU */
- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
+ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
" b .\n\t"
:
@@ -144,7 +143,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
"r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN),
"r" (reset->data->reset_args),
"r" (reset->ramc_lpr)
- : "r4");
+ );
return NOTIFY_DONE;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 031/508] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 030/508] power: reset: at91-reset: Optimize at91_reset() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 032/508] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Greg Kroah-Hartman
` (477 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ]
pm_show_wakelocks() is called to generate a string when showing
attributes /sys/power/wake_(lock|unlock), but the string ends
with an unwanted space that was added back by mistake by commit
c9d967b2ce40 ("PM: wakeup: simplify the output logic of
pm_show_wakelocks()").
Remove the unwanted space.
Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()")
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/wakelock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
index 52571dcad768b..4e941999a53ba 100644
--- a/kernel/power/wakelock.c
+++ b/kernel/power/wakelock.c
@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
len += sysfs_emit_at(buf, len, "%s ", wl->name);
}
+ if (len > 0)
+ --len;
+
len += sysfs_emit_at(buf, len, "\n");
mutex_unlock(&wakelocks_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 032/508] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 031/508] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 033/508] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Greg Kroah-Hartman
` (476 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiaqing Zhao, Borislav Petkov (AMD),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ]
When suspending, save_processor_state() calls mtrr_save_fixed_ranges()
to save fixed-range MTRRs.
On platforms without fixed-range MTRRs like the ACRN hypervisor which
has removed fixed-range MTRR emulation, accessing these MSRs will
trigger an unchecked MSR access error. Make sure fixed-range MTRRs are
supported before access to prevent such error.
Since mtrr_state.have_fixed is only set when MTRRs are present and
enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is
unnecessary.
Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending")
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
index 558108296f3cf..31549e7f6b7c6 100644
--- a/arch/x86/kernel/cpu/mtrr/generic.c
+++ b/arch/x86/kernel/cpu/mtrr/generic.c
@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs)
void mtrr_save_fixed_ranges(void *info)
{
- if (boot_cpu_has(X86_FEATURE_MTRR))
+ if (mtrr_state.have_fixed)
get_fixed_ranges(mtrr_state.fixed_ranges);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 033/508] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 032/508] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 034/508] spi: sh-msiof: Fix maximum DMA transfer size Greg Kroah-Hartman
` (475 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ]
As specified in section 5.7.2 of the ACPI specification the feature
group string "3.0 _SCP Extensions" implies that the operating system
evaluates the _SCP control method with additional parameters.
However the ACPI thermal driver evaluates the _SCP control method
without those additional parameters, conflicting with the above
feature group string advertised to the firmware thru _OSI.
Stop advertising support for this feature string to avoid confusing
the ACPI firmware.
Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
index d4405e1ca9b97..ae9620757865b 100644
--- a/drivers/acpi/osi.c
+++ b/drivers/acpi/osi.c
@@ -42,7 +42,6 @@ static struct acpi_osi_entry
osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = {
{"Module Device", true},
{"Processor Device", true},
- {"3.0 _SCP Extensions", true},
{"Processor Aggregator Device", true},
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 034/508] spi: sh-msiof: Fix maximum DMA transfer size
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 033/508] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 035/508] ASoC: apple: mca: Constrain channels according to TDM mask Greg Kroah-Hartman
` (474 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ]
The maximum amount of data to transfer in a single DMA request is
calculated from the FIFO sizes (which is technically not 100% correct,
but a simplification, as it is limited by the maximum word count values
in the Transmit and Control Data Registers). However, in case there is
both data to transmit and to receive, the transmit limit is overwritten
by the receive limit.
Fix this by using the minimum applicable FIFO size instead. Move the
calculation outside the loop, so it is not repeated for each individual
DMA transfer.
As currently tx_fifo_size is always equal to rx_fifo_size, this bug had
no real impact.
Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-sh-msiof.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
index ec3a4939ee984..374697b2d6061 100644
--- a/drivers/spi/spi-sh-msiof.c
+++ b/drivers/spi/spi-sh-msiof.c
@@ -919,6 +919,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
void *rx_buf = t->rx_buf;
unsigned int len = t->len;
unsigned int bits = t->bits_per_word;
+ unsigned int max_wdlen = 256;
unsigned int bytes_per_word;
unsigned int words;
int n;
@@ -932,17 +933,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
if (!spi_controller_is_slave(p->ctlr))
sh_msiof_spi_set_clk_regs(p, t);
+ if (tx_buf)
+ max_wdlen = min(max_wdlen, p->tx_fifo_size);
+ if (rx_buf)
+ max_wdlen = min(max_wdlen, p->rx_fifo_size);
+
while (ctlr->dma_tx && len > 15) {
/*
* DMA supports 32-bit words only, hence pack 8-bit and 16-bit
* words, with byte resp. word swapping.
*/
- unsigned int l = 0;
-
- if (tx_buf)
- l = min(round_down(len, 4), p->tx_fifo_size * 4);
- if (rx_buf)
- l = min(round_down(len, 4), p->rx_fifo_size * 4);
+ unsigned int l = min(round_down(len, 4), max_wdlen * 4);
if (bits <= 8) {
copy32 = copy_bswap32;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 035/508] ASoC: apple: mca: Constrain channels according to TDM mask
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 034/508] spi: sh-msiof: Fix maximum DMA transfer size Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 036/508] drm/vmwgfx: Add seqno waiter for sync_files Greg Kroah-Hartman
` (473 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Povišer,
James Calligeros, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Povišer <povik+lin@cutebit.org>
[ Upstream commit e717c661e2d1a660e96c40b0fe9933e23a1d7747 ]
We don't (and can't) configure the hardware correctly if the number of
channels exceeds the weight of the TDM mask. Report that constraint in
startup of FE.
Fixes: 3df5d0d97289 ("ASoC: apple: mca: Start new platform driver")
Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250518-mca-fixes-v1-1-ee1015a695f6@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/apple/mca.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/sound/soc/apple/mca.c b/sound/soc/apple/mca.c
index 64750db9b9639..409b3a716ccbc 100644
--- a/sound/soc/apple/mca.c
+++ b/sound/soc/apple/mca.c
@@ -464,6 +464,28 @@ static int mca_configure_serdes(struct mca_cluster *cl, int serdes_unit,
return -EINVAL;
}
+static int mca_fe_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+{
+ struct mca_cluster *cl = mca_dai_to_cluster(dai);
+ unsigned int mask, nchannels;
+
+ if (cl->tdm_slots) {
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+ mask = cl->tdm_tx_mask;
+ else
+ mask = cl->tdm_rx_mask;
+
+ nchannels = hweight32(mask);
+ } else {
+ nchannels = 2;
+ }
+
+ return snd_pcm_hw_constraint_minmax(substream->runtime,
+ SNDRV_PCM_HW_PARAM_CHANNELS,
+ 1, nchannels);
+}
+
static int mca_fe_set_tdm_slot(struct snd_soc_dai *dai, unsigned int tx_mask,
unsigned int rx_mask, int slots, int slot_width)
{
@@ -680,6 +702,7 @@ static int mca_fe_hw_params(struct snd_pcm_substream *substream,
}
static const struct snd_soc_dai_ops mca_fe_ops = {
+ .startup = mca_fe_startup,
.set_fmt = mca_fe_set_fmt,
.set_bclk_ratio = mca_set_bclk_ratio,
.set_tdm_slot = mca_fe_set_tdm_slot,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 036/508] drm/vmwgfx: Add seqno waiter for sync_files
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 035/508] ASoC: apple: mca: Constrain channels according to TDM mask Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 037/508] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table Greg Kroah-Hartman
` (472 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ]
Because sync_files are passive waiters they do not participate in
the processing of fences like the traditional vmw_fence_wait IOCTL.
If userspace exclusively uses sync_files for synchronization then
nothing in the kernel actually processes fence updates as interrupts
for fences are masked and ignored if the kernel does not indicate to the
SVGA device that there are active waiters.
This oversight results in a bug where the entire GUI can freeze waiting
on a sync_file that will never be signalled as we've masked the interrupts
to signal its completion. This bug is incredibly racy as any process which
interacts with the fencing code via the 3D stack can process the stuck
fences on behalf of the stuck process causing it to run again. Even a
simple app like eglinfo is enough to resume the stuck process. Usually
this bug is seen at a login screen like GDM because there are no other
3D apps running.
By adding a seqno waiter we re-enable interrupt based processing of the
dma_fences associated with the sync_file which is signalled as part of a
dma_fence_callback.
This has likely been broken since it was initially added to the kernel in
2017 but has gone unnoticed until mutter recently started using sync_files
heavily over the course of 2024 as part of their explicit sync support.
Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 2f7ac91149fc0..0d12d6af67c09 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -4077,6 +4077,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv,
return 0;
}
+/*
+ * DMA fence callback to remove a seqno_waiter
+ */
+struct seqno_waiter_rm_context {
+ struct dma_fence_cb base;
+ struct vmw_private *dev_priv;
+};
+
+static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb)
+{
+ struct seqno_waiter_rm_context *ctx =
+ container_of(cb, struct seqno_waiter_rm_context, base);
+
+ vmw_seqno_waiter_remove(ctx->dev_priv);
+ kfree(ctx);
+}
+
int vmw_execbuf_process(struct drm_file *file_priv,
struct vmw_private *dev_priv,
void __user *user_commands, void *kernel_commands,
@@ -4257,6 +4274,15 @@ int vmw_execbuf_process(struct drm_file *file_priv,
} else {
/* Link the fence with the FD created earlier */
fd_install(out_fence_fd, sync_file->file);
+ struct seqno_waiter_rm_context *ctx =
+ kmalloc(sizeof(*ctx), GFP_KERNEL);
+ ctx->dev_priv = dev_priv;
+ vmw_seqno_waiter_add(dev_priv);
+ if (dma_fence_add_callback(&fence->base, &ctx->base,
+ seqno_waiter_rm_cb) < 0) {
+ vmw_seqno_waiter_remove(dev_priv);
+ kfree(ctx);
+ }
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 037/508] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 036/508] drm/vmwgfx: Add seqno waiter for sync_files Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 038/508] media: rkvdec: Fix frame size enumeration Greg Kroah-Hartman
` (471 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Han, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Han <hanchunchao@inspur.com>
[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ]
The function atomctrl_initialize_mc_reg_table() and
atomctrl_initialize_mc_reg_table_v2_2() does not check the return
value of smu_atom_get_data_table(). If smu_atom_get_data_table()
fails to retrieve vram_info, it returns NULL which is later
dereferenced.
Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)")
Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
index 1fbd23922082a..7e37354a03411 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table(
vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *)
smu_atom_get_data_table(hwmgr->adev,
GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
+ if (!vram_info) {
+ pr_err("Could not retrieve the VramInfo table!");
+ return -EINVAL;
+ }
if (module_index >= vram_info->ucNumOfVRAMModule) {
pr_err("Invalid VramInfo table.");
@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2(
vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *)
smu_atom_get_data_table(hwmgr->adev,
GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
+ if (!vram_info) {
+ pr_err("Could not retrieve the VramInfo table!");
+ return -EINVAL;
+ }
if (module_index >= vram_info->ucNumOfVRAMModule) {
pr_err("Invalid VramInfo table.");
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 038/508] media: rkvdec: Fix frame size enumeration
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 037/508] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 039/508] arm64/fpsimd: Discard stale CPU state when handling SME traps Greg Kroah-Hartman
` (470 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Bee, Jonas Karlman,
Nicolas Dufresne, Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Karlman <jonas@kwiboo.se>
[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ]
The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e.
width and height in pixels) that the device supports for the given pixel
format.
It doesn't make a lot of sense to return the frame-sizes in a stepwise
manner, which is used to enforce hardware alignments requirements for
CAPTURE buffers, for coded formats.
Instead, applications should receive an indication, about the maximum
supported frame size for that hardware decoder, via a continuous
frame-size enumeration.
Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
Suggested-by: Alex Bee <knaerzche@gmail.com>
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
index d16cf4115d03a..b5847259f4541 100644
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -213,8 +213,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv,
if (!fmt)
return -EINVAL;
- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE;
- fsize->stepwise = fmt->frmsize;
+ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS;
+ fsize->stepwise.min_width = 1;
+ fsize->stepwise.max_width = fmt->frmsize.max_width;
+ fsize->stepwise.step_width = 1;
+ fsize->stepwise.min_height = 1;
+ fsize->stepwise.max_height = fmt->frmsize.max_height;
+ fsize->stepwise.step_height = 1;
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 039/508] arm64/fpsimd: Discard stale CPU state when handling SME traps
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 038/508] media: rkvdec: Fix frame size enumeration Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 040/508] arm64/fpsimd: Fix merging of FPSIMD state during signal return Greg Kroah-Hartman
` (469 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Marc Zyngier, Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit d3eaab3c70905c5467e5c4ea403053d67505adeb ]
The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state
incorrectly, and a race with preemption can result in a task having
TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SME traps enabled). This can result in warnings from
do_sme_acc() where SME traps are not expected while TIF_SME is set:
| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
| WARN_ON(1);
This is very similar to the SVE issue we fixed in commit:
751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")
The race can occur when the SME trap handler is preempted before and
after manipulating the saved FPSIMD/SVE/SME state, starting and ending on
the same CPU, e.g.
| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
| {
| // Trap on CPU 0 with TIF_SME clear, SME traps enabled
| // task->fpsimd_cpu is 0.
| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
| ...
|
| // Preempted; migrated from CPU 0 to CPU 1.
| // TIF_FOREIGN_FPSTATE is set.
|
| get_cpu_fpsimd_context();
|
| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
| WARN_ON(1);
|
| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
| unsigned long vq_minus_one =
| sve_vq_from_vl(task_get_sme_vl(current)) - 1;
| sme_set_vq(vq_minus_one);
|
| fpsimd_bind_task_to_cpu();
| }
|
| put_cpu_fpsimd_context();
|
| // Preempted; migrated from CPU 1 to CPU 0.
| // task->fpsimd_cpu is still 0
| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
| // - Stale HW state is reused (with SME traps enabled)
| // - TIF_FOREIGN_FPSTATE is cleared
| // - A return to userspace skips HW state restore
| }
Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.
Note: this was originallly posted as [1].
Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-1-bae87728251d@kernel.org/
[ Rutland: rewrite commit message ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250409164010.3480271-6-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/fpsimd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
index b3e101a7d04f8..235131db8b8db 100644
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1504,6 +1504,8 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs)
sme_set_vq(vq_minus_one);
fpsimd_bind_task_to_cpu();
+ } else {
+ fpsimd_flush_task_state(current);
}
put_cpu_fpsimd_context();
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 040/508] arm64/fpsimd: Fix merging of FPSIMD state during signal return
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 039/508] arm64/fpsimd: Discard stale CPU state when handling SME traps Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 041/508] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() Greg Kroah-Hartman
` (468 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Marc Zyngier,
Mark Brown, Will Deacon, Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit c94f2f326146a34066a0070ed90b8bc656b1842f ]
For backwards compatibility reasons, when a signal return occurs which
restores SVE state, the effective lower 128 bits of each of the SVE
vector registers are restored from the corresponding FPSIMD vector
register in the FPSIMD signal frame, overriding the values in the SVE
signal frame. This is intended to be the case regardless of streaming
mode.
To make this happen, restore_sve_fpsimd_context() uses
fpsimd_update_current_state() to merge the lower 128 bits from the
FPSIMD signal frame into the SVE register state. Unfortunately,
fpsimd_update_current_state() performs this merging dependent upon
TIF_SVE, which is not always correct for streaming SVE register state:
* When restoring non-streaming SVE register state there is no observable
problem, as the signal return code configures TIF_SVE and the saved
fp_type to match before calling fpsimd_update_current_state(), which
observes either:
- TIF_SVE set AND fp_type == FP_STATE_SVE
- TIF_SVE clear AND fp_type == FP_STATE_FPSIMD
* On systems which have SME but not SVE, TIF_SVE cannot be set. Thus the
merging will never happen for the streaming SVE register state.
* On systems which have SVE and SME, TIF_SVE can be set and cleared
independently of PSTATE.SM. Thus the merging may or may not happen for
streaming SVE register state.
As TIF_SVE can be cleared non-deterministically during syscalls
(including at the start of sigreturn()), the merging may occur
non-deterministically from the perspective of userspace.
This logic has been broken since its introduction in commit:
85ed24dad2904f7c ("arm64/sme: Implement streaming SVE signal handling")
... at which point both fpsimd_signal_preserve_current_state() and
fpsimd_update_current_state() only checked TIF SVE. When PSTATE.SM==1
and TIF_SVE was clear, signal delivery would place stale FPSIMD state
into the FPSIMD signal frame, and signal return would not merge this
into the restored register state.
Subsequently, signal delivery was fixed as part of commit:
61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
... but signal restore was not given a corresponding fix, and when
TIF_SVE was clear, signal restore would still fail to merge the FPSIMD
state into the restored SVE register state. The 'Fixes' tag did not
indicate that this had been broken since its introduction.
Fix this by merging the FPSIMD state dependent upon the saved fp_type,
matching what we (currently) do during signal delivery.
As described above, when backporting this commit, it will also be
necessary to backport commit:
61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
... and prior to commit:
baa8515281b30861 ("arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE")
... it will be necessary for fpsimd_signal_preserve_current_state() and
fpsimd_update_current_state() to consider both TIF_SVE and
thread_sm_enabled(¤t->thread), in place of the saved fp_type.
Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20250409164010.3480271-10-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/fpsimd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
index 235131db8b8db..837d1937300a5 100644
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1783,7 +1783,7 @@ void fpsimd_update_current_state(struct user_fpsimd_state const *state)
get_cpu_fpsimd_context();
current->thread.uw.fpsimd_state = *state;
- if (test_thread_flag(TIF_SVE))
+ if (current->thread.fp_type == FP_STATE_SVE)
fpsimd_to_sve(current);
task_fpsimd_load();
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 041/508] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 040/508] arm64/fpsimd: Fix merging of FPSIMD state during signal return Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 042/508] fs/ntfs3: handle hdr_first_de() return value Greg Kroah-Hartman
` (467 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Dmitry Baryshkov,
Dmitry Baryshkov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit b848cd418aebdb313364b4843f41fae82281a823 ]
If lt9611uxc_audio_init() fails, some resources still need to be released
before returning the error code.
Use the existing error handling path.
Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/f167608e392c6b4d7d7f6e45e3c21878feb60cbd.1744958833.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
index cb75da940b890..e9162125382f5 100644
--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
+++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
@@ -961,7 +961,11 @@ static int lt9611uxc_probe(struct i2c_client *client,
}
}
- return lt9611uxc_audio_init(dev, lt9611uxc);
+ ret = lt9611uxc_audio_init(dev, lt9611uxc);
+ if (ret)
+ goto err_remove_bridge;
+
+ return 0;
err_remove_bridge:
free_irq(client->irq, lt9611uxc);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 042/508] fs/ntfs3: handle hdr_first_de() return value
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 041/508] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 043/508] watchdog: exar: Shorten identity name to fit correctly Greg Kroah-Hartman
` (466 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Vatoropin, Konstantin Komarov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Vatoropin <a.vatoropin@crpt.ru>
[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ]
The hdr_first_de() function returns a pointer to a struct NTFS_DE. This
pointer may be NULL. To handle the NULL error effectively, it is important
to implement an error handler. This will help manage potential errors
consistently.
Additionally, error handling for the return value already exists at other
points where this function is called.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/index.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 139bdaececd72..ee6de53d2ad12 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -2166,6 +2166,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
e = hdr_first_de(&n->index->ihdr);
fnd_push(fnd, n, e);
+ if (!e) {
+ err = -EINVAL;
+ goto out;
+ }
if (!de_is_last(e)) {
/*
@@ -2187,6 +2191,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
n = fnd->nodes[level];
te = hdr_first_de(&n->index->ihdr);
+ if (!te) {
+ err = -EINVAL;
+ goto out;
+ }
/* Copy the candidate entry into the replacement entry buffer. */
re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS);
if (!re) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 043/508] watchdog: exar: Shorten identity name to fit correctly
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 042/508] fs/ntfs3: handle hdr_first_de() return value Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 044/508] m68k: mac: Fix macintosh_config for Mac II Greg Kroah-Hartman
` (465 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Kees Cook,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 8e28276a569addb8a2324439ae473848ee52b056 ]
The static initializer for struct watchdog_info::identity is too long
and gets initialized without a trailing NUL byte. Since the length
of "identity" is part of UAPI and tied to ioctls, just shorten
the name of the device. Avoids the warning seen with GCC 15's
-Wunterminated-string-initialization option:
drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization]
224 | .identity = "Exar/MaxLinear XR28V38x Watchdog",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/exar_wdt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c
index 7c61ff3432711..c2e3bb08df899 100644
--- a/drivers/watchdog/exar_wdt.c
+++ b/drivers/watchdog/exar_wdt.c
@@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = {
.options = WDIOF_KEEPALIVEPING |
WDIOF_SETTIMEOUT |
WDIOF_MAGICCLOSE,
- .identity = "Exar/MaxLinear XR28V38x Watchdog",
+ .identity = "Exar XR28V38x Watchdog",
};
static const struct watchdog_ops exar_wdt_ops = {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 044/508] m68k: mac: Fix macintosh_config for Mac II
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 043/508] watchdog: exar: Shorten identity name to fit correctly Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 045/508] firmware: psci: Fix refcount leak in psci_dt_init Greg Kroah-Hartman
` (464 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Thompson, Finn Thain,
Geert Uytterhoeven, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ]
When booted on my Mac II, the kernel prints this:
Detected Macintosh model: 6
Apple Macintosh Unknown
The catch-all entry ("Unknown") is mac_data_table[0] which is only needed
in the unlikely event that the bootinfo model ID can't be matched.
When model ID is 6, the search should begin and end at mac_data_table[1].
Fix the off-by-one error that causes this problem.
Cc: Joshua Thompson <funaho@jurai.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/m68k/mac/config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
index 382f656c29eae..9f5603e01a688 100644
--- a/arch/m68k/mac/config.c
+++ b/arch/m68k/mac/config.c
@@ -801,7 +801,7 @@ static void __init mac_identify(void)
}
macintosh_config = mac_data_table;
- for (m = macintosh_config; m->ident != -1; m++) {
+ for (m = &mac_data_table[1]; m->ident != -1; m++) {
if (m->ident == model) {
macintosh_config = m;
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 045/508] firmware: psci: Fix refcount leak in psci_dt_init
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 044/508] m68k: mac: Fix macintosh_config for Mac II Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 046/508] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX Greg Kroah-Hartman
` (463 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Gavin Shan,
Mark Rutland, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ]
Fix a reference counter leak in psci_dt_init() where of_node_put(np) was
missing after of_find_matching_node_and_match() when np is unavailable.
Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/psci/psci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c
index a44ba09e49d9c..7eddf0912f96c 100644
--- a/drivers/firmware/psci/psci.c
+++ b/drivers/firmware/psci/psci.c
@@ -747,8 +747,10 @@ int __init psci_dt_init(void)
np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np);
- if (!np || !of_device_is_available(np))
+ if (!np || !of_device_is_available(np)) {
+ of_node_put(np);
return -ENODEV;
+ }
init_fn = (psci_initcall_t)matched_np->data;
ret = init_fn(np);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 046/508] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 045/508] firmware: psci: Fix refcount leak in psci_dt_init Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 047/508] selftests/seccomp: fix syscall_restart test for arm compat Greg Kroah-Hartman
` (462 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kornel Dulęba,
Anshuman Khandual, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kornel Dulęba <korneld@google.com>
[ Upstream commit f101c56447717c595d803894ba0e215f56c6fba4 ]
When the 52-bit virtual addressing was introduced the select like
ARCH_MMAP_RND_BITS_MAX logic was never updated to account for it.
Because of that the rnd max bits knob is set to the default value of 18
when ARM64_VA_BITS=52.
Fix this by setting ARCH_MMAP_RND_BITS_MAX to the same value that would
be used if 48-bit addressing was used. Higher values can't used here
because 52-bit addressing is used only if the caller provides a hint to
mmap, with a fallback to 48-bit. The knob in question is an upper bound
for what the user can set in /proc/sys/vm/mmap_rnd_bits, which in turn
is used to determine how many random bits can be inserted into the base
address used for mmap allocations. Since 48-bit allocations are legal
with ARM64_VA_BITS=52, we need to make sure that the base address is
small enough to facilitate this.
Fixes: b6d00d47e81a ("arm64: mm: Introduce 52-bit Kernel VAs")
Signed-off-by: Kornel Dulęba <korneld@google.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20250417114754.3238273-1-korneld@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/Kconfig | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 57b437ed09747..6bb23a041e328 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -280,9 +280,9 @@ config ARCH_MMAP_RND_BITS_MAX
default 24 if ARM64_VA_BITS=39
default 27 if ARM64_VA_BITS=42
default 30 if ARM64_VA_BITS=47
- default 29 if ARM64_VA_BITS=48 && ARM64_64K_PAGES
- default 31 if ARM64_VA_BITS=48 && ARM64_16K_PAGES
- default 33 if ARM64_VA_BITS=48
+ default 29 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_64K_PAGES
+ default 31 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_16K_PAGES
+ default 33 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52)
default 14 if ARM64_64K_PAGES
default 16 if ARM64_16K_PAGES
default 18
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 047/508] selftests/seccomp: fix syscall_restart test for arm compat
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 046/508] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 048/508] drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Greg Kroah-Hartman
` (461 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Neill Kapron, Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neill Kapron <nkapron@google.com>
[ Upstream commit 797002deed03491215a352ace891749b39741b69 ]
The inconsistencies in the systcall ABI between arm and arm-compat can
can cause a failure in the syscall_restart test due to the logic
attempting to work around the differences. The 'machine' field for an
ARM64 device running in compat mode can report 'armv8l' or 'armv8b'
which matches with the string 'arm' when only examining the first three
characters of the string.
This change adds additional validation to the workaround logic to make
sure we only take the arm path when running natively, not in arm-compat.
Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64")
Signed-off-by: Neill Kapron <nkapron@google.com>
Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 4ae6c89913074..b300e87404d8e 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3136,12 +3136,15 @@ TEST(syscall_restart)
ret = get_syscall(_metadata, child_pid);
#if defined(__arm__)
/*
- * FIXME:
* - native ARM registers do NOT expose true syscall.
* - compat ARM registers on ARM64 DO expose true syscall.
+ * - values of utsbuf.machine include 'armv8l' or 'armb8b'
+ * for ARM64 running in compat mode.
*/
ASSERT_EQ(0, uname(&utsbuf));
- if (strncmp(utsbuf.machine, "arm", 3) == 0) {
+ if ((strncmp(utsbuf.machine, "arm", 3) == 0) &&
+ (strncmp(utsbuf.machine, "armv8l", 6) != 0) &&
+ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) {
EXPECT_EQ(__NR_nanosleep, ret);
} else
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 048/508] drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 047/508] selftests/seccomp: fix syscall_restart test for arm compat Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 049/508] drm/vkms: Adjust vkms_state->active_planes allocation type Greg Kroah-Hartman
` (460 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Laurent Pinchart,
Tomi Valkeinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ]
The rcar_du_vsps_init() doesn't free the np allocated by
of_parse_phandle_with_fixed_args() for the non-error case.
Fix memory leak for the non-error case.
While at it, replace the label 'error'->'done' as it applies to non-error
case as well and update the error check condition for rcar_du_vsp_init()
to avoid breakage in future, if it returns positive value.
Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com
Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
index 8c2719efda2a2..b64f62ad8dbd7 100644
--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c
+++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
@@ -673,7 +673,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name,
cells, i, &args);
if (ret < 0)
- goto error;
+ goto done;
/*
* Add the VSP to the list or update the corresponding existing
@@ -711,13 +711,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
vsp->dev = rcdu;
ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask);
- if (ret < 0)
- goto error;
+ if (ret)
+ goto done;
}
- return 0;
-
-error:
+done:
for (i = 0; i < ARRAY_SIZE(vsps); ++i)
of_node_put(vsps[i].np);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 049/508] drm/vkms: Adjust vkms_state->active_planes allocation type
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 048/508] drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 050/508] drm/tegra: rgb: Fix the unbound reference count Greg Kroah-Hartman
` (459 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Louis Chauvet,
Louis Chauvet, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ]
In preparation for making the kmalloc family of allocators type aware,
we need to make sure that the returned type from the allocation matches
the type of the variable being assigned. (Before, the allocator would
always return "void *", which can be implicitly cast to any pointer type.)
The assigned type is "struct vkms_plane_state **", but the returned type
will be "struct drm_plane **". These are the same size (pointer size), but
the types don't match. Adjust the allocation type to match the assignment.
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking")
Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org
Signed-off-by: Louis Chauvet <contact@louischauvet.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
index 57bbd32e9bebb..de8c2d5cc89c0 100644
--- a/drivers/gpu/drm/vkms/vkms_crtc.c
+++ b/drivers/gpu/drm/vkms/vkms_crtc.c
@@ -202,7 +202,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc,
i++;
}
- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL);
+ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL);
if (!vkms_state->active_planes)
return -ENOMEM;
vkms_state->num_active_planes = i;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 050/508] drm/tegra: rgb: Fix the unbound reference count
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 049/508] drm/vkms: Adjust vkms_state->active_planes allocation type Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 051/508] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Greg Kroah-Hartman
` (458 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biju Das, Thierry Reding,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ]
The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe,
but the driver does not decrement the refcount during unbind. Fix the
unbound reference count using devm_add_action_or_reset() helper.
Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c
index 86e55e5d12b39..20ac30673ed53 100644
--- a/drivers/gpu/drm/tegra/rgb.c
+++ b/drivers/gpu/drm/tegra/rgb.c
@@ -189,6 +189,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = {
.atomic_check = tegra_rgb_encoder_atomic_check,
};
+static void tegra_dc_of_node_put(void *data)
+{
+ of_node_put(data);
+}
+
int tegra_dc_rgb_probe(struct tegra_dc *dc)
{
struct device_node *np;
@@ -196,7 +201,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc)
int err;
np = of_get_child_by_name(dc->dev->of_node, "rgb");
- if (!np || !of_device_is_available(np))
+ if (!np)
+ return -ENODEV;
+
+ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np);
+ if (err < 0)
+ return err;
+
+ if (!of_device_is_available(np))
return -ENODEV;
rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 051/508] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 050/508] drm/tegra: rgb: Fix the unbound reference count Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 052/508] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops Greg Kroah-Hartman
` (457 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuai Xue, Huang Yiwei, Gavin Shan,
Rafael J. Wysocki, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang Yiwei <quic_hyiwei@quicinc.com>
[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ]
SDEI usually initialize with the ACPI table, but on platforms where
ACPI is not used, the SDEI feature can still be used to handle
specific firmware calls or other customized purposes. Therefore, it
is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES.
In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES
in acpi_init()"), to make APEI ready earlier, sdei_init was moved
into acpi_ghes_init instead of being a standalone initcall, adding
ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the
flexibility and usability of SDEI.
This patch corrects the dependency in Kconfig and splits sdei_init()
into two separate functions: sdei_init() and acpi_sdei_init().
sdei_init() will be called by arch_initcall and will only initialize
the platform driver, while acpi_sdei_init() will initialize the
device from acpi_ghes_init() when ACPI is ready. This allows the
initialization of SDEI without ACPI_APEI_GHES enabled.
Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()")
Cc: Shuai Xue <xueshuai@linux.alibaba.com>
Signed-off-by: Huang Yiwei <quic_hyiwei@quicinc.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/Kconfig | 1 +
drivers/acpi/apei/ghes.c | 2 +-
drivers/firmware/Kconfig | 1 -
drivers/firmware/arm_sdei.c | 11 ++++++++---
include/linux/arm_sdei.h | 4 ++--
5 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig
index 6b18f8bc7be35..71e0d64a7792e 100644
--- a/drivers/acpi/apei/Kconfig
+++ b/drivers/acpi/apei/Kconfig
@@ -23,6 +23,7 @@ config ACPI_APEI_GHES
select ACPI_HED
select IRQ_WORK
select GENERIC_ALLOCATOR
+ select ARM_SDE_INTERFACE if ARM64
help
Generic Hardware Error Source provides a way to report
platform hardware errors (such as that from chipset). It
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 83a4b417b27b9..1f327ec4c30b3 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -1478,7 +1478,7 @@ void __init acpi_ghes_init(void)
{
int rc;
- sdei_init();
+ acpi_sdei_init();
if (acpi_disabled)
return;
diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
index 5583ae61f214b..bffdf735ef781 100644
--- a/drivers/firmware/Kconfig
+++ b/drivers/firmware/Kconfig
@@ -40,7 +40,6 @@ config ARM_SCPI_POWER_DOMAIN
config ARM_SDE_INTERFACE
bool "ARM Software Delegated Exception Interface (SDEI)"
depends on ARM64
- depends on ACPI_APEI_GHES
help
The Software Delegated Exception Interface (SDEI) is an ARM
standard for registering callbacks from the platform firmware
diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
index 3e8051fe82965..71e2a9a89f6ad 100644
--- a/drivers/firmware/arm_sdei.c
+++ b/drivers/firmware/arm_sdei.c
@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void)
return true;
}
-void __init sdei_init(void)
+void __init acpi_sdei_init(void)
{
struct platform_device *pdev;
int ret;
- ret = platform_driver_register(&sdei_driver);
- if (ret || !sdei_present_acpi())
+ if (!sdei_present_acpi())
return;
pdev = platform_device_register_simple(sdei_driver.driver.name,
@@ -1081,6 +1080,12 @@ void __init sdei_init(void)
}
}
+static int __init sdei_init(void)
+{
+ return platform_driver_register(&sdei_driver);
+}
+arch_initcall(sdei_init);
+
int sdei_event_handler(struct pt_regs *regs,
struct sdei_registered_event *arg)
{
diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h
index 255701e1251b4..f652a5028b590 100644
--- a/include/linux/arm_sdei.h
+++ b/include/linux/arm_sdei.h
@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes);
/* For use by arch code when CPU hotplug notifiers are not appropriate. */
int sdei_mask_local_cpu(void);
int sdei_unmask_local_cpu(void);
-void __init sdei_init(void);
+void __init acpi_sdei_init(void);
void sdei_handler_abort(void);
#else
static inline int sdei_mask_local_cpu(void) { return 0; }
static inline int sdei_unmask_local_cpu(void) { return 0; }
-static inline void sdei_init(void) { }
+static inline void acpi_sdei_init(void) { }
static inline void sdei_handler_abort(void) { }
#endif /* CONFIG_ARM_SDE_INTERFACE */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 052/508] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 051/508] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 053/508] wifi: ath11k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
` (456 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit d8720235d5b5cad86c1f07f65117ef2a96f8bec7 ]
Recent fixes to the randstruct GCC plugin allowed it to notice
that this structure is entirely function pointers and is therefore
subject to randomization, but doing so requires that it always use
designated initializers. Explicitly specify the "common" member as being
initialized. Silences:
drivers/scsi/qedf/qedf_main.c:702:9: error: positional initialization of field in 'struct' declared with 'designated_init' attribute [-Werror=designated-init]
702 | {
| ^
Fixes: 035f7f87b729 ("randstruct: Enable Clang support")
Link: https://lore.kernel.org/r/20250502224156.work.617-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedf/qedf_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 288c96e7bc39f..a6f53cfff9383 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -699,7 +699,7 @@ static u32 qedf_get_login_failures(void *cookie)
}
static struct qed_fcoe_cb_ops qedf_cb_ops = {
- {
+ .common = {
.link_update = qedf_link_update,
.bw_update = qedf_bw_update,
.schedule_recovery_handler = qedf_schedule_recovery_handler,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 053/508] wifi: ath11k: fix node corruption in ar->arvifs list
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 052/508] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 054/508] IB/cm: use rwlock for MAD agent lock Greg Kroah-Hartman
` (455 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stone Zhang, Jeff Johnson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stone Zhang <quic_stonez@quicinc.com>
[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ]
In current WLAN recovery code flow, ath11k_core_halt() only
reinitializes the "arvifs" list head. This will cause the
list node immediately following the list head to become an
invalid list node. Because the prev of that node still points
to the list head "arvifs", but the next of the list head "arvifs"
no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif
removal, and it happens before the spin_lock_bh(&ar->data_lock)
in ath11k_mac_op_remove_interface(), list_del() will detect the
previously mentioned situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the
list head "arvifs" during WLAN halt. The reinitialization is to make
the list nodes valid, ensuring that the list_del() in
ath11k_mac_op_remove_interface() can execute normally.
Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 893fefadbba96..ef269244fe495 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -1621,6 +1621,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab)
void ath11k_core_halt(struct ath11k *ar)
{
struct ath11k_base *ab = ar->ab;
+ struct list_head *pos, *n;
lockdep_assert_held(&ar->conf_mutex);
@@ -1635,7 +1636,12 @@ void ath11k_core_halt(struct ath11k *ar)
rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
synchronize_rcu();
- INIT_LIST_HEAD(&ar->arvifs);
+
+ spin_lock_bh(&ar->data_lock);
+ list_for_each_safe(pos, n, &ar->arvifs)
+ list_del_init(pos);
+ spin_unlock_bh(&ar->data_lock);
+
idr_init(&ar->txmgmt_idr);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 054/508] IB/cm: use rwlock for MAD agent lock
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 053/508] wifi: ath11k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 055/508] bpf: fix ktls panic with sockmap Greg Kroah-Hartman
` (454 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Moroni, Eric Dumazet,
Zhu Yanjun, Jason Gunthorpe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Moroni <jmoroni@google.com>
[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ]
In workloads where there are many processes establishing connections using
RDMA CM in parallel (large scale MPI), there can be heavy contention for
mad_agent_lock in cm_alloc_msg.
This contention can occur while inside of a spin_lock_irq region, leading
to interrupts being disabled for extended durations on many
cores. Furthermore, it leads to the serialization of rdma_create_ah calls,
which has negative performance impacts for NICs which are capable of
processing multiple address handle creations in parallel.
The end result is the machine becoming unresponsive, hung task warnings,
netdev TX timeouts, etc.
Since the lock appears to be only for protection from cm_remove_one, it
can be changed to a rwlock to resolve these issues.
Reproducer:
Server:
for i in $(seq 1 512); do
ucmatose -c 32 -p $((i + 5000)) &
done
Client:
for i in $(seq 1 512); do
ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 &
done
Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock")
Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com
Signed-off-by: Jacob Moroni <jmoroni@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cm.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 950fe205995b7..0a113d0d6b08f 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -166,7 +166,7 @@ struct cm_port {
struct cm_device {
struct kref kref;
struct list_head list;
- spinlock_t mad_agent_lock;
+ rwlock_t mad_agent_lock;
struct ib_device *ib_device;
u8 ack_delay;
int going_down;
@@ -284,7 +284,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
if (!cm_id_priv->av.port)
return ERR_PTR(-EINVAL);
- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
mad_agent = cm_id_priv->av.port->mad_agent;
if (!mad_agent) {
m = ERR_PTR(-EINVAL);
@@ -315,7 +315,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
m->context[0] = cm_id_priv;
out:
- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
return m;
}
@@ -1294,10 +1294,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv)
if (!cm_id_priv->av.port)
return cpu_to_be64(low_tid);
- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
if (cm_id_priv->av.port->mad_agent)
hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32;
- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
return cpu_to_be64(hi_tid | low_tid);
}
@@ -4365,7 +4365,7 @@ static int cm_add_one(struct ib_device *ib_device)
return -ENOMEM;
kref_init(&cm_dev->kref);
- spin_lock_init(&cm_dev->mad_agent_lock);
+ rwlock_init(&cm_dev->mad_agent_lock);
cm_dev->ib_device = ib_device;
cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay;
cm_dev->going_down = 0;
@@ -4481,9 +4481,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data)
* The above ensures no call paths from the work are running,
* the remaining paths all take the mad_agent_lock.
*/
- spin_lock(&cm_dev->mad_agent_lock);
+ write_lock(&cm_dev->mad_agent_lock);
port->mad_agent = NULL;
- spin_unlock(&cm_dev->mad_agent_lock);
+ write_unlock(&cm_dev->mad_agent_lock);
ib_unregister_mad_agent(mad_agent);
ib_port_unregister_client_groups(ib_device, i,
cm_counter_groups);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 055/508] bpf: fix ktls panic with sockmap
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 054/508] IB/cm: use rwlock for MAD agent lock Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 056/508] bpf, sockmap: fix duplicated data transmission Greg Kroah-Hartman
` (453 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, John Fastabend,
Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 54a3ecaeeeae8176da8badbd7d72af1017032c39 ]
[ 2172.936997] ------------[ cut here ]------------
[ 2172.936999] kernel BUG at lib/iov_iter.c:629!
......
[ 2172.944996] PKRU: 55555554
[ 2172.945155] Call Trace:
[ 2172.945299] <TASK>
[ 2172.945428] ? die+0x36/0x90
[ 2172.945601] ? do_trap+0xdd/0x100
[ 2172.945795] ? iov_iter_revert+0x178/0x180
[ 2172.946031] ? iov_iter_revert+0x178/0x180
[ 2172.946267] ? do_error_trap+0x7d/0x110
[ 2172.946499] ? iov_iter_revert+0x178/0x180
[ 2172.946736] ? exc_invalid_op+0x50/0x70
[ 2172.946961] ? iov_iter_revert+0x178/0x180
[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20
[ 2172.947446] ? iov_iter_revert+0x178/0x180
[ 2172.947683] ? iov_iter_revert+0x5c/0x180
[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840
[ 2172.948206] tls_sw_sendmsg+0x52/0x80
[ 2172.948420] ? inet_sendmsg+0x1f/0x70
[ 2172.948634] __sys_sendto+0x1cd/0x200
[ 2172.948848] ? find_held_lock+0x2b/0x80
[ 2172.949072] ? syscall_trace_enter+0x140/0x270
[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170
[ 2172.949595] ? find_held_lock+0x2b/0x80
[ 2172.949817] ? syscall_trace_enter+0x140/0x270
[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190
[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0
[ 2172.951036] __x64_sys_sendto+0x24/0x30
[ 2172.951382] do_syscall_64+0x90/0x170
......
After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,
e.g., when the BPF program executes bpf_msg_push_data().
If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,
it will return -ENOSPC and attempt to roll back to the non-zero copy
logic. However, during rollback, msg->msg_iter is reset, but since
msg_pl->sg.size has been increased, subsequent executions will exceed the
actual size of msg_iter.
'''
iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);
'''
The changes in this commit are based on the following considerations:
1. When cork_bytes is set, rolling back to non-zero copy logic is
pointless and can directly go to zero-copy logic.
2. We can not calculate the correct number of bytes to revert msg_iter.
Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes
by the BPF program, it becomes 11-byte data: "abc?de?fgh?".
Then, we set cork_bytes to 6, which means the first 6 bytes have been
processed, and the remaining 5 bytes "?fgh?" will be cached until the
length meets the cork_bytes requirement.
However, some data in "?fgh?" is not within 'sg->msg_iter'
(but in msg_pl instead), especially the data "?" we pushed.
So it doesn't seem as simple as just reverting through an offset of
msg_iter.
3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs,
the user-space send() doesn't return an error, and the returned length is
the same as the input length parameter, even if some data is cached.
Additionally, I saw that the current non-zero-copy logic for handling
corking is written as:
'''
line 1177
else if (ret != -EAGAIN) {
if (ret == -ENOSPC)
ret = 0;
goto send_end;
'''
So it's ok to just return 'copied' without error when a "cork" situation
occurs.
Fixes: fcb14cb1bdac ("new iov_iter flavour - ITER_UBUF")
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20250219052015.274405-2-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 5310441240e70..af820ae9b1a52 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1075,9 +1075,13 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
num_async++;
else if (ret == -ENOMEM)
goto wait_for_memory;
- else if (ctx->open_rec && ret == -ENOSPC)
+ else if (ctx->open_rec && ret == -ENOSPC) {
+ if (msg_pl->cork_bytes) {
+ ret = 0;
+ goto send_end;
+ }
goto rollback_iter;
- else if (ret != -EAGAIN)
+ } else if (ret != -EAGAIN)
goto send_end;
}
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 056/508] bpf, sockmap: fix duplicated data transmission
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 055/508] bpf: fix ktls panic with sockmap Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 057/508] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
` (452 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ]
In the !ingress path under sk_psock_handle_skb(), when sending data to the
remote under snd_buf limitations, partial skb data might be transmitted.
Although we preserved the partial transmission state (offset/length), the
state wasn't properly consumed during retries. This caused the retry path
to resend the entire skb data instead of continuing from the previous
offset, resulting in data overlap at the receiver side.
Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 5a790cd1121b1..72f4949cbb70f 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -654,11 +654,6 @@ static void sk_psock_backlog(struct work_struct *work)
int ret;
mutex_lock(&psock->work_mutex);
- if (unlikely(state->len)) {
- len = state->len;
- off = state->off;
- }
-
while ((skb = skb_peek(&psock->ingress_skb))) {
len = skb->len;
off = 0;
@@ -668,6 +663,13 @@ static void sk_psock_backlog(struct work_struct *work)
off = stm->offset;
len = stm->full_len;
}
+
+ /* Resume processing from previous partial state */
+ if (unlikely(state->len)) {
+ len = state->len;
+ off = state->off;
+ }
+
ingress = skb_bpf_ingress(skb);
skb_bpf_redirect_clear(skb);
do {
@@ -695,6 +697,8 @@ static void sk_psock_backlog(struct work_struct *work)
len -= ret;
} while (len);
+ /* The entire skb sent, clear state */
+ sk_psock_skb_state(psock, state, 0, 0);
skb = skb_dequeue(&psock->ingress_skb);
kfree_skb(skb);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 057/508] bpf, sockmap: Fix panic when calling skb_linearize
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 056/508] bpf, sockmap: fix duplicated data transmission Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 058/508] f2fs: fix to do sanity check on sbi->total_valid_block_count Greg Kroah-Hartman
` (451 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e ]
The panic can be reproduced by executing the command:
./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000
Then a kernel panic was captured:
'''
[ 657.460555] kernel BUG at net/core/skbuff.c:2178!
[ 657.462680] Tainted: [W]=WARN
[ 657.463287] Workqueue: events sk_psock_backlog
...
[ 657.469610] <TASK>
[ 657.469738] ? die+0x36/0x90
[ 657.469916] ? do_trap+0x1d0/0x270
[ 657.470118] ? pskb_expand_head+0x612/0xf40
[ 657.470376] ? pskb_expand_head+0x612/0xf40
[ 657.470620] ? do_error_trap+0xa3/0x170
[ 657.470846] ? pskb_expand_head+0x612/0xf40
[ 657.471092] ? handle_invalid_op+0x2c/0x40
[ 657.471335] ? pskb_expand_head+0x612/0xf40
[ 657.471579] ? exc_invalid_op+0x2d/0x40
[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20
[ 657.472052] ? pskb_expand_head+0xd1/0xf40
[ 657.472292] ? pskb_expand_head+0x612/0xf40
[ 657.472540] ? lock_acquire+0x18f/0x4e0
[ 657.472766] ? find_held_lock+0x2d/0x110
[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10
[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470
[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10
[ 657.473826] __pskb_pull_tail+0xfd/0x1d20
[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90
[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510
[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0
[ 657.476010] sk_psock_backlog+0x5cf/0xd70
[ 657.476637] process_one_work+0x858/0x1a20
'''
The panic originates from the assertion BUG_ON(skb_shared(skb)) in
skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()
to avoid race conditions between skb operations in the backlog and skb
release in the recvmsg path. However, this caused the panic to always
occur when skb_linearize is executed.
The "--rx-strp 100000" parameter forces the RX path to use the strparser
module which aggregates data until it reaches 100KB before calling sockmap
logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.
To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.
'''
sk_psock_backlog:
sk_psock_handle_skb
skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'
sk_psock_skb_ingress____________
↓
|
| → sk_psock_skb_ingress_self
| sk_psock_skb_ingress_enqueue
sk_psock_verdict_apply_________________↑ skb_linearize
'''
Note that for verdict_apply path, the skb_get operation is unnecessary so
we add 'take_ref' param to control it's behavior.
Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 72f4949cbb70f..0613f9a2543bb 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -528,16 +528,22 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
u32 off, u32 len,
struct sk_psock *psock,
struct sock *sk,
- struct sk_msg *msg)
+ struct sk_msg *msg,
+ bool take_ref)
{
int num_sge, copied;
+ /* skb_to_sgvec will fail when the total number of fragments in
+ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the
+ * caller may aggregate multiple skbs.
+ */
num_sge = skb_to_sgvec(skb, msg->sg.data, off, len);
if (num_sge < 0) {
/* skb linearize may fail with ENOMEM, but lets simply try again
* later if this happens. Under memory pressure we don't want to
* drop the skb. We need to linearize the skb so that the mapping
* in skb_to_sgvec can not error.
+ * Note that skb_linearize requires the skb not to be shared.
*/
if (skb_linearize(skb))
return -EAGAIN;
@@ -554,7 +560,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
msg->sg.start = 0;
msg->sg.size = copied;
msg->sg.end = num_sge;
- msg->skb = skb;
+ msg->skb = take_ref ? skb_get(skb) : skb;
sk_psock_queue_msg(psock, msg);
sk_psock_data_ready(sk, psock);
@@ -562,7 +568,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
}
static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
- u32 off, u32 len);
+ u32 off, u32 len, bool take_ref);
static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len)
@@ -576,7 +582,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
* correctly.
*/
if (unlikely(skb->sk == sk))
- return sk_psock_skb_ingress_self(psock, skb, off, len);
+ return sk_psock_skb_ingress_self(psock, skb, off, len, true);
msg = sk_psock_create_ingress_msg(sk, skb);
if (!msg)
return -EAGAIN;
@@ -588,7 +594,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
* into user buffers.
*/
skb_set_owner_r(skb, sk);
- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
+ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true);
if (err < 0)
kfree(msg);
return err;
@@ -599,7 +605,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
* because the skb is already accounted for here.
*/
static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
- u32 off, u32 len)
+ u32 off, u32 len, bool take_ref)
{
struct sk_msg *msg = alloc_sk_msg(GFP_ATOMIC);
struct sock *sk = psock->sk;
@@ -608,7 +614,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
if (unlikely(!msg))
return -EAGAIN;
skb_set_owner_r(skb, sk);
- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
+ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref);
if (err < 0)
kfree(msg);
return err;
@@ -617,18 +623,13 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len, bool ingress)
{
- int err = 0;
-
if (!ingress) {
if (!sock_writeable(psock->sk))
return -EAGAIN;
return skb_send_sock(psock->sk, skb, off, len);
}
- skb_get(skb);
- err = sk_psock_skb_ingress(psock, skb, off, len);
- if (err < 0)
- kfree_skb(skb);
- return err;
+
+ return sk_psock_skb_ingress(psock, skb, off, len);
}
static void sk_psock_skb_state(struct sk_psock *psock,
@@ -1016,7 +1017,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb,
off = stm->offset;
len = stm->full_len;
}
- err = sk_psock_skb_ingress_self(psock, skb, off, len);
+ err = sk_psock_skb_ingress_self(psock, skb, off, len, false);
}
if (err < 0) {
spin_lock_bh(&psock->ingress_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 058/508] f2fs: fix to do sanity check on sbi->total_valid_block_count
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 057/508] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 059/508] net: ncsi: Fix GCPS 64-bit member variables Greg Kroah-Hartman
` (450 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8b376a77b2f364097fbe, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ]
syzbot reported a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/f2fs.h:2521!
RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
Call Trace:
f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x222/0x310 fs/open.c:65
handle_truncate fs/namei.c:3466 [inline]
do_open fs/namei.c:3849 [inline]
path_openat+0x2e4f/0x35d0 fs/namei.c:4004
do_filp_open+0x284/0x4e0 fs/namei.c:4031
do_sys_openat2+0x12b/0x1d0 fs/open.c:1429
do_sys_open fs/open.c:1444 [inline]
__do_sys_creat fs/open.c:1522 [inline]
__se_sys_creat fs/open.c:1516 [inline]
__x64_sys_creat+0x124/0x170 fs/open.c:1516
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
The reason is: in fuzzed image, sbi->total_valid_block_count is
inconsistent w/ mapped blocks indexed by inode, so, we should
not trigger panic for such case, instead, let's print log and
set fsck flag.
Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure")
Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/f2fs.h | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 840a458554517..ef9149bd398ae 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2387,8 +2387,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi,
blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK;
spin_lock(&sbi->stat_lock);
- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count);
- sbi->total_valid_block_count -= (block_t)count;
+ if (unlikely(sbi->total_valid_block_count < count)) {
+ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u",
+ sbi->total_valid_block_count, inode->i_ino, count);
+ sbi->total_valid_block_count = 0;
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ } else {
+ sbi->total_valid_block_count -= count;
+ }
if (sbi->reserved_blocks &&
sbi->current_reserved_blocks < sbi->reserved_blocks)
sbi->current_reserved_blocks = min(sbi->reserved_blocks,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 059/508] net: ncsi: Fix GCPS 64-bit member variables
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 058/508] f2fs: fix to do sanity check on sbi->total_valid_block_count Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 060/508] libbpf: Fix buffer overflow in bpf_object__init_prog Greg Kroah-Hartman
` (449 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Kalavakunta, Paul Fertser,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ]
Correct Get Controller Packet Statistics (GCPS) 64-bit wide member
variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently
collects these stats, but they are yet to be exposed to the user.
Therefore, no user impact.
Statistics fixes:
Total Bytes Received (byte range 28..35)
Total Bytes Transmitted (byte range 36..43)
Total Unicast Packets Received (byte range 44..51)
Total Multicast Packets Received (byte range 52..59)
Total Broadcast Packets Received (byte range 60..67)
Total Unicast Packets Transmitted (byte range 68..75)
Total Multicast Packets Transmitted (byte range 76..83)
Total Broadcast Packets Transmitted (byte range 84..91)
Valid Bytes Received (byte range 204..11)
Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ncsi/internal.h | 21 ++++++++++-----------
net/ncsi/ncsi-pkt.h | 23 +++++++++++------------
net/ncsi/ncsi-rsp.c | 21 ++++++++++-----------
3 files changed, 31 insertions(+), 34 deletions(-)
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 4e0842df5234e..2c260f33b55cc 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter {
};
struct ncsi_channel_stats {
- u32 hnc_cnt_hi; /* Counter cleared */
- u32 hnc_cnt_lo; /* Counter cleared */
- u32 hnc_rx_bytes; /* Rx bytes */
- u32 hnc_tx_bytes; /* Tx bytes */
- u32 hnc_rx_uc_pkts; /* Rx UC packets */
- u32 hnc_rx_mc_pkts; /* Rx MC packets */
- u32 hnc_rx_bc_pkts; /* Rx BC packets */
- u32 hnc_tx_uc_pkts; /* Tx UC packets */
- u32 hnc_tx_mc_pkts; /* Tx MC packets */
- u32 hnc_tx_bc_pkts; /* Tx BC packets */
+ u64 hnc_cnt; /* Counter cleared */
+ u64 hnc_rx_bytes; /* Rx bytes */
+ u64 hnc_tx_bytes; /* Tx bytes */
+ u64 hnc_rx_uc_pkts; /* Rx UC packets */
+ u64 hnc_rx_mc_pkts; /* Rx MC packets */
+ u64 hnc_rx_bc_pkts; /* Rx BC packets */
+ u64 hnc_tx_uc_pkts; /* Tx UC packets */
+ u64 hnc_tx_mc_pkts; /* Tx MC packets */
+ u64 hnc_tx_bc_pkts; /* Tx BC packets */
u32 hnc_fcs_err; /* FCS errors */
u32 hnc_align_err; /* Alignment errors */
u32 hnc_false_carrier; /* False carrier detection */
@@ -181,7 +180,7 @@ struct ncsi_channel_stats {
u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */
u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */
u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */
- u32 hnc_rx_valid_bytes; /* Rx valid bytes */
+ u64 hnc_rx_valid_bytes; /* Rx valid bytes */
u32 hnc_rx_runt_pkts; /* Rx error runt packets */
u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */
u32 ncsi_rx_cmds; /* Rx NCSI commands */
diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
index f2f3b5c1b9412..24edb27379724 100644
--- a/net/ncsi/ncsi-pkt.h
+++ b/net/ncsi/ncsi-pkt.h
@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt {
/* Get Controller Packet Statistics */
struct ncsi_rsp_gcps_pkt {
struct ncsi_rsp_pkt_hdr rsp; /* Response header */
- __be32 cnt_hi; /* Counter cleared */
- __be32 cnt_lo; /* Counter cleared */
- __be32 rx_bytes; /* Rx bytes */
- __be32 tx_bytes; /* Tx bytes */
- __be32 rx_uc_pkts; /* Rx UC packets */
- __be32 rx_mc_pkts; /* Rx MC packets */
- __be32 rx_bc_pkts; /* Rx BC packets */
- __be32 tx_uc_pkts; /* Tx UC packets */
- __be32 tx_mc_pkts; /* Tx MC packets */
- __be32 tx_bc_pkts; /* Tx BC packets */
+ __be64 cnt; /* Counter cleared */
+ __be64 rx_bytes; /* Rx bytes */
+ __be64 tx_bytes; /* Tx bytes */
+ __be64 rx_uc_pkts; /* Rx UC packets */
+ __be64 rx_mc_pkts; /* Rx MC packets */
+ __be64 rx_bc_pkts; /* Rx BC packets */
+ __be64 tx_uc_pkts; /* Tx UC packets */
+ __be64 tx_mc_pkts; /* Tx MC packets */
+ __be64 tx_bc_pkts; /* Tx BC packets */
__be32 fcs_err; /* FCS errors */
__be32 align_err; /* Alignment errors */
__be32 false_carrier; /* False carrier detection */
@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt {
__be32 tx_1023_frames; /* Tx 512-1023 bytes frames */
__be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */
__be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */
- __be32 rx_valid_bytes; /* Rx valid bytes */
+ __be64 rx_valid_bytes; /* Rx valid bytes */
__be32 rx_runt_pkts; /* Rx error runt packets */
__be32 rx_jabber_pkts; /* Rx error jabber packets */
__be32 checksum; /* Checksum */
-};
+} __packed __aligned(4);
/* Get NCSI Statistics */
struct ncsi_rsp_gns_pkt {
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 4a8ce2949faea..8668888c5a2f9 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
/* Update HNC's statistics */
ncs = &nc->stats;
- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi);
- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo);
- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes);
- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes);
- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts);
- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts);
- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts);
- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts);
- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts);
- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts);
+ ncs->hnc_cnt = be64_to_cpu(rsp->cnt);
+ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes);
+ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes);
+ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts);
+ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts);
+ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts);
+ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts);
+ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts);
+ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts);
ncs->hnc_fcs_err = ntohl(rsp->fcs_err);
ncs->hnc_align_err = ntohl(rsp->align_err);
ncs->hnc_false_carrier = ntohl(rsp->false_carrier);
@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames);
ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames);
ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames);
- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes);
+ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes);
ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts);
ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 060/508] libbpf: Fix buffer overflow in bpf_object__init_prog
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 059/508] net: ncsi: Fix GCPS 64-bit member variables Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 061/508] wifi: rtw88: do not ignore hardware read error during DPK Greg Kroah-Hartman
` (448 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, lmarch2, Viktor Malik,
Andrii Nakryiko, Shung-Hsi Yu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viktor Malik <vmalik@redhat.com>
[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ]
As shown in [1], it is possible to corrupt a BPF ELF file such that
arbitrary BPF instructions are loaded by libbpf. This can be done by
setting a symbol (BPF program) section offset to a large (unsigned)
number such that <section start + symbol offset> overflows and points
before the section data in the memory.
Consider the situation below where:
- prog_start = sec_start + symbol_offset <-- size_t overflow here
- prog_end = prog_start + prog_size
prog_start sec_start prog_end sec_end
| | | |
v v v v
.....................|################################|............
The report in [1] also provides a corrupted BPF ELF which can be used as
a reproducer:
$ readelf -S crash
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
...
[ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
0000000000000068 0000000000000000 AX 0 0 8
$ readelf -s crash
Symbol table '.symtab' contains 8 entries:
Num: Value Size Type Bind Vis Ndx Name
...
6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
point before the actual memory where section 2 is allocated.
This is also reported by AddressSanitizer:
=================================================================
==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
READ of size 104 at 0x7c7302fe0000 thread T0
#0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
#1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
#2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
#3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
#4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
#5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
#6 0x000000400c16 in main /poc/poc.c:8
#7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
#8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
#9 0x000000400b34 in _start (/poc/poc+0x400b34)
0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
allocated by thread T0 here:
#0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
#1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
#2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
#3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
The problem here is that currently, libbpf only checks that the program
end is within the section bounds. There used to be a check
`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
sections to support overriden weak functions").
Add a check for detecting the overflow of `sec_off + prog_sz` to
bpf_object__init_prog to fix this issue.
[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
Reported-by: lmarch2 <2524158037@qq.com>
Signed-off-by: Viktor Malik <vmalik@redhat.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 98d5e566e0582..2fb66ca0f50a5 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -818,7 +818,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
return -LIBBPF_ERRNO__FORMAT;
}
- if (sec_off + prog_sz > sec_sz) {
+ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
sec_name, sec_off);
return -LIBBPF_ERRNO__FORMAT;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 061/508] wifi: rtw88: do not ignore hardware read error during DPK
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 060/508] libbpf: Fix buffer overflow in bpf_object__init_prog Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 062/508] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Greg Kroah-Hartman
` (447 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Dmitry Antipov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ]
In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned
by 'check_hw_ready()' but issue a warning to denote possible
DPK issue. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support")
Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
index c6dacfde92005..d1b9031536496 100644
--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
@@ -3973,7 +3973,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev)
rtw_write32(rtwdev, REG_NCTL0, 0x00001148);
rtw_write32(rtwdev, REG_NCTL0, 0x00001149);
- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55);
+ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55))
+ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal");
rtw_write8(rtwdev, 0x1b10, 0x0);
rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 062/508] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 061/508] wifi: rtw88: do not ignore hardware read error during DPK Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 063/508] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk Greg Kroah-Hartman
` (446 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxian Huang, Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ]
hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the
inline function hns_roce_write64(), but it doesn't include this
header currently. This leads to that files including
hns_roce_hw_v2.h must also include hnae3.h to avoid compilation
errors, even if they themselves don't really rely on hnae3.h.
This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h
directly.
Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_ah.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
5 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
index 103a7787b3712..3a6a1f2430571 100644
--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
+++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
@@ -33,7 +33,6 @@
#include <linux/pci.h>
#include <rdma/ib_addr.h>
#include <rdma/ib_cache.h>
-#include "hnae3.h"
#include "hns_roce_device.h"
#include "hns_roce_hw_v2.h"
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index ab0dca9d199ab..be5d7a8ab4d43 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -42,7 +42,6 @@
#include <rdma/ib_umem.h>
#include <rdma/uverbs_ioctl.h>
-#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_cmd.h"
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
index a9eff72f10c62..e032db5e3dbf3 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
@@ -34,6 +34,7 @@
#define _HNS_ROCE_HW_V2_H
#include <linux/bitops.h>
+#include "hnae3.h"
#define HNS_ROCE_V2_MAX_QP_NUM 0x1000
#define HNS_ROCE_V2_MAX_WQE_NUM 0x8000
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index eae22ac42e05d..3a35f1fb84db9 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -37,7 +37,6 @@
#include <rdma/ib_smi.h>
#include <rdma/ib_user_verbs.h>
#include <rdma/ib_cache.h>
-#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_hem.h"
diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c
index 989a2af2e9382..6ba064899bf14 100644
--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c
+++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c
@@ -4,7 +4,6 @@
#include <rdma/rdma_cm.h>
#include <rdma/restrack.h>
#include <uapi/rdma/rdma_netlink.h>
-#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_hw_v2.h"
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 063/508] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 062/508] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 064/508] iommu: Protect against overflow in iommu_pgsize() Greg Kroah-Hartman
` (445 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihang Li, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihang Li <liyihang9@huawei.com>
[ Upstream commit e4d953ca557e02edd3aed7390043e1b8ad1c9723 ]
In commit 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe
I_T nexus reset failure"), if the softreset fails upon certain
conditions, the PHY connected to the disk is disabled directly. Manual
recovery is required, which is inconvenient for users in actual use.
In addition, SATA disks do not support simultaneous connection of multiple
hosts. Therefore, when multiple controllers are connected to a SATA disk
at the same time, the controller which is connected later failed to issue
an ATA softreset to the SATA disk. As a result, the PHY associated with
the disk is disabled and cannot be automatically recovered.
Now that, we will not focus on the execution result of softreset. No
matter whether the execution is successful or not, we will directly carry
out I_T_nexus_reset.
Fixes: 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe I_T nexus reset failure")
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://lore.kernel.org/r/20250414080845.1220997-4-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +++++----------------------
1 file changed, 5 insertions(+), 24 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 02855164bf28d..360f2799f2a13 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1758,33 +1758,14 @@ static int hisi_sas_I_T_nexus_reset(struct domain_device *device)
}
hisi_sas_dereg_device(hisi_hba, device);
- rc = hisi_sas_debug_I_T_nexus_reset(device);
- if (rc == TMF_RESP_FUNC_COMPLETE && dev_is_sata(device)) {
- struct sas_phy *local_phy;
-
+ if (dev_is_sata(device)) {
rc = hisi_sas_softreset_ata_disk(device);
- switch (rc) {
- case -ECOMM:
- rc = -ENODEV;
- break;
- case TMF_RESP_FUNC_FAILED:
- case -EMSGSIZE:
- case -EIO:
- local_phy = sas_get_local_phy(device);
- rc = sas_phy_enable(local_phy, 0);
- if (!rc) {
- local_phy->enabled = 0;
- dev_err(dev, "Disabled local phy of ATA disk %016llx due to softreset fail (%d)\n",
- SAS_ADDR(device->sas_addr), rc);
- rc = -ENODEV;
- }
- sas_put_local_phy(local_phy);
- break;
- default:
- break;
- }
+ if (rc == TMF_RESP_FUNC_FAILED)
+ dev_err(dev, "ata disk %016llx reset (%d)\n",
+ SAS_ADDR(device->sas_addr), rc);
}
+ rc = hisi_sas_debug_I_T_nexus_reset(device);
if ((rc == TMF_RESP_FUNC_COMPLETE) || (rc == -ENODEV))
hisi_sas_release_task(hisi_hba, device);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 064/508] iommu: Protect against overflow in iommu_pgsize()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 063/508] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 065/508] f2fs: clean up w/ fscrypt_is_bounce_page() Greg Kroah-Hartman
` (444 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Lu Baolu,
Joerg Roedel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ]
On a 32 bit system calling:
iommu_map(0, 0x40000000)
When using the AMD V1 page table type with a domain->pgsize of 0xfffff000
causes iommu_pgsize() to miscalculate a result of:
size=0x40000000 count=2
count should be 1. This completely corrupts the mapping process.
This is because the final test to adjust the pagesize malfunctions when
the addition overflows. Use check_add_overflow() to prevent this.
Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 83736824f17d1..ae9ca0700ad22 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -2202,6 +2202,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
unsigned int pgsize_idx, pgsize_idx_next;
unsigned long pgsizes;
size_t offset, pgsize, pgsize_next;
+ size_t offset_end;
unsigned long addr_merge = paddr | iova;
/* Page sizes supported by the hardware and small enough for @size */
@@ -2242,7 +2243,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
* If size is big enough to accommodate the larger page, reduce
* the number of smaller pages.
*/
- if (offset + pgsize_next <= size)
+ if (!check_add_overflow(offset, pgsize_next, &offset_end) &&
+ offset_end <= size)
size = offset;
out_set_count:
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 065/508] f2fs: clean up w/ fscrypt_is_bounce_page()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 064/508] iommu: Protect against overflow in iommu_pgsize() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 066/508] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() Greg Kroah-Hartman
` (443 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ]
Just cleanup, no logic changes.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 0b0e3d44e158e..2ae682f8d0c8e 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -56,7 +56,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
struct inode *inode;
struct f2fs_sb_info *sbi;
- if (!mapping)
+ if (fscrypt_is_bounce_page(page))
return false;
inode = mapping->host;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 066/508] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 065/508] f2fs: clean up w/ fscrypt_is_bounce_page() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 067/508] libbpf: Use proper errno value in linker Greg Kroah-Hartman
` (442 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Prusakowski, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ]
Jan Prusakowski reported a f2fs bug as below:
f2fs/007 will hang kernel during testing w/ below configs:
kernel 6.12.18 (from pixel-kernel/android16-6.12)
export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota"
export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc"
cat /proc/<umount_proc_id>/stack
f2fs_wait_on_all_pages+0xa3/0x130
do_checkpoint+0x40c/0x5d0
f2fs_write_checkpoint+0x258/0x550
kill_f2fs_super+0x14f/0x190
deactivate_locked_super+0x30/0xb0
cleanup_mnt+0xba/0x150
task_work_run+0x59/0xa0
syscall_exit_to_user_mode+0x12d/0x130
do_syscall_64+0x57/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
cat /sys/kernel/debug/f2fs/status
- IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0
CP IOs reference count becomes negative.
The root cause is:
After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block
migration"), we will tag page w/ gcing flag for raw page of cluster
during its migration.
However, if the inode is both encrypted and compressed, during
ioc_decompress(), it will tag page w/ gcing flag, and it increase
F2FS_WB_DATA reference count:
- f2fs_write_multi_page
- f2fs_write_raw_page
- f2fs_write_single_page
- do_write_page
- f2fs_submit_page_write
- WB_DATA_TYPE(bio_page, fio->compressed_page)
: bio_page is encrypted, so mapping is NULL, and fio->compressed_page
is NULL, it returns F2FS_WB_DATA
- inc_page_count(.., F2FS_WB_DATA)
Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count:
- f2fs_write_end_io
- f2fs_compress_write_end_io
- fscrypt_pagecache_folio
: get raw page from encrypted page
- WB_DATA_TYPE(&folio->page, false)
: raw page has gcing flag, it returns F2FS_WB_CP_DATA
- dec_page_count(.., F2FS_WB_CP_DATA)
In order to fix this issue, we need to detect gcing flag in raw page
in f2fs_is_cp_guaranteed().
Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
Reported-by: Jan Prusakowski <jprusakowski@google.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 2ae682f8d0c8e..7b65766d365f1 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -57,7 +57,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
struct f2fs_sb_info *sbi;
if (fscrypt_is_bounce_page(page))
- return false;
+ return page_private_gcing(fscrypt_pagecache_page(page));
inode = mapping->host;
sbi = F2FS_I_SB(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 067/508] libbpf: Use proper errno value in linker
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 066/508] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 068/508] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Greg Kroah-Hartman
` (441 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Protopopov, Andrii Nakryiko,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <a.s.protopopov@gmail.com>
[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ]
Return values of the linker_append_sec_data() and the
linker_append_elf_relos() functions are propagated all the
way up to users of libbpf API. In some error cases these
functions return -1 which will be seen as -EPERM from user's
point of view. Instead, return a more reasonable -EINVAL.
Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/linker.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index 752ef88c9fd97..0bee018a6a6c0 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c
@@ -1175,7 +1175,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj
} else {
if (!secs_match(dst_sec, src_sec)) {
pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name);
- return -1;
+ return -EINVAL;
}
/* "license" and "version" sections are deduped */
@@ -2023,7 +2023,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob
}
} else if (!secs_match(dst_sec, src_sec)) {
pr_warn("sections %s are not compatible\n", src_sec->sec_name);
- return -1;
+ return -EINVAL;
}
/* add_dst_sec() above could have invalidated linker->secs */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 068/508] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 067/508] libbpf: Use proper errno value in linker Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 069/508] netfilter: nft_quota: match correctly when the quota just depleted Greg Kroah-Hartman
` (440 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huajian Yang, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huajian Yang <huajianyang@asrmicro.com>
[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ]
The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for
fragmented packets.
The original bridge does not know that it is a fragmented packet and
forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function
nf_br_ip_fragment and br_ip6_fragment will check the headroom.
In original br_forward, insufficient headroom of skb may indeed exist,
but there's still a way to save the skb in the device driver after
dev_queue_xmit.So droping the skb will change the original bridge
forwarding in some cases.
Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
Signed-off-by: Huajian Yang <huajianyang@asrmicro.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------
net/ipv6/netfilter.c | 12 ++++++------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index e60c38670f220..e7df2911d2be7 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
struct ip_fraglist_iter iter;
struct sk_buff *frag;
- if (first_len - hlen > mtu ||
- skb_headroom(skb) < ll_rs)
+ if (first_len - hlen > mtu)
goto blackhole;
- if (skb_cloned(skb))
+ if (skb_cloned(skb) ||
+ skb_headroom(skb) < ll_rs)
goto slow_path;
skb_walk_frags(skb, frag) {
- if (frag->len > mtu ||
- skb_headroom(frag) < hlen + ll_rs)
+ if (frag->len > mtu)
goto blackhole;
- if (skb_shared(frag))
+ if (skb_shared(frag) ||
+ skb_headroom(frag) < hlen + ll_rs)
goto slow_path;
}
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 857713d7a38a5..d873658fc821f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -163,20 +163,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
struct ip6_fraglist_iter iter;
struct sk_buff *frag2;
- if (first_len - hlen > mtu ||
- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
+ if (first_len - hlen > mtu)
goto blackhole;
- if (skb_cloned(skb))
+ if (skb_cloned(skb) ||
+ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
goto slow_path;
skb_walk_frags(skb, frag2) {
- if (frag2->len > mtu ||
- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
+ if (frag2->len > mtu)
goto blackhole;
/* Partially cloned skb? */
- if (skb_shared(frag2))
+ if (skb_shared(frag2) ||
+ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
goto slow_path;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 069/508] netfilter: nft_quota: match correctly when the quota just depleted
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 068/508] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 070/508] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Greg Kroah-Hartman
` (439 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhongqiu Duan, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ]
The xt_quota compares skb length with remaining quota, but the nft_quota
compares it with consumed bytes.
The xt_quota can match consumed bytes up to quota at maximum. But the
nft_quota break match when consumed bytes equal to quota.
i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota].
Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_quota.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index ef8e7cdbd0e6a..60e6d0c5f04ec 100644
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -19,10 +19,16 @@ struct nft_quota {
};
static inline bool nft_overquota(struct nft_quota *priv,
- const struct sk_buff *skb)
+ const struct sk_buff *skb,
+ bool *report)
{
- return atomic64_add_return(skb->len, priv->consumed) >=
- atomic64_read(&priv->quota);
+ u64 consumed = atomic64_add_return(skb->len, priv->consumed);
+ u64 quota = atomic64_read(&priv->quota);
+
+ if (report)
+ *report = consumed >= quota;
+
+ return consumed > quota;
}
static inline bool nft_quota_invert(struct nft_quota *priv)
@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv))
+ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv))
regs->verdict.code = NFT_BREAK;
}
@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj,
const struct nft_pktinfo *pkt)
{
struct nft_quota *priv = nft_obj_data(obj);
- bool overquota;
+ bool overquota, report;
- overquota = nft_overquota(priv, pkt->skb);
+ overquota = nft_overquota(priv, pkt->skb, &report);
if (overquota ^ nft_quota_invert(priv))
regs->verdict.code = NFT_BREAK;
- if (overquota &&
+ if (report &&
!test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags))
nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0,
NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 070/508] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 069/508] netfilter: nft_quota: match correctly when the quota just depleted Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 071/508] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ Greg Kroah-Hartman
` (438 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ]
Upon RQ destruction if the firmware command fails which is the
last resource to be destroyed some SW resources were already cleaned
regardless of the failure.
Now properly rollback the object to its original state upon such failure.
In order to avoid a use-after free in case someone tries to destroy the
object again, which results in the following kernel trace:
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x148
lr : refcount_warn_saturate+0xf4/0x148
sp : ffff80008b81b7e0
x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
Call trace:
refcount_warn_saturate+0xf4/0x148
mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
ib_destroy_wq_user+0x30/0xc0 [ib_core]
uverbs_free_wq+0x28/0x58 [ib_uverbs]
destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
__uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
ib_uverbs_close+0x2c/0x100 [ib_uverbs]
__fput+0xd8/0x2f0
__fput_sync+0x50/0x70
__arm64_sys_close+0x40/0x90
invoke_syscall.constprop.0+0x74/0xd0
do_el0_svc+0x48/0xe8
el0_svc+0x44/0x1d0
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x1a4/0x1a8
Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++--
include/linux/mlx5/driver.h | 1 +
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c
index d4e7864c56f18..d75ec5e57c5fd 100644
--- a/drivers/infiniband/hw/mlx5/qpc.c
+++ b/drivers/infiniband/hw/mlx5/qpc.c
@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn)
spin_lock_irqsave(&table->lock, flags);
common = radix_tree_lookup(&table->tree, rsn);
- if (common)
+ if (common && !common->invalid)
refcount_inc(&common->refcount);
+ else
+ common = NULL;
spin_unlock_irqrestore(&table->lock, flags);
@@ -172,6 +174,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev,
return 0;
}
+static void modify_resource_common_state(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *qp,
+ bool invalid)
+{
+ struct mlx5_qp_table *table = &dev->qp_table;
+ unsigned long flags;
+
+ spin_lock_irqsave(&table->lock, flags);
+ qp->common.invalid = invalid;
+ spin_unlock_irqrestore(&table->lock, flags);
+}
+
static void destroy_resource_common(struct mlx5_ib_dev *dev,
struct mlx5_core_qp *qp)
{
@@ -584,8 +598,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen,
int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev,
struct mlx5_core_qp *rq)
{
+ int ret;
+
+ /* The rq destruction can be called again in case it fails, hence we
+ * mark the common resource as invalid and only once FW destruction
+ * is completed successfully we actually destroy the resources.
+ */
+ modify_resource_common_state(dev, rq, true);
+ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid);
+ if (ret) {
+ modify_resource_common_state(dev, rq, false);
+ return ret;
+ }
destroy_resource_common(dev, rq);
- return destroy_rq_tracked(dev, rq->qpn, rq->uid);
+ return 0;
}
static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid)
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index 3c3e0f26c2446..b05f69a8306c9 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -385,6 +385,7 @@ struct mlx5_core_rsc_common {
enum mlx5_res_type res;
refcount_t refcount;
struct completion free;
+ bool invalid;
};
struct mlx5_uars_page {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 071/508] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 070/508] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 072/508] clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs Greg Kroah-Hartman
` (437 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Protopopov, Andrii Nakryiko,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <a.s.protopopov@gmail.com>
[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ]
With the latest LLVM bpf selftests build will fail with
the following error message:
progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe]
710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val);
| ^
tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ'
520 | ___type((src), a, ##__VA_ARGS__) __r; \
| ^
This happens because BPF_CORE_READ (and other macro) declare the
variable __r using the ___type macro which can inherit const modifier
from intermediate types.
Fix this by using __typeof_unqual__, when supported. (And when it
is not supported, the problem shouldn't appear, as older compilers
haven't complained.)
Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros")
Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/bpf_core_read.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
index 41740ae8aad73..18c2ab57a9bff 100644
--- a/tools/lib/bpf/bpf_core_read.h
+++ b/tools/lib/bpf/bpf_core_read.h
@@ -312,7 +312,13 @@ enum bpf_enum_value_kind {
#define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j
#define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__)
+#if defined(__clang__) && (__clang_major__ >= 19)
+#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
+#elif defined(__GNUC__) && (__GNUC__ >= 14)
+#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
+#else
#define ___type(...) typeof(___arrow(__VA_ARGS__))
+#endif
#define ___read(read_fn, dst, src_type, src, accessor) \
read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 072/508] clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 071/508] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 073/508] clk: qcom: gcc-sm6350: " Greg Kroah-Hartman
` (436 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 673989d27123618afab56df1143a75454178b4ae ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used.
Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-2-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm6350.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c
index ddacb4f76eca5..ea98a63746f0f 100644
--- a/drivers/clk/qcom/dispcc-sm6350.c
+++ b/drivers/clk/qcom/dispcc-sm6350.c
@@ -680,6 +680,9 @@ static struct clk_branch disp_cc_xo_clk = {
static struct gdsc mdss_gdsc = {
.gdscr = 0x1004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "mdss_gdsc",
},
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 073/508] clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 072/508] clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 074/508] clk: qcom: gpucc-sm6350: " Greg Kroah-Hartman
` (435 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used.
Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sm6350.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c
index 428cd99dcdcbe..4031613c6236f 100644
--- a/drivers/clk/qcom/gcc-sm6350.c
+++ b/drivers/clk/qcom/gcc-sm6350.c
@@ -2320,6 +2320,9 @@ static struct clk_branch gcc_video_xo_clk = {
static struct gdsc usb30_prim_gdsc = {
.gdscr = 0x1a004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "usb30_prim_gdsc",
},
@@ -2328,6 +2331,9 @@ static struct gdsc usb30_prim_gdsc = {
static struct gdsc ufs_phy_gdsc = {
.gdscr = 0x3a004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "ufs_phy_gdsc",
},
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 074/508] clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 073/508] clk: qcom: gcc-sm6350: " Greg Kroah-Hartman
@ 2025-06-23 13:01 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 075/508] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Greg Kroah-Hartman
` (434 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit d988b0b866c2aeb23aa74022b5bbd463165a7a33 ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used, with the exception of
gpu_cx_gdsc which has an explicit value (qcom,clk-dis-wait-val = <8>).
Fixes: 013804a727a0 ("clk: qcom: Add GPU clock controller driver for SM6350")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-4-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gpucc-sm6350.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/clk/qcom/gpucc-sm6350.c b/drivers/clk/qcom/gpucc-sm6350.c
index 0bcbba2a29436..86c8ad5b55bac 100644
--- a/drivers/clk/qcom/gpucc-sm6350.c
+++ b/drivers/clk/qcom/gpucc-sm6350.c
@@ -412,6 +412,9 @@ static struct clk_branch gpu_cc_gx_vsense_clk = {
static struct gdsc gpu_cx_gdsc = {
.gdscr = 0x106c,
.gds_hw_ctrl = 0x1540,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0x8,
.pd = {
.name = "gpu_cx_gdsc",
},
@@ -422,6 +425,9 @@ static struct gdsc gpu_cx_gdsc = {
static struct gdsc gpu_gx_gdsc = {
.gdscr = 0x100c,
.clamp_io_ctrl = 0x1508,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0x2,
.pd = {
.name = "gpu_gx_gdsc",
.power_on = gdsc_gx_do_nothing_enable,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 075/508] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-06-23 13:01 ` [PATCH 6.1 074/508] clk: qcom: gpucc-sm6350: " Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 076/508] efi/libstub: Describe missing out parameter in efi_load_initrd Greg Kroah-Hartman
` (433 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Dave Stevenson,
Stefan Wahren, Stephen Boyd, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
raspberrypi_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com
Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/bcm/clk-raspberrypi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
index 278f845572813..a7e18789839fe 100644
--- a/drivers/clk/bcm/clk-raspberrypi.c
+++ b/drivers/clk/bcm/clk-raspberrypi.c
@@ -290,6 +290,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
init.name = devm_kasprintf(rpi->dev, GFP_KERNEL,
"fw-clk-%s",
rpi_firmware_clk_names[id]);
+ if (!init.name)
+ return ERR_PTR(-ENOMEM);
init.ops = &raspberrypi_firmware_clk_ops;
init.flags = CLK_GET_RATE_NOCACHE;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 076/508] efi/libstub: Describe missing out parameter in efi_load_initrd
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 075/508] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 077/508] tracing: Rename event_trigger_alloc() to trigger_data_alloc() Greg Kroah-Hartman
` (432 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Zhang, Ard Biesheuvel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit c8e1927e7f7d63721e32ec41d27ccb0eb1a1b0fc ]
The function efi_load_initrd() had a documentation warning due to
the missing description for the 'out' parameter. Add the parameter
description to the kernel-doc comment to resolve the warning and
improve API documentation.
Fixes the following compiler warning:
drivers/firmware/efi/libstub/efi-stub-helper.c:611: warning: Function parameter or struct member 'out' not described in 'efi_load_initrd'
Fixes: f4dc7fffa987 ("efi: libstub: unify initrd loading between architectures")
Signed-off-by: Hans Zhang <18255117159@163.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/libstub/efi-stub-helper.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index 97744822dd951..587ba946ba9d8 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -697,6 +697,7 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
* @image: EFI loaded image protocol
* @soft_limit: preferred address for loading the initrd
* @hard_limit: upper limit address for loading the initrd
+ * @out: pointer to store the address of the initrd table
*
* Return: status code
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 077/508] tracing: Rename event_trigger_alloc() to trigger_data_alloc()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 076/508] efi/libstub: Describe missing out parameter in efi_load_initrd Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 078/508] tracing: Fix error handling in event_trigger_parse() Greg Kroah-Hartman
` (431 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mark Rutland,
Mathieu Desnoyers, Andrew Morton, Tom Zanussi,
Steven Rostedt (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit f2947c4b7d0f235621c5daf78aecfbd6e22c05e5 ]
The function event_trigger_alloc() creates an event_trigger_data
descriptor and states that it needs to be freed via event_trigger_free().
This is incorrect, it needs to be freed by trigger_data_free() as
event_trigger_free() adds ref counting.
Rename event_trigger_alloc() to trigger_data_alloc() and state that it
needs to be freed via trigger_data_free(). This naming convention
was introducing bugs.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Link: https://lore.kernel.org/20250507145455.776436410@goodmis.org
Fixes: 86599dbe2c527 ("tracing: Add helper functions to simplify event_command.parse() callback handling")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.h | 8 +++-----
kernel/trace/trace_events_hist.c | 2 +-
kernel/trace/trace_events_trigger.c | 16 ++++++++--------
3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 49b297ca7fc72..950782b0ab1cb 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1586,6 +1586,9 @@ extern int event_enable_register_trigger(char *glob,
extern void event_enable_unregister_trigger(char *glob,
struct event_trigger_data *test,
struct trace_event_file *file);
+extern struct event_trigger_data *
+trigger_data_alloc(struct event_command *cmd_ops, char *cmd, char *param,
+ void *private_data);
extern void trigger_data_free(struct event_trigger_data *data);
extern int event_trigger_init(struct event_trigger_data *data);
extern int trace_event_trigger_enable_disable(struct trace_event_file *file,
@@ -1612,11 +1615,6 @@ extern bool event_trigger_check_remove(const char *glob);
extern bool event_trigger_empty_param(const char *param);
extern int event_trigger_separate_filter(char *param_and_filter, char **param,
char **filter, bool param_required);
-extern struct event_trigger_data *
-event_trigger_alloc(struct event_command *cmd_ops,
- char *cmd,
- char *param,
- void *private_data);
extern int event_trigger_parse_num(char *trigger,
struct event_trigger_data *trigger_data);
extern int event_trigger_set_filter(struct event_command *cmd_ops,
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index a11392596a365..c53be68bcd111 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -6520,7 +6520,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops,
return PTR_ERR(hist_data);
}
- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, hist_data);
+ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
if (!trigger_data) {
ret = -ENOMEM;
goto out_free;
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index afdbad16d00a6..22bee3eae7cc3 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -807,7 +807,7 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
}
/**
- * event_trigger_alloc - allocate and init event_trigger_data for a trigger
+ * trigger_data_alloc - allocate and init event_trigger_data for a trigger
* @cmd_ops: The event_command operations for the trigger
* @cmd: The cmd string
* @param: The param string
@@ -818,14 +818,14 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
* trigger_ops to assign to the event_trigger_data. @private_data can
* also be passed in and associated with the event_trigger_data.
*
- * Use event_trigger_free() to free an event_trigger_data object.
+ * Use trigger_data_free() to free an event_trigger_data object.
*
* Return: The trigger_data object success, NULL otherwise
*/
-struct event_trigger_data *event_trigger_alloc(struct event_command *cmd_ops,
- char *cmd,
- char *param,
- void *private_data)
+struct event_trigger_data *trigger_data_alloc(struct event_command *cmd_ops,
+ char *cmd,
+ char *param,
+ void *private_data)
{
struct event_trigger_data *trigger_data;
struct event_trigger_ops *trigger_ops;
@@ -992,7 +992,7 @@ event_trigger_parse(struct event_command *cmd_ops,
return ret;
ret = -ENOMEM;
- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, file);
+ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, file);
if (!trigger_data)
goto out;
@@ -1772,7 +1772,7 @@ int event_enable_trigger_parse(struct event_command *cmd_ops,
enable_data->enable = enable;
enable_data->file = event_enable_file;
- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, enable_data);
+ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, enable_data);
if (!trigger_data) {
kfree(enable_data);
goto out;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 078/508] tracing: Fix error handling in event_trigger_parse()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 077/508] tracing: Rename event_trigger_alloc() to trigger_data_alloc() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 079/508] ktls, sockmap: Fix missing uncharge operation Greg Kroah-Hartman
` (430 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mark Rutland,
Andrew Morton, Mathieu Desnoyers, Tom Zanussi, Miaoqian Lin,
Steven Rostedt (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit c5dd28e7fb4f63475b50df4f58311df92939d011 ]
According to trigger_data_alloc() doc, trigger_data_free() should be
used to free an event_trigger_data object. This fixes a mismatch introduced
when kzalloc was replaced with trigger_data_alloc without updating
the corresponding deallocation calls.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tom Zanussi <zanussi@kernel.org>
Link: https://lore.kernel.org/20250507145455.944453325@goodmis.org
Link: https://lore.kernel.org/20250318112737.4174-1-linmq006@gmail.com
Fixes: e1f187d09e11 ("tracing: Have existing event_command.parse() implementations use helpers")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
[ SDR: Changed event_trigger_alloc/free() to trigger_data_alloc/free() ]
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_trigger.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 22bee3eae7cc3..782ccb2433bb4 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -998,7 +998,7 @@ event_trigger_parse(struct event_command *cmd_ops,
if (remove) {
event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
- kfree(trigger_data);
+ trigger_data_free(trigger_data);
ret = 0;
goto out;
}
@@ -1025,7 +1025,7 @@ event_trigger_parse(struct event_command *cmd_ops,
out_free:
event_trigger_reset_filter(cmd_ops, trigger_data);
- kfree(trigger_data);
+ trigger_data_free(trigger_data);
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 079/508] ktls, sockmap: Fix missing uncharge operation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 078/508] tracing: Fix error handling in event_trigger_parse() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 080/508] libbpf: Use proper errno value in nlattr Greg Kroah-Hartman
` (429 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Wang, Jiayuan Chen,
Martin KaFai Lau, John Fastabend, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ]
When we specify apply_bytes, we divide the msg into multiple segments,
each with a length of 'send', and every time we send this part of the data
using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the
memory of the specified 'send' size.
However, if the first segment of data fails to send, for example, the
peer's buffer is full, we need to release all of the msg. When releasing
the msg, we haven't uncharged the memory of the subsequent segments.
This modification does not make significant logical changes, but only
fills in the missing uncharge places.
This issue has existed all along, until it was exposed after we added the
apply test in test_sockmap:
commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap")
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index af820ae9b1a52..5f95f837dfc7f 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -904,6 +904,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
&msg_redir, send, flags);
lock_sock(sk);
if (err < 0) {
+ /* Regardless of whether the data represented by
+ * msg_redir is sent successfully, we have already
+ * uncharged it via sk_msg_return_zero(). The
+ * msg->sg.size represents the remaining unprocessed
+ * data, which needs to be uncharged here.
+ */
+ sk_mem_uncharge(sk, msg->sg.size);
*copied -= sk_msg_free_nocharge(sk, &msg_redir);
msg->sg.size = 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 080/508] libbpf: Use proper errno value in nlattr
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 079/508] ktls, sockmap: Fix missing uncharge operation Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 081/508] pinctrl: at91: Fix possible out-of-boundary access Greg Kroah-Hartman
` (428 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Anton Protopopov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <a.s.protopopov@gmail.com>
[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ]
Return value of the validate_nla() function can be propagated all the
way up to users of libbpf API. In case of error this libbpf version
of validate_nla returns -1 which will be seen as -EPERM from user's
point of view. Instead, return a more reasonable -EINVAL.
Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP")
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/nlattr.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
index 975e265eab3bf..06663f9ea581f 100644
--- a/tools/lib/bpf/nlattr.c
+++ b/tools/lib/bpf/nlattr.c
@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype,
minlen = nla_attr_minlen[pt->type];
if (libbpf_nla_len(nla) < minlen)
- return -1;
+ return -EINVAL;
if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen)
- return -1;
+ return -EINVAL;
if (pt->type == LIBBPF_NLA_STRING) {
char *data = libbpf_nla_data(nla);
if (data[libbpf_nla_len(nla) - 1] != '\0')
- return -1;
+ return -EINVAL;
}
return 0;
@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head,
if (policy) {
err = validate_nla(nla, maxtype, policy);
if (err < 0)
- goto errout;
+ return err;
}
- if (tb[type])
+ if (tb[type]) {
pr_warn("Attribute of type %#x found multiple times in message, "
"previous attribute is being ignored.\n", type);
+ }
tb[type] = nla;
}
- err = 0;
-errout:
- return err;
+ return 0;
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 081/508] pinctrl: at91: Fix possible out-of-boundary access
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 080/508] libbpf: Use proper errno value in nlattr Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 082/508] bpf: Fix WARN() in get_bpf_raw_tp_regs Greg Kroah-Hartman
` (427 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ]
at91_gpio_probe() doesn't check that given OF alias is not available or
something went wrong when trying to get it. This might have consequences
when accessing gpio_chips array with that value as an index. Note, that
BUG() can be compiled out and hence won't actually perform the required
checks.
Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/
Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-at91.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
index 333f9d70c7f48..b82368ec59f4c 100644
--- a/drivers/pinctrl/pinctrl-at91.c
+++ b/drivers/pinctrl/pinctrl-at91.c
@@ -1812,12 +1812,16 @@ static int at91_gpio_probe(struct platform_device *pdev)
struct at91_gpio_chip *at91_chip = NULL;
struct gpio_chip *chip;
struct pinctrl_gpio_range *range;
+ int alias_idx;
int ret = 0;
int irq, i;
- int alias_idx = of_alias_get_id(np, "gpio");
uint32_t ngpio;
char **names;
+ alias_idx = of_alias_get_id(np, "gpio");
+ if (alias_idx < 0)
+ return alias_idx;
+
BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips));
if (gpio_chips[alias_idx]) {
ret = -EBUSY;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 082/508] bpf: Fix WARN() in get_bpf_raw_tp_regs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 081/508] pinctrl: at91: Fix possible out-of-boundary access Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 083/508] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Greg Kroah-Hartman
` (426 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+45b0c89a0fc7ae8dbadc,
Alexei Starovoitov, Tao Chen, Andrii Nakryiko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Chen <chen.dylane@linux.dev>
[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ]
syzkaller reported an issue:
WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
Modules linked in:
CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
bpf_prog_ec3b2eefa702d8d3+0x43/0x47
bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
__bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
__traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
__do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
__mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
__mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
__bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
bpf_prog_ec3b2eefa702d8d3+0x43/0x47
Tracepoint like trace_mmap_lock_acquire_returned may cause nested call
as the corner case show above, which will be resolved with more general
method in the future. As a result, WARN_ON_ONCE will be triggered. As
Alexei suggested, remove the WARN_ON_ONCE first.
Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data")
Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Tao Chen <chen.dylane@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev
Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/bpf_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 7254c808b27c1..243122ca56793 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1797,7 +1797,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void)
struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs);
int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level);
- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) {
+ if (nest_level > ARRAY_SIZE(tp_regs->regs)) {
this_cpu_dec(bpf_raw_tp_nest_level);
return ERR_PTR(-EBUSY);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 083/508] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 082/508] bpf: Fix WARN() in get_bpf_raw_tp_regs Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 084/508] s390/bpf: Store backchain even for leaf progs Greg Kroah-Hartman
` (425 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Konrad Dybcio,
Bryan ODonoghue, Vincent Knecht, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Knecht <vincent.knecht@mailoo.org>
[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ]
Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and
freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz.
Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller")
Suggested-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vincent Knecht <vincent.knecht@mailoo.org>
Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-msm8939.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c
index af608f1658967..ecf1c29a1f0e1 100644
--- a/drivers/clk/qcom/gcc-msm8939.c
+++ b/drivers/clk/qcom/gcc-msm8939.c
@@ -433,7 +433,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = {
{ P_XO, 0 },
{ P_GPLL0, 1 },
{ P_GPLL1_AUX, 2 },
- { P_GPLL6, 2 },
+ { P_GPLL6, 3 },
{ P_SLEEP_CLK, 6 },
};
@@ -1088,7 +1088,7 @@ static struct clk_rcg2 jpeg0_clk_src = {
};
static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = {
- F(24000000, P_GPLL0, 1, 1, 45),
+ F(24000000, P_GPLL6, 1, 1, 45),
F(66670000, P_GPLL0, 12, 0, 0),
{ }
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 084/508] s390/bpf: Store backchain even for leaf progs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 083/508] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 085/508] wifi: rtw88: fix the para buffer size to avoid reading out of bounds Greg Kroah-Hartman
` (424 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Leoshkevich, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Leoshkevich <iii@linux.ibm.com>
[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ]
Currently a crash in a leaf prog (caused by a bug) produces the
following call trace:
[<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78
[<0000000000000000>] 0x0
This is because leaf progs do not store backchain. Fix by making all
progs do it. This is what GCC and Clang-generated code does as well.
Now the call trace looks like this:
[<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80
[<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4
[<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0
[<000003ffe0aef070>] bpf_test_run+0x210/0x390
[<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668
[<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0
[<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50
[<000003ffe0defea8>] __do_syscall+0x150/0x280
[<000003ffe0e01d5c>] system_call+0x74/0x98
Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/net/bpf_jit_comp.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 8623863935576..a9dbf74752586 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -543,17 +543,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, u32 stack_depth)
}
/* Setup stack and backchain */
if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) {
- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
- /* lgr %w1,%r15 (backchain) */
- EMIT4(0xb9040000, REG_W1, REG_15);
+ /* lgr %w1,%r15 (backchain) */
+ EMIT4(0xb9040000, REG_W1, REG_15);
/* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */
EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED);
/* aghi %r15,-STK_OFF */
EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth));
- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
- /* stg %w1,152(%r15) (backchain) */
- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
- REG_15, 152);
+ /* stg %w1,152(%r15) (backchain) */
+ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
+ REG_15, 152);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 085/508] wifi: rtw88: fix the para buffer size to avoid reading out of bounds
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 084/508] s390/bpf: Store backchain even for leaf progs Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 086/508] iommu: remove duplicate selection of DMAR_TABLE Greg Kroah-Hartman
` (423 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ]
Set the size to 6 instead of 2, since 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
5 bytes:
void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
...
SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
...
SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
Detected using the static analysis tool - Svace.
Fixes: 4136214f7c46 ("rtw88: add BT co-existence support")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
index 8627ab0ce3bdf..1a9336c595c12 100644
--- a/drivers/net/wireless/realtek/rtw88/coex.c
+++ b/drivers/net/wireless/realtek/rtw88/coex.c
@@ -309,7 +309,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type)
{
struct rtw_coex *coex = &rtwdev->coex;
struct rtw_coex_stat *coex_stat = &coex->stat;
- u8 para[2] = {0};
+ u8 para[6] = {};
u8 times;
u16 tbtt_interval = coex_stat->wl_beacon_interval;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 086/508] iommu: remove duplicate selection of DMAR_TABLE
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 085/508] wifi: rtw88: fix the para buffer size to avoid reading out of bounds Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 087/508] hisi_acc_vfio_pci: fix XQE dma address error Greg Kroah-Hartman
` (422 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rolf Eike Beer, Lu Baolu,
Joerg Roedel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rolf Eike Beer <eb@emlix.com>
[ Upstream commit 9548feff840a05d61783e6316d08ed37e115f3b1 ]
This is already done in intel/Kconfig.
Fixes: 70bad345e622 ("iommu: Fix compilation without CONFIG_IOMMU_INTEL")
Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/2232605.Mh6RI2rZIc@devpool92.emlix.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
index dc19e7fb07cfe..fad36f0a4d14b 100644
--- a/drivers/iommu/Kconfig
+++ b/drivers/iommu/Kconfig
@@ -192,7 +192,6 @@ source "drivers/iommu/intel/Kconfig"
config IRQ_REMAP
bool "Support for Interrupt Remapping"
depends on X86_64 && X86_IO_APIC && PCI_MSI && ACPI
- select DMAR_TABLE if INTEL_IOMMU
help
Supports Interrupt remapping for IO-APIC and MSI devices.
To use x2apic mode in the CPU's which support x2APIC enhancements or
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 087/508] hisi_acc_vfio_pci: fix XQE dma address error
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 086/508] iommu: remove duplicate selection of DMAR_TABLE Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 088/508] hisi_acc_vfio_pci: add eq and aeq interruption restore Greg Kroah-Hartman
` (421 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Longfang Liu, Shameer Kolothum,
Alex Williamson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longfang Liu <liulongfang@huawei.com>
[ Upstream commit 8bb7170c5a055ea17c6857c256ee73c10ff872eb ]
The dma addresses of EQE and AEQE are wrong after migration and
results in guest kernel-mode encryption services failure.
Comparing the definition of hardware registers, we found that
there was an error when the data read from the register was
combined into an address. Therefore, the address combination
sequence needs to be corrected.
Even after fixing the above problem, we still have an issue
where the Guest from an old kernel can get migrated to
new kernel and may result in wrong data.
In order to ensure that the address is correct after migration,
if an old magic number is detected, the dma address needs to be
updated.
Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
Signed-off-by: Longfang Liu <liulongfang@huawei.com>
Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Link: https://lore.kernel.org/r/20250510081155.55840-2-liulongfang@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 41 ++++++++++++++++---
.../vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 ++++++-
2 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
index 39eeca18a0f7c..b5efb37712d5e 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
@@ -350,6 +350,32 @@ static int vf_qm_func_stop(struct hisi_qm *qm)
return hisi_qm_mb(qm, QM_MB_CMD_PAUSE_QM, 0, 0, 0);
}
+static int vf_qm_version_check(struct acc_vf_data *vf_data, struct device *dev)
+{
+ switch (vf_data->acc_magic) {
+ case ACC_DEV_MAGIC_V2:
+ if (vf_data->major_ver != ACC_DRV_MAJOR_VER) {
+ dev_info(dev, "migration driver version<%u.%u> not match!\n",
+ vf_data->major_ver, vf_data->minor_ver);
+ return -EINVAL;
+ }
+ break;
+ case ACC_DEV_MAGIC_V1:
+ /* Correct dma address */
+ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
+ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
+ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
+ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
struct hisi_acc_vf_migration_file *migf)
{
@@ -363,7 +389,8 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
if (migf->total_length < QM_MATCH_SIZE)
return -EINVAL;
- if (vf_data->acc_magic != ACC_DEV_MAGIC) {
+ ret = vf_qm_version_check(vf_data, dev);
+ if (ret) {
dev_err(dev, "failed to match ACC_DEV_MAGIC\n");
return -EINVAL;
}
@@ -417,7 +444,9 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
int vf_id = hisi_acc_vdev->vf_id;
int ret;
- vf_data->acc_magic = ACC_DEV_MAGIC;
+ vf_data->acc_magic = ACC_DEV_MAGIC_V2;
+ vf_data->major_ver = ACC_DRV_MAJOR_VER;
+ vf_data->minor_ver = ACC_DRV_MINOR_VER;
/* Save device id */
vf_data->dev_id = hisi_acc_vdev->vf_dev->device;
@@ -519,12 +548,12 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
return -EINVAL;
/* Every reg is 32 bit, the dma address is 64 bit. */
- vf_data->eqe_dma = vf_data->qm_eqc_dw[1];
+ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
- vf_data->eqe_dma |= vf_data->qm_eqc_dw[0];
- vf_data->aeqe_dma = vf_data->qm_aeqc_dw[1];
+ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
+ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
- vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[0];
+ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
/* Through SQC_BT/CQC_BT to get sqc and cqc address */
ret = qm_get_sqc(vf_qm, &vf_data->sqc_dma);
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
index 67343325b3201..f62247d0adf9a 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
@@ -38,6 +38,9 @@
#define QM_REG_ADDR_OFFSET 0x0004
#define QM_XQC_ADDR_OFFSET 32U
+#define QM_XQC_ADDR_LOW 0x1
+#define QM_XQC_ADDR_HIGH 0x2
+
#define QM_VF_AEQ_INT_MASK 0x0004
#define QM_VF_EQ_INT_MASK 0x000c
#define QM_IFC_INT_SOURCE_V 0x0020
@@ -49,10 +52,15 @@
#define QM_EQC_DW0 0X8000
#define QM_AEQC_DW0 0X8020
+#define ACC_DRV_MAJOR_VER 1
+#define ACC_DRV_MINOR_VER 0
+
+#define ACC_DEV_MAGIC_V1 0XCDCDCDCDFEEDAACC
+#define ACC_DEV_MAGIC_V2 0xAACCFEEDDECADEDE
+
struct acc_vf_data {
#define QM_MATCH_SIZE offsetofend(struct acc_vf_data, qm_rsv_state)
/* QM match information */
-#define ACC_DEV_MAGIC 0XCDCDCDCDFEEDAACC
u64 acc_magic;
u32 qp_num;
u32 dev_id;
@@ -60,7 +68,9 @@ struct acc_vf_data {
u32 qp_base;
u32 vf_qm_state;
/* QM reserved match information */
- u32 qm_rsv_state[3];
+ u16 major_ver;
+ u16 minor_ver;
+ u32 qm_rsv_state[2];
/* QM RW regs */
u32 aeq_int_mask;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 088/508] hisi_acc_vfio_pci: add eq and aeq interruption restore
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 087/508] hisi_acc_vfio_pci: fix XQE dma address error Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 089/508] wifi: ath9k_htc: Abort software beacon handling if disabled Greg Kroah-Hartman
` (420 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Longfang Liu, Shameer Kolothum,
Alex Williamson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longfang Liu <liulongfang@huawei.com>
[ Upstream commit 3495cec0787721ba7a9d5c19d0bbb66d182de584 ]
In order to ensure that the task packets of the accelerator
device are not lost during the migration process, it is necessary
to send an EQ and AEQ command to the device after the live migration
is completed and to update the completion position of the task queue.
Let the device recheck the completed tasks data and if there are
uncollected packets, device resend a task completion interrupt
to the software.
Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
Signed-off-by: Longfang Liu <liulongfang@huawei.com>
Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Link: https://lore.kernel.org/r/20250510081155.55840-3-liulongfang@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
index b5efb37712d5e..de3e1a148ddab 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
@@ -469,6 +469,19 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
return 0;
}
+static void vf_qm_xeqc_save(struct hisi_qm *qm,
+ struct hisi_acc_vf_migration_file *migf)
+{
+ struct acc_vf_data *vf_data = &migf->vf_data;
+ u16 eq_head, aeq_head;
+
+ eq_head = vf_data->qm_eqc_dw[0] & 0xFFFF;
+ qm_db(qm, 0, QM_DOORBELL_CMD_EQ, eq_head, 0);
+
+ aeq_head = vf_data->qm_aeqc_dw[0] & 0xFFFF;
+ qm_db(qm, 0, QM_DOORBELL_CMD_AEQ, aeq_head, 0);
+}
+
static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
struct hisi_acc_vf_migration_file *migf)
{
@@ -569,6 +582,9 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
}
migf->total_length = sizeof(struct acc_vf_data);
+ /* Save eqc and aeqc interrupt information */
+ vf_qm_xeqc_save(vf_qm, migf);
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 089/508] wifi: ath9k_htc: Abort software beacon handling if disabled
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 088/508] hisi_acc_vfio_pci: add eq and aeq interruption restore Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 090/508] kernfs: Relax constraint in draining guard Greg Kroah-Hartman
` (419 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Morris,
Toke Høiland-Jørgensen, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@toke.dk>
[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ]
A malicious USB device can send a WMI_SWBA_EVENTID event from an
ath9k_htc-managed device before beaconing has been enabled. This causes
a device-by-zero error in the driver, leading to either a crash or an
out of bounds read.
Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
not enabled.
Reported-by: Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/r/88967.1743099372@localhost
Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
index 533471e694007..18c7654bc539d 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv,
struct ath_common *common = ath9k_hw_common(priv->ah);
int slot;
+ if (!priv->cur_beacon_conf.enable_beacon)
+ return;
+
if (swba->beacon_pending != 0) {
priv->beacon.bmisscnt++;
if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 090/508] kernfs: Relax constraint in draining guard
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 089/508] wifi: ath9k_htc: Abort software beacon handling if disabled Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 091/508] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Greg Kroah-Hartman
` (418 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ridong, Michal Koutný,
Tejun Heo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Koutný <mkoutny@suse.com>
[ Upstream commit 071d8e4c2a3b0999a9b822e2eb8854784a350f8a ]
The active reference lifecycle provides the break/unbreak mechanism but
the active reference is not truly active after unbreak -- callers don't
use it afterwards but it's important for proper pairing of kn->active
counting. Assuming this mechanism is in place, the WARN check in
kernfs_should_drain_open_files() is too sensitive -- it may transiently
catch those (rightful) callers between
kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen
Ridong:
kernfs_remove_by_name_ns kernfs_get_active // active=1
__kernfs_remove // active=0x80000002
kernfs_drain ...
wait_event
//waiting (active == 0x80000001)
kernfs_break_active_protection
// active = 0x80000001
// continue
kernfs_unbreak_active_protection
// active = 0x80000002
...
kernfs_should_drain_open_files
// warning occurs
kernfs_put_active
To avoid the false positives (mind panic_on_warn) remove the check altogether.
(This is meant as quick fix, I think active reference break/unbreak may be
simplified with larger rework.)
Fixes: bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively")
Link: https://lore.kernel.org/r/kmmrseckjctb4gxcx2rdminrjnq2b4ipf7562nvfd432ld5v5m@2byj5eedkb2o/
Cc: Chen Ridong <chenridong@huawei.com>
Signed-off-by: Michal Koutný <mkoutny@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20250505121201.879823-1-mkoutny@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/kernfs/dir.c | 5 +++--
fs/kernfs/file.c | 3 ++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 2c74b24fc22aa..a259fe3471a98 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -1532,8 +1532,9 @@ void kernfs_break_active_protection(struct kernfs_node *kn)
* invoked before finishing the kernfs operation. Note that while this
* function restores the active reference, it doesn't and can't actually
* restore the active protection - @kn may already or be in the process of
- * being removed. Once kernfs_break_active_protection() is invoked, that
- * protection is irreversibly gone for the kernfs operation instance.
+ * being drained and removed. Once kernfs_break_active_protection() is
+ * invoked, that protection is irreversibly gone for the kernfs operation
+ * instance.
*
* While this function may be called at any point after
* kernfs_break_active_protection() is invoked, its most useful location
diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index adf3536cfec81..cf57b7cc3a430 100644
--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -820,8 +820,9 @@ bool kernfs_should_drain_open_files(struct kernfs_node *kn)
/*
* @kn being deactivated guarantees that @kn->attr.open can't change
* beneath us making the lockless test below safe.
+ * Callers post kernfs_unbreak_active_protection may be counted in
+ * kn->active by now, do not WARN_ON because of them.
*/
- WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS);
rcu_read_lock();
on = rcu_dereference(kn->attr.open);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 091/508] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 090/508] kernfs: Relax constraint in draining guard Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 092/508] vfio/type1: Fix error unwind in migration dirty bitmap allocation Greg Kroah-Hartman
` (417 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ]
With a VRF, ipv4 and ipv6 FIB expression behave differently.
fib daddr . iif oif
Will return the input interface name for ipv4, but the real device
for ipv6. Example:
If VRF device name is tvrf and real (incoming) device is veth0.
First round is ok, both ipv4 and ipv6 will yield 'veth0'.
But in the second round (incoming device will be set to "tvrf"), ipv4
will yield "tvrf" whereas ipv6 returns "veth0" for the second round too.
This makes ipv6 behave like ipv4.
A followup patch will add a test case for this, without this change
it will fail with:
get element inet t fibif6iif { tvrf . dead:1::99 . tvrf }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif
Alternatively we could either not do anything at all or change
ipv4 to also return the lower/real device, however, nft (userspace)
doc says "iif: if fib lookup provides a route then check its output
interface is identical to the packets input interface." which is what
the nft fib ipv4 behaviour is.
Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index c9f1634b3838a..a89ce0fbfe4b1 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -158,6 +158,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
{
const struct nft_fib *priv = nft_expr_priv(expr);
int noff = skb_network_offset(pkt->skb);
+ const struct net_device *found = NULL;
const struct net_device *oif = NULL;
u32 *dest = ®s->data[priv->dreg];
struct ipv6hdr *iph, _iph;
@@ -202,11 +203,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
goto put_rt_err;
- if (oif && oif != rt->rt6i_idev->dev &&
- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
- goto put_rt_err;
+ if (!oif) {
+ found = rt->rt6i_idev->dev;
+ } else {
+ if (oif == rt->rt6i_idev->dev ||
+ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex)
+ found = oif;
+ }
- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
+ nft_fib_store_result(dest, priv, found);
put_rt_err:
ip6_rt_put(rt);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 092/508] vfio/type1: Fix error unwind in migration dirty bitmap allocation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 091/508] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 093/508] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() Greg Kroah-Hartman
` (416 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li RongQing, Alex Williamson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li RongQing <lirongqing@baidu.com>
[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ]
When setting up dirty page tracking at the vfio IOMMU backend for
device migration, if an error is encountered allocating a tracking
bitmap, the unwind loop fails to free previously allocated tracking
bitmaps. This occurs because the wrong loop index is used to
generate the tracking object. This results in unintended memory
usage for the life of the current DMA mappings where bitmaps were
successfully allocated.
Use the correct loop index to derive the tracking object for
freeing during unwind.
Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/vfio_iommu_type1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 18a2dbbc77799..26fac124231f5 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -299,7 +299,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize)
struct rb_node *p;
for (p = rb_prev(n); p; p = rb_prev(p)) {
- struct vfio_dma *dma = rb_entry(n,
+ struct vfio_dma *dma = rb_entry(p,
struct vfio_dma, node);
vfio_dma_bitmap_free(dma);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 093/508] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 092/508] vfio/type1: Fix error unwind in migration dirty bitmap allocation Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 094/508] bpf, sockmap: Avoid using sk_socket after free when sending Greg Kroah-Hartman
` (415 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 3bb88524b7d030160bb3c9b35f928b2778092111 ]
In 'mgmt_mesh_foreach()', iterate over mesh commands
rather than generic mgmt ones. Compile tested only.
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index 0115f783bde80..17e32605d9b00 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -321,7 +321,7 @@ void mgmt_mesh_foreach(struct hci_dev *hdev,
{
struct mgmt_mesh_tx *mesh_tx, *tmp;
- list_for_each_entry_safe(mesh_tx, tmp, &hdev->mgmt_pending, list) {
+ list_for_each_entry_safe(mesh_tx, tmp, &hdev->mesh_pending, list) {
if (!sk || mesh_tx->sk == sk)
cb(mesh_tx, data);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 094/508] bpf, sockmap: Avoid using sk_socket after free when sending
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 093/508] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 095/508] netfilter: nft_tunnel: fix geneve_opt dump Greg Kroah-Hartman
` (414 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj, Jiayuan Chen,
Martin KaFai Lau, John Fastabend, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ]
The sk->sk_socket is not locked or referenced in backlog thread, and
during the call to skb_send_sock(), there is a race condition with
the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
will be affected.
Race conditions:
'''
CPU0 CPU1
backlog::skb_send_sock
sendmsg_unlocked
sock_sendmsg
sock_sendmsg_nosec
close(fd):
...
ops->release() -> sock_map_close()
sk_socket->ops = NULL
free(socket)
sock->ops->sendmsg
^
panic here
'''
The ref of psock become 0 after sock_map_close() executed.
'''
void sock_map_close()
{
...
if (likely(psock)) {
...
// !! here we remove psock and the ref of psock become 0
sock_map_remove_links(sk, psock)
psock = sk_psock_get(sk);
if (unlikely(!psock))
goto no_psock; <=== Control jumps here via goto
...
cancel_delayed_work_sync(&psock->work); <=== not executed
sk_psock_put(sk, psock);
...
}
'''
Based on the fact that we already wait for the workqueue to finish in
sock_map_close() if psock is held, we simply increase the psock
reference count to avoid race conditions.
With this patch, if the backlog thread is running, sock_map_close() will
wait for the backlog thread to complete and cancel all pending work.
If no backlog running, any pending work that hasn't started by then will
fail when invoked by sk_psock_get(), as the psock reference count have
been zeroed, and sk_psock_drop() will cancel all jobs via
cancel_delayed_work_sync().
In summary, we require synchronization to coordinate the backlog thread
and close() thread.
The panic I catched:
'''
Workqueue: events sk_psock_backlog
RIP: 0010:sock_sendmsg+0x21d/0x440
RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
...
Call Trace:
<TASK>
? die_addr+0x40/0xa0
? exc_general_protection+0x14c/0x230
? asm_exc_general_protection+0x26/0x30
? sock_sendmsg+0x21d/0x440
? sock_sendmsg+0x3e0/0x440
? __pfx_sock_sendmsg+0x10/0x10
__skb_send_sock+0x543/0xb70
sk_psock_backlog+0x247/0xb80
...
'''
Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put")
Reported-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 0613f9a2543bb..e5ba57a5db126 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -654,6 +654,13 @@ static void sk_psock_backlog(struct work_struct *work)
bool ingress;
int ret;
+ /* Increment the psock refcnt to synchronize with close(fd) path in
+ * sock_map_close(), ensuring we wait for backlog thread completion
+ * before sk_socket freed. If refcnt increment fails, it indicates
+ * sock_map_close() completed with sk_socket potentially already freed.
+ */
+ if (!sk_psock_get(psock->sk))
+ return;
mutex_lock(&psock->work_mutex);
while ((skb = skb_peek(&psock->ingress_skb))) {
len = skb->len;
@@ -705,6 +712,7 @@ static void sk_psock_backlog(struct work_struct *work)
}
end:
mutex_unlock(&psock->work_mutex);
+ sk_psock_put(psock->sk, psock);
}
struct sk_psock *sk_psock_init(struct sock *sk, int node)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 095/508] netfilter: nft_tunnel: fix geneve_opt dump
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 094/508] bpf, sockmap: Avoid using sk_socket after free when sending Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 096/508] net: usb: aqc111: fix error handling of usbnet read calls Greg Kroah-Hartman
` (413 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ]
When dumping a nft_tunnel with more than one geneve_opt configured the
netlink attribute hierarchy should be as follow:
NFTA_TUNNEL_KEY_OPTS
|
|--NFTA_TUNNEL_KEY_OPTS_GENEVE
| |
| |--NFTA_TUNNEL_KEY_GENEVE_CLASS
| |--NFTA_TUNNEL_KEY_GENEVE_TYPE
| |--NFTA_TUNNEL_KEY_GENEVE_DATA
|
|--NFTA_TUNNEL_KEY_OPTS_GENEVE
| |
| |--NFTA_TUNNEL_KEY_GENEVE_CLASS
| |--NFTA_TUNNEL_KEY_GENEVE_TYPE
| |--NFTA_TUNNEL_KEY_GENEVE_DATA
|
|--NFTA_TUNNEL_KEY_OPTS_GENEVE
...
Otherwise, userspace tools won't be able to fetch the geneve options
configured correctly.
Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_tunnel.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index d026982a00fc4..be741db50ffae 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -617,10 +617,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
struct geneve_opt *opt;
int offset = 0;
- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
- if (!inner)
- goto failure;
while (opts->len > offset) {
+ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
+ if (!inner)
+ goto failure;
opt = (struct geneve_opt *)(opts->u.data + offset);
if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
opt->opt_class) ||
@@ -630,8 +630,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
opt->length * 4, opt->opt_data))
goto inner_failure;
offset += sizeof(*opt) + opt->length * 4;
+ nla_nest_end(skb, inner);
}
- nla_nest_end(skb, inner);
}
nla_nest_end(skb, nest);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 096/508] net: usb: aqc111: fix error handling of usbnet read calls
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 095/508] netfilter: nft_tunnel: fix geneve_opt dump Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 097/508] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work Greg Kroah-Hartman
` (412 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3b6b9ff7b80430020c7b,
Nikita Zhandarovich, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ]
Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
aqc111 driver, caused by incomplete sanitation of usb read calls'
results. This problem is quite similar to the one fixed in commit
920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
even if the caller expected the full amount, and aqc111_read_cmd()
will not check its result properly. As [1] shows, this may lead
to MAC address in aqc111_bind() being only partly initialized,
triggering KMSAN warnings.
Fix the issue by verifying that the number of bytes read is
as expected and not less.
[1] Partial syzbot report:
BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x4d1/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x268/0x380 drivers/base/dd.c:800
...
Uninit was stored to memory at:
dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
__dev_addr_set include/linux/netdevice.h:4874 [inline]
eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
...
Uninit was stored to memory at:
ether_addr_copy include/linux/etherdevice.h:305 [inline]
aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
...
Local variable buf.i created at:
aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b
Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/aqc111.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
index 284375f662f1e..04d5573123bec 100644
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value,
ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
USB_RECIP_DEVICE, value, index, data, size);
- if (unlikely(ret < 0))
+ if (unlikely(ret < size)) {
+ ret = ret < 0 ? ret : -ENODATA;
+
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+ }
return ret;
}
@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value,
ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
USB_RECIP_DEVICE, value, index, data, size);
- if (unlikely(ret < 0))
+ if (unlikely(ret < size)) {
+ ret = ret < 0 ? ret : -ENODATA;
+
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+ }
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 097/508] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 096/508] net: usb: aqc111: fix error handling of usbnet read calls Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 098/508] bpf: Avoid __bpf_prog_ret0_warn when jit fails Greg Kroah-Hartman
` (411 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jack Morgenstein, Feng Liu,
Vlad Dumitrescu, Leon Romanovsky, Sharath Srinivasan, Kalesh AP,
Jason Gunthorpe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Morgenstein <jackm@nvidia.com>
[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ]
The cited commit fixed a crash when cma_netevent_callback was called for
a cma_id while work on that id from a previous call had not yet started.
The work item was re-initialized in the second call, which corrupted the
work item currently in the work queue.
However, it left a problem when queue_work fails (because the item is
still pending in the work queue from a previous call). In this case,
cma_id_put (which is called in the work handler) is therefore not
called. This results in a userspace process hang (zombie process).
Fix this by calling cma_id_put() if queue_work fails.
Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler")
Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org
Signed-off-by: Jack Morgenstein <jackm@nvidia.com>
Signed-off-by: Feng Liu <feliu@nvidia.com>
Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index bb3c361bd8d45..0b2cb31d0f999 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -5190,7 +5190,8 @@ static int cma_netevent_callback(struct notifier_block *self,
neigh->ha, ETH_ALEN))
continue;
cma_id_get(current_id);
- queue_work(cma_wq, ¤t_id->id.net_work);
+ if (!queue_work(cma_wq, ¤t_id->id.net_work))
+ cma_id_put(current_id);
}
out:
spin_unlock_irqrestore(&id_table_lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 098/508] bpf: Avoid __bpf_prog_ret0_warn when jit fails
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 097/508] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 099/508] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Greg Kroah-Hartman
` (410 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0903f6d7f285e41cdf10,
KaFai Wan, Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: KaFai Wan <mannkafai@gmail.com>
[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ]
syzkaller reported an issue:
WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Modules linked in:
CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Call Trace:
<TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
...
When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set
and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,
but jit failed due to FAULT_INJECTION. As a result, incorrectly
treats the program as valid, when the program runs it calls
`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).
Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com
Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits")
Signed-off-by: KaFai Wan <mannkafai@gmail.com>
Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index c281f5b8705e1..2ed1d00bede0b 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2209,7 +2209,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
/* In case of BPF to BPF calls, verifier did all the prep
* work with regards to JITing, etc.
*/
- bool jit_needed = false;
+ bool jit_needed = fp->jit_requested;
if (fp->bpf_func)
goto finalize;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 099/508] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 098/508] bpf: Avoid __bpf_prog_ret0_warn when jit fails Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 100/508] net: phy: mscc: Fix memory leak when using one step timestamping Greg Kroah-Hartman
` (409 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thangaraj Samynathan, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thangaraj Samynathan <thangaraj.s@microchip.com>
[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ]
rename the function to lan743x_hw_reset_phy to better describe it
operation.
Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan743x_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
index fd35554191793..0f456d389e53a 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -1389,7 +1389,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu)
}
/* PHY */
-static int lan743x_phy_reset(struct lan743x_adapter *adapter)
+static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter)
{
u32 data;
@@ -1423,7 +1423,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter,
static int lan743x_phy_init(struct lan743x_adapter *adapter)
{
- return lan743x_phy_reset(adapter);
+ return lan743x_hw_reset_phy(adapter);
}
static void lan743x_phy_link_status_change(struct net_device *netdev)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 100/508] net: phy: mscc: Fix memory leak when using one step timestamping
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 099/508] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 101/508] calipso: Dont call calipso functions for AF_INET sk Greg Kroah-Hartman
` (408 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ]
Fix memory leak when running one-step timestamping. When running
one-step sync timestamping, the HW is configured to insert the TX time
into the frame, so there is no reason to keep the skb anymore. As in
this case the HW will never generate an interrupt to say that the frame
was timestamped, then the frame will never released.
Fix this by freeing the frame in case of one-step timestamping.
Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index cf728bfd83e22..af44b01f3d383 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -1165,18 +1165,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
container_of(mii_ts, struct vsc8531_private, mii_ts);
if (!vsc8531->ptp->configured)
- return;
+ goto out;
- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) {
- kfree_skb(skb);
- return;
- }
+ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF)
+ goto out;
+
+ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC)
+ if (ptp_msg_is_sync(skb, type))
+ goto out;
skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
mutex_lock(&vsc8531->ts_lock);
__skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
mutex_unlock(&vsc8531->ts_lock);
+ return;
+
+out:
+ kfree_skb(skb);
}
static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 101/508] calipso: Dont call calipso functions for AF_INET sk.
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 100/508] net: phy: mscc: Fix memory leak when using one step timestamping Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 102/508] net: openvswitch: Fix the dead loop of MPLS parse Greg Kroah-Hartman
` (407 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, John Cheung,
Kuniyuki Iwashima, Paul Moore, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ]
syzkaller reported a null-ptr-deref in txopt_get(). [0]
The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,
so struct ipv6_pinfo was NULL there.
However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6
is always set in inet6_create(), meaning the socket was not IPv6 one.
The root cause is missing validation in netlbl_conn_setattr().
netlbl_conn_setattr() switches branches based on struct
sockaddr.sa_family, which is passed from userspace. However,
netlbl_conn_setattr() does not check if the address family matches
the socket.
The syzkaller must have called connect() for an IPv6 address on
an IPv4 socket.
We have a proper validation in tcp_v[46]_connect(), but
security_socket_connect() is called in the earlier stage.
Let's copy the validation to netlbl_conn_setattr().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:txopt_get include/net/ipv6.h:390 [inline]
RIP: 0010:
Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00
RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c
RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070
RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e
R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00
R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80
FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
<TASK>
calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557
netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177
selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569
selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]
selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615
selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931
security_socket_connect+0x50/0xa0 security/security.c:4598
__sys_connect_file+0xa4/0x190 net/socket.c:2067
__sys_connect+0x12c/0x170 net/socket.c:2088
__do_sys_connect net/socket.c:2098 [inline]
__se_sys_connect net/socket.c:2095 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:2095
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f901b61a12d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d
RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003
RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000
</TASK>
Modules linked in:
Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: John Cheung <john.cs.hey@gmail.com>
Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlabel/netlabel_kapi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 27511c90a26f4..75b645c1928db 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk,
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
+ if (sk->sk_family != AF_INET6)
+ return -EAFNOSUPPORT;
+
addr6 = (struct sockaddr_in6 *)addr;
entry = netlbl_domhsh_getentry_af6(secattr->domain,
&addr6->sin6_addr);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 102/508] net: openvswitch: Fix the dead loop of MPLS parse
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 101/508] calipso: Dont call calipso functions for AF_INET sk Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 103/508] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Greg Kroah-Hartman
` (406 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faicker Mo, Ilya Maximets,
Aaron Conole, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Faicker Mo <faicker.mo@zenlayer.com>
[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ]
The unexpected MPLS packet may not end with the bottom label stack.
When there are many stacks, The label count value has wrapped around.
A dead loop occurs, soft lockup/CPU stuck finally.
stack backtrace:
UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
index -1 is out of range for type '__be32 [3]'
CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
Call Trace:
<IRQ>
show_stack+0x52/0x5c
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x36
__ubsan_handle_out_of_bounds.cold+0x44/0x49
key_extract_l3l4+0x82a/0x840 [openvswitch]
? kfree_skbmem+0x52/0xa0
key_extract+0x9c/0x2b0 [openvswitch]
ovs_flow_key_extract+0x124/0x350 [openvswitch]
ovs_vport_receive+0x61/0xd0 [openvswitch]
? kernel_init_free_pages.part.0+0x4a/0x70
? get_page_from_freelist+0x353/0x540
netdev_port_receive+0xc4/0x180 [openvswitch]
? netdev_port_receive+0x180/0x180 [openvswitch]
netdev_frame_hook+0x1f/0x40 [openvswitch]
__netif_receive_skb_core.constprop.0+0x23a/0xf00
__netif_receive_skb_list_core+0xfa/0x240
netif_receive_skb_list_internal+0x18e/0x2a0
napi_complete_done+0x7a/0x1c0
bnxt_poll+0x155/0x1c0 [bnxt_en]
__napi_poll+0x30/0x180
net_rx_action+0x126/0x280
? bnxt_msix+0x67/0x80 [bnxt_en]
handle_softirqs+0xda/0x2d0
irq_exit_rcu+0x96/0xc0
common_interrupt+0x8e/0xa0
</IRQ>
Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
Signed-off-by: Faicker Mo <faicker.mo@zenlayer.com>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 78960a8a38925..60ebc42a20e7e 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -785,7 +785,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key)
memset(&key->ipv4, 0, sizeof(key->ipv4));
}
} else if (eth_p_mpls(key->eth.type)) {
- u8 label_count = 1;
+ size_t label_count = 1;
memset(&key->mpls, 0, sizeof(key->mpls));
skb_set_inner_network_header(skb, skb->mac_len);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 103/508] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 102/508] net: openvswitch: Fix the dead loop of MPLS parse Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 104/508] f2fs: use d_inode(dentry) cleanup dentry->d_inode Greg Kroah-Hartman
` (405 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ]
We have noticed that when PHY timestamping is enabled, L2 frames seems
to be modified by changing two 2 bytes with a value of 0. The place were
these 2 bytes seems to be random(or I couldn't find a pattern). In most
of the cases the userspace can ignore these frames but if for example
those 2 bytes are in the correction field there is nothing to do. This
seems to happen when configuring the HW for IPv4 even that the flow is
not enabled.
These 2 bytes correspond to the UDPv4 checksum and once we don't enable
clearing the checksum when using L2 frames then the frame doesn't seem
to be changed anymore.
Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_ptp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index af44b01f3d383..7e7ce79eadffb 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk,
/* UDP checksum offset in IPv4 packet
* according to: https://tools.ietf.org/html/rfc768
*/
- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
+ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26);
+ if (enable)
+ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM,
val);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 104/508] f2fs: use d_inode(dentry) cleanup dentry->d_inode
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 103/508] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 105/508] f2fs: fix to correct check conditions in f2fs_cross_rename Greg Kroah-Hartman
` (404 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ]
no logic changes.
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/namei.c | 8 ++++----
fs/f2fs/super.c | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index 9da104c0743c4..77fa3c639ba38 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -401,7 +401,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
if (is_inode_flag_set(dir, FI_PROJ_INHERIT) &&
(!projid_eq(F2FS_I(dir)->i_projid,
- F2FS_I(old_dentry->d_inode)->i_projid)))
+ F2FS_I(inode)->i_projid)))
return -EXDEV;
err = f2fs_dquot_initialize(dir);
@@ -896,7 +896,7 @@ static int f2fs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
(!projid_eq(F2FS_I(new_dir)->i_projid,
- F2FS_I(old_dentry->d_inode)->i_projid)))
+ F2FS_I(old_inode)->i_projid)))
return -EXDEV;
/*
@@ -1085,10 +1085,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(new_dir)->i_projid,
- F2FS_I(old_dentry->d_inode)->i_projid)) ||
+ F2FS_I(old_inode)->i_projid)) ||
(is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(old_dir)->i_projid,
- F2FS_I(new_dentry->d_inode)->i_projid)))
+ F2FS_I(new_inode)->i_projid)))
return -EXDEV;
err = f2fs_dquot_initialize(old_dir);
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 72160b906f4b3..c1738820a8f0d 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1830,9 +1830,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf)
buf->f_fsid = u64_to_fsid(id);
#ifdef CONFIG_QUOTA
- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) &&
+ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) &&
sb_has_quota_limits_enabled(sb, PRJQUOTA)) {
- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf);
+ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf);
}
#endif
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 105/508] f2fs: fix to correct check conditions in f2fs_cross_rename
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 104/508] f2fs: use d_inode(dentry) cleanup dentry->d_inode Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 106/508] arm64: dts: qcom: sm8250: Fix CPU7 opp table Greg Kroah-Hartman
` (403 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ]
Should be "old_dir" here.
Fixes: 5c57132eaf52 ("f2fs: support project quota")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index 77fa3c639ba38..7bfa3249d9cc1 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -1086,7 +1086,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(new_dir)->i_projid,
F2FS_I(old_inode)->i_projid)) ||
- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(old_dir)->i_projid,
F2FS_I(new_inode)->i_projid)))
return -EXDEV;
--
2.39.5
uct no
stab = rtnl_dereference(q->root->stab);
- oper = rtnl_dereference(q->oper_sched);
+ rcu_read_lock();
+ oper = rcu_dereference(q->oper_sched);
if (oper)
taprio_update_queue_max_sdu(q, oper, stab);
- admin = rtnl_dereference(q->admin_sched);
+ admin = rcu_dereference(q->admin_sched);
if (admin)
taprio_update_queue_max_sdu(q, admin, stab);
+ rcu_read_unlock();
break;
}
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 106/508] arm64: dts: qcom: sm8250: Fix CPU7 opp table
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 105/508] f2fs: fix to correct check conditions in f2fs_cross_rename Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 107/508] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Greg Kroah-Hartman
` (402 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xilin Wu, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xilin Wu <wuxilin123@gmail.com>
[ Upstream commit 28f997b89967afdc0855d8aa7538b251fb44f654 ]
There is a typo in cpu7_opp9. Fix it to get rid of the following
errors.
[ 0.198043] cpu cpu7: Voltage update failed freq=1747200
[ 0.198052] cpu cpu7: failed to update OPP for freq=1747200
Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
Signed-off-by: Xilin Wu <wuxilin123@gmail.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250308-fix-sm8250-cpufreq-v1-1-8a0226721399@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
index eb500cb67c86c..72ab4ca129459 100644
--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -569,7 +569,7 @@
};
cpu7_opp9: opp-1747200000 {
- opp-hz = /bits/ 64 <1708800000>;
+ opp-hz = /bits/ 64 <1747200000>;
opp-peak-kBps = <5412000 42393600>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 107/508] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 106/508] arm64: dts: qcom: sm8250: Fix CPU7 opp table Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 108/508] ARM: dts: at91: at91sam9263: fix NAND chip selects Greg Kroah-Hartman
` (401 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Claudiu Beznea,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ]
Dataflash did not work on my board. After checking schematics and using
the proper GPIO, it works now. Also, make it active low to avoid:
flash@0 enforce active low on GPIO handle
Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/usb_a9263.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts
index b6cb9cdf81973..c9d0058e90813 100644
--- a/arch/arm/boot/dts/usb_a9263.dts
+++ b/arch/arm/boot/dts/usb_a9263.dts
@@ -58,7 +58,7 @@
};
spi0: spi@fffa4000 {
- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>;
status = "okay";
flash@0 {
compatible = "atmel,at45", "atmel,dataflash";
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 108/508] ARM: dts: at91: at91sam9263: fix NAND chip selects
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 107/508] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 109/508] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains Greg Kroah-Hartman
` (400 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Alexandre Belloni,
Claudiu Beznea, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ]
NAND did not work on my USB-A9263. I discovered that the offending
commit converted the PIO bank for chip selects wrongly, so all A9263
boards need to be fixed.
Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/at91sam9263ek.dts | 2 +-
arch/arm/boot/dts/tny_a9263.dts | 2 +-
arch/arm/boot/dts/usb_a9263.dts | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm/boot/dts/at91sam9263ek.dts b/arch/arm/boot/dts/at91sam9263ek.dts
index ce8baff6a9f4e..e42e1a75a715d 100644
--- a/arch/arm/boot/dts/at91sam9263ek.dts
+++ b/arch/arm/boot/dts/at91sam9263ek.dts
@@ -152,7 +152,7 @@
nand@3 {
reg = <0x3 0x0 0x800000>;
rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
nand-bus-width = <8>;
nand-ecc-mode = "soft";
nand-on-flash-bbt;
diff --git a/arch/arm/boot/dts/tny_a9263.dts b/arch/arm/boot/dts/tny_a9263.dts
index 62b7d9f9a926c..c8b6318aaa838 100644
--- a/arch/arm/boot/dts/tny_a9263.dts
+++ b/arch/arm/boot/dts/tny_a9263.dts
@@ -64,7 +64,7 @@
nand@3 {
reg = <0x3 0x0 0x800000>;
rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
nand-bus-width = <8>;
nand-ecc-mode = "soft";
nand-on-flash-bbt;
diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts
index c9d0058e90813..83d0b98dd287b 100644
--- a/arch/arm/boot/dts/usb_a9263.dts
+++ b/arch/arm/boot/dts/usb_a9263.dts
@@ -84,7 +84,7 @@
nand@3 {
reg = <0x3 0x0 0x800000>;
rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
nand-bus-width = <8>;
nand-ecc-mode = "soft";
nand-on-flash-bbt;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 109/508] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 108/508] ARM: dts: at91: at91sam9263: fix NAND chip selects Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 110/508] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO Greg Kroah-Hartman
` (399 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 394f29033324e2317bfd6a7ed99b9a60832b36a2 ]
By hardware, the first and second core of the video decoder IP
need the VDEC_SOC to be powered up in order to be able to be
accessed (both internally, by firmware, and externally, by the
kernel).
Similarly, for the video encoder IP, the second core needs the
first core to be powered up in order to be accessible.
Fix that by reparenting the VDEC1/2 power domains to be children
of VDEC0 (VDEC_SOC), and the VENC1 to be a child of VENC0.
Fixes: 2b515194bf0c ("arm64: dts: mt8195: Add power domains controller")
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Link: https://lore.kernel.org/r/20250402090615.25871-3-angelogioacchino.delregno@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 +++++++++++++-----------
1 file changed, 27 insertions(+), 23 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
index 274edce5d5e6e..6f92451671355 100644
--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
@@ -461,22 +461,6 @@
#size-cells = <0>;
#power-domain-cells = <1>;
- power-domain@MT8195_POWER_DOMAIN_VDEC1 {
- reg = <MT8195_POWER_DOMAIN_VDEC1>;
- clocks = <&vdecsys CLK_VDEC_LARB1>;
- clock-names = "vdec1-0";
- mediatek,infracfg = <&infracfg_ao>;
- #power-domain-cells = <0>;
- };
-
- power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
- reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
- clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
- clock-names = "venc1-larb";
- mediatek,infracfg = <&infracfg_ao>;
- #power-domain-cells = <0>;
- };
-
power-domain@MT8195_POWER_DOMAIN_VDOSYS0 {
reg = <MT8195_POWER_DOMAIN_VDOSYS0>;
clocks = <&topckgen CLK_TOP_CFG_VDO0>,
@@ -522,15 +506,25 @@
clocks = <&vdecsys_soc CLK_VDEC_SOC_LARB1>;
clock-names = "vdec0-0";
mediatek,infracfg = <&infracfg_ao>;
+ #address-cells = <1>;
+ #size-cells = <0>;
#power-domain-cells = <0>;
- };
- power-domain@MT8195_POWER_DOMAIN_VDEC2 {
- reg = <MT8195_POWER_DOMAIN_VDEC2>;
- clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
- clock-names = "vdec2-0";
- mediatek,infracfg = <&infracfg_ao>;
- #power-domain-cells = <0>;
+ power-domain@MT8195_POWER_DOMAIN_VDEC1 {
+ reg = <MT8195_POWER_DOMAIN_VDEC1>;
+ clocks = <&vdecsys CLK_VDEC_LARB1>;
+ clock-names = "vdec1-0";
+ mediatek,infracfg = <&infracfg_ao>;
+ #power-domain-cells = <0>;
+ };
+
+ power-domain@MT8195_POWER_DOMAIN_VDEC2 {
+ reg = <MT8195_POWER_DOMAIN_VDEC2>;
+ clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
+ clock-names = "vdec2-0";
+ mediatek,infracfg = <&infracfg_ao>;
+ #power-domain-cells = <0>;
+ };
};
power-domain@MT8195_POWER_DOMAIN_VENC {
@@ -538,7 +532,17 @@
clocks = <&vencsys CLK_VENC_LARB>;
clock-names = "venc0-larb";
mediatek,infracfg = <&infracfg_ao>;
+ #address-cells = <1>;
+ #size-cells = <0>;
#power-domain-cells = <0>;
+
+ power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
+ reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
+ clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
+ clock-names = "venc1-larb";
+ mediatek,infracfg = <&infracfg_ao>;
+ #power-domain-cells = <0>;
+ };
};
power-domain@MT8195_POWER_DOMAIN_VDOSYS1 {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 110/508] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 109/508] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 111/508] arm64: dts: imx8mm-beacon: Fix RTC capacitive load Greg Kroah-Hartman
` (398 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Minnekhanov, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Minnekhanov <alexeymin@postmarketos.org>
[ Upstream commit 2eca6af66709de0d1ba14cdf8b6d200a1337a3a2 ]
During initial porting these cd-gpios were missed. Having card detect is
beneficial because driver does not need to do polling every second and it
can just use IRQ. SD card detection in U-Boot is also fixed by this.
Fixes: cf85e9aee210 ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add eMMC and SD")
Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250415130101.1429281-1-alexeymin@postmarketos.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
index a3559f6e34a5e..9612671dc5afa 100644
--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
@@ -402,6 +402,8 @@
&sdhc_2 {
status = "okay";
+ cd-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>;
+
vmmc-supply = <&vreg_l5b_2p95>;
vqmmc-supply = <&vreg_l2b_2p95>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 111/508] arm64: dts: imx8mm-beacon: Fix RTC capacitive load
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 110/508] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 112/508] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
` (397 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adam Ford, Shawn Guo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ]
Although not noticeable when used every day, the RTC appears to drift when
left to sit over time. This is due to the capacitive load not being
properly set. Fix RTC drift by correcting the capacitive load setting
from 7000 to 12500, which matches the actual hardware configuration.
Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
index cf07987ccc10b..140e251094fa4 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
@@ -231,6 +231,7 @@
rtc: rtc@51 {
compatible = "nxp,pcf85263";
reg = <0x51>;
+ quartz-load-femtofarads = <12500>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 112/508] arm64: dts: imx8mn-beacon: Fix RTC capacitive load
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 111/508] arm64: dts: imx8mm-beacon: Fix RTC capacitive load Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 113/508] arm64: dts: mt6359: Add missing compatible property to regulators node Greg Kroah-Hartman
` (396 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Frank Li, Shawn Guo,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ]
Although not noticeable when used every day, the RTC appears to drift when
left to sit over time. This is due to the capacitive load not being
properly set. Fix RTC drift by correcting the capacitive load setting
from 7000 to 12500, which matches the actual hardware configuration.
Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
index 1133cded9be2f..c4b1c6029c9a9 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
@@ -240,6 +240,7 @@
rtc: rtc@51 {
compatible = "nxp,pcf85263";
reg = <0x51>;
+ quartz-load-femtofarads = <12500>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 113/508] arm64: dts: mt6359: Add missing compatible property to regulators node
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 112/508] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 114/508] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply Greg Kroah-Hartman
` (395 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julien Massot,
AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julien Massot <julien.massot@collabora.com>
[ Upstream commit 1fe38d2a19950fa6dbc384ee8967c057aef9faf4 ]
The 'compatible' property is required by the
'mfd/mediatek,mt6397.yaml' binding. Add it to fix the following
dtb-check error:
mediatek/mt8395-radxa-nio-12l.dtb: pmic: regulators:
'compatible' is a required property
Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
Signed-off-by: Julien Massot <julien.massot@collabora.com>
Link: https://lore.kernel.org/r/20250505-mt8395-dtb-errors-v1-3-9c4714dcdcdb@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
index df3e822232d34..ef6ab90b99f93 100644
--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
@@ -13,6 +13,8 @@
};
regulators {
+ compatible = "mediatek,mt6359-regulator";
+
mt6359_vs1_buck_reg: buck_vs1 {
regulator-name = "vs1";
regulator-min-microvolt = <800000>;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 114/508] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 113/508] arm64: dts: mt6359: Add missing compatible property to regulators node Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 115/508] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning Greg Kroah-Hartman
` (394 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Minnekhanov, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Minnekhanov <alexeymin@postmarketos.org>
[ Upstream commit dbf62a117a1b7f605a98dd1fd1fd6c85ec324ea0 ]
Fixes the following dtbs check error:
phy@c012000: 'vdda-pll-supply' is a required property
Fixes: e5d3e752b050e ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add USB")
Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250504115120.1432282-3-alexeymin@postmarketos.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
index 9612671dc5afa..6166099aa0c32 100644
--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
@@ -107,6 +107,7 @@
status = "okay";
vdd-supply = <&vreg_l1b_0p925>;
+ vdda-pll-supply = <&vreg_l10a_1p8>;
vdda-phy-dpdm-supply = <&vreg_l7b_3p125>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 115/508] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 114/508] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 116/508] Squashfs: check return result of sb_min_blocksize Greg Kroah-Hartman
` (393 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Minnekhanov, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Minnekhanov <alexeymin@postmarketos.org>
[ Upstream commit f5110806b41eaa0eb0ab1bf2787876a580c6246c ]
If you remove clocks property, you should remove clock-names, too.
Fixes warning with dtbs check:
'clocks' is a dependency of 'clock-names'
Fixes: 34279d6e3f32c ("arm64: dts: qcom: sdm660: Add initial Inforce IFC6560 board support")
Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250504115120.1432282-4-alexeymin@postmarketos.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
index 28050bc5f0813..502a3481ba284 100644
--- a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
+++ b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
@@ -155,6 +155,7 @@
* BAM DMA interconnects support is in place.
*/
/delete-property/ clocks;
+ /delete-property/ clock-names;
};
&blsp1_uart2 {
@@ -167,6 +168,7 @@
* BAM DMA interconnects support is in place.
*/
/delete-property/ clocks;
+ /delete-property/ clock-names;
};
&blsp2_uart1 {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 116/508] Squashfs: check return result of sb_min_blocksize
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 115/508] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 117/508] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery Greg Kroah-Hartman
` (392 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+65761fc25a137b9c8c6e,
Phillip Lougher, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ]
Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
Syzkaller forks multiple processes which after mounting the Squashfs
filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioctl occurs at the same time another process is in the
process of mounting a Squashfs filesystem on /dev/loop0, the failure
occurs. When this happens the following code in squashfs_fill_super()
fails.
----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----
sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.
As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
is set to 64.
This subsequently causes the
UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka
'unsigned long long')
This commit adds a check for a 0 return by sb_min_blocksize().
Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk
Fixes: 0aa666190509 ("Squashfs: super block operations")
Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/squashfs/super.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
index 32565dafa7f3b..37579c07f6fde 100644
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -137,6 +137,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc)
msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+ if (!msblk->devblksize) {
+ errorf(fc, "squashfs: unable to set blocksize\n");
+ return -EINVAL;
+ }
+
msblk->devblksize_log2 = ffz(~msblk->devblksize);
mutex_init(&msblk->meta_index_mutex);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 117/508] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 116/508] Squashfs: check return result of sb_min_blocksize Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 118/508] nilfs2: add pointer check for nilfs_direct_propagate() Greg Kroah-Hartman
` (391 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Jan Kara, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ]
If ocfs2_finish_quota_recovery() exits due to an error before passing all
rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a
memory leak as rc_list may still contain elements that have to be freed.
Release all memory allocated by ocfs2_add_recovery_chunk() using
ocfs2_free_quota_recovery() instead of kfree().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru
Fixes: 2205363dce74 ("ocfs2: Implement quota recovery")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/quota_local.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 0ca8975a1df47..c7bda48b5fb21 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -671,7 +671,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb,
break;
}
out:
- kfree(rec);
+ ocfs2_free_quota_recovery(rec);
return status;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 118/508] nilfs2: add pointer check for nilfs_direct_propagate()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 117/508] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 119/508] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Greg Kroah-Hartman
` (390 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Ryusuke Konishi,
Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit f43f02429295486059605997bc43803527d69791 ]
Patch series "nilfs2: improve sanity checks in dirty state propagation".
This fixes one missed check for block mapping anomalies and one improper
return of an error code during a preparation step for log writing, thereby
improving checking for filesystem corruption on writeback.
This patch (of 2):
In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr()
need to be checked to ensure it is not an invalid pointer.
If the pointer value obtained by nilfs_direct_get_ptr() is
NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in
the nilfs_inode_info struct) that should point to the data block at the
buffer head of the argument is corrupted and the data block is orphaned,
meaning that the file system has lost consistency.
Add a value check and return -EINVAL when it is an invalid pointer.
Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com
Fixes: 36a580eb489f ("nilfs2: direct block mapping")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/direct.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
index 893ab36824cc2..2d8dc6b35b547 100644
--- a/fs/nilfs2/direct.c
+++ b/fs/nilfs2/direct.c
@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap,
dat = nilfs_bmap_get_dat(bmap);
key = nilfs_bmap_data_get_key(bmap, bh);
ptr = nilfs_direct_get_ptr(bmap, key);
+ if (ptr == NILFS_BMAP_INVALID_PTR)
+ return -EINVAL;
+
if (!buffer_nilfs_volatile(bh)) {
oldreq.pr_entry_nr = ptr;
newreq.pr_entry_nr = ptr;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 119/508] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 118/508] nilfs2: add pointer check for nilfs_direct_propagate() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 120/508] bus: fsl-mc: fix double-free on mc_dev Greg Kroah-Hartman
` (389 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi, Wentao Liang,
Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ]
In preparation for writing logs, in nilfs_btree_propagate(), which makes
parent and ancestor node blocks dirty starting from a modified data block
or b-tree node block, if the starting block does not belong to the b-tree,
i.e. is isolated, nilfs_btree_do_lookup() called within the function
fails with -ENOENT.
In this case, even though -ENOENT is an internal code, it is propagated to
the log writer via nilfs_bmap_propagate() and may be erroneously returned
to system calls such as fsync().
Fix this issue by changing the error code to -EINVAL in this case, and
having the bmap layer detect metadata corruption and convert the error
code appropriately.
Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com
Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/btree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
index 3139a1863751b..29cb1236e1a9b 100644
--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -2094,11 +2094,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree,
ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0);
if (ret < 0) {
- if (unlikely(ret == -ENOENT))
+ if (unlikely(ret == -ENOENT)) {
nilfs_crit(btree->b_inode->i_sb,
"writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
btree->b_inode->i_ino,
(unsigned long long)key, level);
+ ret = -EINVAL;
+ }
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 120/508] bus: fsl-mc: fix double-free on mc_dev
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 119/508] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 121/508] dt-bindings: vendor-prefixes: Add Liontron name Greg Kroah-Hartman
` (388 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Christophe Leroy,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ioana Ciornei <ioana.ciornei@nxp.com>
[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ]
The blamed commit tried to simplify how the deallocations are done but,
in the process, introduced a double-free on the mc_dev variable.
In case the MC device is a DPRC, a new mc_bus is allocated and the
mc_dev variable is just a reference to one of its fields. In this
circumstance, on the error path only the mc_bus should be freed.
This commit introduces back the following checkpatch warning which is a
false-positive.
WARNING: kfree(NULL) is safe and this check is probably not required
+ if (mc_bus)
+ kfree(mc_bus);
Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations")
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
index 6143dbf31f311..6e4556530df58 100644
--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
@@ -910,8 +910,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc,
error_cleanup_dev:
kfree(mc_dev->regions);
- kfree(mc_bus);
- kfree(mc_dev);
+ if (mc_bus)
+ kfree(mc_bus);
+ else
+ kfree(mc_dev);
return error;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 121/508] dt-bindings: vendor-prefixes: Add Liontron name
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 120/508] bus: fsl-mc: fix double-free on mc_dev Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 122/508] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Greg Kroah-Hartman
` (387 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andre Przywara, Rob Herring (Arm),
Chen-Yu Tsai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andre Przywara <andre.przywara@arm.com>
[ Upstream commit 9baa27a2e9fc746143ab686b6dbe2d515284a4c5 ]
Liontron is a company based in Shenzen, China, making industrial
development boards and embedded computers, mostly using Rockchip and
Allwinner SoCs.
Add their name to the list of vendors.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Link: https://patch.msgid.link/20250505164729.18175-2-andre.przywara@arm.com
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
index 77e9413cdee07..f955db429f55a 100644
--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
+++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
@@ -725,6 +725,8 @@ patternProperties:
description: Linux-specific binding
"^linx,.*":
description: Linx Technologies
+ "^liontron,.*":
+ description: Shenzhen Liontron Technology Co., Ltd
"^liteon,.*":
description: LITE-ON Technology Corp.
"^litex,.*":
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 122/508] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 121/508] dt-bindings: vendor-prefixes: Add Liontron name Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 123/508] arm64: defconfig: mediatek: enable PHY drivers Greg Kroah-Hartman
` (386 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ]
Follow up the expected way of describing the SFPB hwspinlock and merge
hwspinlock node into corresponding syscon node, fixing several dt-schema
warnings.
Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom-apq8064.dtsi | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
index 2b3927a829b70..da7e780dc3351 100644
--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
+++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
@@ -212,12 +212,6 @@
};
};
- sfpb_mutex: hwmutex {
- compatible = "qcom,sfpb-mutex";
- syscon = <&sfpb_wrapper_mutex 0x604 0x4>;
- #hwlock-cells = <1>;
- };
-
smem {
compatible = "qcom,smem";
memory-region = <&smem_region>;
@@ -361,9 +355,10 @@
pinctrl-0 = <&ps_hold>;
};
- sfpb_wrapper_mutex: syscon@1200000 {
- compatible = "syscon";
- reg = <0x01200000 0x8000>;
+ sfpb_mutex: hwmutex@1200600 {
+ compatible = "qcom,sfpb-mutex";
+ reg = <0x01200600 0x100>;
+ #hwlock-cells = <1>;
};
intc: interrupt-controller@2000000 {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 123/508] arm64: defconfig: mediatek: enable PHY drivers
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 122/508] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 124/508] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Greg Kroah-Hartman
` (385 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
Vignesh Raman, AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vignesh Raman <vignesh.raman@collabora.com>
[ Upstream commit f52cd248d844f9451858992f924988ac413fdc7e ]
The mediatek display driver fails to probe on mt8173-elm-hana and
mt8183-kukui-jacuzzi-juniper-sku16 in v6.14-rc4 due to missing PHY
configurations.
Commit 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
stopped selecting the MediaTek PHY drivers, requiring them to be
explicitly enabled in defconfig.
Enable the following PHY drivers for MediaTek platforms:
CONFIG_PHY_MTK_HDMI=m for HDMI display
CONFIG_PHY_MTK_MIPI_DSI=m for DSI display
CONFIG_PHY_MTK_DP=m for DP display
Fixes: 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Signed-off-by: Vignesh Raman <vignesh.raman@collabora.com>
Link: https://lore.kernel.org/r/20250512131933.1247830-1-vignesh.raman@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/configs/defconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
index 623e9f308f38a..4543b292b50b4 100644
--- a/arch/arm64/configs/defconfig
+++ b/arch/arm64/configs/defconfig
@@ -1230,6 +1230,9 @@ CONFIG_PHY_HISTB_COMBPHY=y
CONFIG_PHY_HISI_INNO_USB2=y
CONFIG_PHY_MVEBU_CP110_COMPHY=y
CONFIG_PHY_MTK_TPHY=y
+CONFIG_PHY_MTK_HDMI=m
+CONFIG_PHY_MTK_MIPI_DSI=m
+CONFIG_PHY_MTK_DP=m
CONFIG_PHY_QCOM_EDP=m
CONFIG_PHY_QCOM_PCIE2=m
CONFIG_PHY_QCOM_QMP=m
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 124/508] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 123/508] arm64: defconfig: mediatek: enable PHY drivers Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 125/508] arm64: dts: mt6359: Rename RTC node to match binding expectations Greg Kroah-Hartman
` (384 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Schulz, Lukasz Czechowski,
Heiko Stuebner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quentin Schulz <quentin.schulz@cherry.de>
[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ]
The u2phy0_host port is the part of the USB PHY0 (namely the
HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST
controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG
controller (dwc3), which we do use.
The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply
disable the USB2.0 controllers.
USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a
while, one of the recurring issues being that only USB2 is detected and
not USB3 in host mode. Reading the justification above and seeing that
we are keeping u2phy0_host in the Haikou carrierboard DTS probably may
have bothered you since it should be changed to u2phy0_otg. The issue is
that if it's switched to that, USB OTG on Haikou is entirely broken. I
have checked the routing in the Gerber file, the lanes are going to the
expected ball pins (that is, NOT HOST0_DP/DM).
u2phy0_host is for sure the wrong part of the PHY to use, but it's the
only one that works at the moment for that board so keep it until we
figure out what exactly is broken.
No intended functional change.
[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf
Chapter 2 USB2.0 PHY
Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 --------
1 file changed, 8 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
index 115c14c0a3c68..396a6636073b5 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
@@ -251,14 +251,6 @@
status = "okay";
};
-&usb_host0_ehci {
- status = "okay";
-};
-
-&usb_host0_ohci {
- status = "okay";
-};
-
&vopb {
status = "okay";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 125/508] arm64: dts: mt6359: Rename RTC node to match binding expectations
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 124/508] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 126/508] ARM: aspeed: Dont select SRAM Greg Kroah-Hartman
` (383 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julien Massot,
AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julien Massot <julien.massot@collabora.com>
[ Upstream commit cfe035d8662cfbd6edff9bd89c4b516bbb34c350 ]
Rename the node 'mt6359rtc' to 'rtc', as required by the binding.
Fix the following dtb-check error:
mediatek/mt8395-radxa-nio-12l.dtb: pmic: 'mt6359rtc' do not match
any of the regexes: 'pinctrl-[0-9]+'
Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
Signed-off-by: Julien Massot <julien.massot@collabora.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20250514-mt8395-dtb-errors-v2-3-d67b9077c59a@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
index ef6ab90b99f93..29e784bebb69e 100644
--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
@@ -293,7 +293,7 @@
};
};
- mt6359rtc: mt6359rtc {
+ mt6359rtc: rtc {
compatible = "mediatek,mt6358-rtc";
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 126/508] ARM: aspeed: Dont select SRAM
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 125/508] arm64: dts: mt6359: Rename RTC node to match binding expectations Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 127/508] soc: aspeed: lpc: Fix impossible judgment condition Greg Kroah-Hartman
` (382 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joel Stanley, Andrew Jeffery,
Arnd Bergmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Stanley <joel@jms.id.au>
[ Upstream commit e4f59f873c3ffe2a0150e11115a83e2dfb671dbf ]
The ASPEED devices have SRAM, but don't require it for basic function
(or any function; there's no known users of the driver).
Fixes: 8c2ed9bcfbeb ("arm: Add Aspeed machine")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Link: https://patch.msgid.link/20250115103942.421429-1-joel@jms.id.au
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-aspeed/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig
index 080019aa6fcd8..fcf287edd0e5e 100644
--- a/arch/arm/mach-aspeed/Kconfig
+++ b/arch/arm/mach-aspeed/Kconfig
@@ -2,7 +2,6 @@
menuconfig ARCH_ASPEED
bool "Aspeed BMC architectures"
depends on (CPU_LITTLE_ENDIAN && ARCH_MULTI_V5) || ARCH_MULTI_V6 || ARCH_MULTI_V7
- select SRAM
select WATCHDOG
select ASPEED_WATCHDOG
select MFD_SYSCON
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 127/508] soc: aspeed: lpc: Fix impossible judgment condition
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 126/508] ARM: aspeed: Dont select SRAM Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 128/508] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Greg Kroah-Hartman
` (381 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Hui, Dan Carpenter,
Andrew Jeffery, Arnd Bergmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ]
smatch error:
drivers/soc/aspeed/aspeed-lpc-snoop.c:169
aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero
platform_get_irq() return non-zero IRQ number or negative error code,
change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this.
Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
Signed-off-by: Su Hui <suhui@nfschina.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index eceeaf8dfbeba..d9bdc2e084086 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -167,7 +167,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop,
int rc;
lpc_snoop->irq = platform_get_irq(pdev, 0);
- if (!lpc_snoop->irq)
+ if (lpc_snoop->irq < 0)
return -ENODEV;
rc = devm_request_irq(dev, lpc_snoop->irq,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 128/508] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 127/508] soc: aspeed: lpc: Fix impossible judgment condition Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 129/508] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Greg Kroah-Hartman
` (380 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Andrew Jeffery,
Arnd Bergmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
aspeed_lpc_enable_snoop() does not check for this case, which results in a
NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com
[arj: Fix Fixes: tag to use subject from 3772e5da4454]
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index d9bdc2e084086..22619b853f449 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -201,11 +201,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR;
lpc_snoop->chan[channel].miscdev.name =
devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel);
+ if (!lpc_snoop->chan[channel].miscdev.name) {
+ rc = -ENOMEM;
+ goto err_free_fifo;
+ }
lpc_snoop->chan[channel].miscdev.fops = &snoop_fops;
lpc_snoop->chan[channel].miscdev.parent = dev;
rc = misc_register(&lpc_snoop->chan[channel].miscdev);
if (rc)
- return rc;
+ goto err_free_fifo;
/* Enable LPC snoop channel at requested port */
switch (channel) {
@@ -222,7 +226,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
hicrb_en = HICRB_ENSNP1D;
break;
default:
- return -EINVAL;
+ rc = -EINVAL;
+ goto err_misc_deregister;
}
regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en);
@@ -232,6 +237,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
regmap_update_bits(lpc_snoop->regmap, HICRB,
hicrb_en, hicrb_en);
+ return 0;
+
+err_misc_deregister:
+ misc_deregister(&lpc_snoop->chan[channel].miscdev);
+err_free_fifo:
+ kfifo_free(&lpc_snoop->chan[channel].fifo);
return rc;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 129/508] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 128/508] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 130/508] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
` (379 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Shtylyov, Helge Deller,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Shtylyov <s.shtylyov@omp.ru>
[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ]
In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,
cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's
then passed to fb_cvt_hperiod(), where it's used as a divider -- division
by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to
avoid such overflow...
Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.
Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbcvt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c
index 64843464c6613..cd3821bd82e56 100644
--- a/drivers/video/fbdev/core/fbcvt.c
+++ b/drivers/video/fbdev/core/fbcvt.c
@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)
cvt.f_refresh = cvt.refresh;
cvt.interlace = 1;
- if (!cvt.xres || !cvt.yres || !cvt.refresh) {
+ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) {
printk(KERN_INFO "fbcvt: Invalid input parameters\n");
return 1;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 130/508] randstruct: gcc-plugin: Remove bogus void member
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 129/508] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 131/508] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
` (378 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. David Alan Gilbert, Mark Brown,
WangYuli, Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ]
When building the randomized replacement tree of struct members, the
randstruct GCC plugin would insert, as the first member, a 0-sized void
member. This appears as though it was done to catch non-designated
("unnamed") static initializers, which wouldn't be stable since they
depend on the original struct layout order.
This was accomplished by having the side-effect of the "void member"
tripping an assert in GCC internals (count_type_elements) if the member
list ever needed to be counted (e.g. for figuring out the order of members
during a non-designated initialization), which would catch impossible type
(void) in the struct:
security/landlock/fs.c: In function ‘hook_file_ioctl_common’:
security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075
1745 | .u.op = &(struct lsm_ioctlop_audit) {
| ^
static HOST_WIDE_INT
count_type_elements (const_tree type, bool for_ctor_p)
{
switch (TREE_CODE (type))
...
case VOID_TYPE:
default:
gcc_unreachable ();
}
}
However this is a redundant safety measure since randstruct uses the
__designated_initializer attribute both internally and within the
__randomized_layout attribute macro so that this would be enforced
by the compiler directly even when randstruct was not enabled (via
-Wdesignated-init).
A recent change in Landlock ended up tripping the same member counting
routine when using a full-struct copy initializer as part of an anonymous
initializer. This, however, is a false positive as the initializer is
copying between identical structs (and hence identical layouts). The
"path" member is "struct path", a randomized struct, and is being copied
to from another "struct path", the "f_path" member:
landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) {
.type = LANDLOCK_REQUEST_FS_ACCESS,
.audit = {
.type = LSM_AUDIT_DATA_IOCTL_OP,
.u.op = &(struct lsm_ioctlop_audit) {
.path = file->f_path,
.cmd = cmd,
},
},
...
As can be seen with the coming randstruct KUnit test, there appears to
be no behavioral problems with this kind of initialization when the void
member is removed from the randstruct GCC plugin, so remove it.
Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/
Reported-by: Mark Brown <broonie@kernel.org>
Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/
Reported-by: WangYuli <wangyuli@uniontech.com>
Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/
Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/gcc-plugins/randomize_layout_plugin.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
index 366395cab490d..2b93dd14bd7b6 100644
--- a/scripts/gcc-plugins/randomize_layout_plugin.c
+++ b/scripts/gcc-plugins/randomize_layout_plugin.c
@@ -359,29 +359,13 @@ static int relayout_struct(tree type)
shuffle(type, (tree *)newtree, shuffle_length);
- /*
- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers
- * as gcc provides no other way to detect such code
- */
- list = make_node(FIELD_DECL);
- TREE_CHAIN(list) = newtree[0];
- TREE_TYPE(list) = void_type_node;
- DECL_SIZE(list) = bitsize_zero_node;
- DECL_NONADDRESSABLE_P(list) = 1;
- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node;
- DECL_SIZE_UNIT(list) = size_zero_node;
- DECL_FIELD_OFFSET(list) = size_zero_node;
- DECL_CONTEXT(list) = type;
- // to satisfy the constify plugin
- TREE_READONLY(list) = 1;
-
for (i = 0; i < num_fields - 1; i++)
TREE_CHAIN(newtree[i]) = newtree[i+1];
TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
main_variant = TYPE_MAIN_VARIANT(type);
for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
- TYPE_FIELDS(variant) = list;
+ TYPE_FIELDS(variant) = newtree[0];
TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 131/508] randstruct: gcc-plugin: Fix attribute addition
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 130/508] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 132/508] perf build: Warn when libdebuginfod devel files are not available Greg Kroah-Hartman
` (377 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thiago Jung Bauermann, Ingo Saitz,
Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ]
Based on changes in the 2021 public version of the randstruct
out-of-tree GCC plugin[1], more carefully update the attributes on
resulting decls, to avoid tripping checks in GCC 15's
comptypes_check_enum_int() when it has been configured with
"--enable-checking=misc":
arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519
132 | const struct kexec_file_ops kexec_image_ops = {
| ^~~~~~~~~~~~~~
internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517
fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803
comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519
...
Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1]
Reported-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
Closes: https://github.com/KSPP/linux/issues/367
Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/
Reported-by: Ingo Saitz <ingo@hannover.ccc.de>
Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745
Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
Tested-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++
scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++-------
2 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
index 1ae39b9f4a95e..90e83d62adb54 100644
--- a/scripts/gcc-plugins/gcc-common.h
+++ b/scripts/gcc-plugins/gcc-common.h
@@ -128,6 +128,38 @@ static inline tree build_const_char_string(int len, const char *str)
return cstr;
}
+static inline void __add_type_attr(tree type, const char *attr, tree args)
+{
+ tree oldattr;
+
+ if (type == NULL_TREE)
+ return;
+ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type));
+ if (oldattr != NULL_TREE) {
+ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args));
+ return;
+ }
+
+ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
+ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type));
+}
+
+static inline void add_type_attr(tree type, const char *attr, tree args)
+{
+ tree main_variant = TYPE_MAIN_VARIANT(type);
+
+ __add_type_attr(TYPE_CANONICAL(type), attr, args);
+ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args);
+ __add_type_attr(main_variant, attr, args);
+
+ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) {
+ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type)))
+ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant);
+
+ __add_type_attr(TYPE_CANONICAL(type), attr, args);
+ }
+}
+
#define PASS_INFO(NAME, REF, ID, POS) \
struct register_pass_info NAME##_pass_info = { \
.pass = make_##NAME##_pass(), \
diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
index 2b93dd14bd7b6..b00681ad3e383 100644
--- a/scripts/gcc-plugins/randomize_layout_plugin.c
+++ b/scripts/gcc-plugins/randomize_layout_plugin.c
@@ -77,6 +77,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f
if (TYPE_P(*node)) {
type = *node;
+ } else if (TREE_CODE(*node) == FIELD_DECL) {
+ *no_add_attrs = false;
+ return NULL_TREE;
} else {
gcc_assert(TREE_CODE(*node) == TYPE_DECL);
type = TREE_TYPE(*node);
@@ -363,15 +366,14 @@ static int relayout_struct(tree type)
TREE_CHAIN(newtree[i]) = newtree[i+1];
TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+ add_type_attr(type, "randomize_performed", NULL_TREE);
+ add_type_attr(type, "designated_init", NULL_TREE);
+ if (has_flexarray)
+ add_type_attr(type, "has_flexarray", NULL_TREE);
+
main_variant = TYPE_MAIN_VARIANT(type);
- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
+ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant))
TYPE_FIELDS(variant) = newtree[0];
- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
- if (has_flexarray)
- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type));
- }
/*
* force a re-layout of the main variant
@@ -439,10 +441,8 @@ static void randomize_type(tree type)
if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type))
relayout_struct(type);
- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) {
- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type));
- }
+ add_type_attr(type, "randomize_considered", NULL_TREE);
+
#ifdef __DEBUG_PLUGIN
fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type));
#ifdef __DEBUG_VERBOSE
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 132/508] perf build: Warn when libdebuginfod devel files are not available
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 131/508] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 133/508] perf ui browser hists: Set actions->thread before calling do_zoom_thread() Greg Kroah-Hartman
` (376 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Adrian Hunter,
Dmitriy Vyukov, Howard Chu, Ian Rogers, Jiri Olsa, Kan Liang,
Namhyung Kim, Peter Zijlstra, Frank Ch. Eigler,
Arnaldo Carvalho de Melo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ]
While working on 'perf version --build-options' I noticed that:
$ perf version --build-options
perf version 6.15.rc1.g312a07a00d31
aio: [ on ] # HAVE_AIO_SUPPORT
bpf: [ on ] # HAVE_LIBBPF_SUPPORT
bpf_skeletons: [ on ] # HAVE_BPF_SKEL
debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT
<SNIP>
And looking at tools/perf/Makefile.config I also noticed that it is not
opt-in, meaning we will attempt to build with it in all normal cases.
So add the usual warning at build time to let the user know that
something recommended is missing, now we see:
Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent
And after following the recommendation:
$ perf check feature debuginfod
debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT
$ ldd ~/bin/perf | grep debuginfo
libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000)
$
With this feature on several perf tools will fetch what is needed and
not require all the contents of the debuginfo packages, for instance:
# rpm -qa | grep kernel-debuginfo
# pahole --running_kernel_vmlinux
pahole: couldn't find a vmlinux that matches the running kernel
HINT: Maybe you're inside a container or missing a debuginfo package?
#
# perf trace -e open* perf probe --vars icmp_rcv
0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3
0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3
<SNIP>
32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3
<SNIP>
Available variables at icmp_rcv
@<icmp_rcv+0>
struct sk_buff* skb
<SNIP>
#
# pahole --running_kernel_vmlinux
/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
# file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped
# ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
-r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
#
Then, cached:
# perf stat --null perf probe --vars icmp_rcv
Available variables at icmp_rcv
@<icmp_rcv+0>
struct sk_buff* skb
Performance counter stats for 'perf probe --vars icmp_rcv':
0.671389041 seconds time elapsed
0.519176000 seconds user
0.150860000 seconds sys
Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found")
Tested-by: Ingo Molnar <mingo@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frank Ch. Eigler <fche@redhat.com>
Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com
[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/Makefile.config | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
index fac6ba07eacdb..249f3d8415634 100644
--- a/tools/perf/Makefile.config
+++ b/tools/perf/Makefile.config
@@ -545,6 +545,8 @@ ifndef NO_LIBELF
ifeq ($(feature-libdebuginfod), 1)
CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT
EXTLIBS += -ldebuginfod
+ else
+ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent)
endif
endif
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 133/508] perf ui browser hists: Set actions->thread before calling do_zoom_thread()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 132/508] perf build: Warn when libdebuginfod devel files are not available Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 134/508] dm: dont change md if dm_table_set_restrictions() fails Greg Kroah-Hartman
` (375 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Adrian Hunter,
Ian Rogers, James Clark, Jiri Olsa, Kan Liang, Namhyung Kim,
Arnaldo Carvalho de Melo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ]
In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct
perf_hpp_list") it assumes that act->thread is set prior to calling
do_zoom_thread().
This doesn't happen when we use ESC or the Left arrow key to Zoom out of
a specific thread, making this operation not to work and we get stuck
into the thread zoom.
In 6422184b087ff435 ("perf hists browser: Simplify zooming code using
pstack_peek()") it says no need to set actions->thread, and at that
point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL
check was added before the zoom out of thread could kick in.
We can zoom out using the alternative 't' thread zoom toggle hotkey to
finally set actions->thread before calling do_zoom_thread() and zoom
out, but lets also fix the ESC/Zoom out of thread case.
Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list")
Reported-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Ingo Molnar <mingo@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/ui/browsers/hists.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
index fd3e67d2c6bdd..a68d3ee1769d6 100644
--- a/tools/perf/ui/browsers/hists.c
+++ b/tools/perf/ui/browsers/hists.c
@@ -3238,10 +3238,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
/*
* No need to set actions->dso here since
* it's just to remove the current filter.
- * Ditto for thread below.
*/
do_zoom_dso(browser, actions);
} else if (top == &browser->hists->thread_filter) {
+ actions->thread = thread;
do_zoom_thread(browser, actions);
} else if (top == &browser->hists->socket_filter) {
do_zoom_socket(browser, actions);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 134/508] dm: dont change md if dm_table_set_restrictions() fails
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 133/508] perf ui browser hists: Set actions->thread before calling do_zoom_thread() Greg Kroah-Hartman
@ 2025-06-23 13:02 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 135/508] dm: free table mempools if not used in __bind Greg Kroah-Hartman
` (374 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit 9eb7109a5bfc5b8226e9517e9f3cc6d414391884 ]
__bind was changing the disk capacity, geometry and mempools of the
mapped device before calling dm_table_set_restrictions() which could
fail, forcing dm to drop the new table. Failing here would leave the
device using the old table but with the wrong capacity and mempools.
Move dm_table_set_restrictions() earlier in __bind(). Since it needs the
capacity to be set, save the old version and restore it on failure.
Fixes: bb37d77239af2 ("dm: introduce zone append emulation")
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Tested-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 4767265793de7..2b8fe98c515ed 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2165,21 +2165,29 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
struct queue_limits *limits)
{
struct dm_table *old_map;
- sector_t size;
+ sector_t size, old_size;
int ret;
lockdep_assert_held(&md->suspend_lock);
size = dm_table_get_size(t);
+ old_size = dm_get_size(md);
+ set_capacity(md->disk, size);
+
+ ret = dm_table_set_restrictions(t, md->queue, limits);
+ if (ret) {
+ set_capacity(md->disk, old_size);
+ old_map = ERR_PTR(ret);
+ goto out;
+ }
+
/*
* Wipe any geometry if the size of the table changed.
*/
- if (size != dm_get_size(md))
+ if (size != old_size)
memset(&md->geometry, 0, sizeof(md->geometry));
- set_capacity(md->disk, size);
-
dm_table_event_callback(t, event_callback, md);
if (dm_table_request_based(t)) {
@@ -2212,12 +2220,6 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
t->mempools = NULL;
}
- ret = dm_table_set_restrictions(t, md->queue, limits);
- if (ret) {
- old_map = ERR_PTR(ret);
- goto out;
- }
-
old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
rcu_assign_pointer(md->map, (void *)t);
md->immutable_target_type = dm_table_get_immutable_target_type(t);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 135/508] dm: free table mempools if not used in __bind
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-06-23 13:02 ` [PATCH 6.1 134/508] dm: dont change md if dm_table_set_restrictions() fails Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 136/508] backlight: pm8941: Add NULL check in wled_configure() Greg Kroah-Hartman
` (373 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit e8819e7f03470c5b468720630d9e4e1d5b99159e ]
With request-based dm, the mempools don't need reloading when switching
tables, but the unused table mempools are not freed until the active
table is finally freed. Free them immediately if they are not needed.
Fixes: 29dec90a0f1d9 ("dm: fix bio_set allocation")
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Tested-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 2b8fe98c515ed..cf7520551b63b 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2205,10 +2205,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
* requests in the queue may refer to bio from the old bioset,
* so you must walk through the queue to unprep.
*/
- if (!md->mempools) {
+ if (!md->mempools)
md->mempools = t->mempools;
- t->mempools = NULL;
- }
+ else
+ dm_free_md_mempools(t->mempools);
} else {
/*
* The md may already have mempools that need changing.
@@ -2217,8 +2217,8 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
*/
dm_free_md_mempools(md->mempools);
md->mempools = t->mempools;
- t->mempools = NULL;
}
+ t->mempools = NULL;
old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
rcu_assign_pointer(md->map, (void *)t);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 136/508] backlight: pm8941: Add NULL check in wled_configure()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 135/508] dm: free table mempools if not used in __bind Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 137/508] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret Greg Kroah-Hartman
` (372 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Dmitry Baryshkov,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
wled_configure() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: "Daniel Thompson (RISCstar)" <danielt@kernel.org>
Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/qcom-wled.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
index 527210e857959..434c6c499fdef 100644
--- a/drivers/video/backlight/qcom-wled.c
+++ b/drivers/video/backlight/qcom-wled.c
@@ -1406,9 +1406,11 @@ static int wled_configure(struct wled *wled)
wled->ctrl_addr = be32_to_cpu(*prop_addr);
rc = of_property_read_string(dev->of_node, "label", &wled->name);
- if (rc)
+ if (rc) {
wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node);
-
+ if (!wled->name)
+ return -ENOMEM;
+ }
switch (wled->version) {
case 3:
u32_opts = wled3_opts;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 137/508] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 136/508] backlight: pm8941: Add NULL check in wled_configure() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 138/508] hwmon: (asus-ec-sensors) check sensor index in read_string() Greg Kroah-Hartman
` (371 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Arkhipov, Miquel Raynal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Arkhipov <m.arhipov@rosa.ru>
[ Upstream commit d95846350aac72303036a70c4cdc69ae314aa26d ]
If ctx->steps is zero, the loop processing ECC steps is skipped,
and the variable ret remains uninitialized. It is later checked
and returned, which leads to undefined behavior and may cause
unpredictable results in user space or kernel crashes.
This scenario can be triggered in edge cases such as misconfigured
geometry, ECC engine misuse, or if ctx->steps is not validated
after initialization.
Initialize ret to zero before the loop to ensure correct and safe
behavior regardless of the ctx->steps value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support")
Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/ecc-mxic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/ecc-mxic.c b/drivers/mtd/nand/ecc-mxic.c
index 6b487ffe2f2dc..e8bbe009c04e8 100644
--- a/drivers/mtd/nand/ecc-mxic.c
+++ b/drivers/mtd/nand/ecc-mxic.c
@@ -614,7 +614,7 @@ static int mxic_ecc_finish_io_req_external(struct nand_device *nand,
{
struct mxic_ecc_engine *mxic = nand_to_mxic(nand);
struct mxic_ecc_ctx *ctx = nand_to_ecc_ctx(nand);
- int nents, step, ret;
+ int nents, step, ret = 0;
if (req->mode == MTD_OPS_RAW)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 138/508] hwmon: (asus-ec-sensors) check sensor index in read_string()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 137/508] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 139/508] perf intel-pt: Fix PEBS-via-PT data_src Greg Kroah-Hartman
` (370 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Safin, Guenter Roeck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Safin <a.safin@rosa.ru>
[ Upstream commit 25be318324563c63cbd9cb53186203a08d2f83a1 ]
Prevent a potential invalid memory access when the requested sensor
is not found.
find_ec_sensor_index() may return a negative value (e.g. -ENOENT),
but its result was used without checking, which could lead to
undefined behavior when passed to get_sensor_info().
Add a proper check to return -EINVAL if sensor_index is negative.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC")
Signed-off-by: Alexei Safin <a.safin@rosa.ru>
Link: https://lore.kernel.org/r/20250424202654.5902-1-a.safin@rosa.ru
[groeck: Return error code returned from find_ec_sensor_index]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/asus-ec-sensors.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c
index d893cfd1cb829..6f20b55f41f2e 100644
--- a/drivers/hwmon/asus-ec-sensors.c
+++ b/drivers/hwmon/asus-ec-sensors.c
@@ -839,6 +839,10 @@ static int asus_ec_hwmon_read_string(struct device *dev,
{
struct ec_sensors_data *state = dev_get_drvdata(dev);
int sensor_index = find_ec_sensor_index(state, type, channel);
+
+ if (sensor_index < 0)
+ return sensor_index;
+
*str = get_sensor_info(state, sensor_index)->label;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 139/508] perf intel-pt: Fix PEBS-via-PT data_src
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 138/508] hwmon: (asus-ec-sensors) check sensor index in read_string() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 140/508] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Greg Kroah-Hartman
` (369 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kan Liang, Adrian Hunter,
Alexander Shishkin, Ian Rogers, Jiri Olsa, Namhyung Kim,
Arnaldo Carvalho de Melo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit e00eac6b5b6d956f38d8880c44bf7fd9954063c3 ]
The Fixes commit did not add support for decoding PEBS-via-PT data_src.
Fix by adding support.
PEBS-via-PT is a feature of some E-core processors, starting with
processors based on Tremont microarchitecture. Because the kernel only
supports Intel PT features that are on all processors, there is no support
for PEBS-via-PT on hybrids.
Currently that leaves processors based on Tremont, Gracemont and Crestmont,
however there are no events on Tremont that produce data_src information,
and for Gracemont and Crestmont there are only:
mem-loads event=0xd0,umask=0x5,ldlat=3
mem-stores event=0xd0,umask=0x6
Affected processors include Alder Lake N (Gracemont), Sierra Forest
(Crestmont) and Grand Ridge (Crestmont).
Example:
# perf record -d -e intel_pt/branch=0/ -e mem-loads/aux-output/pp uname
Before:
# perf.before script --itrace=o -Fdata_src
0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
After:
# perf script --itrace=o -Fdata_src
10268100142 |OP LOAD|LVL L1 hit|SNP None|TLB L1 or L2 hit|LCK No|BLK N/A
10450100442 |OP LOAD|LVL L2 hit|SNP None|TLB L2 miss|LCK No|BLK N/A
Fixes: 975846eddf907297 ("perf intel-pt: Add memory information to synthesized PEBS sample")
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20250512093932.79854-2-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/intel-pt.c | 205 ++++++++++++++++++++++++++++++++++++-
1 file changed, 202 insertions(+), 3 deletions(-)
diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
index bd09af447eb0d..018eaddd4e6af 100644
--- a/tools/perf/util/intel-pt.c
+++ b/tools/perf/util/intel-pt.c
@@ -122,6 +122,7 @@ struct intel_pt {
bool single_pebs;
bool sample_pebs;
+ int pebs_data_src_fmt;
struct evsel *pebs_evsel;
u64 evt_sample_type;
@@ -170,6 +171,7 @@ enum switch_state {
struct intel_pt_pebs_event {
struct evsel *evsel;
u64 id;
+ int data_src_fmt;
};
struct intel_pt_queue {
@@ -2176,7 +2178,146 @@ static void intel_pt_add_lbrs(struct branch_stack *br_stack,
}
}
-static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, u64 id)
+#define P(a, b) PERF_MEM_S(a, b)
+#define OP_LH (P(OP, LOAD) | P(LVL, HIT))
+#define LEVEL(x) P(LVLNUM, x)
+#define REM P(REMOTE, REMOTE)
+#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS))
+
+#define PERF_PEBS_DATA_SOURCE_GRT_MAX 0x10
+#define PERF_PEBS_DATA_SOURCE_GRT_MASK (PERF_PEBS_DATA_SOURCE_GRT_MAX - 1)
+
+/* Based on kernel __intel_pmu_pebs_data_source_grt() and pebs_data_source */
+static const u64 pebs_data_source_grt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
+ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
+ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
+ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
+ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP Hit */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP Fwd */
+ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
+ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, HIT), /* RAM hit|SNP Hit */
+ OP_LH | P(LVL, REM_RAM1) | REM | LEVEL(L3) | P(SNOOP, HIT), /* Remote L3 hit|SNP Hit */
+ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | SNOOP_NONE_MISS, /* RAM hit|SNP None or Miss */
+ OP_LH | P(LVL, REM_RAM1) | LEVEL(RAM) | REM | SNOOP_NONE_MISS, /* Remote RAM hit|SNP None or Miss */
+ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
+ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
+};
+
+/* Based on kernel __intel_pmu_pebs_data_source_cmt() and pebs_data_source */
+static const u64 pebs_data_source_cmt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
+ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
+ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
+ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
+ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, MISS), /* L3 hit|SNP Hit */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP Fwd */
+ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
+ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, NONE), /* RAM hit|SNP Hit */
+ OP_LH | LEVEL(RAM) | REM | P(SNOOP, NONE), /* Remote L3 hit|SNP Hit */
+ OP_LH | LEVEL(RAM) | REM | P(SNOOPX, FWD), /* RAM hit|SNP None or Miss */
+ OP_LH | LEVEL(RAM) | REM | P(SNOOP, HITM), /* Remote RAM hit|SNP None or Miss */
+ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
+ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
+};
+
+/* Based on kernel pebs_set_tlb_lock() */
+static inline void pebs_set_tlb_lock(u64 *val, bool tlb, bool lock)
+{
+ /*
+ * TLB access
+ * 0 = did not miss 2nd level TLB
+ * 1 = missed 2nd level TLB
+ */
+ if (tlb)
+ *val |= P(TLB, MISS) | P(TLB, L2);
+ else
+ *val |= P(TLB, HIT) | P(TLB, L1) | P(TLB, L2);
+
+ /* locked prefix */
+ if (lock)
+ *val |= P(LOCK, LOCKED);
+}
+
+/* Based on kernel __grt_latency_data() */
+static u64 intel_pt_grt_latency_data(u8 dse, bool tlb, bool lock, bool blk,
+ const u64 *pebs_data_source)
+{
+ u64 val;
+
+ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK;
+ val = pebs_data_source[dse];
+
+ pebs_set_tlb_lock(&val, tlb, lock);
+
+ if (blk)
+ val |= P(BLK, DATA);
+ else
+ val |= P(BLK, NA);
+
+ return val;
+}
+
+/* Default value for data source */
+#define PERF_MEM_NA (PERF_MEM_S(OP, NA) |\
+ PERF_MEM_S(LVL, NA) |\
+ PERF_MEM_S(SNOOP, NA) |\
+ PERF_MEM_S(LOCK, NA) |\
+ PERF_MEM_S(TLB, NA) |\
+ PERF_MEM_S(LVLNUM, NA))
+
+enum DATA_SRC_FORMAT {
+ DATA_SRC_FORMAT_ERR = -1,
+ DATA_SRC_FORMAT_NA = 0,
+ DATA_SRC_FORMAT_GRT = 1,
+ DATA_SRC_FORMAT_CMT = 2,
+};
+
+/* Based on kernel grt_latency_data() and cmt_latency_data */
+static u64 intel_pt_get_data_src(u64 mem_aux_info, int data_src_fmt)
+{
+ switch (data_src_fmt) {
+ case DATA_SRC_FORMAT_GRT: {
+ union {
+ u64 val;
+ struct {
+ unsigned int dse:4;
+ unsigned int locked:1;
+ unsigned int stlb_miss:1;
+ unsigned int fwd_blk:1;
+ unsigned int reserved:25;
+ };
+ } x = {.val = mem_aux_info};
+ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
+ pebs_data_source_grt);
+ }
+ case DATA_SRC_FORMAT_CMT: {
+ union {
+ u64 val;
+ struct {
+ unsigned int dse:5;
+ unsigned int locked:1;
+ unsigned int stlb_miss:1;
+ unsigned int fwd_blk:1;
+ unsigned int reserved:24;
+ };
+ } x = {.val = mem_aux_info};
+ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
+ pebs_data_source_cmt);
+ }
+ default:
+ return PERF_MEM_NA;
+ }
+}
+
+static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel,
+ u64 id, int data_src_fmt)
{
const struct intel_pt_blk_items *items = &ptq->state->items;
struct perf_sample sample = { .ip = 0, };
@@ -2294,6 +2435,18 @@ static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evse
}
}
+ if (sample_type & PERF_SAMPLE_DATA_SRC) {
+ if (items->has_mem_aux_info && data_src_fmt) {
+ if (data_src_fmt < 0) {
+ pr_err("Intel PT missing data_src info\n");
+ return -1;
+ }
+ sample.data_src = intel_pt_get_data_src(items->mem_aux_info, data_src_fmt);
+ } else {
+ sample.data_src = PERF_MEM_NA;
+ }
+ }
+
if (sample_type & PERF_SAMPLE_TRANSACTION && items->has_tsx_aux_info) {
u64 ax = items->has_rax ? items->rax : 0;
/* Refer kernel's intel_hsw_transaction() */
@@ -2312,9 +2465,10 @@ static int intel_pt_synth_single_pebs_sample(struct intel_pt_queue *ptq)
{
struct intel_pt *pt = ptq->pt;
struct evsel *evsel = pt->pebs_evsel;
+ int data_src_fmt = pt->pebs_data_src_fmt;
u64 id = evsel->core.id[0];
- return intel_pt_do_synth_pebs_sample(ptq, evsel, id);
+ return intel_pt_do_synth_pebs_sample(ptq, evsel, id, data_src_fmt);
}
static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
@@ -2339,7 +2493,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
hw_id);
return intel_pt_synth_single_pebs_sample(ptq);
}
- err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id);
+ err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id, pe->data_src_fmt);
if (err)
return err;
}
@@ -3290,6 +3444,49 @@ static int intel_pt_process_itrace_start(struct intel_pt *pt,
event->itrace_start.tid);
}
+/*
+ * Events with data_src are identified by L1_Hit_Indication
+ * refer https://github.com/intel/perfmon
+ */
+static int intel_pt_data_src_fmt(struct intel_pt *pt, struct evsel *evsel)
+{
+ struct perf_env *env = pt->machine->env;
+ int fmt = DATA_SRC_FORMAT_NA;
+
+ if (!env->cpuid)
+ return DATA_SRC_FORMAT_ERR;
+
+ /*
+ * PEBS-via-PT is only supported on E-core non-hybrid. Of those only
+ * Gracemont and Crestmont have data_src. Check for:
+ * Alderlake N (Gracemont)
+ * Sierra Forest (Crestmont)
+ * Grand Ridge (Crestmont)
+ */
+
+ if (!strncmp(env->cpuid, "GenuineIntel,6,190,", 19))
+ fmt = DATA_SRC_FORMAT_GRT;
+
+ if (!strncmp(env->cpuid, "GenuineIntel,6,175,", 19) ||
+ !strncmp(env->cpuid, "GenuineIntel,6,182,", 19))
+ fmt = DATA_SRC_FORMAT_CMT;
+
+ if (fmt == DATA_SRC_FORMAT_NA)
+ return fmt;
+
+ /*
+ * Only data_src events are:
+ * mem-loads event=0xd0,umask=0x5
+ * mem-stores event=0xd0,umask=0x6
+ */
+ if (evsel->core.attr.type == PERF_TYPE_RAW &&
+ ((evsel->core.attr.config & 0xffff) == 0x5d0 ||
+ (evsel->core.attr.config & 0xffff) == 0x6d0))
+ return fmt;
+
+ return DATA_SRC_FORMAT_NA;
+}
+
static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
union perf_event *event,
struct perf_sample *sample)
@@ -3310,6 +3507,7 @@ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
ptq->pebs[hw_id].evsel = evsel;
ptq->pebs[hw_id].id = sample->id;
+ ptq->pebs[hw_id].data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
return 0;
}
@@ -3855,6 +4053,7 @@ static void intel_pt_setup_pebs_events(struct intel_pt *pt)
}
pt->single_pebs = true;
pt->sample_pebs = true;
+ pt->pebs_data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
pt->pebs_evsel = evsel;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 140/508] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 139/508] perf intel-pt: Fix PEBS-via-PT data_src Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 141/508] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe Greg Kroah-Hartman
` (368 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Alexander Shishkin,
Ian Rogers, Jiri Olsa, Kan Liang, Namhyung Kim, Tony Jones,
Arnaldo Carvalho de Melo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ]
The script allows the user to enter patterns to find symbols.
The pattern matching characters are converted for use in SQL.
For PostgreSQL the conversion involves using the Python maketrans()
method which is slightly different in Python 3 compared with Python 2.
Fix to work in Python 3.
Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Tony Jones <tonyj@suse.de>
Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py
index 13f2d8a816109..99742013676b3 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel):
s = value.replace("%", "\%")
s = s.replace("_", "\_")
# Translate * and ? into SQL LIKE pattern characters % and _
- trans = string.maketrans("*?", "%_")
+ if sys.version_info[0] == 3:
+ trans = str.maketrans("*?", "%_")
+ else:
+ trans = string.maketrans("*?", "%_")
match = " LIKE '" + str(s).translate(trans) + "'"
else:
match = " GLOB '" + str(value) + "'"
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 141/508] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 140/508] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 142/508] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick} Greg Kroah-Hartman
` (367 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ]
The device_del() call matches with the device_add() but we also need
to call put_device() to trigger the qcom_iris_release().
Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_wcnss_iris.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c
index 09720ddddc857..7c7b688eda1d9 100644
--- a/drivers/remoteproc/qcom_wcnss_iris.c
+++ b/drivers/remoteproc/qcom_wcnss_iris.c
@@ -196,6 +196,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
err_device_del:
device_del(&iris->dev);
+ put_device(&iris->dev);
return ERR_PTR(ret);
}
@@ -203,4 +204,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
void qcom_iris_remove(struct qcom_iris *iris)
{
device_del(&iris->dev);
+ put_device(&iris->dev);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 142/508] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick}
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 141/508] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 143/508] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Greg Kroah-Hartman
` (366 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli, Beleswar Padhi,
Judith Mendez, Andrew Davis, Mathieu Poirier, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
[ Upstream commit 9995dbfc2235efabdb3759606d522e1a7ec3bdcb ]
Commit f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during
probe routine") introduced a check in the "k3_r5_rproc_mbox_callback()"
and "k3_r5_rproc_kick()" callbacks, causing them to exit if the remote
core's state is "RPROC_DETACHED". However, the "__rproc_attach()"
function that is responsible for attaching to a remote core, updates
the state of the remote core to "RPROC_ATTACHED" only after invoking
"rproc_start_subdevices()".
The "rproc_start_subdevices()" function triggers the probe of the Virtio
RPMsg devices associated with the remote core, which require that the
"k3_r5_rproc_kick()" and "k3_r5_rproc_mbox_callback()" callbacks are
functional. Hence, drop the check in the callbacks.
Fixes: f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during probe routine")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
Tested-by: Judith Mendez <jm@ti.com>
Reviewed-by: Andrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20250513054510.3439842-2-b-padhi@ti.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
index 580f86de654f2..75f0b8c99e0b1 100644
--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
+++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
@@ -189,10 +189,6 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data)
const char *name = kproc->rproc->name;
u32 msg = omap_mbox_message(data);
- /* Do not forward message from a detached core */
- if (kproc->rproc->state == RPROC_DETACHED)
- return;
-
dev_dbg(dev, "mbox msg: 0x%x\n", msg);
switch (msg) {
@@ -228,10 +224,6 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid)
mbox_msg_t msg = (mbox_msg_t)vqid;
int ret;
- /* Do not forward message to a detached core */
- if (kproc->rproc->state == RPROC_DETACHED)
- return;
-
/* send the index of the triggered virtqueue in the mailbox payload */
ret = mbox_send_message(kproc->mbox, (void *)msg);
if (ret < 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 143/508] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 142/508] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick} Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 144/508] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Greg Kroah-Hartman
` (365 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Bjorn Andersson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ]
The "ret" variable isn't initialized if we don't enter the loop. For
example, if "channel->state" is not SMD_CHANNEL_OPENED.
Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rpmsg/qcom_smd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
index 1044cf03c5422..eb2e66f5ca7b5 100644
--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
__le32 hdr[5] = { cpu_to_le32(len), };
int tlen = sizeof(hdr) + len;
unsigned long flags;
- int ret;
+ int ret = 0;
/* Word aligned channels only accept word size aligned data */
if (channel->info_word && len % 4)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 144/508] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 143/508] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 145/508] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Greg Kroah-Hartman
` (364 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET,
Krzysztof Kozlowski, Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ]
exynos_lpass_disable() is called twice in the remove function. Remove
one of these calls.
Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/exynos-lpass.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c
index 166cd21088cdd..5ee00f86e39c7 100644
--- a/drivers/mfd/exynos-lpass.c
+++ b/drivers/mfd/exynos-lpass.c
@@ -143,7 +143,6 @@ static int exynos_lpass_remove(struct platform_device *pdev)
{
struct exynos_lpass *lpass = platform_get_drvdata(pdev);
- exynos_lpass_disable(lpass);
pm_runtime_disable(&pdev->dev);
if (!pm_runtime_status_suspended(&pdev->dev))
exynos_lpass_disable(lpass);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 145/508] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 144/508] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 146/508] perf tests switch-tracking: Fix timestamp comparison Greg Kroah-Hartman
` (363 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Gladkov, Krzysztof Kozlowski,
Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Gladkov <legion@kernel.org>
[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ]
The name used in the macro does not exist.
drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id'
132 | MODULE_DEVICE_TABLE(spi, stmpe_id);
Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface")
Signed-off-by: Alexey Gladkov <legion@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/stmpe-spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c
index ad8055a0e2869..6791a53689777 100644
--- a/drivers/mfd/stmpe-spi.c
+++ b/drivers/mfd/stmpe-spi.c
@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = {
{ "stmpe2403", STMPE2403 },
{ }
};
-MODULE_DEVICE_TABLE(spi, stmpe_id);
+MODULE_DEVICE_TABLE(spi, stmpe_spi_id);
static struct spi_driver stmpe_spi_driver = {
.driver = {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 146/508] perf tests switch-tracking: Fix timestamp comparison
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 145/508] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 147/508] perf record: Fix incorrect --user-regs comments Greg Kroah-Hartman
` (362 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Leo Yan, Adrian Hunter,
James Clark, Kan Liang, Namhyung Kim, Arnaldo Carvalho de Melo,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ]
The test might fail on the Arm64 platform with the error:
# perf test -vvv "Track with sched_switch"
Missing sched_switch events
#
The issue is caused by incorrect handling of timestamp comparisons. The
comparison result, a signed 64-bit value, was being directly cast to an
int, leading to incorrect sorting for sched events.
The case does not fail everytime, usually I can trigger the failure
after run 20 ~ 30 times:
# while true; do perf test "Track with sched_switch"; done
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : FAILED!
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : FAILED!
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
I used cross compiler to build Perf tool on my host machine and tested on
Debian / Juno board. Generally, I think this issue is not very specific
to GCC versions. As both internal CI and my local env can reproduce the
issue.
My Host Build compiler:
# aarch64-linux-gnu-gcc --version
aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
Juno Board:
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
Fix this by explicitly returning 0, 1, or -1 based on whether the result
is zero, positive, or negative.
Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/switch-tracking.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c
index 87f565c7f650d..db6c61424badf 100644
--- a/tools/perf/tests/switch-tracking.c
+++ b/tools/perf/tests/switch-tracking.c
@@ -257,7 +257,7 @@ static int compar(const void *a, const void *b)
const struct event_node *nodeb = b;
s64 cmp = nodea->event_time - nodeb->event_time;
- return cmp;
+ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0);
}
static int process_events(struct evlist *evlist,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 147/508] perf record: Fix incorrect --user-regs comments
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 146/508] perf tests switch-tracking: Fix timestamp comparison Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 148/508] nfs: clear SB_RDONLY before getting superblock Greg Kroah-Hartman
` (361 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Dapeng Mi, Adrian Hunter,
Alexander Shishkin, Andi Kleen, Ingo Molnar, Kan Liang,
Namhyung Kim, Peter Zijlstra, Arnaldo Carvalho de Melo,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ]
The comment of "--user-regs" option is not correct, fix it.
"on interrupt," -> "in user space,"
Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-record.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
index ee3a5c4b8251e..a257a30a42efd 100644
--- a/tools/perf/builtin-record.c
+++ b/tools/perf/builtin-record.c
@@ -3438,7 +3438,7 @@ static struct option __record_options[] = {
"sample selected machine registers on interrupt,"
" use '-I?' to list register names", parse_intr_regs),
OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register",
- "sample selected machine registers on interrupt,"
+ "sample selected machine registers in user space,"
" use '--user-regs=?' to list register names", parse_user_regs),
OPT_BOOLEAN(0, "running-time", &record.opts.running_time,
"Record running/enabled time of read (:S) events"),
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 148/508] nfs: clear SB_RDONLY before getting superblock
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 147/508] perf record: Fix incorrect --user-regs comments Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 149/508] nfs: ignore SB_RDONLY when remounting nfs Greg Kroah-Hartman
` (360 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Anna Schumaker,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ]
As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when
mounting nfs") removed the check for the ro flag when determining whether
to share the superblock, which caused issues when mounting different
subdirectories under the same export directory via NFSv3. However, this
change did not affect NFSv4.
For NFSv3:
1) A single superblock is created for the initial mount.
2) When mounted read-only, this superblock carries the SB_RDONLY flag.
3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"):
Subsequent rw mounts would not share the existing ro superblock due to
flag mismatch, creating a new superblock without SB_RDONLY.
After the commit:
The SB_RDONLY flag is ignored during superblock comparison, and this leads
to sharing the existing superblock even for rw mounts.
Ultimately results in write operations being rejected at the VFS layer.
For NFSv4:
1) Multiple superblocks are created and the last one will be kept.
2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag.
Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts.
Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not
set to fix it.
Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 3dffeb1d17b9c..a4679cd75f70a 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1273,8 +1273,17 @@ int nfs_get_tree_common(struct fs_context *fc)
if (IS_ERR(server))
return PTR_ERR(server);
+ /*
+ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
+ * superblock among each filesystem that mounts sub-directories
+ * belonging to a single exported root path.
+ * To prevent interference between different filesystems, the
+ * SB_RDONLY flag should be removed from the superblock.
+ */
if (server->flags & NFS_MOUNT_UNSHARED)
compare_super = NULL;
+ else
+ fc->sb_flags &= ~SB_RDONLY;
/* -o noac implies -o sync */
if (server->flags & NFS_MOUNT_NOAC)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 149/508] nfs: ignore SB_RDONLY when remounting nfs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 148/508] nfs: clear SB_RDONLY before getting superblock Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 150/508] rtc: sh: assign correct interrupts with DT Greg Kroah-Hartman
` (359 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Anna Schumaker,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ]
In some scenarios, when mounting NFS, more than one superblock may be
created. The final superblock used is the last one created, but only the
first superblock carries the ro flag passed from user space. If a ro flag
is added to the superblock via remount, it will trigger the issue
described in Link[1].
Link[2] attempted to address this by marking the superblock as ro during
the initial mount. However, this introduced a new problem in scenarios
where multiple mount points share the same superblock:
[root@a ~]# mount /dev/sdb /mnt/sdb
[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports
[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports
[root@a ~]# systemctl restart nfs-server
[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1
[root@a ~]# mount | grep nfs4
127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,...
[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2
[root@a ~]# mount | grep nfs4
127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,...
127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,...
[root@a ~]#
When mounting the second NFS, the shared superblock is marked as ro,
causing the previous NFS mount to become read-only.
To resolve both issues, the ro flag is no longer applied to the superblock
during remount. Instead, the ro flag on the mount is used to control
whether the mount point is read-only.
Fixes: 281cad46b34d ("NFS: Create a submount rpc_op")
Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index a4679cd75f70a..2dca011da034e 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1017,6 +1017,16 @@ int nfs_reconfigure(struct fs_context *fc)
sync_filesystem(sb);
+ /*
+ * The SB_RDONLY flag has been removed from the superblock during
+ * mounts to prevent interference between different filesystems.
+ * Similarly, it is also necessary to ignore the SB_RDONLY flag
+ * during reconfiguration; otherwise, it may also result in the
+ * creation of redundant superblocks when mounting a directory with
+ * different rw and ro flags multiple times.
+ */
+ fc->sb_flags_mask &= ~SB_RDONLY;
+
/*
* Userspace mount programs that send binary options generally send
* them populated with default values. We have no way to know which
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 150/508] rtc: sh: assign correct interrupts with DT
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 149/508] nfs: ignore SB_RDONLY when remounting nfs Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 151/508] PCI: cadence: Fix runtime atomic count underflow Greg Kroah-Hartman
` (358 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Alexandre Belloni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ]
The DT bindings for this driver define the interrupts in the order as
they are numbered in the interrupt controller. The old platform_data,
however, listed them in a different order. So, for DT based platforms,
they are mixed up. Assign them specifically for DT, so we can keep the
bindings stable. After the fix, 'rtctest' passes again on the Renesas
Genmai board (RZ-A1 / R7S72100).
Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-sh.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
index cd146b5741431..341b1b776e1a3 100644
--- a/drivers/rtc/rtc-sh.c
+++ b/drivers/rtc/rtc-sh.c
@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev)
return -ENOENT;
}
- rtc->periodic_irq = ret;
- rtc->carry_irq = platform_get_irq(pdev, 1);
- rtc->alarm_irq = platform_get_irq(pdev, 2);
+ if (!pdev->dev.of_node) {
+ rtc->periodic_irq = ret;
+ rtc->carry_irq = platform_get_irq(pdev, 1);
+ rtc->alarm_irq = platform_get_irq(pdev, 2);
+ } else {
+ rtc->alarm_irq = ret;
+ rtc->periodic_irq = platform_get_irq(pdev, 1);
+ rtc->carry_irq = platform_get_irq(pdev, 2);
+ }
res = platform_get_resource(pdev, IORESOURCE_IO, 0);
if (!res)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 151/508] PCI: cadence: Fix runtime atomic count underflow
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 150/508] rtc: sh: assign correct interrupts with DT Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 152/508] PCI: apple: Use gpiod_set_value_cansleep in probe flow Greg Kroah-Hartman
` (357 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Zhang, Manivannan Sadhasivam,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ]
If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM
runtime count is decremented in the error path using pm_runtime_put_sync().
But the runtime count is not incremented by this driver, but only by the
callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also
decrement the runtime PM count in their error path. So this leads to the
below warning from the PM core:
"runtime PM usage count underflow!"
So fix it by getting rid of pm_runtime_put_sync() in the error path and
directly return the errno.
Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
Signed-off-by: Hans Zhang <18255117159@163.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c
index 5b14f7ee3c798..0a1b11d41a38a 100644
--- a/drivers/pci/controller/cadence/pcie-cadence-host.c
+++ b/drivers/pci/controller/cadence/pcie-cadence-host.c
@@ -558,14 +558,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc)
if (!bridge->ops)
bridge->ops = &cdns_pcie_host_ops;
- ret = pci_host_probe(bridge);
- if (ret < 0)
- goto err_init;
-
- return 0;
-
- err_init:
- pm_runtime_put_sync(dev);
-
- return ret;
+ return pci_host_probe(bridge);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 152/508] PCI: apple: Use gpiod_set_value_cansleep in probe flow
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 151/508] PCI: cadence: Fix runtime atomic count underflow Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 153/508] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug Greg Kroah-Hartman
` (356 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hector Martin, Alyssa Rosenzweig,
Marc Zyngier, Manivannan Sadhasivam, Janne Grunau,
Rob Herring (Arm), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit 7334364f9de79a9a236dd0243ba574b8d2876e89 ]
We're allowed to sleep here, so tell the GPIO core by using
gpiod_set_value_cansleep instead of gpiod_set_value.
Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up")
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Tested-by: Janne Grunau <j@jannau.net>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Link: https://patch.msgid.link/20250401091713.2765724-12-maz@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-apple.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
index 2340dab6cd5bd..487d01f6b4f56 100644
--- a/drivers/pci/controller/pcie-apple.c
+++ b/drivers/pci/controller/pcie-apple.c
@@ -541,7 +541,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
rmw_set(PORT_APPCLK_EN, port->base + PORT_APPCLK);
/* Assert PERST# before setting up the clock */
- gpiod_set_value(reset, 1);
+ gpiod_set_value_cansleep(reset, 1);
ret = apple_pcie_setup_refclk(pcie, port);
if (ret < 0)
@@ -552,7 +552,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
/* Deassert PERST# */
rmw_set(PORT_PERST_OFF, port->base + PORT_PERST);
- gpiod_set_value(reset, 0);
+ gpiod_set_value_cansleep(reset, 0);
/* Wait for 100ms after PERST# deassertion (PCIe r5.0, 6.6.1) */
msleep(100);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 153/508] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 152/508] PCI: apple: Use gpiod_set_value_cansleep in probe flow Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 154/508] dmaengine: ti: Add NULL check in udma_probe() Greg Kroah-Hartman
` (355 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Johan Hovold,
Krzysztof Kozlowski, Johan Hovold, Dmitry Baryshkov, Vinod Koul,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit d14402a38c2d868cacb1facaf9be908ca6558e59 ]
The qmp_usb_iomap() helper function currently returns the raw result of
devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return
a NULL pointer and the caller only checks error pointers with IS_ERR(),
NULL could bypass the check and lead to an invalid dereference.
Fix the issue by checking if devm_ioremap() returns NULL. When it does,
qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),
ensuring safe and consistent error handling.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Fixes: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral")
CC: Johan Hovold <johan@kernel.org>
CC: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250414125050.2118619-1-chenyuan0y@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
index 605591314f256..a85bb0e1cd8c8 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
@@ -2428,12 +2428,16 @@ static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np,
int index, bool exclusive)
{
struct resource res;
+ void __iomem *mem;
if (!exclusive) {
if (of_address_to_resource(np, index, &res))
return IOMEM_ERR_PTR(-EINVAL);
- return devm_ioremap(dev, res.start, resource_size(&res));
+ mem = devm_ioremap(dev, res.start, resource_size(&res));
+ if (!mem)
+ return IOMEM_ERR_PTR(-ENOMEM);
+ return mem;
}
return devm_of_iomap(dev, np, index, NULL);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 154/508] dmaengine: ti: Add NULL check in udma_probe()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 153/508] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 155/508] PCI/DPC: Initialize aer_err_info before using it Greg Kroah-Hartman
` (354 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Nathan Lynch,
Peter Ujfalusi, Vinod Koul, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
udma_probe() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Nathan Lynch <nathan.lynch@amd.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ti/k3-udma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
index edad538928dd7..1d12dc141070a 100644
--- a/drivers/dma/ti/k3-udma.c
+++ b/drivers/dma/ti/k3-udma.c
@@ -5490,7 +5490,8 @@ static int udma_probe(struct platform_device *pdev)
uc->config.dir = DMA_MEM_TO_MEM;
uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d",
dev_name(dev), i);
-
+ if (!uc->name)
+ return -ENOMEM;
vchan_init(&uc->vc, &ud->ddev);
/* Use custom vchan completion handling */
tasklet_setup(&uc->vc.task, udma_vchan_complete);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 155/508] PCI/DPC: Initialize aer_err_info before using it
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 154/508] dmaengine: ti: Add NULL check in udma_probe() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 156/508] usb: renesas_usbhs: Reorder clock handling and power management in probe Greg Kroah-Hartman
` (353 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas,
Krzysztof Wilczyński, Kuppuswamy Sathyanarayanan,
Ilpo Järvinen, Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ]
Previously the struct aer_err_info "info" was allocated on the stack
without being initialized, so it contained junk except for the fields we
explicitly set later.
Initialize "info" at declaration so it starts as all zeros.
Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pcie/dpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
index a5cec2a4e057d..3c3ecb9cf57af 100644
--- a/drivers/pci/pcie/dpc.c
+++ b/drivers/pci/pcie/dpc.c
@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev,
void dpc_process_error(struct pci_dev *pdev)
{
u16 cap = pdev->dpc_cap, status, source, reason, ext_reason;
- struct aer_err_info info;
+ struct aer_err_info info = {};
pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status);
pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 156/508] usb: renesas_usbhs: Reorder clock handling and power management in probe
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 155/508] PCI/DPC: Initialize aer_err_info before using it Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 157/508] serial: Fix potential null-ptr-deref in mlb_usio_probe() Greg Kroah-Hartman
` (352 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Yoshihiro Shimoda,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ]
Reorder the initialization sequence in `usbhs_probe()` to enable runtime
PM before accessing registers, preventing potential crashes due to
uninitialized clocks.
Currently, in the probe path, registers are accessed before enabling the
clocks, leading to a synchronous external abort on the RZ/V2H SoC.
The problematic call flow is as follows:
usbhs_probe()
usbhs_sys_clock_ctrl()
usbhs_bset()
usbhs_write()
iowrite16() <-- Register access before enabling clocks
Since `iowrite16()` is performed without ensuring the required clocks are
enabled, this can lead to access errors. To fix this, enable PM runtime
early in the probe function and ensure clocks are acquired before register
access, preventing crashes like the following on RZ/V2H:
[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6
[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98
[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)
[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]
[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]
[13.321138] sp : ffff8000827e3850
[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0
[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025
[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010
[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff
[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce
[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000
[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750
[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c
[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000
[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080
[13.395574] Call trace:
[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)
[13.403076] platform_probe+0x68/0xdc
[13.406738] really_probe+0xbc/0x2c0
[13.410306] __driver_probe_device+0x78/0x120
[13.414653] driver_probe_device+0x3c/0x154
[13.418825] __driver_attach+0x90/0x1a0
[13.422647] bus_for_each_dev+0x7c/0xe0
[13.426470] driver_attach+0x24/0x30
[13.430032] bus_add_driver+0xe4/0x208
[13.433766] driver_register+0x68/0x130
[13.437587] __platform_driver_register+0x24/0x30
[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]
[13.448450] do_one_initcall+0x60/0x1d4
[13.452276] do_init_module+0x54/0x1f8
[13.456014] load_module+0x1754/0x1c98
[13.459750] init_module_from_file+0x88/0xcc
[13.464004] __arm64_sys_finit_module+0x1c4/0x328
[13.468689] invoke_syscall+0x48/0x104
[13.472426] el0_svc_common.constprop.0+0xc0/0xe0
[13.477113] do_el0_svc+0x1c/0x28
[13.480415] el0_svc+0x30/0xcc
[13.483460] el0t_64_sync_handler+0x10c/0x138
[13.487800] el0t_64_sync+0x198/0x19c
[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)
[13.497522] ---[ end trace 0000000000000000 ]---
Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++-------
1 file changed, 38 insertions(+), 12 deletions(-)
diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
index 9af61f17dfc75..6343ef4e184b5 100644
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -674,10 +674,29 @@ static int usbhs_probe(struct platform_device *pdev)
INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug);
spin_lock_init(usbhs_priv_to_lock(priv));
+ /*
+ * Acquire clocks and enable power management (PM) early in the
+ * probe process, as the driver accesses registers during
+ * initialization. Ensure the device is active before proceeding.
+ */
+ pm_runtime_enable(dev);
+
+ ret = usbhsc_clk_get(dev, priv);
+ if (ret)
+ goto probe_pm_disable;
+
+ ret = pm_runtime_resume_and_get(dev);
+ if (ret)
+ goto probe_clk_put;
+
+ ret = usbhsc_clk_prepare_enable(priv);
+ if (ret)
+ goto probe_pm_put;
+
/* call pipe and module init */
ret = usbhs_pipe_probe(priv);
if (ret < 0)
- return ret;
+ goto probe_clk_dis_unprepare;
ret = usbhs_fifo_probe(priv);
if (ret < 0)
@@ -694,10 +713,6 @@ static int usbhs_probe(struct platform_device *pdev)
if (ret)
goto probe_fail_rst;
- ret = usbhsc_clk_get(dev, priv);
- if (ret)
- goto probe_fail_clks;
-
/*
* deviece reset here because
* USB device might be used in boot loader.
@@ -710,7 +725,7 @@ static int usbhs_probe(struct platform_device *pdev)
if (ret) {
dev_warn(dev, "USB function not selected (GPIO)\n");
ret = -ENOTSUPP;
- goto probe_end_mod_exit;
+ goto probe_assert_rest;
}
}
@@ -724,14 +739,19 @@ static int usbhs_probe(struct platform_device *pdev)
ret = usbhs_platform_call(priv, hardware_init, pdev);
if (ret < 0) {
dev_err(dev, "platform init failed.\n");
- goto probe_end_mod_exit;
+ goto probe_assert_rest;
}
/* reset phy for connection */
usbhs_platform_call(priv, phy_reset, pdev);
- /* power control */
- pm_runtime_enable(dev);
+ /*
+ * Disable the clocks that were enabled earlier in the probe path,
+ * and let the driver handle the clocks beyond this point.
+ */
+ usbhsc_clk_disable_unprepare(priv);
+ pm_runtime_put(dev);
+
if (!usbhs_get_dparam(priv, runtime_pwctrl)) {
usbhsc_power_ctrl(priv, 1);
usbhs_mod_autonomy_mode(priv);
@@ -748,9 +768,7 @@ static int usbhs_probe(struct platform_device *pdev)
return ret;
-probe_end_mod_exit:
- usbhsc_clk_put(priv);
-probe_fail_clks:
+probe_assert_rest:
reset_control_assert(priv->rsts);
probe_fail_rst:
usbhs_mod_remove(priv);
@@ -758,6 +776,14 @@ static int usbhs_probe(struct platform_device *pdev)
usbhs_fifo_remove(priv);
probe_end_pipe_exit:
usbhs_pipe_remove(priv);
+probe_clk_dis_unprepare:
+ usbhsc_clk_disable_unprepare(priv);
+probe_pm_put:
+ pm_runtime_put(dev);
+probe_clk_put:
+ usbhsc_clk_put(priv);
+probe_pm_disable:
+ pm_runtime_disable(dev);
dev_info(dev, "probe failed (%d)\n", ret);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 157/508] serial: Fix potential null-ptr-deref in mlb_usio_probe()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 156/508] usb: renesas_usbhs: Reorder clock handling and power management in probe Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 158/508] iio: filter: admv8818: fix band 4, state 15 Greg Kroah-Hartman
` (351 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henry Martin, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ]
devm_ioremap() can return NULL on error. Currently, mlb_usio_probe()
does not check for this case, which could result in a NULL pointer
dereference.
Add NULL check after devm_ioremap() to prevent this issue.
Fixes: ba44dc043004 ("serial: Add Milbeaut serial control")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/milbeaut_usio.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c
index c15e0d84dc7e3..c604c21e7fa33 100644
--- a/drivers/tty/serial/milbeaut_usio.c
+++ b/drivers/tty/serial/milbeaut_usio.c
@@ -524,7 +524,10 @@ static int mlb_usio_probe(struct platform_device *pdev)
}
port->membase = devm_ioremap(&pdev->dev, res->start,
resource_size(res));
-
+ if (!port->membase) {
+ ret = -ENOMEM;
+ goto failed;
+ }
ret = platform_get_irq_byname(pdev, "rx");
mlb_usio_irq[index][RX] = ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 158/508] iio: filter: admv8818: fix band 4, state 15
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 157/508] serial: Fix potential null-ptr-deref in mlb_usio_probe() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 159/508] iio: filter: admv8818: fix integer overflow Greg Kroah-Hartman
` (350 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Winchenbach, Jonathan Cameron,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Winchenbach <swinchenbach@arka.org>
[ Upstream commit ef0ce24f590ac075d5eda11f2d6434b303333ed6 ]
Corrects the upper range of LPF Band 4 from 18.5 GHz to 18.85 GHz per
the ADMV8818 datasheet
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-3-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index c7f5911f9040d..a50a8ea2f8dda 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -102,7 +102,7 @@ static const unsigned long long freq_range_lpf[4][2] = {
{2050000000ULL, 3850000000ULL},
{3350000000ULL, 7250000000ULL},
{7000000000, 13000000000},
- {12550000000, 18500000000}
+ {12550000000, 18850000000}
};
static const struct regmap_config admv8818_regmap_config = {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 159/508] iio: filter: admv8818: fix integer overflow
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 158/508] iio: filter: admv8818: fix band 4, state 15 Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 160/508] iio: filter: admv8818: fix range calculation Greg Kroah-Hartman
` (349 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Winchenbach, Jonathan Cameron,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Winchenbach <swinchenbach@arka.org>
[ Upstream commit fb6009a28d77edec4eb548b5875dae8c79b88467 ]
HZ_PER_MHZ is only unsigned long. This math overflows, leading to
incorrect results.
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-4-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index a50a8ea2f8dda..831427aa89d83 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -152,7 +152,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
}
/* Close HPF frequency gap between 12 and 12.5 GHz */
- if (freq >= 12000 * HZ_PER_MHZ && freq <= 12500 * HZ_PER_MHZ) {
+ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
hpf_band = 3;
hpf_step = 15;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 160/508] iio: filter: admv8818: fix range calculation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 159/508] iio: filter: admv8818: fix integer overflow Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 161/508] iio: filter: admv8818: Support frequencies >= 2^32 Greg Kroah-Hartman
` (348 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Winchenbach, Jonathan Cameron,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Winchenbach <swinchenbach@arka.org>
[ Upstream commit d542db7095d322bfcdc8e306db6f8c48358c9619 ]
Search for the minimum error while ensuring that the LPF corner
frequency is greater than the target, and the HPF corner frequency
is lower than the target
This fixes issues where the range calculations were suboptimal.
Add two new DTS properties to set the margin between the input frequency
and the calculated corner frequency
Below is a generated table of the differences between the old algorithm
and the new. This is a sweep from 0 to 20 GHz in 10 MHz steps.
=== HPF ===
freq = 1750 MHz, 3db: bypass => 1750 MHz
freq = 3400 MHz, 3db: 3310 => 3400 MHz
freq = 3410 MHz, 3db: 3310 => 3400 MHz
freq = 3420 MHz, 3db: 3310 => 3400 MHz
freq = 3660 MHz, 3db: 3550 => 3656 MHz
freq = 6600 MHz, 3db: 6479 => 6600 MHz
freq = 6610 MHz, 3db: 6479 => 6600 MHz
freq = 6620 MHz, 3db: 6479 => 6600 MHz
freq = 6630 MHz, 3db: 6479 => 6600 MHz
freq = 6640 MHz, 3db: 6479 => 6600 MHz
freq = 6650 MHz, 3db: 6479 => 6600 MHz
freq = 6660 MHz, 3db: 6479 => 6600 MHz
freq = 6670 MHz, 3db: 6479 => 6600 MHz
freq = 6680 MHz, 3db: 6479 => 6600 MHz
freq = 6690 MHz, 3db: 6479 => 6600 MHz
freq = 6700 MHz, 3db: 6479 => 6600 MHz
freq = 6710 MHz, 3db: 6479 => 6600 MHz
freq = 6720 MHz, 3db: 6479 => 6600 MHz
freq = 6730 MHz, 3db: 6479 => 6600 MHz
freq = 6960 MHz, 3db: 6736 => 6960 MHz
freq = 6970 MHz, 3db: 6736 => 6960 MHz
freq = 6980 MHz, 3db: 6736 => 6960 MHz
freq = 6990 MHz, 3db: 6736 => 6960 MHz
freq = 7320 MHz, 3db: 7249 => 7320 MHz
freq = 7330 MHz, 3db: 7249 => 7320 MHz
freq = 7340 MHz, 3db: 7249 => 7320 MHz
freq = 7350 MHz, 3db: 7249 => 7320 MHz
freq = 7360 MHz, 3db: 7249 => 7320 MHz
freq = 7370 MHz, 3db: 7249 => 7320 MHz
freq = 7380 MHz, 3db: 7249 => 7320 MHz
freq = 7390 MHz, 3db: 7249 => 7320 MHz
freq = 7400 MHz, 3db: 7249 => 7320 MHz
freq = 7410 MHz, 3db: 7249 => 7320 MHz
freq = 7420 MHz, 3db: 7249 => 7320 MHz
freq = 7430 MHz, 3db: 7249 => 7320 MHz
freq = 7440 MHz, 3db: 7249 => 7320 MHz
freq = 7450 MHz, 3db: 7249 => 7320 MHz
freq = 7460 MHz, 3db: 7249 => 7320 MHz
freq = 7470 MHz, 3db: 7249 => 7320 MHz
freq = 7480 MHz, 3db: 7249 => 7320 MHz
freq = 7490 MHz, 3db: 7249 => 7320 MHz
freq = 7500 MHz, 3db: 7249 => 7320 MHz
freq = 12500 MHz, 3db: 12000 => 12500 MHz
=== LPF ===
freq = 2050 MHz, 3db: bypass => 2050 MHz
freq = 2170 MHz, 3db: 2290 => 2170 MHz
freq = 2290 MHz, 3db: 2410 => 2290 MHz
freq = 2410 MHz, 3db: 2530 => 2410 MHz
freq = 2530 MHz, 3db: 2650 => 2530 MHz
freq = 2650 MHz, 3db: 2770 => 2650 MHz
freq = 2770 MHz, 3db: 2890 => 2770 MHz
freq = 2890 MHz, 3db: 3010 => 2890 MHz
freq = 3010 MHz, 3db: 3130 => 3010 MHz
freq = 3130 MHz, 3db: 3250 => 3130 MHz
freq = 3250 MHz, 3db: 3370 => 3250 MHz
freq = 3260 MHz, 3db: 3370 => 3350 MHz
freq = 3270 MHz, 3db: 3370 => 3350 MHz
freq = 3280 MHz, 3db: 3370 => 3350 MHz
freq = 3290 MHz, 3db: 3370 => 3350 MHz
freq = 3300 MHz, 3db: 3370 => 3350 MHz
freq = 3310 MHz, 3db: 3370 => 3350 MHz
freq = 3320 MHz, 3db: 3370 => 3350 MHz
freq = 3330 MHz, 3db: 3370 => 3350 MHz
freq = 3340 MHz, 3db: 3370 => 3350 MHz
freq = 3350 MHz, 3db: 3370 => 3350 MHz
freq = 3370 MHz, 3db: 3490 => 3370 MHz
freq = 3490 MHz, 3db: 3610 => 3490 MHz
freq = 3610 MHz, 3db: 3730 => 3610 MHz
freq = 3730 MHz, 3db: 3850 => 3730 MHz
freq = 3850 MHz, 3db: 3870 => 3850 MHz
freq = 3870 MHz, 3db: 4130 => 3870 MHz
freq = 4130 MHz, 3db: 4390 => 4130 MHz
freq = 4390 MHz, 3db: 4650 => 4390 MHz
freq = 4650 MHz, 3db: 4910 => 4650 MHz
freq = 4910 MHz, 3db: 5170 => 4910 MHz
freq = 5170 MHz, 3db: 5430 => 5170 MHz
freq = 5430 MHz, 3db: 5690 => 5430 MHz
freq = 5690 MHz, 3db: 5950 => 5690 MHz
freq = 5950 MHz, 3db: 6210 => 5950 MHz
freq = 6210 MHz, 3db: 6470 => 6210 MHz
freq = 6470 MHz, 3db: 6730 => 6470 MHz
freq = 6730 MHz, 3db: 6990 => 6730 MHz
freq = 6990 MHz, 3db: 7250 => 6990 MHz
freq = 7000 MHz, 3db: 7250 => 7000 MHz
freq = 7250 MHz, 3db: 7400 => 7250 MHz
freq = 7400 MHz, 3db: 7800 => 7400 MHz
freq = 7800 MHz, 3db: 8200 => 7800 MHz
freq = 8200 MHz, 3db: 8600 => 8200 MHz
freq = 8600 MHz, 3db: 9000 => 8600 MHz
freq = 9000 MHz, 3db: 9400 => 9000 MHz
freq = 9400 MHz, 3db: 9800 => 9400 MHz
freq = 9800 MHz, 3db: 10200 => 9800 MHz
freq = 10200 MHz, 3db: 10600 => 10200 MHz
freq = 10600 MHz, 3db: 11000 => 10600 MHz
freq = 11000 MHz, 3db: 11400 => 11000 MHz
freq = 11400 MHz, 3db: 11800 => 11400 MHz
freq = 11800 MHz, 3db: 12200 => 11800 MHz
freq = 12200 MHz, 3db: 12600 => 12200 MHz
freq = 12210 MHz, 3db: 12600 => 12550 MHz
freq = 12220 MHz, 3db: 12600 => 12550 MHz
freq = 12230 MHz, 3db: 12600 => 12550 MHz
freq = 12240 MHz, 3db: 12600 => 12550 MHz
freq = 12250 MHz, 3db: 12600 => 12550 MHz
freq = 12260 MHz, 3db: 12600 => 12550 MHz
freq = 12270 MHz, 3db: 12600 => 12550 MHz
freq = 12280 MHz, 3db: 12600 => 12550 MHz
freq = 12290 MHz, 3db: 12600 => 12550 MHz
freq = 12300 MHz, 3db: 12600 => 12550 MHz
freq = 12310 MHz, 3db: 12600 => 12550 MHz
freq = 12320 MHz, 3db: 12600 => 12550 MHz
freq = 12330 MHz, 3db: 12600 => 12550 MHz
freq = 12340 MHz, 3db: 12600 => 12550 MHz
freq = 12350 MHz, 3db: 12600 => 12550 MHz
freq = 12360 MHz, 3db: 12600 => 12550 MHz
freq = 12370 MHz, 3db: 12600 => 12550 MHz
freq = 12380 MHz, 3db: 12600 => 12550 MHz
freq = 12390 MHz, 3db: 12600 => 12550 MHz
freq = 12400 MHz, 3db: 12600 => 12550 MHz
freq = 12410 MHz, 3db: 12600 => 12550 MHz
freq = 12420 MHz, 3db: 12600 => 12550 MHz
freq = 12430 MHz, 3db: 12600 => 12550 MHz
freq = 12440 MHz, 3db: 12600 => 12550 MHz
freq = 12450 MHz, 3db: 12600 => 12550 MHz
freq = 12460 MHz, 3db: 12600 => 12550 MHz
freq = 12470 MHz, 3db: 12600 => 12550 MHz
freq = 12480 MHz, 3db: 12600 => 12550 MHz
freq = 12490 MHz, 3db: 12600 => 12550 MHz
freq = 12500 MHz, 3db: 12600 => 12550 MHz
freq = 12510 MHz, 3db: 12600 => 12550 MHz
freq = 12520 MHz, 3db: 12600 => 12550 MHz
freq = 12530 MHz, 3db: 12600 => 12550 MHz
freq = 12540 MHz, 3db: 12600 => 12550 MHz
freq = 12550 MHz, 3db: 12600 => 12550 MHz
freq = 12600 MHz, 3db: 13000 => 12600 MHz
freq = 12610 MHz, 3db: 13000 => 12970 MHz
freq = 12620 MHz, 3db: 13000 => 12970 MHz
freq = 12630 MHz, 3db: 13000 => 12970 MHz
freq = 12640 MHz, 3db: 13000 => 12970 MHz
freq = 12650 MHz, 3db: 13000 => 12970 MHz
freq = 12660 MHz, 3db: 13000 => 12970 MHz
freq = 12670 MHz, 3db: 13000 => 12970 MHz
freq = 12680 MHz, 3db: 13000 => 12970 MHz
freq = 12690 MHz, 3db: 13000 => 12970 MHz
freq = 12700 MHz, 3db: 13000 => 12970 MHz
freq = 12710 MHz, 3db: 13000 => 12970 MHz
freq = 12720 MHz, 3db: 13000 => 12970 MHz
freq = 12730 MHz, 3db: 13000 => 12970 MHz
freq = 12740 MHz, 3db: 13000 => 12970 MHz
freq = 12750 MHz, 3db: 13000 => 12970 MHz
freq = 12760 MHz, 3db: 13000 => 12970 MHz
freq = 12770 MHz, 3db: 13000 => 12970 MHz
freq = 12780 MHz, 3db: 13000 => 12970 MHz
freq = 12790 MHz, 3db: 13000 => 12970 MHz
freq = 12800 MHz, 3db: 13000 => 12970 MHz
freq = 12810 MHz, 3db: 13000 => 12970 MHz
freq = 12820 MHz, 3db: 13000 => 12970 MHz
freq = 12830 MHz, 3db: 13000 => 12970 MHz
freq = 12840 MHz, 3db: 13000 => 12970 MHz
freq = 12850 MHz, 3db: 13000 => 12970 MHz
freq = 12860 MHz, 3db: 13000 => 12970 MHz
freq = 12870 MHz, 3db: 13000 => 12970 MHz
freq = 12880 MHz, 3db: 13000 => 12970 MHz
freq = 12890 MHz, 3db: 13000 => 12970 MHz
freq = 12900 MHz, 3db: 13000 => 12970 MHz
freq = 12910 MHz, 3db: 13000 => 12970 MHz
freq = 12920 MHz, 3db: 13000 => 12970 MHz
freq = 12930 MHz, 3db: 13000 => 12970 MHz
freq = 12940 MHz, 3db: 13000 => 12970 MHz
freq = 12950 MHz, 3db: 13000 => 12970 MHz
freq = 12960 MHz, 3db: 13000 => 12970 MHz
freq = 12970 MHz, 3db: 13000 => 12970 MHz
freq = 13000 MHz, 3db: 13390 => 13000 MHz
freq = 13390 MHz, 3db: 13810 => 13390 MHz
freq = 13810 MHz, 3db: 14230 => 13810 MHz
freq = 14230 MHz, 3db: 14650 => 14230 MHz
freq = 14650 MHz, 3db: 15070 => 14650 MHz
freq = 15070 MHz, 3db: 15490 => 15070 MHz
freq = 15490 MHz, 3db: 15910 => 15490 MHz
freq = 15910 MHz, 3db: 16330 => 15910 MHz
freq = 16330 MHz, 3db: 16750 => 16330 MHz
freq = 16750 MHz, 3db: 17170 => 16750 MHz
freq = 17170 MHz, 3db: 17590 => 17170 MHz
freq = 17590 MHz, 3db: 18010 => 17590 MHz
freq = 18010 MHz, 3db: 18430 => 18010 MHz
freq = 18430 MHz, 3db: 18850 => 18430 MHz
freq = 18850 MHz, 3db: bypass => 18850 MHz
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-5-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 205 +++++++++++++++++++++++++---------
1 file changed, 152 insertions(+), 53 deletions(-)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index 831427aa89d83..2dfa92e052af8 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -14,6 +14,7 @@
#include <linux/mod_devicetable.h>
#include <linux/mutex.h>
#include <linux/notifier.h>
+#include <linux/property.h>
#include <linux/regmap.h>
#include <linux/spi/spi.h>
#include <linux/units.h>
@@ -70,6 +71,16 @@
#define ADMV8818_HPF_WR0_MSK GENMASK(7, 4)
#define ADMV8818_LPF_WR0_MSK GENMASK(3, 0)
+#define ADMV8818_BAND_BYPASS 0
+#define ADMV8818_BAND_MIN 1
+#define ADMV8818_BAND_MAX 4
+#define ADMV8818_BAND_CORNER_LOW 0
+#define ADMV8818_BAND_CORNER_HIGH 1
+
+#define ADMV8818_STATE_MIN 0
+#define ADMV8818_STATE_MAX 15
+#define ADMV8818_NUM_STATES 16
+
enum {
ADMV8818_BW_FREQ,
ADMV8818_CENTER_FREQ
@@ -89,16 +100,20 @@ struct admv8818_state {
struct mutex lock;
unsigned int filter_mode;
u64 cf_hz;
+ u64 lpf_margin_hz;
+ u64 hpf_margin_hz;
};
-static const unsigned long long freq_range_hpf[4][2] = {
+static const unsigned long long freq_range_hpf[5][2] = {
+ {0ULL, 0ULL}, /* bypass */
{1750000000ULL, 3550000000ULL},
{3400000000ULL, 7250000000ULL},
{6600000000, 12000000000},
{12500000000, 19900000000}
};
-static const unsigned long long freq_range_lpf[4][2] = {
+static const unsigned long long freq_range_lpf[5][2] = {
+ {U64_MAX, U64_MAX}, /* bypass */
{2050000000ULL, 3850000000ULL},
{3350000000ULL, 7250000000ULL},
{7000000000, 13000000000},
@@ -119,44 +134,59 @@ static const char * const admv8818_modes[] = {
static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
{
- unsigned int hpf_step = 0, hpf_band = 0, i, j;
- u64 freq_step;
- int ret;
+ int band, state, ret;
+ unsigned int hpf_state = ADMV8818_STATE_MIN, hpf_band = ADMV8818_BAND_BYPASS;
+ u64 freq_error, min_freq_error, freq_corner, freq_step;
- if (freq < freq_range_hpf[0][0])
+ if (freq < freq_range_hpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW])
goto hpf_write;
- if (freq > freq_range_hpf[3][1]) {
- hpf_step = 15;
- hpf_band = 4;
-
+ if (freq >= freq_range_hpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) {
+ hpf_state = ADMV8818_STATE_MAX;
+ hpf_band = ADMV8818_BAND_MAX;
goto hpf_write;
}
- for (i = 0; i < 4; i++) {
- freq_step = div_u64((freq_range_hpf[i][1] -
- freq_range_hpf[i][0]), 15);
+ /* Close HPF frequency gap between 12 and 12.5 GHz */
+ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
+ hpf_state = ADMV8818_STATE_MAX;
+ hpf_band = 3;
+ goto hpf_write;
+ }
- if (freq > freq_range_hpf[i][0] &&
- (freq < freq_range_hpf[i][1] + freq_step)) {
- hpf_band = i + 1;
+ min_freq_error = U64_MAX;
+ for (band = ADMV8818_BAND_MIN; band <= ADMV8818_BAND_MAX; band++) {
+ /*
+ * This (and therefore all other ranges) have a corner
+ * frequency higher than the target frequency.
+ */
+ if (freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] > freq)
+ break;
- for (j = 1; j <= 16; j++) {
- if (freq < (freq_range_hpf[i][0] + (freq_step * j))) {
- hpf_step = j - 1;
- break;
- }
+ freq_step = freq_range_hpf[band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW];
+ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
+
+ for (state = ADMV8818_STATE_MIN; state <= ADMV8818_STATE_MAX; state++) {
+ freq_corner = freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] +
+ freq_step * state;
+
+ /*
+ * This (and therefore all other states) have a corner
+ * frequency higher than the target frequency.
+ */
+ if (freq_corner > freq)
+ break;
+
+ freq_error = freq - freq_corner;
+ if (freq_error < min_freq_error) {
+ min_freq_error = freq_error;
+ hpf_state = state;
+ hpf_band = band;
}
- break;
}
}
- /* Close HPF frequency gap between 12 and 12.5 GHz */
- if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
- hpf_band = 3;
- hpf_step = 15;
- }
-
hpf_write:
ret = regmap_update_bits(st->regmap, ADMV8818_REG_WR0_SW,
ADMV8818_SW_IN_SET_WR0_MSK |
@@ -168,7 +198,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
ADMV8818_HPF_WR0_MSK,
- FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_step));
+ FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_state));
}
static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
@@ -184,31 +214,52 @@ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
{
- unsigned int lpf_step = 0, lpf_band = 0, i, j;
- u64 freq_step;
- int ret;
+ int band, state, ret;
+ unsigned int lpf_state = ADMV8818_STATE_MIN, lpf_band = ADMV8818_BAND_BYPASS;
+ u64 freq_error, min_freq_error, freq_corner, freq_step;
- if (freq > freq_range_lpf[3][1])
+ if (freq > freq_range_lpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH])
goto lpf_write;
- if (freq < freq_range_lpf[0][0]) {
- lpf_band = 1;
-
+ if (freq < freq_range_lpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) {
+ lpf_state = ADMV8818_STATE_MIN;
+ lpf_band = ADMV8818_BAND_MIN;
goto lpf_write;
}
- for (i = 0; i < 4; i++) {
- if (freq > freq_range_lpf[i][0] && freq < freq_range_lpf[i][1]) {
- lpf_band = i + 1;
- freq_step = div_u64((freq_range_lpf[i][1] - freq_range_lpf[i][0]), 15);
+ min_freq_error = U64_MAX;
+ for (band = ADMV8818_BAND_MAX; band >= ADMV8818_BAND_MIN; --band) {
+ /*
+ * At this point the highest corner frequency of
+ * all remaining ranges is below the target.
+ * LPF corner should be >= the target.
+ */
+ if (freq > freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH])
+ break;
+
+ freq_step = freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW];
+ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
+
+ for (state = ADMV8818_STATE_MAX; state >= ADMV8818_STATE_MIN; --state) {
- for (j = 0; j <= 15; j++) {
- if (freq < (freq_range_lpf[i][0] + (freq_step * j))) {
- lpf_step = j;
- break;
- }
+ freq_corner = freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW] +
+ state * freq_step;
+
+ /*
+ * At this point all other states in range will
+ * place the corner frequency below the target
+ * LPF corner should >= the target.
+ */
+ if (freq > freq_corner)
+ break;
+
+ freq_error = freq_corner - freq;
+ if (freq_error < min_freq_error) {
+ min_freq_error = freq_error;
+ lpf_state = state;
+ lpf_band = band;
}
- break;
}
}
@@ -223,7 +274,7 @@ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
ADMV8818_LPF_WR0_MSK,
- FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_step));
+ FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_state));
}
static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
@@ -240,16 +291,28 @@ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
static int admv8818_rfin_band_select(struct admv8818_state *st)
{
int ret;
+ u64 hpf_corner_target, lpf_corner_target;
st->cf_hz = clk_get_rate(st->clkin);
+ /* Check for underflow */
+ if (st->cf_hz > st->hpf_margin_hz)
+ hpf_corner_target = st->cf_hz - st->hpf_margin_hz;
+ else
+ hpf_corner_target = 0;
+
+ /* Check for overflow */
+ lpf_corner_target = st->cf_hz + st->lpf_margin_hz;
+ if (lpf_corner_target < st->cf_hz)
+ lpf_corner_target = U64_MAX;
+
mutex_lock(&st->lock);
- ret = __admv8818_hpf_select(st, st->cf_hz);
+ ret = __admv8818_hpf_select(st, hpf_corner_target);
if (ret)
goto exit;
- ret = __admv8818_lpf_select(st, st->cf_hz);
+ ret = __admv8818_lpf_select(st, lpf_corner_target);
exit:
mutex_unlock(&st->lock);
return ret;
@@ -276,8 +339,11 @@ static int __admv8818_read_hpf_freq(struct admv8818_state *st, u64 *hpf_freq)
hpf_state = FIELD_GET(ADMV8818_HPF_WR0_MSK, data);
- *hpf_freq = div_u64(freq_range_hpf[hpf_band - 1][1] - freq_range_hpf[hpf_band - 1][0], 15);
- *hpf_freq = freq_range_hpf[hpf_band - 1][0] + (*hpf_freq * hpf_state);
+ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW];
+ *hpf_freq = div_u64(*hpf_freq, ADMV8818_NUM_STATES - 1);
+ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW] +
+ (*hpf_freq * hpf_state);
return ret;
}
@@ -314,8 +380,11 @@ static int __admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
lpf_state = FIELD_GET(ADMV8818_LPF_WR0_MSK, data);
- *lpf_freq = div_u64(freq_range_lpf[lpf_band - 1][1] - freq_range_lpf[lpf_band - 1][0], 15);
- *lpf_freq = freq_range_lpf[lpf_band - 1][0] + (*lpf_freq * lpf_state);
+ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW];
+ *lpf_freq = div_u64(*lpf_freq, ADMV8818_NUM_STATES - 1);
+ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW] +
+ (*lpf_freq * lpf_state);
return ret;
}
@@ -594,6 +663,32 @@ static int admv8818_clk_setup(struct admv8818_state *st)
return devm_add_action_or_reset(&spi->dev, admv8818_clk_notifier_unreg, st);
}
+static int admv8818_read_properties(struct admv8818_state *st)
+{
+ struct spi_device *spi = st->spi;
+ u32 mhz;
+ int ret;
+
+ ret = device_property_read_u32(&spi->dev, "adi,lpf-margin-mhz", &mhz);
+ if (ret == 0)
+ st->lpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
+ else if (ret == -EINVAL)
+ st->lpf_margin_hz = 0;
+ else
+ return ret;
+
+
+ ret = device_property_read_u32(&spi->dev, "adi,hpf-margin-mhz", &mhz);
+ if (ret == 0)
+ st->hpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
+ else if (ret == -EINVAL)
+ st->hpf_margin_hz = 0;
+ else if (ret < 0)
+ return ret;
+
+ return 0;
+}
+
static int admv8818_probe(struct spi_device *spi)
{
struct iio_dev *indio_dev;
@@ -625,6 +720,10 @@ static int admv8818_probe(struct spi_device *spi)
mutex_init(&st->lock);
+ ret = admv8818_read_properties(st);
+ if (ret)
+ return ret;
+
ret = admv8818_init(st);
if (ret)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 161/508] iio: filter: admv8818: Support frequencies >= 2^32
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 160/508] iio: filter: admv8818: fix range calculation Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 162/508] iio: adc: ad7124: Fix 3dB filter frequency reading Greg Kroah-Hartman
` (347 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Pellegrino, Sam Winchenbach,
Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Pellegrino <bpellegrino@arka.org>
[ Upstream commit 9016776f1301627de78a633bda7c898425a56572 ]
This patch allows writing u64 values to the ADMV8818's high and low-pass
filter frequencies. It includes the following changes:
- Rejects negative frequencies in admv8818_write_raw.
- Adds a write_raw_get_fmt function to admv8818's iio_info, returning
IIO_VAL_INT_64 for the high and low-pass filter 3dB frequency channels.
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Brian Pellegrino <bpellegrino@arka.org>
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-7-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index 2dfa92e052af8..b83d655274325 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -400,6 +400,19 @@ static int admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
return ret;
}
+static int admv8818_write_raw_get_fmt(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan,
+ long mask)
+{
+ switch (mask) {
+ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
+ case IIO_CHAN_INFO_HIGH_PASS_FILTER_3DB_FREQUENCY:
+ return IIO_VAL_INT_64;
+ default:
+ return -EINVAL;
+ }
+}
+
static int admv8818_write_raw(struct iio_dev *indio_dev,
struct iio_chan_spec const *chan,
int val, int val2, long info)
@@ -408,6 +421,9 @@ static int admv8818_write_raw(struct iio_dev *indio_dev,
u64 freq = ((u64)val2 << 32 | (u32)val);
+ if ((s64)freq < 0)
+ return -EINVAL;
+
switch (info) {
case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
return admv8818_lpf_select(st, freq);
@@ -524,6 +540,7 @@ static int admv8818_set_mode(struct iio_dev *indio_dev,
static const struct iio_info admv8818_info = {
.write_raw = admv8818_write_raw,
+ .write_raw_get_fmt = admv8818_write_raw_get_fmt,
.read_raw = admv8818_read_raw,
.debugfs_reg_access = &admv8818_reg_access,
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 162/508] iio: adc: ad7124: Fix 3dB filter frequency reading
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 161/508] iio: filter: admv8818: Support frequencies >= 2^32 Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 163/508] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a Greg Kroah-Hartman
` (346 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Marcelo Schmitt, Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ]
The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB}
and for sinc3 the factor is 0.272 according to the data sheets for
ad7124-4 (Rev. E.) and ad7124-8 (Rev. F).
Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7124.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
index 307a607bf56c7..1e0af424f34f6 100644
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -299,9 +299,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st,
switch (st->channels[channel].cfg.filter_type) {
case AD7124_SINC3_FILTER:
- return DIV_ROUND_CLOSEST(fadc * 230, 1000);
+ return DIV_ROUND_CLOSEST(fadc * 272, 1000);
case AD7124_SINC4_FILTER:
- return DIV_ROUND_CLOSEST(fadc * 262, 1000);
+ return DIV_ROUND_CLOSEST(fadc * 230, 1000);
default:
return -EINVAL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 163/508] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 162/508] iio: adc: ad7124: Fix 3dB filter frequency reading Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 164/508] counter: interrupt-cnt: Protect enable/disable OPs with mutex Greg Kroah-Hartman
` (345 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli,
Philippe Mathieu-Daudé, Thomas Bogendoerfer, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ]
Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a").
Fix follow warnings:
arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider
arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'
Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH")
Tested-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
index c7ea4f1c0bb21..6c277ab83d4b9 100644
--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
@@ -29,6 +29,7 @@
compatible = "loongson,pch-msi-1.0";
reg = <0 0x2ff00000 0 0x8>;
interrupt-controller;
+ #interrupt-cells = <1>;
msi-controller;
loongson,msi-base-vec = <64>;
loongson,msi-num-vecs = <64>;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 164/508] counter: interrupt-cnt: Protect enable/disable OPs with mutex
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 163/508] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 165/508] coresight: prevent deactivate active config while enabling the config Greg Kroah-Hartman
` (344 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Oleksij Rempel,
William Breathitt Gray, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
[ Upstream commit 7351312632e831e51383f48957d47712fae791ef ]
Enable/disable seems to be racy on SMP, consider the following scenario:
CPU0 CPU1
interrupt_cnt_enable_write(true)
{
if (priv->enabled == enable)
return 0;
if (enable) {
priv->enabled = true;
interrupt_cnt_enable_write(false)
{
if (priv->enabled == enable)
return 0;
if (enable) {
priv->enabled = true;
enable_irq(priv->irq);
} else {
disable_irq(priv->irq)
priv->enabled = false;
}
enable_irq(priv->irq);
} else {
disable_irq(priv->irq);
priv->enabled = false;
}
The above would result in priv->enabled == false, but IRQ left enabled.
Protect both write (above race) and read (to propagate the value on SMP)
callbacks with a mutex.
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20250331163642.2382651-1-alexander.sverdlin@siemens.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/counter/interrupt-cnt.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/counter/interrupt-cnt.c b/drivers/counter/interrupt-cnt.c
index 229473855c5b3..bc762ba87a19b 100644
--- a/drivers/counter/interrupt-cnt.c
+++ b/drivers/counter/interrupt-cnt.c
@@ -3,12 +3,14 @@
* Copyright (c) 2021 Pengutronix, Oleksij Rempel <kernel@pengutronix.de>
*/
+#include <linux/cleanup.h>
#include <linux/counter.h>
#include <linux/gpio/consumer.h>
#include <linux/interrupt.h>
#include <linux/irq.h>
#include <linux/mod_devicetable.h>
#include <linux/module.h>
+#include <linux/mutex.h>
#include <linux/platform_device.h>
#include <linux/types.h>
@@ -19,6 +21,7 @@ struct interrupt_cnt_priv {
struct gpio_desc *gpio;
int irq;
bool enabled;
+ struct mutex lock;
struct counter_signal signals;
struct counter_synapse synapses;
struct counter_count cnts;
@@ -41,6 +44,8 @@ static int interrupt_cnt_enable_read(struct counter_device *counter,
{
struct interrupt_cnt_priv *priv = counter_priv(counter);
+ guard(mutex)(&priv->lock);
+
*enable = priv->enabled;
return 0;
@@ -51,6 +56,8 @@ static int interrupt_cnt_enable_write(struct counter_device *counter,
{
struct interrupt_cnt_priv *priv = counter_priv(counter);
+ guard(mutex)(&priv->lock);
+
if (priv->enabled == enable)
return 0;
@@ -227,6 +234,8 @@ static int interrupt_cnt_probe(struct platform_device *pdev)
if (ret)
return ret;
+ mutex_init(&priv->lock);
+
ret = devm_counter_add(dev, counter);
if (ret < 0)
return dev_err_probe(dev, ret, "Failed to add counter\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 165/508] coresight: prevent deactivate active config while enabling the config
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 164/508] counter: interrupt-cnt: Protect enable/disable OPs with mutex Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 166/508] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Greg Kroah-Hartman
` (343 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suzuki K Poulose, Yeoreum Yun,
Leo Yan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeoreum Yun <yeoreum.yun@arm.com>
[ Upstream commit 408c97c4a5e0b634dcd15bf8b8808b382e888164 ]
While enable active config via cscfg_csdev_enable_active_config(),
active config could be deactivated via configfs' sysfs interface.
This could make UAF issue in below scenario:
CPU0 CPU1
(sysfs enable) load module
cscfg_load_config_sets()
activate config. // sysfs
(sys_active_cnt == 1)
...
cscfg_csdev_enable_active_config()
lock(csdev->cscfg_csdev_lock)
// here load config activate by CPU1
unlock(csdev->cscfg_csdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
unload module
// access to config_desc which freed
// while unloading module.
cscfg_csdev_enable_config
To address this, use cscfg_config_desc's active_cnt as a reference count
which will be holded when
- activate the config.
- enable the activated config.
and put the module reference when config_active_cnt == 0.
Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations")
Suggested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250514161951.3427590-4-yeoreum.yun@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../hwtracing/coresight/coresight-config.h | 2 +-
.../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------
2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h
index 6ba0139757418..84cdde6f0e4db 100644
--- a/drivers/hwtracing/coresight/coresight-config.h
+++ b/drivers/hwtracing/coresight/coresight-config.h
@@ -228,7 +228,7 @@ struct cscfg_feature_csdev {
* @feats_csdev:references to the device features to enable.
*/
struct cscfg_config_csdev {
- const struct cscfg_config_desc *config_desc;
+ struct cscfg_config_desc *config_desc;
struct coresight_device *csdev;
bool enabled;
struct list_head node;
diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c
index 11138a9762b01..30a561d874819 100644
--- a/drivers/hwtracing/coresight/coresight-syscfg.c
+++ b/drivers/hwtracing/coresight/coresight-syscfg.c
@@ -867,6 +867,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev)
}
EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats);
+static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc)
+{
+ if (!atomic_fetch_inc(&config_desc->active_cnt)) {
+ /* must ensure that config cannot be unloaded in use */
+ if (unlikely(cscfg_owner_get(config_desc->load_owner))) {
+ atomic_dec(&config_desc->active_cnt);
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc)
+{
+ if (!atomic_dec_return(&config_desc->active_cnt))
+ cscfg_owner_put(config_desc->load_owner);
+}
+
/*
* This activate configuration for either perf or sysfs. Perf can have multiple
* active configs, selected per event, sysfs is limited to one.
@@ -890,22 +909,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash)
if (config_desc->available == false)
return -EBUSY;
- /* must ensure that config cannot be unloaded in use */
- err = cscfg_owner_get(config_desc->load_owner);
- if (err)
+ if (!cscfg_config_desc_get(config_desc)) {
+ err = -EINVAL;
break;
+ }
+
/*
* increment the global active count - control changes to
* active configurations
*/
atomic_inc(&cscfg_mgr->sys_active_cnt);
- /*
- * mark the descriptor as active so enable config on a
- * device instance will use it
- */
- atomic_inc(&config_desc->active_cnt);
-
err = 0;
dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name);
break;
@@ -920,9 +934,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash)
list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) {
if ((unsigned long)config_desc->event_ea->var == cfg_hash) {
- atomic_dec(&config_desc->active_cnt);
atomic_dec(&cscfg_mgr->sys_active_cnt);
- cscfg_owner_put(config_desc->load_owner);
+ cscfg_config_desc_put(config_desc);
dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name);
break;
}
@@ -1047,7 +1060,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
unsigned long cfg_hash, int preset)
{
struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item;
- const struct cscfg_config_desc *config_desc;
+ struct cscfg_config_desc *config_desc;
unsigned long flags;
int err = 0;
@@ -1062,8 +1075,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags);
list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) {
config_desc = config_csdev_item->config_desc;
- if ((atomic_read(&config_desc->active_cnt)) &&
- ((unsigned long)config_desc->event_ea->var == cfg_hash)) {
+ if (((unsigned long)config_desc->event_ea->var == cfg_hash) &&
+ cscfg_config_desc_get(config_desc)) {
config_csdev_active = config_csdev_item;
csdev->active_cscfg_ctxt = (void *)config_csdev_active;
break;
@@ -1097,7 +1110,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
err = -EBUSY;
spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
}
+
+ if (err)
+ cscfg_config_desc_put(config_desc);
}
+
return err;
}
EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config);
@@ -1136,8 +1153,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev)
spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
/* true if there was an enabled active config */
- if (config_csdev)
+ if (config_csdev) {
cscfg_csdev_disable_config(config_csdev);
+ cscfg_config_desc_put(config_csdev->config_desc);
+ }
}
EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 166/508] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 165/508] coresight: prevent deactivate active config while enabling the config Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 167/508] net: stmmac: platform: guarantee uniqueness of bus_id Greg Kroah-Hartman
` (342 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolas Pitre, Jiri Slaby,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <npitre@baylibre.com>
[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ]
They are listed amon those cmd values that "treat 'arg' as an integer"
which is wrong. They should instead fall into the default case. Probably
nobody ever relied on that code since 2009 but still.
Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver")
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/vt/vt_ioctl.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index 8c685b5014044..5b21b60547da1 100644
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -1105,8 +1105,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
case VT_WAITACTIVE:
case VT_RELDISP:
case VT_DISALLOCATE:
- case VT_RESIZE:
- case VT_RESIZEX:
return vt_ioctl(tty, cmd, arg);
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 167/508] net: stmmac: platform: guarantee uniqueness of bus_id
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 166/508] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 168/508] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Greg Kroah-Hartman
` (341 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Schulz, Maxime Chevallier,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quentin Schulz <quentin.schulz@cherry.de>
[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ]
bus_id is currently derived from the ethernetX alias. If one is missing
for the device, 0 is used. If ethernet0 points to another stmmac device
or if there are 2+ stmmac devices without an ethernet alias, then bus_id
will be 0 for all of those.
This is an issue because the bus_id is used to generate the mdio bus id
(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
stmmac_mdio_register) and this needs to be unique.
This allows to avoid needing to define ethernet aliases for devices with
multiple stmmac controllers (such as the Rockchip RK3588) for multiple
stmmac devices to probe properly.
Obviously, the bus_id isn't guaranteed to be stable across reboots if no
alias is set for the device but that is easily fixed by simply adding an
alias if this is desired.
Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
index c368ef3cd9cb4..e81f54a4ac9b1 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
@@ -417,6 +417,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
struct device_node *np = pdev->dev.of_node;
struct plat_stmmacenet_data *plat;
struct stmmac_dma_cfg *dma_cfg;
+ static int bus_id = -ENODEV;
int phy_mode;
void *ret;
int rc;
@@ -453,8 +454,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
of_property_read_u32(np, "max-speed", &plat->max_speed);
plat->bus_id = of_alias_get_id(np, "ethernet");
- if (plat->bus_id < 0)
- plat->bus_id = 0;
+ if (plat->bus_id < 0) {
+ if (bus_id < 0)
+ bus_id = of_alias_get_highest_id("ethernet");
+ /* No ethernet alias found, init at -1 so first bus_id is 0 */
+ if (bus_id < 0)
+ bus_id = -1;
+ plat->bus_id = ++bus_id;
+ }
/* Default to phy auto-detection */
plat->phy_addr = -1;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 168/508] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 167/508] net: stmmac: platform: guarantee uniqueness of bus_id Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 169/508] net: tipc: fix refcount warning in tipc_aead_encrypt Greg Kroah-Hartman
` (340 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ]
Previously, the RX_BUFFERS_POSTED stat incorrectly reported the
fill_cnt from RX queue 0 for all queues, resulting in inaccurate
per-queue statistics.
Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue.
Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
index 8771ccfc69b42..7e7890334ff60 100644
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -1312,7 +1312,7 @@ void gve_handle_report_stats(struct gve_priv *priv)
};
stats[stats_idx++] = (struct stats) {
.stat_name = cpu_to_be32(RX_BUFFERS_POSTED),
- .value = cpu_to_be64(priv->rx[0].fill_cnt),
+ .value = cpu_to_be64(priv->rx[idx].fill_cnt),
.queue_id = cpu_to_be32(idx),
};
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 169/508] net: tipc: fix refcount warning in tipc_aead_encrypt
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 168/508] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 170/508] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Greg Kroah-Hartman
` (339 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f0c4a4aba757549ae26c,
Charalampos Mitrodimas, Tung Nguyen, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charalampos Mitrodimas <charmitro@posteo.net>
[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ]
syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens
when a TIPC discovery timer fires during network namespace cleanup.
The recently added get_net() call in commit e279024617134 ("net/tipc:
fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
hold a reference to the network namespace. However, if the namespace
is already being destroyed, its refcount might be zero, leading to the
use-after-free warning.
Replace get_net() with maybe_get_net(), which safely checks if the
refcount is non-zero before incrementing it. If the namespace is being
destroyed, return -ENODEV early, after releasing the bearer reference.
[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done")
Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/crypto.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index a9c02fac039b5..17e2b09002853 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -818,7 +818,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb,
}
/* Get net to avoid freed tipc_crypto when delete namespace */
- get_net(aead->crypto->net);
+ if (!maybe_get_net(aead->crypto->net)) {
+ tipc_bearer_put(b);
+ rc = -ENODEV;
+ goto exit;
+ }
/* Now, do encrypt */
rc = crypto_aead_encrypt(req);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 170/508] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 169/508] net: tipc: fix refcount warning in tipc_aead_encrypt Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 171/508] net/mlx4_en: Prevent potential integer overflow calculating Hz Greg Kroah-Hartman
` (338 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yanqing Wang, Macpaul Lin,
Biao Huang, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yanqing Wang <ot_yanqing.wang@mediatek.com>
[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ]
Identify the cause of the suspend/resume hang: netif_carrier_off()
is called during link state changes and becomes stuck while
executing linkwatch_work().
To resolve this issue, call netif_device_detach() during the Ethernet
suspend process to temporarily detach the network device from the
kernel and prevent the suspend/resume hang.
Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver")
Signed-off-by: Yanqing Wang <ot_yanqing.wang@mediatek.com>
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Signed-off-by: Biao Huang <biao.huang@mediatek.com>
Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c
index c42e9f741f959..a631491a19da1 100644
--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c
+++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c
@@ -1475,6 +1475,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev)
if (netif_running(ndev))
mtk_star_disable(ndev);
+ netif_device_detach(ndev);
+
clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
return 0;
@@ -1499,6 +1501,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev)
clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
}
+ netif_device_attach(ndev);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 171/508] net/mlx4_en: Prevent potential integer overflow calculating Hz
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 170/508] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 172/508] net: lan966x: Make sure to insert the vlan tags also in host mode Greg Kroah-Hartman
` (337 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Simon Horman,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ]
The "freq" variable is in terms of MHz and "max_val_cycles" is in terms
of Hz. The fact that "max_val_cycles" is a u64 suggests that support
for high frequency is intended but the "freq_khz * 1000" would overflow
the u32 type if we went above 4GHz. Use unsigned long long type for the
mutliplication to prevent that.
Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
index 024788549c256..060698b0c65cc 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
@@ -251,7 +251,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = {
static u32 freq_to_shift(u16 freq)
{
u32 freq_khz = freq * 1000;
- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
+ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC;
u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1);
/* calculate max possible multiplier in order to fit in 64bit */
u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 172/508] net: lan966x: Make sure to insert the vlan tags also in host mode
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 171/508] net/mlx4_en: Prevent potential integer overflow calculating Hz Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 173/508] spi: bcm63xx-spi: fix shared reset Greg Kroah-Hartman
` (336 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 27eab4c644236a9324084a70fe79e511cbd07393 ]
When running these commands on DUT (and similar at the other end)
ip link set dev eth0 up
ip link add link eth0 name eth0.10 type vlan id 10
ip addr add 10.0.0.1/24 dev eth0.10
ip link set dev eth0.10 up
ping 10.0.0.2
The ping will fail.
The reason why is failing is because, the network interfaces for lan966x
have a flag saying that the HW can insert the vlan tags into the
frames(NETIF_F_HW_VLAN_CTAG_TX). Meaning that the frames that are
transmitted don't have the vlan tag inside the skb data, but they have
it inside the skb. We already get that vlan tag and put it in the IFH
but the problem is that we don't configure the HW to rewrite the frame
when the interface is in host mode.
The fix consists in actually configuring the HW to insert the vlan tag
if it is different than 0.
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Fixes: 6d2c186afa5d ("net: lan966x: Add vlan support.")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250528093619.3738998-1-horatiu.vultur@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/microchip/lan966x/lan966x_main.c | 1 +
.../ethernet/microchip/lan966x/lan966x_main.h | 1 +
.../microchip/lan966x/lan966x_switchdev.c | 1 +
.../ethernet/microchip/lan966x/lan966x_vlan.c | 21 +++++++++++++++++++
4 files changed, 24 insertions(+)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
index 9ce46588aaf03..8c048ffde23d6 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
@@ -811,6 +811,7 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p,
lan966x_vlan_port_set_vlan_aware(port, 0);
lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
lan966x_vlan_port_apply(port);
+ lan966x_vlan_port_rew_host(port);
return 0;
}
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
index 4ec33999e4df6..ff5736d2c7a6b 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
@@ -388,6 +388,7 @@ void lan966x_vlan_port_apply(struct lan966x_port *port);
bool lan966x_vlan_cpu_member_cpu_vlan_mask(struct lan966x *lan966x, u16 vid);
void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
bool vlan_aware);
+void lan966x_vlan_port_rew_host(struct lan966x_port *port);
int lan966x_vlan_port_set_vid(struct lan966x_port *port,
u16 vid,
bool pvid,
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
index 1c88120eb291a..bcb4db76b75cd 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
@@ -297,6 +297,7 @@ static void lan966x_port_bridge_leave(struct lan966x_port *port,
lan966x_vlan_port_set_vlan_aware(port, false);
lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
lan966x_vlan_port_apply(port);
+ lan966x_vlan_port_rew_host(port);
}
int lan966x_port_changeupper(struct net_device *dev,
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
index 3c44660128dae..ffb245fb7d678 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
@@ -149,6 +149,27 @@ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
port->vlan_aware = vlan_aware;
}
+/* When the interface is in host mode, the interface should not be vlan aware
+ * but it should insert all the tags that it gets from the network stack.
+ * The tags are not in the data of the frame but actually in the skb and the ifh
+ * is configured already to get this tag. So what we need to do is to update the
+ * rewriter to insert the vlan tag for all frames which have a vlan tag
+ * different than 0.
+ */
+void lan966x_vlan_port_rew_host(struct lan966x_port *port)
+{
+ struct lan966x *lan966x = port->lan966x;
+ u32 val;
+
+ /* Tag all frames except when VID=0*/
+ val = REW_TAG_CFG_TAG_CFG_SET(2);
+
+ /* Update only some bits in the register */
+ lan_rmw(val,
+ REW_TAG_CFG_TAG_CFG,
+ lan966x, REW_TAG_CFG(port->chip_port));
+}
+
void lan966x_vlan_port_apply(struct lan966x_port *port)
{
struct lan966x *lan966x = port->lan966x;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 173/508] spi: bcm63xx-spi: fix shared reset
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 172/508] net: lan966x: Make sure to insert the vlan tags also in host mode Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 174/508] spi: bcm63xx-hsspi: " Greg Kroah-Hartman
` (335 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski,
Álvaro Fernández Rojas, Florian Fainelli, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ]
Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
and HSSPI controllers, so reset shouldn't be exclusive.
Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support")
Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bcm63xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
index 695ac74571286..2f2a130464651 100644
--- a/drivers/spi/spi-bcm63xx.c
+++ b/drivers/spi/spi-bcm63xx.c
@@ -533,7 +533,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
return PTR_ERR(clk);
}
- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
+ reset = devm_reset_control_get_optional_shared(dev, NULL);
if (IS_ERR(reset))
return PTR_ERR(reset);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 174/508] spi: bcm63xx-hsspi: fix shared reset
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 173/508] spi: bcm63xx-spi: fix shared reset Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 175/508] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Greg Kroah-Hartman
` (334 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski,
Álvaro Fernández Rojas, Florian Fainelli, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ]
Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
and HSSPI controllers, so reset shouldn't be exclusive.
Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support")
Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
index 02f56fc001b47..7d8e5c66f6d17 100644
--- a/drivers/spi/spi-bcm63xx-hsspi.c
+++ b/drivers/spi/spi-bcm63xx-hsspi.c
@@ -357,7 +357,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
if (IS_ERR(clk))
return PTR_ERR(clk);
- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
+ reset = devm_reset_control_get_optional_shared(dev, NULL);
if (IS_ERR(reset))
return PTR_ERR(reset);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 175/508] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 174/508] spi: bcm63xx-hsspi: " Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 176/508] ice: create new Tx scheduler nodes for new queues only Greg Kroah-Hartman
` (333 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ]
Depending on the security set the response to L2CAP_LE_CONN_REQ shall be
just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM
is selected since that means security mode 2 which doesn't require
authentication which is something that is covered in the qualification
test L2CAP/LE/CFC/BV-25-C.
Link: https://github.com/bluez/bluez/issues/1270
Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index cb9b1edfcea2a..550c3da6f3910 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5883,7 +5883,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
SMP_ALLOW_STK)) {
- result = L2CAP_CR_LE_AUTHENTICATION;
+ result = pchan->sec_level == BT_SECURITY_MEDIUM ?
+ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
chan = NULL;
goto response_unlock;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 176/508] ice: create new Tx scheduler nodes for new queues only
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 175/508] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 177/508] ice: fix rebuilding the Tx scheduler tree for large queue counts Greg Kroah-Hartman
` (332 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawid Osuchowski, Przemek Kitszel,
Jacob Keller, Michal Kubiak, Simon Horman, Jesse Brandeburg,
Tony Nguyen, Sasha Levin, Saritha Sanigani
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kubiak <michal.kubiak@intel.com>
[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ]
The current implementation of the Tx scheduler tree attempts
to create nodes for all Tx queues, ignoring the fact that some
queues may already exist in the tree. For example, if the VSI
already has 128 Tx queues and the user requests for 16 new queues,
the Tx scheduler will compute the tree for 272 queues (128 existing
queues + 144 new queues), instead of 144 queues (128 existing queues
and 16 new queues).
Fix that by modifying the node count calculation algorithm to skip
the queues that already exist in the tree.
Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support")
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index b07bd0c059f75..3baa9d161a0bf 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -1591,16 +1591,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node,
/**
* ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes
* @hw: pointer to the HW struct
- * @num_qs: number of queues
+ * @num_new_qs: number of new queues that will be added to the tree
* @num_nodes: num nodes array
*
* This function calculates the number of VSI child nodes based on the
* number of queues.
*/
static void
-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes)
+ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes)
{
- u16 num = num_qs;
+ u16 num = num_new_qs;
u8 i, qgl, vsil;
qgl = ice_sched_get_qgrp_layer(hw);
@@ -1848,8 +1848,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
return status;
}
- if (new_numqs)
- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes);
+ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
+ new_num_nodes);
+
/* Keep the max number of queue configuration all the time. Update the
* tree only if number of queues > previous number of queues. This may
* leave some extra nodes in the tree if number of queues < previous
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 177/508] ice: fix rebuilding the Tx scheduler tree for large queue counts
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 176/508] ice: create new Tx scheduler nodes for new queues only Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 178/508] net: dsa: tag_brcm: legacy: fix pskb_may_pull length Greg Kroah-Hartman
` (331 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawid Osuchowski, Przemek Kitszel,
Michal Kubiak, Simon Horman, Jesse Brandeburg, Tony Nguyen,
Sasha Levin, Saritha Sanigani
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kubiak <michal.kubiak@intel.com>
[ Upstream commit 73145e6d81070d34a21431c9e0d7aaf2f29ca048 ]
The current implementation of the Tx scheduler allows the tree to be
rebuilt as the user adds more Tx queues to the VSI. In such a case,
additional child nodes are added to the tree to support the new number
of queues.
Unfortunately, this algorithm does not take into account that the limit
of the VSI support node may be exceeded, so an additional node in the
VSI layer may be required to handle all the requested queues.
Such a scenario occurs when adding XDP Tx queues on machines with many
CPUs. Although the driver still respects the queue limit returned by
the FW, the Tx scheduler was unable to add those queues to its tree
and returned one of the errors below.
Such a scenario occurs when adding XDP Tx queues on machines with many
CPUs (e.g. at least 321 CPUs, if there is already 128 Tx/Rx queue pairs).
Although the driver still respects the queue limit returned by the FW,
the Tx scheduler was unable to add those queues to its tree and returned
the following errors:
Failed VSI LAN queue config for XDP, error: -5
or:
Failed to set LAN Tx queue context, error: -22
Fix this problem by extending the tree rebuild algorithm to check if the
current VSI node can support the requested number of queues. If it
cannot, create as many additional VSI support nodes as necessary to
handle all the required Tx queues. Symmetrically, adjust the VSI node
removal algorithm to remove all nodes associated with the given VSI.
Also, make the search for the next free VSI node more restrictive. That is,
add queue group nodes only to the VSI support nodes that have a matching
VSI handle.
Finally, fix the comment describing the tree update algorithm to better
reflect the current scenario.
Fixes: b0153fdd7e8a ("ice: update VSI config dynamically")
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_sched.c | 170 +++++++++++++++++----
1 file changed, 142 insertions(+), 28 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index 3baa9d161a0bf..f8f2f657bf9b6 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -84,6 +84,27 @@ ice_sched_find_node_by_teid(struct ice_sched_node *start_node, u32 teid)
return NULL;
}
+/**
+ * ice_sched_find_next_vsi_node - find the next node for a given VSI
+ * @vsi_node: VSI support node to start search with
+ *
+ * Return: Next VSI support node, or NULL.
+ *
+ * The function returns a pointer to the next node from the VSI layer
+ * assigned to the given VSI, or NULL if there is no such a node.
+ */
+static struct ice_sched_node *
+ice_sched_find_next_vsi_node(struct ice_sched_node *vsi_node)
+{
+ unsigned int vsi_handle = vsi_node->vsi_handle;
+
+ while ((vsi_node = vsi_node->sibling) != NULL)
+ if (vsi_node->vsi_handle == vsi_handle)
+ break;
+
+ return vsi_node;
+}
+
/**
* ice_aqc_send_sched_elem_cmd - send scheduling elements cmd
* @hw: pointer to the HW struct
@@ -1073,8 +1094,10 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi,
if (parent->num_children < max_child_nodes) {
new_num_nodes = max_child_nodes - parent->num_children;
} else {
- /* This parent is full, try the next sibling */
- parent = parent->sibling;
+ /* This parent is full,
+ * try the next available sibling.
+ */
+ parent = ice_sched_find_next_vsi_node(parent);
/* Don't modify the first node TEID memory if the
* first node was added already in the above call.
* Instead send some temp memory for all other
@@ -1515,12 +1538,23 @@ ice_sched_get_free_qparent(struct ice_port_info *pi, u16 vsi_handle, u8 tc,
/* get the first queue group node from VSI sub-tree */
qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
while (qgrp_node) {
+ struct ice_sched_node *next_vsi_node;
+
/* make sure the qgroup node is part of the VSI subtree */
if (ice_sched_find_node_in_subtree(pi->hw, vsi_node, qgrp_node))
if (qgrp_node->num_children < max_children &&
qgrp_node->owner == owner)
break;
qgrp_node = qgrp_node->sibling;
+ if (qgrp_node)
+ continue;
+
+ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
+ if (!next_vsi_node)
+ break;
+
+ vsi_node = next_vsi_node;
+ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
}
/* Select the best queue group */
@@ -1764,7 +1798,11 @@ ice_sched_add_vsi_support_nodes(struct ice_port_info *pi, u16 vsi_handle,
if (!parent)
return -EIO;
- if (i == vsil)
+ /* Do not modify the VSI handle for already existing VSI nodes,
+ * (if no new VSI node was added to the tree).
+ * Assign the VSI handle only to newly added VSI nodes.
+ */
+ if (i == vsil && num_added)
parent->vsi_handle = vsi_handle;
}
@@ -1797,6 +1835,41 @@ ice_sched_add_vsi_to_topo(struct ice_port_info *pi, u16 vsi_handle, u8 tc)
num_nodes);
}
+/**
+ * ice_sched_recalc_vsi_support_nodes - recalculate VSI support nodes count
+ * @hw: pointer to the HW struct
+ * @vsi_node: pointer to the leftmost VSI node that needs to be extended
+ * @new_numqs: new number of queues that has to be handled by the VSI
+ * @new_num_nodes: pointer to nodes count table to modify the VSI layer entry
+ *
+ * This function recalculates the number of supported nodes that need to
+ * be added after adding more Tx queues for a given VSI.
+ * The number of new VSI support nodes that shall be added will be saved
+ * to the @new_num_nodes table for the VSI layer.
+ */
+static void
+ice_sched_recalc_vsi_support_nodes(struct ice_hw *hw,
+ struct ice_sched_node *vsi_node,
+ unsigned int new_numqs, u16 *new_num_nodes)
+{
+ u32 vsi_nodes_cnt = 1;
+ u32 max_queue_cnt = 1;
+ u32 qgl, vsil;
+
+ qgl = ice_sched_get_qgrp_layer(hw);
+ vsil = ice_sched_get_vsi_layer(hw);
+
+ for (u32 i = vsil; i <= qgl; i++)
+ max_queue_cnt *= hw->max_children[i];
+
+ while ((vsi_node = ice_sched_find_next_vsi_node(vsi_node)) != NULL)
+ vsi_nodes_cnt++;
+
+ if (new_numqs > (max_queue_cnt * vsi_nodes_cnt))
+ new_num_nodes[vsil] = DIV_ROUND_UP(new_numqs, max_queue_cnt) -
+ vsi_nodes_cnt;
+}
+
/**
* ice_sched_update_vsi_child_nodes - update VSI child nodes
* @pi: port information structure
@@ -1848,16 +1921,25 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
return status;
}
+ ice_sched_recalc_vsi_support_nodes(hw, vsi_node,
+ new_numqs, new_num_nodes);
ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
new_num_nodes);
- /* Keep the max number of queue configuration all the time. Update the
- * tree only if number of queues > previous number of queues. This may
+ /* Never decrease the number of queues in the tree. Update the tree
+ * only if number of queues > previous number of queues. This may
* leave some extra nodes in the tree if number of queues < previous
* number but that wouldn't harm anything. Removing those extra nodes
* may complicate the code if those nodes are part of SRL or
* individually rate limited.
+ * Also, add the required VSI support nodes if the existing ones cannot
+ * handle the requested new number of queues.
*/
+ status = ice_sched_add_vsi_support_nodes(pi, vsi_handle, tc_node,
+ new_num_nodes);
+ if (status)
+ return status;
+
status = ice_sched_add_vsi_child_nodes(pi, vsi_handle, tc_node,
new_num_nodes, owner);
if (status)
@@ -1998,6 +2080,58 @@ static bool ice_sched_is_leaf_node_present(struct ice_sched_node *node)
return (node->info.data.elem_type == ICE_AQC_ELEM_TYPE_LEAF);
}
+/**
+ * ice_sched_rm_vsi_subtree - remove all nodes assigned to a given VSI
+ * @pi: port information structure
+ * @vsi_node: pointer to the leftmost node of the VSI to be removed
+ * @owner: LAN or RDMA
+ * @tc: TC number
+ *
+ * Return: Zero in case of success, or -EBUSY if the VSI has leaf nodes in TC.
+ *
+ * This function removes all the VSI support nodes associated with a given VSI
+ * and its LAN or RDMA children nodes from the scheduler tree.
+ */
+static int
+ice_sched_rm_vsi_subtree(struct ice_port_info *pi,
+ struct ice_sched_node *vsi_node, u8 owner, u8 tc)
+{
+ u16 vsi_handle = vsi_node->vsi_handle;
+ bool all_vsi_nodes_removed = true;
+ int j = 0;
+
+ while (vsi_node) {
+ struct ice_sched_node *next_vsi_node;
+
+ if (ice_sched_is_leaf_node_present(vsi_node)) {
+ ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", tc);
+ return -EBUSY;
+ }
+ while (j < vsi_node->num_children) {
+ if (vsi_node->children[j]->owner == owner)
+ ice_free_sched_node(pi, vsi_node->children[j]);
+ else
+ j++;
+ }
+
+ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
+
+ /* remove the VSI if it has no children */
+ if (!vsi_node->num_children)
+ ice_free_sched_node(pi, vsi_node);
+ else
+ all_vsi_nodes_removed = false;
+
+ vsi_node = next_vsi_node;
+ }
+
+ /* clean up aggregator related VSI info if any */
+ if (all_vsi_nodes_removed)
+ ice_sched_rm_agg_vsi_info(pi, vsi_handle);
+
+ return 0;
+}
+
/**
* ice_sched_rm_vsi_cfg - remove the VSI and its children nodes
* @pi: port information structure
@@ -2024,7 +2158,6 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
ice_for_each_traffic_class(i) {
struct ice_sched_node *vsi_node, *tc_node;
- u8 j = 0;
tc_node = ice_sched_get_tc_node(pi, i);
if (!tc_node)
@@ -2034,31 +2167,12 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
if (!vsi_node)
continue;
- if (ice_sched_is_leaf_node_present(vsi_node)) {
- ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", i);
- status = -EBUSY;
+ status = ice_sched_rm_vsi_subtree(pi, vsi_node, owner, i);
+ if (status)
goto exit_sched_rm_vsi_cfg;
- }
- while (j < vsi_node->num_children) {
- if (vsi_node->children[j]->owner == owner) {
- ice_free_sched_node(pi, vsi_node->children[j]);
- /* reset the counter again since the num
- * children will be updated after node removal
- */
- j = 0;
- } else {
- j++;
- }
- }
- /* remove the VSI if it has no children */
- if (!vsi_node->num_children) {
- ice_free_sched_node(pi, vsi_node);
- vsi_ctx->sched.vsi_node[i] = NULL;
+ vsi_ctx->sched.vsi_node[i] = NULL;
- /* clean up aggregator related VSI info if any */
- ice_sched_rm_agg_vsi_info(pi, vsi_handle);
- }
if (owner == ICE_SCHED_NODE_OWNER_LAN)
vsi_ctx->sched.max_lanq[i] = 0;
else
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 178/508] net: dsa: tag_brcm: legacy: fix pskb_may_pull length
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 177/508] ice: fix rebuilding the Tx scheduler tree for large queue counts Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 179/508] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping Greg Kroah-Hartman
` (330 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Florian Fainelli, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ]
BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length.
The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes.
Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/tag_brcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
index a65d62fb90094..04b57534fe4de 100644
--- a/net/dsa/tag_brcm.c
+++ b/net/dsa/tag_brcm.c
@@ -253,7 +253,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
int source_port;
u8 *brcm_tag;
- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID)))
+ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN)))
return NULL;
brcm_tag = dsa_etype_header_pos_rx(skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 179/508] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 178/508] net: dsa: tag_brcm: legacy: fix pskb_may_pull length Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 180/508] net: fix udp gso skb_segment after pull from frag_list Greg Kroah-Hartman
` (329 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexis Lothoré, Yanteng Si,
Maxime Chevallier, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexis Lothoré <alexis.lothore@bootlin.com>
[ Upstream commit 030ce919e114a111e83b7976ecb3597cefd33f26 ]
The stmmac platform drivers that do not open-code the clk_ptp_rate value
after having retrieved the default one from the device-tree can end up
with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will
eventually propagate up to PTP initialization when bringing up the
interface, leading to a divide by 0:
Division by zero in kernel.
CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22
Hardware name: STM32 (Device Tree Support)
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x6c/0x8c
dump_stack_lvl from Ldiv0_64+0x8/0x18
Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4
stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c
stmmac_hw_setup from __stmmac_open+0x18c/0x434
__stmmac_open from stmmac_open+0x3c/0xbc
stmmac_open from __dev_open+0xf4/0x1ac
__dev_open from __dev_change_flags+0x1cc/0x224
__dev_change_flags from dev_change_flags+0x24/0x60
dev_change_flags from ip_auto_config+0x2e8/0x11a0
ip_auto_config from do_one_initcall+0x84/0x33c
do_one_initcall from kernel_init_freeable+0x1b8/0x214
kernel_init_freeable from kernel_init+0x24/0x140
kernel_init from ret_from_fork+0x14/0x28
Exception stack(0xe0815fb0 to 0xe0815ff8)
Prevent this division by 0 by adding an explicit check and error log
about the actual issue. While at it, remove the same check from
stmmac_ptp_register, which then becomes duplicate
Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.")
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Yanteng Si <si.yanteng@linux.dev>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 14e5b94b0b5ab..948e35c405a84 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -841,6 +841,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags)
if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp))
return -EOPNOTSUPP;
+ if (!priv->plat->clk_ptp_rate) {
+ netdev_err(priv->dev, "Invalid PTP clock rate");
+ return -EINVAL;
+ }
+
stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags);
priv->systime_flags = systime_flags;
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
index 9c91a3dc8e385..cc223fe086484 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
@@ -301,7 +301,7 @@ void stmmac_ptp_register(struct stmmac_priv *priv)
/* Calculate the clock domain crossing (CDC) error if necessary */
priv->plat->cdc_error_adj = 0;
- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate)
+ if (priv->plat->has_gmac4)
priv->plat->cdc_error_adj = (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
stmmac_ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 180/508] net: fix udp gso skb_segment after pull from frag_list
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 179/508] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 181/508] vmxnet3: correctly report gso type for UDP tunnels Greg Kroah-Hartman
` (328 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiming Cheng, Willem de Bruijn,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiming Cheng <shiming.cheng@mediatek.com>
[ Upstream commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72 ]
Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after
pull from frag_list") detected invalid geometry in frag_list skbs and
redirects them from skb_segment_list to more robust skb_segment. But some
packets with modified geometry can also hit bugs in that code. We don't
know how many such cases exist. Addressing each one by one also requires
touching the complex skb_segment code, which risks introducing bugs for
other types of skbs. Instead, linearize all these packets that fail the
basic invariants on gso fraglist skbs. That is more robust.
If only part of the fraglist payload is pulled into head_skb, it will
always cause exception when splitting skbs by skb_segment. For detailed
call stack information, see below.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify fraglist skbs, breaking these invariants.
In extreme cases they pull one part of data into skb linear. For UDP,
this causes three payloads with lengths of (11,11,10) bytes were
pulled tail to become (12,10,10) bytes.
The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because
payload was pulled into head_skb, it needs to be linearized before pass
to regular skb_segment.
skb_segment+0xcd0/0xd14
__udp_gso_segment+0x334/0x5f4
udp4_ufo_fragment+0x118/0x15c
inet_gso_segment+0x164/0x338
skb_mac_gso_segment+0xc4/0x13c
__skb_gso_segment+0xc4/0x124
validate_xmit_skb+0x9c/0x2c0
validate_xmit_skb_list+0x4c/0x80
sch_direct_xmit+0x70/0x404
__dev_queue_xmit+0x64c/0xe5c
neigh_resolve_output+0x178/0x1c4
ip_finish_output2+0x37c/0x47c
__ip_finish_output+0x194/0x240
ip_finish_output+0x20/0xf4
ip_output+0x100/0x1a0
NF_HOOK+0xc4/0x16c
ip_forward+0x314/0x32c
ip_rcv+0x90/0x118
__netif_receive_skb+0x74/0x124
process_backlog+0xe8/0x1a4
__napi_poll+0x5c/0x1f8
net_rx_action+0x154/0x314
handle_softirqs+0x154/0x4b8
[118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
[118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
[118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
[118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
[118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
[118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
[118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770
Fixes: a1e40ac5b5e9 ("gso: fix udp gso fraglist segmentation after pull from frag_list")
Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp_offload.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index d415b4fb2f1f4..1a51c4b44c006 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -331,6 +331,7 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
bool copy_dtor;
__sum16 check;
__be16 newlen;
+ int ret = 0;
mss = skb_shinfo(gso_skb)->gso_size;
if (gso_skb->len <= sizeof(*uh) + mss)
@@ -353,6 +354,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+ ret = __skb_linearize(gso_skb);
+ if (ret)
+ return ERR_PTR(ret);
+
/* Setup csum, as fraglist skips this in udp4_gro_receive. */
gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head;
gso_skb->csum_offset = offsetof(struct udphdr, check);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 181/508] vmxnet3: correctly report gso type for UDP tunnels
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 180/508] net: fix udp gso skb_segment after pull from frag_list Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 182/508] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Greg Kroah-Hartman
` (327 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ronak Doshi, Guolin Yang,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ronak Doshi <ronak.doshi@broadcom.com>
[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ]
Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing
in a tunnel") added checks in linux stack to not accept non-tunnel
GRO packets landing in a tunnel. This exposed an issue in vmxnet3
which was not correctly reporting GRO packets for tunnel packets.
This patch fixes this issue by setting correct GSO type for the
tunnel packets.
Currently, vmxnet3 does not support reporting inner fields for LRO
tunnel packets. The issue is not seen for egress drivers that do not
use skb inner fields. The workaround is to enable tnl-segmentation
offload on the egress interfaces if the driver supports it. This
problem pre-exists this patch fix and can be addressed as a separate
future patch.
Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
Signed-off-by: Ronak Doshi <ronak.doshi@broadcom.com>
Acked-by: Guolin Yang <guolin.yang@broadcom.com>
Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com
[pabeni@redhat.com: dropped the changelog]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index da488cbb05428..8714e49004842 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1407,6 +1407,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb,
return (hlen + (hdr.tcp->doff << 2));
}
+static void
+vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto)
+{
+ struct udphdr *uh = NULL;
+
+ if (ip_proto == htons(ETH_P_IP)) {
+ struct iphdr *iph = (struct iphdr *)skb->data;
+
+ if (iph->protocol == IPPROTO_UDP)
+ uh = (struct udphdr *)(iph + 1);
+ } else {
+ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data;
+
+ if (iph->nexthdr == IPPROTO_UDP)
+ uh = (struct udphdr *)(iph + 1);
+ }
+ if (uh) {
+ if (uh->check)
+ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
+ else
+ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
+ }
+}
+
static int
vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
struct vmxnet3_adapter *adapter, int quota)
@@ -1663,6 +1687,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
if (segCnt != 0 && mss != 0) {
skb_shinfo(skb)->gso_type = rcd->v4 ?
SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
+ if (encap_lro)
+ vmxnet3_lro_tunnel(skb, skb->protocol);
skb_shinfo(skb)->gso_size = mss;
skb_shinfo(skb)->gso_segs = segCnt;
} else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 182/508] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 181/508] vmxnet3: correctly report gso type for UDP tunnels Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 183/508] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO Greg Kroah-Hartman
` (326 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Mario Limonciello,
Sasha Levin, Chris Bainbridge
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ]
Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete
set on errors") caused power.is_suspended to be set for devices with
power.direct_complete set, but it forgot to ensure the clearing of that
flag for them in device_resume(), so power.is_suspended is still set for
them during the next system suspend-resume cycle.
If that cycle is aborted in dpm_suspend(), the subsequent invocation of
dpm_resume() will trigger a device_resume() call for every device and
because power.is_suspended is set for the devices in question, they will
not be skipped by device_resume() as expected which causes scary error
messages to be logged (as appropriate).
To address this issue, move the clearing of power.is_suspended in
device_resume() immediately after the power.is_suspended check so it
will be always cleared for all devices processed by that function.
Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280
Reported-and-tested-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 343d3c966e7a7..baa31194cf20d 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -897,6 +897,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
if (!dev->power.is_suspended)
goto Complete;
+ dev->power.is_suspended = false;
+
if (dev->power.direct_complete) {
/* Match the pm_runtime_disable() in __device_suspend(). */
pm_runtime_enable(dev);
@@ -952,7 +954,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
End:
error = dpm_run_callback(callback, dev, state, info);
- dev->power.is_suspended = false;
device_unlock(dev);
dpm_watchdog_clear(&wd);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 183/508] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 182/508] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 184/508] netfilter: nf_set_pipapo_avx2: fix initial map fill Greg Kroah-Hartman
` (325 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Mina Almasry,
Simon Horman, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ]
gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
did not check for this case before dereferencing the returned pointer.
Add a missing NULL check to prevent a potential NULL pointer
dereference when allocation fails.
This improves robustness in low-memory scenarios.
Fixes: a57e5de476be ("gve: DQO: Add TX path")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
index eabed3deca763..e32d9967966bc 100644
--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -452,6 +452,9 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx,
int i;
pkt = gve_alloc_pending_packet(tx);
+ if (!pkt)
+ return -ENOMEM;
+
pkt->skb = skb;
pkt->num_bufs = 0;
completion_tag = pkt - tx->dqo.pending_packets;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 184/508] netfilter: nf_set_pipapo_avx2: fix initial map fill
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 183/508] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 185/508] wireguard: device: enable threaded NAPI Greg Kroah-Hartman
` (324 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Stefano Brivio,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ]
If the first field doesn't cover the entire start map, then we must zero
out the remainder, else we leak those bits into the next match round map.
The early fix was incomplete and did only fix up the generic C
implementation.
A followup patch adds a test case to nft_concat_range.sh.
Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index c15db28c5ebc4..be7c16c79f711 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1113,6 +1113,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features,
return true;
}
+/**
+ * pipapo_resmap_init_avx2() - Initialise result map before first use
+ * @m: Matching data, including mapping table
+ * @res_map: Result map
+ *
+ * Like pipapo_resmap_init() but do not set start map bits covered by the first field.
+ */
+static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map)
+{
+ const struct nft_pipapo_field *f = m->f;
+ int i;
+
+ /* Starting map doesn't need to be set to all-ones for this implementation,
+ * but we do need to zero the remaining bits, if any.
+ */
+ for (i = f->bsize; i < m->bsize_max; i++)
+ res_map[i] = 0ul;
+}
+
/**
* nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation
* @net: Network namespace
@@ -1171,7 +1190,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
res = scratch->map + (map_index ? m->bsize_max : 0);
fill = scratch->map + (map_index ? 0 : m->bsize_max);
- /* Starting map doesn't need to be set for this implementation */
+ pipapo_resmap_init_avx2(m, res);
nft_pipapo_avx2_prepare();
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 185/508] wireguard: device: enable threaded NAPI
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 184/508] netfilter: nf_set_pipapo_avx2: fix initial map fill Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 186/508] seg6: Fix validation of nexthop addresses Greg Kroah-Hartman
` (323 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mirco Barone, Jason A. Donenfeld,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mirco Barone <mirco.barone@polito.it>
[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ]
Enable threaded NAPI by default for WireGuard devices in response to low
performance behavior that we observed when multiple tunnels (and thus
multiple wg devices) are deployed on a single host. This affects any
kind of multi-tunnel deployment, regardless of whether the tunnels share
the same endpoints or not (i.e., a VPN concentrator type of gateway
would also be affected).
The problem is caused by the fact that, in case of a traffic surge that
involves multiple tunnels at the same time, the polling of the NAPI
instance of all these wg devices tends to converge onto the same core,
causing underutilization of the CPU and bottlenecking performance.
This happens because NAPI polling is hosted by default in softirq
context, but the WireGuard driver only raises this softirq after the rx
peer queue has been drained, which doesn't happen during high traffic.
In this case, the softirq already active on a core is reused instead of
raising a new one.
As a result, once two or more tunnel softirqs have been scheduled on
the same core, they remain pinned there until the surge ends.
In our experiments, this almost always leads to all tunnel NAPIs being
handled on a single core shortly after a surge begins, limiting
scalability to less than 3× the performance of a single tunnel, despite
plenty of unused CPU cores being available.
The proposed mitigation is to enable threaded NAPI for all WireGuard
devices. This moves the NAPI polling context to a dedicated per-device
kernel thread, allowing the scheduler to balance the load across all
available cores.
On our 32-core gateways, enabling threaded NAPI yields a ~4× performance
improvement with 16 tunnels, increasing throughput from ~13 Gbps to
~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck)
jumps from 20% to 100%.
We have found no performance regressions in any scenario we tested.
Single-tunnel throughput remains unchanged.
More details are available in our Netdev paper.
Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf
Signed-off-by: Mirco Barone <mirco.barone@polito.it>
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireguard/device.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
index 895a621c9e267..531332e169df8 100644
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -368,6 +368,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
if (ret < 0)
goto err_free_handshake_queue;
+ dev_set_threaded(dev, true);
ret = register_netdevice(dev);
if (ret < 0)
goto err_uninit_ratelimiter;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 186/508] seg6: Fix validation of nexthop addresses
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 185/508] wireguard: device: enable threaded NAPI Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 187/508] ASoC: codecs: hda: Fix RPM usage count underflow Greg Kroah-Hartman
` (322 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
David Ahern, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ]
The kernel currently validates that the length of the provided nexthop
address does not exceed the specified length. This can lead to the
kernel reading uninitialized memory if user space provided a shorter
length than the specified one.
Fix by validating that the provided length exactly matches the specified
one.
Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/seg6_local.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
index 33cb0381b5749..b7d9a68a265d7 100644
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -1250,10 +1250,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
[SEG6_LOCAL_SRH] = { .type = NLA_BINARY },
[SEG6_LOCAL_TABLE] = { .type = NLA_U32 },
[SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 },
- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY,
- .len = sizeof(struct in_addr) },
- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY,
- .len = sizeof(struct in6_addr) },
+ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
[SEG6_LOCAL_IIF] = { .type = NLA_U32 },
[SEG6_LOCAL_OIF] = { .type = NLA_U32 },
[SEG6_LOCAL_BPF] = { .type = NLA_NESTED },
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 187/508] ASoC: codecs: hda: Fix RPM usage count underflow
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 186/508] seg6: Fix validation of nexthop addresses Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 188/508] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX Greg Kroah-Hartman
` (321 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit ff0045de4ee0288dec683690f66f2f369b7d3466 ]
RPM manipulation in hda_codec_probe_complete()'s error path is
superfluous and leads to RPM usage count underflow if the
build-controls operation fails.
hda_codec_probe_complete() is called in:
1) hda_codec_probe() for all non-HDMI codecs
2) in card->late_probe() for HDMI codecs
Error path for hda_codec_probe() takes care of bus' RPM already.
For 2) if late_probe() fails, ASoC performs card cleanup what
triggers hda_codec_remote() - same treatment is in 1).
Fixes: b5df2a7dca1c ("ASoC: codecs: Add HD-Audio codec driver")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-2-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/hda.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/hda.c b/sound/soc/codecs/hda.c
index 61e8e9be6b8d7..bd81572a6775b 100644
--- a/sound/soc/codecs/hda.c
+++ b/sound/soc/codecs/hda.c
@@ -149,7 +149,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
ret = snd_hda_codec_build_controls(codec);
if (ret < 0) {
dev_err(&hdev->dev, "unable to create controls %d\n", ret);
- goto out;
+ return ret;
}
/* Bus suspended codecs as it does not manage their pm */
@@ -157,7 +157,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
/* rpm was forbidden in snd_hda_codec_device_new() */
snd_hda_codec_set_power_save(codec, 2000);
snd_hda_codec_register(codec);
-out:
+
/* Complement pm_runtime_get_sync(bus) in probe */
pm_runtime_mark_last_busy(bus->dev);
pm_runtime_put_autosuspend(bus->dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 188/508] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 187/508] ASoC: codecs: hda: Fix RPM usage count underflow Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 189/508] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) Greg Kroah-Hartman
` (320 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 9ad1f3cd0d60444c69948854c7e50d2a61b63755 ]
The procedure handling IPC timeouts and EXCEPTION_CAUGHT notification
shall cancel any D0IX work before proceeding with DSP recovery. If
SET_D0IX called from delayed_work is the failing IPC the procedure will
deadlock. Conditionally skip cancelling the work to fix that.
Fixes: 335c4cbd201d ("ASoC: Intel: avs: D0ix power state support")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-3-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/avs/ipc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
index 306f0dc4eaf58..2e76aba7338e8 100644
--- a/sound/soc/intel/avs/ipc.c
+++ b/sound/soc/intel/avs/ipc.c
@@ -169,7 +169,9 @@ static void avs_dsp_exception_caught(struct avs_dev *adev, union avs_notify_msg
dev_crit(adev->dev, "communication severed, rebooting dsp..\n");
- cancel_delayed_work_sync(&ipc->d0ix_work);
+ /* Avoid deadlock as the exception may be the response to SET_D0IX. */
+ if (current_work() != &ipc->d0ix_work.work)
+ cancel_delayed_work_sync(&ipc->d0ix_work);
ipc->in_d0ix = false;
/* Re-enabled on recovery completion. */
pm_runtime_disable(adev->dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 189/508] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 188/508] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 190/508] do_change_type(): refuse to operate on unmounted/not ours mounts Greg Kroah-Hartman
` (319 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ]
9ffb14ef61ba "move_mount: allow to add a mount into an existing group"
breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures
in question are actually documented.
Documentation/filesystem/sharedsubtree.rst:
All vfsmounts in a peer group have the same ->mnt_master. If it is
non-NULL, they form a contiguous (ordered) segment of slave list.
do_set_group() puts a mount into the same place in propagation graph
as the old one. As the result, if old mount gets events from somewhere
and is not a pure event sink, new one needs to be placed next to the
old one in the slave list the old one's on. If it is a pure event
sink, we only need to make sure the new one doesn't end up in the
middle of some peer group.
"move_mount: allow to add a mount into an existing group" ends up putting
the new one in the beginning of list; that's definitely not going to be
in the middle of anything, so that's fine for case when old is not marked
shared. In case when old one _is_ marked shared (i.e. is not a pure event
sink), that breaks the assumptions of propagation graph iterators.
Put the new mount next to the old one on the list - that does the right thing
in "old is marked shared" case and is just as correct as the current behaviour
if old is not marked shared (kudos to Pavel for pointing that out - my original
suggested fix changed behaviour in the "nor marked" case, which complicated
things for no good reason).
Reviewed-by: Christian Brauner <brauner@kernel.org>
Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 211a81240680d..65aa3495db6a1 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2809,7 +2809,7 @@ static int do_set_group(struct path *from_path, struct path *to_path)
if (IS_MNT_SLAVE(from)) {
struct mount *m = from->mnt_master;
- list_add(&to->mnt_slave, &m->mnt_slave_list);
+ list_add(&to->mnt_slave, &from->mnt_slave);
to->mnt_master = m;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 190/508] do_change_type(): refuse to operate on unmounted/not ours mounts
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 189/508] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 191/508] xfs: fix interval filtering in multi-step fsmap queries Greg Kroah-Hartman
` (318 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Orlando, Noah,
Al Viro, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ]
Ensure that propagation settings can only be changed for mounts located
in the caller's mount namespace. This change aligns permission checking
with the rest of mount(2).
Reviewed-by: Christian Brauner <brauner@kernel.org>
Fixes: 07b20889e305 ("beginning of the shared-subtree proper")
Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/namespace.c b/fs/namespace.c
index 65aa3495db6a1..aae1a77ac2d3f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2371,6 +2371,10 @@ static int do_change_type(struct path *path, int ms_flags)
return -EINVAL;
namespace_lock();
+ if (!check_mnt(mnt)) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
if (type == MS_SHARED) {
err = invent_group_ids(mnt, recurse);
if (err)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 191/508] xfs: fix interval filtering in multi-step fsmap queries
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 190/508] do_change_type(): refuse to operate on unmounted/not ours mounts Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 192/508] xfs: fix integer overflows in the fsmap rtbitmap and logdev backends Greg Kroah-Hartman
` (317 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 63ef7a35912dd743cabd65d5bb95891625c0dd46 ]
I noticed a bug in ranged GETFSMAP queries:
# xfs_io -c 'fsmap -vvvv' /opt
EXT: DEV BLOCK-RANGE OWNER FILE-OFFSET AG AG-OFFSET TOTAL
0: 8:80 [0..7]: static fs metadata 0 (0..7) 8
<snip>
9: 8:80 [192..223]: 137 0..31 0 (192..223) 32
# xfs_io -c 'fsmap -vvvv -d 208 208' /opt
#
That's not right -- we asked what block maps block 208, and we should've
received a mapping for inode 137 offset 16. Instead, we get nothing.
The root cause of this problem is a mis-interaction between the fsmap
code and how btree ranged queries work. xfs_btree_query_range returns
any btree record that overlaps with the query interval, even if the
record starts before or ends after the interval. Similarly, GETFSMAP is
supposed to return a recordset containing all records that overlap the
range queried.
However, it's possible that the recordset is larger than the buffer that
the caller provided to convey mappings to userspace. In /that/ case,
userspace is supposed to copy the last record returned to fmh_keys[0]
and call GETFSMAP again. In this case, we do not want to return
mappings that we have already supplied to the caller. The call to
xfs_btree_query_range is the same, but now we ignore any records that
start before fmh_keys[0].
Unfortunately, we didn't implement the filtering predicate correctly.
The predicate should only be called when we're calling back for more
records. Accomplish this by setting info->low.rm_blockcount to a
nonzero value and ensuring that it is cleared as necessary. As a
result, we no longer want to adjust dkeys[0] in the main setup function
because that's confusing.
This patch doesn't touch the logdev/rtbitmap backends because they have
bigger problems that will be addressed by subsequent patches.
Found via xfs/556 with parent pointers enabled.
Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 67 +++++++++++++++++++++++++++++++++-------------
1 file changed, 48 insertions(+), 19 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index a5b9754c62d1c..2011f1bf7ce0f 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -162,7 +162,14 @@ struct xfs_getfsmap_info {
xfs_daddr_t next_daddr; /* next daddr we expect */
u64 missing_owner; /* owner of holes */
u32 dev; /* device id */
- struct xfs_rmap_irec low; /* low rmap key */
+ /*
+ * Low rmap key for the query. If low.rm_blockcount is nonzero, this
+ * is the second (or later) call to retrieve the recordset in pieces.
+ * xfs_getfsmap_rec_before_start will compare all records retrieved
+ * by the rmapbt query to filter out any records that start before
+ * the last record.
+ */
+ struct xfs_rmap_irec low;
struct xfs_rmap_irec high; /* high rmap key */
bool last; /* last extent? */
};
@@ -237,6 +244,17 @@ xfs_getfsmap_format(
xfs_fsmap_from_internal(rec, xfm);
}
+static inline bool
+xfs_getfsmap_rec_before_start(
+ struct xfs_getfsmap_info *info,
+ const struct xfs_rmap_irec *rec,
+ xfs_daddr_t rec_daddr)
+{
+ if (info->low.rm_blockcount)
+ return xfs_rmap_compare(rec, &info->low) < 0;
+ return false;
+}
+
/*
* Format a reverse mapping for getfsmap, having translated rm_startblock
* into the appropriate daddr units.
@@ -260,7 +278,7 @@ xfs_getfsmap_helper(
* Filter out records that start before our startpoint, if the
* caller requested that.
*/
- if (xfs_rmap_compare(rec, &info->low) < 0) {
+ if (xfs_getfsmap_rec_before_start(info, rec, rec_daddr)) {
rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount);
if (info->next_daddr < rec_daddr)
info->next_daddr = rec_daddr;
@@ -606,9 +624,27 @@ __xfs_getfsmap_datadev(
error = xfs_fsmap_owner_to_rmap(&info->low, &keys[0]);
if (error)
return error;
- info->low.rm_blockcount = 0;
+ info->low.rm_blockcount = XFS_BB_TO_FSBT(mp, keys[0].fmr_length);
xfs_getfsmap_set_irec_flags(&info->low, &keys[0]);
+ /* Adjust the low key if we are continuing from where we left off. */
+ if (info->low.rm_blockcount == 0) {
+ /* empty */
+ } else if (XFS_RMAP_NON_INODE_OWNER(info->low.rm_owner) ||
+ (info->low.rm_flags & (XFS_RMAP_ATTR_FORK |
+ XFS_RMAP_BMBT_BLOCK |
+ XFS_RMAP_UNWRITTEN))) {
+ info->low.rm_startblock += info->low.rm_blockcount;
+ info->low.rm_owner = 0;
+ info->low.rm_offset = 0;
+
+ start_fsb += info->low.rm_blockcount;
+ if (XFS_FSB_TO_DADDR(mp, start_fsb) >= eofs)
+ return 0;
+ } else {
+ info->low.rm_offset += info->low.rm_blockcount;
+ }
+
info->high.rm_startblock = -1U;
info->high.rm_owner = ULLONG_MAX;
info->high.rm_offset = ULLONG_MAX;
@@ -659,12 +695,8 @@ __xfs_getfsmap_datadev(
* Set the AG low key to the start of the AG prior to
* moving on to the next AG.
*/
- if (pag->pag_agno == start_ag) {
- info->low.rm_startblock = 0;
- info->low.rm_owner = 0;
- info->low.rm_offset = 0;
- info->low.rm_flags = 0;
- }
+ if (pag->pag_agno == start_ag)
+ memset(&info->low, 0, sizeof(info->low));
/*
* If this is the last AG, report any gap at the end of it
@@ -901,21 +933,17 @@ xfs_getfsmap(
* blocks could be mapped to several other files/offsets.
* According to rmapbt record ordering, the minimal next
* possible record for the block range is the next starting
- * offset in the same inode. Therefore, bump the file offset to
- * continue the search appropriately. For all other low key
- * mapping types (attr blocks, metadata), bump the physical
- * offset as there can be no other mapping for the same physical
- * block range.
+ * offset in the same inode. Therefore, each fsmap backend bumps
+ * the file offset to continue the search appropriately. For
+ * all other low key mapping types (attr blocks, metadata), each
+ * fsmap backend bumps the physical offset as there can be no
+ * other mapping for the same physical block range.
*/
dkeys[0] = head->fmh_keys[0];
if (dkeys[0].fmr_flags & (FMR_OF_SPECIAL_OWNER | FMR_OF_EXTENT_MAP)) {
- dkeys[0].fmr_physical += dkeys[0].fmr_length;
- dkeys[0].fmr_owner = 0;
if (dkeys[0].fmr_offset)
return -EINVAL;
- } else
- dkeys[0].fmr_offset += dkeys[0].fmr_length;
- dkeys[0].fmr_length = 0;
+ }
memset(&dkeys[1], 0xFF, sizeof(struct xfs_fsmap));
if (!xfs_getfsmap_check_keys(dkeys, &head->fmh_keys[1]))
@@ -960,6 +988,7 @@ xfs_getfsmap(
info.dev = handlers[i].dev;
info.last = false;
info.pag = NULL;
+ info.low.rm_blockcount = 0;
error = handlers[i].fn(tp, dkeys, &info);
if (error)
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 192/508] xfs: fix integer overflows in the fsmap rtbitmap and logdev backends
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 191/508] xfs: fix interval filtering in multi-step fsmap queries Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 193/508] xfs: fix getfsmap reporting past the last rt extent Greg Kroah-Hartman
` (316 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 7975aba19cba4eba7ff60410f9294c90edc96dcf ]
It's not correct to use the rmap irec structure to hold query key
information to query the rtbitmap because the realtime volume can be
longer than 2^32 fsblocks in length. Because the rt volume doesn't have
allocation groups, introduce a daddr-based record filtering algorithm
and compute the rtextent values using 64-bit variables. The same
problem exists in the external log device fsmap implementation, so use
the same solution to fix it too.
After this patch, all the code that touches info->low and info->high
under xfs_getfsmap_logdev and __xfs_getfsmap_rtdev are unnecessary.
Cleaning this up will be done in subsequent patches.
Fixes: 4c934c7dd60c ("xfs: report realtime space information via the rtbitmap")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 90 ++++++++++++++++++++++++++++++++--------------
1 file changed, 64 insertions(+), 26 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 2011f1bf7ce0f..5039d330ef98b 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -160,6 +160,8 @@ struct xfs_getfsmap_info {
struct xfs_buf *agf_bp; /* AGF, for refcount queries */
struct xfs_perag *pag; /* AG info, if applicable */
xfs_daddr_t next_daddr; /* next daddr we expect */
+ /* daddr of low fsmap key when we're using the rtbitmap */
+ xfs_daddr_t low_daddr;
u64 missing_owner; /* owner of holes */
u32 dev; /* device id */
/*
@@ -250,6 +252,8 @@ xfs_getfsmap_rec_before_start(
const struct xfs_rmap_irec *rec,
xfs_daddr_t rec_daddr)
{
+ if (info->low_daddr != -1ULL)
+ return rec_daddr < info->low_daddr;
if (info->low.rm_blockcount)
return xfs_rmap_compare(rec, &info->low) < 0;
return false;
@@ -257,14 +261,16 @@ xfs_getfsmap_rec_before_start(
/*
* Format a reverse mapping for getfsmap, having translated rm_startblock
- * into the appropriate daddr units.
+ * into the appropriate daddr units. Pass in a nonzero @len_daddr if the
+ * length could be larger than rm_blockcount in struct xfs_rmap_irec.
*/
STATIC int
xfs_getfsmap_helper(
struct xfs_trans *tp,
struct xfs_getfsmap_info *info,
const struct xfs_rmap_irec *rec,
- xfs_daddr_t rec_daddr)
+ xfs_daddr_t rec_daddr,
+ xfs_daddr_t len_daddr)
{
struct xfs_fsmap fmr;
struct xfs_mount *mp = tp->t_mountp;
@@ -274,12 +280,15 @@ xfs_getfsmap_helper(
if (fatal_signal_pending(current))
return -EINTR;
+ if (len_daddr == 0)
+ len_daddr = XFS_FSB_TO_BB(mp, rec->rm_blockcount);
+
/*
* Filter out records that start before our startpoint, if the
* caller requested that.
*/
if (xfs_getfsmap_rec_before_start(info, rec, rec_daddr)) {
- rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount);
+ rec_daddr += len_daddr;
if (info->next_daddr < rec_daddr)
info->next_daddr = rec_daddr;
return 0;
@@ -298,7 +307,7 @@ xfs_getfsmap_helper(
info->head->fmh_entries++;
- rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount);
+ rec_daddr += len_daddr;
if (info->next_daddr < rec_daddr)
info->next_daddr = rec_daddr;
return 0;
@@ -338,7 +347,7 @@ xfs_getfsmap_helper(
if (error)
return error;
fmr.fmr_offset = XFS_FSB_TO_BB(mp, rec->rm_offset);
- fmr.fmr_length = XFS_FSB_TO_BB(mp, rec->rm_blockcount);
+ fmr.fmr_length = len_daddr;
if (rec->rm_flags & XFS_RMAP_UNWRITTEN)
fmr.fmr_flags |= FMR_OF_PREALLOC;
if (rec->rm_flags & XFS_RMAP_ATTR_FORK)
@@ -355,7 +364,7 @@ xfs_getfsmap_helper(
xfs_getfsmap_format(mp, &fmr, info);
out:
- rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount);
+ rec_daddr += len_daddr;
if (info->next_daddr < rec_daddr)
info->next_daddr = rec_daddr;
return 0;
@@ -376,7 +385,7 @@ xfs_getfsmap_datadev_helper(
fsb = XFS_AGB_TO_FSB(mp, cur->bc_ag.pag->pag_agno, rec->rm_startblock);
rec_daddr = XFS_FSB_TO_DADDR(mp, fsb);
- return xfs_getfsmap_helper(cur->bc_tp, info, rec, rec_daddr);
+ return xfs_getfsmap_helper(cur->bc_tp, info, rec, rec_daddr, 0);
}
/* Transform a bnobt irec into a fsmap */
@@ -400,7 +409,7 @@ xfs_getfsmap_datadev_bnobt_helper(
irec.rm_offset = 0;
irec.rm_flags = 0;
- return xfs_getfsmap_helper(cur->bc_tp, info, &irec, rec_daddr);
+ return xfs_getfsmap_helper(cur->bc_tp, info, &irec, rec_daddr, 0);
}
/* Set rmap flags based on the getfsmap flags */
@@ -427,9 +436,13 @@ xfs_getfsmap_logdev(
{
struct xfs_mount *mp = tp->t_mountp;
struct xfs_rmap_irec rmap;
+ xfs_daddr_t rec_daddr, len_daddr;
+ xfs_fsblock_t start_fsb;
int error;
/* Set up search keys */
+ start_fsb = XFS_BB_TO_FSBT(mp,
+ keys[0].fmr_physical + keys[0].fmr_length);
info->low.rm_startblock = XFS_BB_TO_FSBT(mp, keys[0].fmr_physical);
info->low.rm_offset = XFS_BB_TO_FSBT(mp, keys[0].fmr_offset);
error = xfs_fsmap_owner_to_rmap(&info->low, keys);
@@ -438,6 +451,10 @@ xfs_getfsmap_logdev(
info->low.rm_blockcount = 0;
xfs_getfsmap_set_irec_flags(&info->low, &keys[0]);
+ /* Adjust the low key if we are continuing from where we left off. */
+ if (keys[0].fmr_length > 0)
+ info->low_daddr = XFS_FSB_TO_BB(mp, start_fsb);
+
error = xfs_fsmap_owner_to_rmap(&info->high, keys + 1);
if (error)
return error;
@@ -451,7 +468,7 @@ xfs_getfsmap_logdev(
trace_xfs_fsmap_low_key(mp, info->dev, NULLAGNUMBER, &info->low);
trace_xfs_fsmap_high_key(mp, info->dev, NULLAGNUMBER, &info->high);
- if (keys[0].fmr_physical > 0)
+ if (start_fsb > 0)
return 0;
/* Fabricate an rmap entry for the external log device. */
@@ -461,7 +478,9 @@ xfs_getfsmap_logdev(
rmap.rm_offset = 0;
rmap.rm_flags = 0;
- return xfs_getfsmap_helper(tp, info, &rmap, 0);
+ rec_daddr = XFS_FSB_TO_BB(mp, rmap.rm_startblock);
+ len_daddr = XFS_FSB_TO_BB(mp, rmap.rm_blockcount);
+ return xfs_getfsmap_helper(tp, info, &rmap, rec_daddr, len_daddr);
}
#ifdef CONFIG_XFS_RT
@@ -475,16 +494,22 @@ xfs_getfsmap_rtdev_rtbitmap_helper(
{
struct xfs_getfsmap_info *info = priv;
struct xfs_rmap_irec irec;
- xfs_daddr_t rec_daddr;
+ xfs_rtblock_t rtbno;
+ xfs_daddr_t rec_daddr, len_daddr;
+
+ rtbno = rec->ar_startext * mp->m_sb.sb_rextsize;
+ rec_daddr = XFS_FSB_TO_BB(mp, rtbno);
+ irec.rm_startblock = rtbno;
+
+ rtbno = rec->ar_extcount * mp->m_sb.sb_rextsize;
+ len_daddr = XFS_FSB_TO_BB(mp, rtbno);
+ irec.rm_blockcount = rtbno;
- irec.rm_startblock = rec->ar_startext * mp->m_sb.sb_rextsize;
- rec_daddr = XFS_FSB_TO_BB(mp, irec.rm_startblock);
- irec.rm_blockcount = rec->ar_extcount * mp->m_sb.sb_rextsize;
irec.rm_owner = XFS_RMAP_OWN_NULL; /* "free" */
irec.rm_offset = 0;
irec.rm_flags = 0;
- return xfs_getfsmap_helper(tp, info, &irec, rec_daddr);
+ return xfs_getfsmap_helper(tp, info, &irec, rec_daddr, len_daddr);
}
/* Execute a getfsmap query against the realtime device. */
@@ -493,23 +518,26 @@ __xfs_getfsmap_rtdev(
struct xfs_trans *tp,
const struct xfs_fsmap *keys,
int (*query_fn)(struct xfs_trans *,
- struct xfs_getfsmap_info *),
+ struct xfs_getfsmap_info *,
+ xfs_rtblock_t start_rtb,
+ xfs_rtblock_t end_rtb),
struct xfs_getfsmap_info *info)
{
struct xfs_mount *mp = tp->t_mountp;
- xfs_fsblock_t start_fsb;
- xfs_fsblock_t end_fsb;
+ xfs_rtblock_t start_rtb;
+ xfs_rtblock_t end_rtb;
uint64_t eofs;
int error = 0;
eofs = XFS_FSB_TO_BB(mp, mp->m_sb.sb_rblocks);
if (keys[0].fmr_physical >= eofs)
return 0;
- start_fsb = XFS_BB_TO_FSBT(mp, keys[0].fmr_physical);
- end_fsb = XFS_BB_TO_FSB(mp, min(eofs - 1, keys[1].fmr_physical));
+ start_rtb = XFS_BB_TO_FSBT(mp,
+ keys[0].fmr_physical + keys[0].fmr_length);
+ end_rtb = XFS_BB_TO_FSB(mp, min(eofs - 1, keys[1].fmr_physical));
/* Set up search keys */
- info->low.rm_startblock = start_fsb;
+ info->low.rm_startblock = start_rtb;
error = xfs_fsmap_owner_to_rmap(&info->low, &keys[0]);
if (error)
return error;
@@ -517,7 +545,14 @@ __xfs_getfsmap_rtdev(
info->low.rm_blockcount = 0;
xfs_getfsmap_set_irec_flags(&info->low, &keys[0]);
- info->high.rm_startblock = end_fsb;
+ /* Adjust the low key if we are continuing from where we left off. */
+ if (keys[0].fmr_length > 0) {
+ info->low_daddr = XFS_FSB_TO_BB(mp, start_rtb);
+ if (info->low_daddr >= eofs)
+ return 0;
+ }
+
+ info->high.rm_startblock = end_rtb;
error = xfs_fsmap_owner_to_rmap(&info->high, &keys[1]);
if (error)
return error;
@@ -528,14 +563,16 @@ __xfs_getfsmap_rtdev(
trace_xfs_fsmap_low_key(mp, info->dev, NULLAGNUMBER, &info->low);
trace_xfs_fsmap_high_key(mp, info->dev, NULLAGNUMBER, &info->high);
- return query_fn(tp, info);
+ return query_fn(tp, info, start_rtb, end_rtb);
}
/* Actually query the realtime bitmap. */
STATIC int
xfs_getfsmap_rtdev_rtbitmap_query(
struct xfs_trans *tp,
- struct xfs_getfsmap_info *info)
+ struct xfs_getfsmap_info *info,
+ xfs_rtblock_t start_rtb,
+ xfs_rtblock_t end_rtb)
{
struct xfs_rtalloc_rec alow = { 0 };
struct xfs_rtalloc_rec ahigh = { 0 };
@@ -548,8 +585,8 @@ xfs_getfsmap_rtdev_rtbitmap_query(
* Set up query parameters to return free rtextents covering the range
* we want.
*/
- alow.ar_startext = info->low.rm_startblock;
- ahigh.ar_startext = info->high.rm_startblock;
+ alow.ar_startext = start_rtb;
+ ahigh.ar_startext = end_rtb;
do_div(alow.ar_startext, mp->m_sb.sb_rextsize);
if (do_div(ahigh.ar_startext, mp->m_sb.sb_rextsize))
ahigh.ar_startext++;
@@ -988,6 +1025,7 @@ xfs_getfsmap(
info.dev = handlers[i].dev;
info.last = false;
info.pag = NULL;
+ info.low_daddr = -1ULL;
info.low.rm_blockcount = 0;
error = handlers[i].fn(tp, dkeys, &info);
if (error)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 193/508] xfs: fix getfsmap reporting past the last rt extent
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 192/508] xfs: fix integer overflows in the fsmap rtbitmap and logdev backends Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 194/508] xfs: clean up the rtbitmap fsmap backend Greg Kroah-Hartman
` (315 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit d898137d789cac9ebe5eed9957e4cf25122ca524 ]
The realtime section ends at the last rt extent. If the user configures
the rt geometry with an extent size that is not an integer factor of the
number of rt blocks, it's possible for there to be rt blocks past the
end of the last rt extent. These tail blocks cannot ever be allocated
and will cause corruption reports if the last extent coincides with the
end of an rt bitmap block, so do not report consider them for the
GETFSMAP output.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 5039d330ef98b..7b72992c14d94 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -529,7 +529,7 @@ __xfs_getfsmap_rtdev(
uint64_t eofs;
int error = 0;
- eofs = XFS_FSB_TO_BB(mp, mp->m_sb.sb_rblocks);
+ eofs = XFS_FSB_TO_BB(mp, mp->m_sb.sb_rextents * mp->m_sb.sb_rextsize);
if (keys[0].fmr_physical >= eofs)
return 0;
start_rtb = XFS_BB_TO_FSBT(mp,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 194/508] xfs: clean up the rtbitmap fsmap backend
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 193/508] xfs: fix getfsmap reporting past the last rt extent Greg Kroah-Hartman
@ 2025-06-23 13:03 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 195/508] xfs: fix logdev fsmap query result filtering Greg Kroah-Hartman
` (314 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit f045dd00328d78f25d64913285f4547f772d13e2 ]
The rtbitmap fsmap backend doesn't query the rmapbt, so it's wasteful to
spend time initializing the rmap_irec objects. Worse yet, the logic to
query the rtbitmap is spread across three separate functions, which is
unnecessarily difficult to follow.
Compute the start rtextent that we want from keys[0] directly and
combine the functions to avoid passing parameters around everywhere, and
consolidate all the logic into a single function. At one point many
years ago I intended to use __xfs_getfsmap_rtdev as the launching point
for realtime rmapbt queries, but this hasn't been the case for a long
time.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 62 +++++++---------------------------------------
fs/xfs/xfs_trace.h | 25 +++++++++++++++++++
2 files changed, 34 insertions(+), 53 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 7b72992c14d94..202f162515bd5 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -512,22 +512,21 @@ xfs_getfsmap_rtdev_rtbitmap_helper(
return xfs_getfsmap_helper(tp, info, &irec, rec_daddr, len_daddr);
}
-/* Execute a getfsmap query against the realtime device. */
+/* Execute a getfsmap query against the realtime device rtbitmap. */
STATIC int
-__xfs_getfsmap_rtdev(
+xfs_getfsmap_rtdev_rtbitmap(
struct xfs_trans *tp,
const struct xfs_fsmap *keys,
- int (*query_fn)(struct xfs_trans *,
- struct xfs_getfsmap_info *,
- xfs_rtblock_t start_rtb,
- xfs_rtblock_t end_rtb),
struct xfs_getfsmap_info *info)
{
+
+ struct xfs_rtalloc_rec alow = { 0 };
+ struct xfs_rtalloc_rec ahigh = { 0 };
struct xfs_mount *mp = tp->t_mountp;
xfs_rtblock_t start_rtb;
xfs_rtblock_t end_rtb;
uint64_t eofs;
- int error = 0;
+ int error;
eofs = XFS_FSB_TO_BB(mp, mp->m_sb.sb_rextents * mp->m_sb.sb_rextsize);
if (keys[0].fmr_physical >= eofs)
@@ -536,14 +535,7 @@ __xfs_getfsmap_rtdev(
keys[0].fmr_physical + keys[0].fmr_length);
end_rtb = XFS_BB_TO_FSB(mp, min(eofs - 1, keys[1].fmr_physical));
- /* Set up search keys */
- info->low.rm_startblock = start_rtb;
- error = xfs_fsmap_owner_to_rmap(&info->low, &keys[0]);
- if (error)
- return error;
- info->low.rm_offset = XFS_BB_TO_FSBT(mp, keys[0].fmr_offset);
- info->low.rm_blockcount = 0;
- xfs_getfsmap_set_irec_flags(&info->low, &keys[0]);
+ info->missing_owner = XFS_FMR_OWN_UNKNOWN;
/* Adjust the low key if we are continuing from where we left off. */
if (keys[0].fmr_length > 0) {
@@ -552,32 +544,8 @@ __xfs_getfsmap_rtdev(
return 0;
}
- info->high.rm_startblock = end_rtb;
- error = xfs_fsmap_owner_to_rmap(&info->high, &keys[1]);
- if (error)
- return error;
- info->high.rm_offset = XFS_BB_TO_FSBT(mp, keys[1].fmr_offset);
- info->high.rm_blockcount = 0;
- xfs_getfsmap_set_irec_flags(&info->high, &keys[1]);
-
- trace_xfs_fsmap_low_key(mp, info->dev, NULLAGNUMBER, &info->low);
- trace_xfs_fsmap_high_key(mp, info->dev, NULLAGNUMBER, &info->high);
-
- return query_fn(tp, info, start_rtb, end_rtb);
-}
-
-/* Actually query the realtime bitmap. */
-STATIC int
-xfs_getfsmap_rtdev_rtbitmap_query(
- struct xfs_trans *tp,
- struct xfs_getfsmap_info *info,
- xfs_rtblock_t start_rtb,
- xfs_rtblock_t end_rtb)
-{
- struct xfs_rtalloc_rec alow = { 0 };
- struct xfs_rtalloc_rec ahigh = { 0 };
- struct xfs_mount *mp = tp->t_mountp;
- int error;
+ trace_xfs_fsmap_low_key_linear(mp, info->dev, start_rtb);
+ trace_xfs_fsmap_high_key_linear(mp, info->dev, end_rtb);
xfs_ilock(mp->m_rbmip, XFS_ILOCK_SHARED);
@@ -609,18 +577,6 @@ xfs_getfsmap_rtdev_rtbitmap_query(
xfs_iunlock(mp->m_rbmip, XFS_ILOCK_SHARED);
return error;
}
-
-/* Execute a getfsmap query against the realtime device rtbitmap. */
-STATIC int
-xfs_getfsmap_rtdev_rtbitmap(
- struct xfs_trans *tp,
- const struct xfs_fsmap *keys,
- struct xfs_getfsmap_info *info)
-{
- info->missing_owner = XFS_FMR_OWN_UNKNOWN;
- return __xfs_getfsmap_rtdev(tp, keys, xfs_getfsmap_rtdev_rtbitmap_query,
- info);
-}
#endif /* CONFIG_XFS_RT */
/* Execute a getfsmap query against the regular data device. */
diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
index 20e2ec8b73aa8..a9e3081b6625d 100644
--- a/fs/xfs/xfs_trace.h
+++ b/fs/xfs/xfs_trace.h
@@ -3491,6 +3491,31 @@ DEFINE_FSMAP_EVENT(xfs_fsmap_low_key);
DEFINE_FSMAP_EVENT(xfs_fsmap_high_key);
DEFINE_FSMAP_EVENT(xfs_fsmap_mapping);
+DECLARE_EVENT_CLASS(xfs_fsmap_linear_class,
+ TP_PROTO(struct xfs_mount *mp, u32 keydev, uint64_t bno),
+ TP_ARGS(mp, keydev, bno),
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(dev_t, keydev)
+ __field(xfs_fsblock_t, bno)
+ ),
+ TP_fast_assign(
+ __entry->dev = mp->m_super->s_dev;
+ __entry->keydev = new_decode_dev(keydev);
+ __entry->bno = bno;
+ ),
+ TP_printk("dev %d:%d keydev %d:%d bno 0x%llx",
+ MAJOR(__entry->dev), MINOR(__entry->dev),
+ MAJOR(__entry->keydev), MINOR(__entry->keydev),
+ __entry->bno)
+)
+#define DEFINE_FSMAP_LINEAR_EVENT(name) \
+DEFINE_EVENT(xfs_fsmap_linear_class, name, \
+ TP_PROTO(struct xfs_mount *mp, u32 keydev, uint64_t bno), \
+ TP_ARGS(mp, keydev, bno))
+DEFINE_FSMAP_LINEAR_EVENT(xfs_fsmap_low_key_linear);
+DEFINE_FSMAP_LINEAR_EVENT(xfs_fsmap_high_key_linear);
+
DECLARE_EVENT_CLASS(xfs_getfsmap_class,
TP_PROTO(struct xfs_mount *mp, struct xfs_fsmap *fsmap),
TP_ARGS(mp, fsmap),
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 195/508] xfs: fix logdev fsmap query result filtering
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-06-23 13:03 ` [PATCH 6.1 194/508] xfs: clean up the rtbitmap fsmap backend Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 196/508] xfs: validate fsmap offsets specified in the query keys Greg Kroah-Hartman
` (313 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit a949a1c2a198e048630a8b0741a99b85a5d88136 ]
The external log device fsmap backend doesn't have an rmapbt to query,
so it's wasteful to spend time initializing the rmap_irec objects.
Worse yet, the log could (someday) be longer than 2^32 fsblocks, so
using the rmap irec structure will result in integer overflows.
Fix this mess by computing the start address that we want from keys[0]
directly, and use the daddr-based record filtering algorithm that we
also use for rtbitmap queries.
Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 30 ++++++++----------------------
1 file changed, 8 insertions(+), 22 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 202f162515bd5..cdd806d80b7cf 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -437,36 +437,22 @@ xfs_getfsmap_logdev(
struct xfs_mount *mp = tp->t_mountp;
struct xfs_rmap_irec rmap;
xfs_daddr_t rec_daddr, len_daddr;
- xfs_fsblock_t start_fsb;
- int error;
+ xfs_fsblock_t start_fsb, end_fsb;
+ uint64_t eofs;
- /* Set up search keys */
+ eofs = XFS_FSB_TO_BB(mp, mp->m_sb.sb_logblocks);
+ if (keys[0].fmr_physical >= eofs)
+ return 0;
start_fsb = XFS_BB_TO_FSBT(mp,
keys[0].fmr_physical + keys[0].fmr_length);
- info->low.rm_startblock = XFS_BB_TO_FSBT(mp, keys[0].fmr_physical);
- info->low.rm_offset = XFS_BB_TO_FSBT(mp, keys[0].fmr_offset);
- error = xfs_fsmap_owner_to_rmap(&info->low, keys);
- if (error)
- return error;
- info->low.rm_blockcount = 0;
- xfs_getfsmap_set_irec_flags(&info->low, &keys[0]);
+ end_fsb = XFS_BB_TO_FSB(mp, min(eofs - 1, keys[1].fmr_physical));
/* Adjust the low key if we are continuing from where we left off. */
if (keys[0].fmr_length > 0)
info->low_daddr = XFS_FSB_TO_BB(mp, start_fsb);
- error = xfs_fsmap_owner_to_rmap(&info->high, keys + 1);
- if (error)
- return error;
- info->high.rm_startblock = -1U;
- info->high.rm_owner = ULLONG_MAX;
- info->high.rm_offset = ULLONG_MAX;
- info->high.rm_blockcount = 0;
- info->high.rm_flags = XFS_RMAP_KEY_FLAGS | XFS_RMAP_REC_FLAGS;
- info->missing_owner = XFS_FMR_OWN_FREE;
-
- trace_xfs_fsmap_low_key(mp, info->dev, NULLAGNUMBER, &info->low);
- trace_xfs_fsmap_high_key(mp, info->dev, NULLAGNUMBER, &info->high);
+ trace_xfs_fsmap_low_key_linear(mp, info->dev, start_fsb);
+ trace_xfs_fsmap_high_key_linear(mp, info->dev, end_fsb);
if (start_fsb > 0)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 196/508] xfs: validate fsmap offsets specified in the query keys
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 195/508] xfs: fix logdev fsmap query result filtering Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 197/508] xfs: fix xfs_btree_query_range callers to initialize btree rec fully Greg Kroah-Hartman
` (312 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 3ee9351e74907fe3acb0721c315af25b05dc87da ]
Improve the validation of the fsmap offset fields in the query keys and
move the validation to the top of the function now that we have pushed
the low key adjustment code downwards.
Also fix some indenting issues that aren't worth a separate patch.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index cdd806d80b7cf..d10f2c719220d 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -802,6 +802,19 @@ xfs_getfsmap_check_keys(
struct xfs_fsmap *low_key,
struct xfs_fsmap *high_key)
{
+ if (low_key->fmr_flags & (FMR_OF_SPECIAL_OWNER | FMR_OF_EXTENT_MAP)) {
+ if (low_key->fmr_offset)
+ return false;
+ }
+ if (high_key->fmr_flags != -1U &&
+ (high_key->fmr_flags & (FMR_OF_SPECIAL_OWNER |
+ FMR_OF_EXTENT_MAP))) {
+ if (high_key->fmr_offset && high_key->fmr_offset != -1ULL)
+ return false;
+ }
+ if (high_key->fmr_length && high_key->fmr_length != -1ULL)
+ return false;
+
if (low_key->fmr_device > high_key->fmr_device)
return false;
if (low_key->fmr_device < high_key->fmr_device)
@@ -845,15 +858,15 @@ xfs_getfsmap_check_keys(
* ----------------
* There are multiple levels of keys and counters at work here:
* xfs_fsmap_head.fmh_keys -- low and high fsmap keys passed in;
- * these reflect fs-wide sector addrs.
+ * these reflect fs-wide sector addrs.
* dkeys -- fmh_keys used to query each device;
- * these are fmh_keys but w/ the low key
- * bumped up by fmr_length.
+ * these are fmh_keys but w/ the low key
+ * bumped up by fmr_length.
* xfs_getfsmap_info.next_daddr -- next disk addr we expect to see; this
* is how we detect gaps in the fsmap
records and report them.
* xfs_getfsmap_info.low/high -- per-AG low/high keys computed from
- * dkeys; used to query the metadata.
+ * dkeys; used to query the metadata.
*/
int
xfs_getfsmap(
@@ -874,6 +887,8 @@ xfs_getfsmap(
if (!xfs_getfsmap_is_valid_device(mp, &head->fmh_keys[0]) ||
!xfs_getfsmap_is_valid_device(mp, &head->fmh_keys[1]))
return -EINVAL;
+ if (!xfs_getfsmap_check_keys(&head->fmh_keys[0], &head->fmh_keys[1]))
+ return -EINVAL;
use_rmap = xfs_has_rmapbt(mp) &&
has_capability_noaudit(current, CAP_SYS_ADMIN);
@@ -919,15 +934,8 @@ xfs_getfsmap(
* other mapping for the same physical block range.
*/
dkeys[0] = head->fmh_keys[0];
- if (dkeys[0].fmr_flags & (FMR_OF_SPECIAL_OWNER | FMR_OF_EXTENT_MAP)) {
- if (dkeys[0].fmr_offset)
- return -EINVAL;
- }
memset(&dkeys[1], 0xFF, sizeof(struct xfs_fsmap));
- if (!xfs_getfsmap_check_keys(dkeys, &head->fmh_keys[1]))
- return -EINVAL;
-
info.next_daddr = head->fmh_keys[0].fmr_physical +
head->fmh_keys[0].fmr_length;
info.fsmap_recs = fsmap_recs;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 197/508] xfs: fix xfs_btree_query_range callers to initialize btree rec fully
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 196/508] xfs: validate fsmap offsets specified in the query keys Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 198/508] xfs: fix an agbno overflow in __xfs_getfsmap_datadev Greg Kroah-Hartman
` (311 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Dave Chinner,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 75dc0345312221971903b2e28279b7e24b7dbb1b ]
Use struct initializers to ensure that the xfs_btree_irecs passed into
the query_range function are completely initialized. No functional
changes, just closing some sloppy hygiene.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/libxfs/xfs_alloc.c | 10 +++-------
fs/xfs/libxfs/xfs_refcount.c | 13 +++++++------
fs/xfs/libxfs/xfs_rmap.c | 10 +++-------
3 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
index c08265f191368..cd5b197d70464 100644
--- a/fs/xfs/libxfs/xfs_alloc.c
+++ b/fs/xfs/libxfs/xfs_alloc.c
@@ -3545,15 +3545,11 @@ xfs_alloc_query_range(
xfs_alloc_query_range_fn fn,
void *priv)
{
- union xfs_btree_irec low_brec;
- union xfs_btree_irec high_brec;
- struct xfs_alloc_query_range_info query;
+ union xfs_btree_irec low_brec = { .a = *low_rec };
+ union xfs_btree_irec high_brec = { .a = *high_rec };
+ struct xfs_alloc_query_range_info query = { .priv = priv, .fn = fn };
ASSERT(cur->bc_btnum == XFS_BTNUM_BNO);
- low_brec.a = *low_rec;
- high_brec.a = *high_rec;
- query.priv = priv;
- query.fn = fn;
return xfs_btree_query_range(cur, &low_brec, &high_brec,
xfs_alloc_query_range_helper, &query);
}
diff --git a/fs/xfs/libxfs/xfs_refcount.c b/fs/xfs/libxfs/xfs_refcount.c
index 4ec7a81dd3eff..7e16e76fd2e18 100644
--- a/fs/xfs/libxfs/xfs_refcount.c
+++ b/fs/xfs/libxfs/xfs_refcount.c
@@ -1903,8 +1903,13 @@ xfs_refcount_recover_cow_leftovers(
struct xfs_buf *agbp;
struct xfs_refcount_recovery *rr, *n;
struct list_head debris;
- union xfs_btree_irec low;
- union xfs_btree_irec high;
+ union xfs_btree_irec low = {
+ .rc.rc_domain = XFS_REFC_DOMAIN_COW,
+ };
+ union xfs_btree_irec high = {
+ .rc.rc_domain = XFS_REFC_DOMAIN_COW,
+ .rc.rc_startblock = -1U,
+ };
xfs_fsblock_t fsb;
int error;
@@ -1935,10 +1940,6 @@ xfs_refcount_recover_cow_leftovers(
cur = xfs_refcountbt_init_cursor(mp, tp, agbp, pag);
/* Find all the leftover CoW staging extents. */
- memset(&low, 0, sizeof(low));
- memset(&high, 0, sizeof(high));
- low.rc.rc_domain = high.rc.rc_domain = XFS_REFC_DOMAIN_COW;
- high.rc.rc_startblock = -1U;
error = xfs_btree_query_range(cur, &low, &high,
xfs_refcount_recover_extent, &debris);
xfs_btree_del_cursor(cur, error);
diff --git a/fs/xfs/libxfs/xfs_rmap.c b/fs/xfs/libxfs/xfs_rmap.c
index b56aca1e7c66c..95d3599561cea 100644
--- a/fs/xfs/libxfs/xfs_rmap.c
+++ b/fs/xfs/libxfs/xfs_rmap.c
@@ -2337,14 +2337,10 @@ xfs_rmap_query_range(
xfs_rmap_query_range_fn fn,
void *priv)
{
- union xfs_btree_irec low_brec;
- union xfs_btree_irec high_brec;
- struct xfs_rmap_query_range_info query;
+ union xfs_btree_irec low_brec = { .r = *low_rec };
+ union xfs_btree_irec high_brec = { .r = *high_rec };
+ struct xfs_rmap_query_range_info query = { .priv = priv, .fn = fn };
- low_brec.r = *low_rec;
- high_brec.r = *high_rec;
- query.priv = priv;
- query.fn = fn;
return xfs_btree_query_range(cur, &low_brec, &high_brec,
xfs_rmap_query_range_helper, &query);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 198/508] xfs: fix an agbno overflow in __xfs_getfsmap_datadev
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 197/508] xfs: fix xfs_btree_query_range callers to initialize btree rec fully Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 199/508] xfs: fix the contact address for the sysfs ABI documentation Greg Kroah-Hartman
` (310 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Chinner, Darrick J. Wong,
Dave Chinner, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit cfa2df68b7ceb49ac9eb2d295ab0c5974dbf17e7 ]
Dave Chinner reported that xfs/273 fails if the AG size happens to be an
exact power of two. I traced this to an agbno integer overflow when the
current GETFSMAP call is a continuation of a previous GETFSMAP call, and
the last record returned was non-shareable space at the end of an AG.
__xfs_getfsmap_datadev sets up a data device query by converting the
incoming fmr_physical into an xfs_fsblock_t and cracking it into an agno
and agbno pair. In the (failing) case of where fmr_blockcount of the
low key is nonzero and the record was for a non-shareable extent, it
will add fmr_blockcount to start_fsb and info->low.rm_startblock.
If the low key was actually the last record for that AG, then this
addition causes info->low.rm_startblock to point beyond EOAG. When the
rmapbt range query starts, it'll return an empty set, and fsmap moves on
to the next AG.
Or so I thought. Remember how we added to start_fsb?
If agsize < 1<<agblklog, start_fsb points to the same AG as the original
fmr_physical from the low key. We run the rmapbt query, which returns
nothing, so getfsmap zeroes info->low and moves on to the next AG.
If agsize == 1<<agblklog, start_fsb now points to the next AG. We run
the rmapbt query on the next AG with the excessively large
rm_startblock. If this next AG is actually the last AG, we'll set
info->high to EOFS (which is now has a lower rm_startblock than
info->low), and the ranged btree query code will return -EINVAL. If
it's not the last AG, we ignore all records for the intermediate AGs.
Oops.
Fix this by decoding start_fsb into agno and agbno only after making
adjustments to start_fsb. This means that info->low.rm_startblock will
always be set to a valid agbno, and we always start the rmapbt iteration
in the correct AG.
While we're at it, fix the predicate for determining if an fsmap record
represents non-shareable space to include file data on pre-reflink
filesystems.
Reported-by: Dave Chinner <david@fromorbit.com>
Fixes: 63ef7a35912dd ("xfs: fix interval filtering in multi-step fsmap queries")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index d10f2c719220d..956a5670e56ce 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -565,6 +565,19 @@ xfs_getfsmap_rtdev_rtbitmap(
}
#endif /* CONFIG_XFS_RT */
+static inline bool
+rmap_not_shareable(struct xfs_mount *mp, const struct xfs_rmap_irec *r)
+{
+ if (!xfs_has_reflink(mp))
+ return true;
+ if (XFS_RMAP_NON_INODE_OWNER(r->rm_owner))
+ return true;
+ if (r->rm_flags & (XFS_RMAP_ATTR_FORK | XFS_RMAP_BMBT_BLOCK |
+ XFS_RMAP_UNWRITTEN))
+ return true;
+ return false;
+}
+
/* Execute a getfsmap query against the regular data device. */
STATIC int
__xfs_getfsmap_datadev(
@@ -598,7 +611,6 @@ __xfs_getfsmap_datadev(
* low to the fsmap low key and max out the high key to the end
* of the AG.
*/
- info->low.rm_startblock = XFS_FSB_TO_AGBNO(mp, start_fsb);
info->low.rm_offset = XFS_BB_TO_FSBT(mp, keys[0].fmr_offset);
error = xfs_fsmap_owner_to_rmap(&info->low, &keys[0]);
if (error)
@@ -608,12 +620,9 @@ __xfs_getfsmap_datadev(
/* Adjust the low key if we are continuing from where we left off. */
if (info->low.rm_blockcount == 0) {
- /* empty */
- } else if (XFS_RMAP_NON_INODE_OWNER(info->low.rm_owner) ||
- (info->low.rm_flags & (XFS_RMAP_ATTR_FORK |
- XFS_RMAP_BMBT_BLOCK |
- XFS_RMAP_UNWRITTEN))) {
- info->low.rm_startblock += info->low.rm_blockcount;
+ /* No previous record from which to continue */
+ } else if (rmap_not_shareable(mp, &info->low)) {
+ /* Last record seen was an unshareable extent */
info->low.rm_owner = 0;
info->low.rm_offset = 0;
@@ -621,8 +630,10 @@ __xfs_getfsmap_datadev(
if (XFS_FSB_TO_DADDR(mp, start_fsb) >= eofs)
return 0;
} else {
+ /* Last record seen was a shareable file data extent */
info->low.rm_offset += info->low.rm_blockcount;
}
+ info->low.rm_startblock = XFS_FSB_TO_AGBNO(mp, start_fsb);
info->high.rm_startblock = -1U;
info->high.rm_owner = ULLONG_MAX;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 199/508] xfs: fix the contact address for the sysfs ABI documentation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 198/508] xfs: fix an agbno overflow in __xfs_getfsmap_datadev Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 200/508] xfs: verify buffer, inode, and dquot items every tx commit Greg Kroah-Hartman
` (309 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 9ff4490e2ab364ec433f15668ef3f5edfb53feca ]
oss.sgi.com is long dead, refer to the current linux-xfs list instead.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/ABI/testing/sysfs-fs-xfs | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-fs-xfs b/Documentation/ABI/testing/sysfs-fs-xfs
index f704925f6fe93..82d8e2f79834b 100644
--- a/Documentation/ABI/testing/sysfs-fs-xfs
+++ b/Documentation/ABI/testing/sysfs-fs-xfs
@@ -1,7 +1,7 @@
What: /sys/fs/xfs/<disk>/log/log_head_lsn
Date: July 2014
KernelVersion: 3.17
-Contact: xfs@oss.sgi.com
+Contact: linux-xfs@vger.kernel.org
Description:
The log sequence number (LSN) of the current head of the
log. The LSN is exported in "cycle:basic block" format.
@@ -10,7 +10,7 @@ Users: xfstests
What: /sys/fs/xfs/<disk>/log/log_tail_lsn
Date: July 2014
KernelVersion: 3.17
-Contact: xfs@oss.sgi.com
+Contact: linux-xfs@vger.kernel.org
Description:
The log sequence number (LSN) of the current tail of the
log. The LSN is exported in "cycle:basic block" format.
@@ -18,7 +18,7 @@ Description:
What: /sys/fs/xfs/<disk>/log/reserve_grant_head
Date: July 2014
KernelVersion: 3.17
-Contact: xfs@oss.sgi.com
+Contact: linux-xfs@vger.kernel.org
Description:
The current state of the log reserve grant head. It
represents the total log reservation of all currently
@@ -29,7 +29,7 @@ Users: xfstests
What: /sys/fs/xfs/<disk>/log/write_grant_head
Date: July 2014
KernelVersion: 3.17
-Contact: xfs@oss.sgi.com
+Contact: linux-xfs@vger.kernel.org
Description:
The current state of the log write grant head. It
represents the total log reservation of all currently
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 200/508] xfs: verify buffer, inode, and dquot items every tx commit
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 199/508] xfs: fix the contact address for the sysfs ABI documentation Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 201/508] xfs: use consistent uid/gid when grabbing dquots for inodes Greg Kroah-Hartman
` (308 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 150bb10a28b9c8709ae227fc898d9cf6136faa1e ]
generic/388 has an annoying tendency to fail like this during log
recovery:
XFS (sda4): Unmounting Filesystem 435fe39b-82b6-46ef-be56-819499585130
XFS (sda4): Mounting V5 Filesystem 435fe39b-82b6-46ef-be56-819499585130
XFS (sda4): Starting recovery (logdev: internal)
00000000: 49 4e 81 b6 03 02 00 00 00 00 00 07 00 00 00 07 IN..............
00000010: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 10 ................
00000020: 35 9a 8b c1 3e 6e 81 00 35 9a 8b c1 3f dc b7 00 5...>n..5...?...
00000030: 35 9a 8b c1 3f dc b7 00 00 00 00 00 00 3c 86 4f 5...?........<.O
00000040: 00 00 00 00 00 00 02 f3 00 00 00 00 00 00 00 00 ................
00000050: 00 00 1f 01 00 00 00 00 00 00 00 02 b2 74 c9 0b .............t..
00000060: ff ff ff ff d7 45 73 10 00 00 00 00 00 00 00 2d .....Es........-
00000070: 00 00 07 92 00 01 fe 30 00 00 00 00 00 00 00 1a .......0........
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090: 35 9a 8b c1 3b 55 0c 00 00 00 00 00 04 27 b2 d1 5...;U.......'..
000000a0: 43 5f e3 9b 82 b6 46 ef be 56 81 94 99 58 51 30 C_....F..V...XQ0
XFS (sda4): Internal error Bad dinode after recovery at line 539 of file fs/xfs/xfs_inode_item_recover.c. Caller xlog_recover_items_pass2+0x4e/0xc0 [xfs]
CPU: 0 PID: 2189311 Comm: mount Not tainted 6.9.0-rc4-djwx #rc4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20171121_152543-x86-ol7-builder-01.us.oracle.com-4.el7.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
xfs_corruption_error+0x90/0xa0
xlog_recover_inode_commit_pass2+0x5f1/0xb00
xlog_recover_items_pass2+0x4e/0xc0
xlog_recover_commit_trans+0x2db/0x350
xlog_recovery_process_trans+0xab/0xe0
xlog_recover_process_data+0xa7/0x130
xlog_do_recovery_pass+0x398/0x840
xlog_do_log_recovery+0x62/0xc0
xlog_do_recover+0x34/0x1d0
xlog_recover+0xe9/0x1a0
xfs_log_mount+0xff/0x260
xfs_mountfs+0x5d9/0xb60
xfs_fs_fill_super+0x76b/0xa30
get_tree_bdev+0x124/0x1d0
vfs_get_tree+0x17/0xa0
path_mount+0x72b/0xa90
__x64_sys_mount+0x112/0x150
do_syscall_64+0x49/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
XFS (sda4): Corruption detected. Unmount and run xfs_repair
XFS (sda4): Metadata corruption detected at xfs_dinode_verify.part.0+0x739/0x920 [xfs], inode 0x427b2d1
XFS (sda4): Filesystem has been shut down due to log error (0x2).
XFS (sda4): Please unmount the filesystem and rectify the problem(s).
XFS (sda4): log mount/recovery failed: error -117
XFS (sda4): log mount failed
This inode log item recovery failing the dinode verifier after
replaying the contents of the inode log item into the ondisk inode.
Looking back into what the kernel was doing at the time of the fs
shutdown, a thread was in the middle of running a series of
transactions, each of which committed changes to the inode.
At some point in the middle of that chain, an invalid (at least
according to the verifier) change was committed. Had the filesystem not
shut down in the middle of the chain, a subsequent transaction would
have corrected the invalid state and nobody would have noticed. But
that's not what happened here. Instead, the invalid inode state was
committed to the ondisk log, so log recovery tripped over it.
The actual defect here was an overzealous inode verifier, which was
fixed in a separate patch. This patch adds some transaction precommit
functions for CONFIG_XFS_DEBUG=y mode so that we can detect these kinds
of transient errors at transaction commit time, where it's much easier
to find the root cause.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/Kconfig | 12 ++++++++++++
fs/xfs/xfs.h | 4 ++++
fs/xfs/xfs_buf_item.c | 32 ++++++++++++++++++++++++++++++++
fs/xfs/xfs_dquot_item.c | 31 +++++++++++++++++++++++++++++++
fs/xfs/xfs_inode_item.c | 32 ++++++++++++++++++++++++++++++++
5 files changed, 111 insertions(+)
diff --git a/fs/xfs/Kconfig b/fs/xfs/Kconfig
index 9fac5ea8d0e48..dff90db507e35 100644
--- a/fs/xfs/Kconfig
+++ b/fs/xfs/Kconfig
@@ -154,6 +154,18 @@ config XFS_DEBUG
Say N unless you are an XFS developer, or you play one on TV.
+config XFS_DEBUG_EXPENSIVE
+ bool "XFS expensive debugging checks"
+ depends on XFS_FS && XFS_DEBUG
+ help
+ Say Y here to get an XFS build with expensive debugging checks
+ enabled. These checks may affect performance significantly.
+
+ Note that the resulting code will be HUGER and SLOWER, and probably
+ not useful unless you are debugging a particular problem.
+
+ Say N unless you are an XFS developer, or you play one on TV.
+
config XFS_ASSERT_FATAL
bool "XFS fatal asserts"
default y
diff --git a/fs/xfs/xfs.h b/fs/xfs/xfs.h
index f6ffb4f248f78..9355ccad9503b 100644
--- a/fs/xfs/xfs.h
+++ b/fs/xfs/xfs.h
@@ -10,6 +10,10 @@
#define DEBUG 1
#endif
+#ifdef CONFIG_XFS_DEBUG_EXPENSIVE
+#define DEBUG_EXPENSIVE 1
+#endif
+
#ifdef CONFIG_XFS_ASSERT_FATAL
#define XFS_ASSERT_FATAL 1
#endif
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
index 023d4e0385dd0..b02ce568de0c4 100644
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -22,6 +22,7 @@
#include "xfs_trace.h"
#include "xfs_log.h"
#include "xfs_log_priv.h"
+#include "xfs_error.h"
struct kmem_cache *xfs_buf_item_cache;
@@ -781,8 +782,39 @@ xfs_buf_item_committed(
return lsn;
}
+#ifdef DEBUG_EXPENSIVE
+static int
+xfs_buf_item_precommit(
+ struct xfs_trans *tp,
+ struct xfs_log_item *lip)
+{
+ struct xfs_buf_log_item *bip = BUF_ITEM(lip);
+ struct xfs_buf *bp = bip->bli_buf;
+ struct xfs_mount *mp = bp->b_mount;
+ xfs_failaddr_t fa;
+
+ if (!bp->b_ops || !bp->b_ops->verify_struct)
+ return 0;
+ if (bip->bli_flags & XFS_BLI_STALE)
+ return 0;
+
+ fa = bp->b_ops->verify_struct(bp);
+ if (fa) {
+ xfs_buf_verifier_error(bp, -EFSCORRUPTED, bp->b_ops->name,
+ bp->b_addr, BBTOB(bp->b_length), fa);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ ASSERT(fa == NULL);
+ }
+
+ return 0;
+}
+#else
+# define xfs_buf_item_precommit NULL
+#endif
+
static const struct xfs_item_ops xfs_buf_item_ops = {
.iop_size = xfs_buf_item_size,
+ .iop_precommit = xfs_buf_item_precommit,
.iop_format = xfs_buf_item_format,
.iop_pin = xfs_buf_item_pin,
.iop_unpin = xfs_buf_item_unpin,
diff --git a/fs/xfs/xfs_dquot_item.c b/fs/xfs/xfs_dquot_item.c
index 6a1aae799cf16..7d19091215b08 100644
--- a/fs/xfs/xfs_dquot_item.c
+++ b/fs/xfs/xfs_dquot_item.c
@@ -17,6 +17,7 @@
#include "xfs_trans_priv.h"
#include "xfs_qm.h"
#include "xfs_log.h"
+#include "xfs_error.h"
static inline struct xfs_dq_logitem *DQUOT_ITEM(struct xfs_log_item *lip)
{
@@ -193,8 +194,38 @@ xfs_qm_dquot_logitem_committing(
return xfs_qm_dquot_logitem_release(lip);
}
+#ifdef DEBUG_EXPENSIVE
+static int
+xfs_qm_dquot_logitem_precommit(
+ struct xfs_trans *tp,
+ struct xfs_log_item *lip)
+{
+ struct xfs_dquot *dqp = DQUOT_ITEM(lip)->qli_dquot;
+ struct xfs_mount *mp = dqp->q_mount;
+ struct xfs_disk_dquot ddq = { };
+ xfs_failaddr_t fa;
+
+ xfs_dquot_to_disk(&ddq, dqp);
+ fa = xfs_dquot_verify(mp, &ddq, dqp->q_id);
+ if (fa) {
+ XFS_CORRUPTION_ERROR("Bad dquot during logging",
+ XFS_ERRLEVEL_LOW, mp, &ddq, sizeof(ddq));
+ xfs_alert(mp,
+ "Metadata corruption detected at %pS, dquot 0x%x",
+ fa, dqp->q_id);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ ASSERT(fa == NULL);
+ }
+
+ return 0;
+}
+#else
+# define xfs_qm_dquot_logitem_precommit NULL
+#endif
+
static const struct xfs_item_ops xfs_dquot_item_ops = {
.iop_size = xfs_qm_dquot_logitem_size,
+ .iop_precommit = xfs_qm_dquot_logitem_precommit,
.iop_format = xfs_qm_dquot_logitem_format,
.iop_pin = xfs_qm_dquot_logitem_pin,
.iop_unpin = xfs_qm_dquot_logitem_unpin,
diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c
index 2ec23c9af760c..a734ca8d8f03c 100644
--- a/fs/xfs/xfs_inode_item.c
+++ b/fs/xfs/xfs_inode_item.c
@@ -36,6 +36,36 @@ xfs_inode_item_sort(
return INODE_ITEM(lip)->ili_inode->i_ino;
}
+#ifdef DEBUG_EXPENSIVE
+static void
+xfs_inode_item_precommit_check(
+ struct xfs_inode *ip)
+{
+ struct xfs_mount *mp = ip->i_mount;
+ struct xfs_dinode *dip;
+ xfs_failaddr_t fa;
+
+ dip = kzalloc(mp->m_sb.sb_inodesize, GFP_KERNEL | GFP_NOFS);
+ if (!dip) {
+ ASSERT(dip != NULL);
+ return;
+ }
+
+ xfs_inode_to_disk(ip, dip, 0);
+ xfs_dinode_calc_crc(mp, dip);
+ fa = xfs_dinode_verify(mp, ip->i_ino, dip);
+ if (fa) {
+ xfs_inode_verifier_error(ip, -EFSCORRUPTED, __func__, dip,
+ sizeof(*dip), fa);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ ASSERT(fa == NULL);
+ }
+ kfree(dip);
+}
+#else
+# define xfs_inode_item_precommit_check(ip) ((void)0)
+#endif
+
/*
* Prior to finally logging the inode, we have to ensure that all the
* per-modification inode state changes are applied. This includes VFS inode
@@ -168,6 +198,8 @@ xfs_inode_item_precommit(
iip->ili_fields |= (flags | iip->ili_last_fields);
spin_unlock(&iip->ili_lock);
+ xfs_inode_item_precommit_check(ip);
+
/*
* We are done with the log item transaction dirty state, so clear it so
* that it doesn't pollute future transactions.
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 201/508] xfs: use consistent uid/gid when grabbing dquots for inodes
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 200/508] xfs: verify buffer, inode, and dquot items every tx commit Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 202/508] xfs: declare xfs_file.c symbols in xfs_file.h Greg Kroah-Hartman
` (307 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Catherine Hoang, Sasha Levin, Leah Rumancik
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 24a4e1cb322e2bf0f3a1afd1978b610a23aa8f36 ]
[ 6.1: resolved conflicts in xfs_inode.c and xfs_symlink.c due to 6.1
not having switched to idmap yet ]
I noticed that callers of xfs_qm_vop_dqalloc use the following code to
compute the anticipated uid of the new file:
mapped_fsuid(idmap, &init_user_ns);
whereas the VFS uses a slightly different computation for actually
assigning i_uid:
mapped_fsuid(idmap, i_user_ns(inode));
Technically, these are not the same things. According to Christian
Brauner, the only time that inode->i_sb->s_user_ns != &init_user_ns is
when the filesystem was mounted in a new mount namespace by an
unpriviledged user. XFS does not allow this, which is why we've never
seen bug reports about quotas being incorrect or the uid checks in
xfs_qm_vop_create_dqattach tripping debug assertions.
However, this /is/ a logic bomb, so let's make the code consistent.
Link: https://lore.kernel.org/linux-fsdevel/20240617-weitblick-gefertigt-4a41f37119fa@brauner/
Fixes: c14329d39f2d ("fs: port fs{g,u}id helpers to mnt_idmap")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Catherine Hoang <catherine.hoang@oracle.com>
Acked-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_inode.c | 16 ++++++++++------
fs/xfs/xfs_symlink.c | 8 +++++---
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index b26d26d29273d..88d0a088fa862 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -983,10 +983,12 @@ xfs_create(
prid = xfs_get_initial_prid(dp);
/*
- * Make sure that we have allocated dquot(s) on disk.
+ * Make sure that we have allocated dquot(s) on disk. The uid/gid
+ * computation code must match what the VFS uses to assign i_[ug]id.
+ * INHERIT adjusts the gid computation for setgid/grpid systems.
*/
- error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, &init_user_ns),
- mapped_fsgid(mnt_userns, &init_user_ns), prid,
+ error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, i_user_ns(VFS_I(dp))),
+ mapped_fsgid(mnt_userns, i_user_ns(VFS_I(dp))), prid,
XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
&udqp, &gdqp, &pdqp);
if (error)
@@ -1132,10 +1134,12 @@ xfs_create_tmpfile(
prid = xfs_get_initial_prid(dp);
/*
- * Make sure that we have allocated dquot(s) on disk.
+ * Make sure that we have allocated dquot(s) on disk. The uid/gid
+ * computation code must match what the VFS uses to assign i_[ug]id.
+ * INHERIT adjusts the gid computation for setgid/grpid systems.
*/
- error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, &init_user_ns),
- mapped_fsgid(mnt_userns, &init_user_ns), prid,
+ error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, i_user_ns(VFS_I(dp))),
+ mapped_fsgid(mnt_userns, i_user_ns(VFS_I(dp))), prid,
XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
&udqp, &gdqp, &pdqp);
if (error)
diff --git a/fs/xfs/xfs_symlink.c b/fs/xfs/xfs_symlink.c
index 8389f3ef88ef2..78bd02a98aa53 100644
--- a/fs/xfs/xfs_symlink.c
+++ b/fs/xfs/xfs_symlink.c
@@ -191,10 +191,12 @@ xfs_symlink(
prid = xfs_get_initial_prid(dp);
/*
- * Make sure that we have allocated dquot(s) on disk.
+ * Make sure that we have allocated dquot(s) on disk. The uid/gid
+ * computation code must match what the VFS uses to assign i_[ug]id.
+ * INHERIT adjusts the gid computation for setgid/grpid systems.
*/
- error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, &init_user_ns),
- mapped_fsgid(mnt_userns, &init_user_ns), prid,
+ error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, i_user_ns(VFS_I(dp))),
+ mapped_fsgid(mnt_userns, i_user_ns(VFS_I(dp))), prid,
XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
&udqp, &gdqp, &pdqp);
if (error)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 202/508] xfs: declare xfs_file.c symbols in xfs_file.h
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 201/508] xfs: use consistent uid/gid when grabbing dquots for inodes Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 203/508] xfs: create a new helper to return a files allocation unit Greg Kroah-Hartman
` (306 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 00acb28d96746f78389f23a7b5309a917b45c12f ]
Move the two public symbols in xfs_file.c to xfs_file.h. We're about to
add more public symbols in that source file, so let's finally create the
header file.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_file.c | 1 +
fs/xfs/xfs_file.h | 12 ++++++++++++
fs/xfs/xfs_ioctl.c | 1 +
fs/xfs/xfs_iops.c | 1 +
fs/xfs/xfs_iops.h | 3 ---
5 files changed, 15 insertions(+), 3 deletions(-)
create mode 100644 fs/xfs/xfs_file.h
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 821cb86a83bd5..6f7522977f7f7 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -24,6 +24,7 @@
#include "xfs_pnfs.h"
#include "xfs_iomap.h"
#include "xfs_reflink.h"
+#include "xfs_file.h"
#include <linux/dax.h>
#include <linux/falloc.h>
diff --git a/fs/xfs/xfs_file.h b/fs/xfs/xfs_file.h
new file mode 100644
index 0000000000000..7d39e3eca56dc
--- /dev/null
+++ b/fs/xfs/xfs_file.h
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2000-2005 Silicon Graphics, Inc.
+ * All Rights Reserved.
+ */
+#ifndef __XFS_FILE_H__
+#define __XFS_FILE_H__
+
+extern const struct file_operations xfs_file_operations;
+extern const struct file_operations xfs_dir_file_operations;
+
+#endif /* __XFS_FILE_H__ */
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index c7cb496dc3458..1afb1b1b831ea 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -38,6 +38,7 @@
#include "xfs_reflink.h"
#include "xfs_ioctl.h"
#include "xfs_xattr.h"
+#include "xfs_file.h"
#include <linux/mount.h>
#include <linux/namei.h>
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 6fbdc0a19e54c..9ca1b8bf1f053 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -25,6 +25,7 @@
#include "xfs_error.h"
#include "xfs_ioctl.h"
#include "xfs_xattr.h"
+#include "xfs_file.h"
#include <linux/posix_acl.h>
#include <linux/security.h>
diff --git a/fs/xfs/xfs_iops.h b/fs/xfs/xfs_iops.h
index e570dcb5df8d5..73ff92355eaa7 100644
--- a/fs/xfs/xfs_iops.h
+++ b/fs/xfs/xfs_iops.h
@@ -8,9 +8,6 @@
struct xfs_inode;
-extern const struct file_operations xfs_file_operations;
-extern const struct file_operations xfs_dir_file_operations;
-
extern ssize_t xfs_vn_listxattr(struct dentry *, char *data, size_t size);
int xfs_vn_setattr_size(struct user_namespace *mnt_userns,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 203/508] xfs: create a new helper to return a files allocation unit
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 202/508] xfs: declare xfs_file.c symbols in xfs_file.h Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 204/508] xfs: Fix xfs_flush_unmap_range() range for RT Greg Kroah-Hartman
` (305 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit ee20808d848c87a51e176706d81b95a21747d6cf ]
Create a new helper function to calculate the fundamental allocation
unit (i.e. the smallest unit of space we can allocate) of a file.
Things are going to get hairy with range-exchange on the realtime
device, so prepare for this now.
Remove the static attribute from xfs_is_falloc_aligned since the next
patch will need it.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_file.c | 32 ++++++++++++--------------------
fs/xfs/xfs_file.h | 3 +++
fs/xfs/xfs_inode.c | 13 +++++++++++++
fs/xfs/xfs_inode.h | 2 ++
4 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 6f7522977f7f7..3c910e36da69b 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -39,33 +39,25 @@ static const struct vm_operations_struct xfs_file_vm_ops;
* Decide if the given file range is aligned to the size of the fundamental
* allocation unit for the file.
*/
-static bool
+bool
xfs_is_falloc_aligned(
struct xfs_inode *ip,
loff_t pos,
long long int len)
{
- struct xfs_mount *mp = ip->i_mount;
- uint64_t mask;
-
- if (XFS_IS_REALTIME_INODE(ip)) {
- if (!is_power_of_2(mp->m_sb.sb_rextsize)) {
- u64 rextbytes;
- u32 mod;
-
- rextbytes = XFS_FSB_TO_B(mp, mp->m_sb.sb_rextsize);
- div_u64_rem(pos, rextbytes, &mod);
- if (mod)
- return false;
- div_u64_rem(len, rextbytes, &mod);
- return mod == 0;
- }
- mask = XFS_FSB_TO_B(mp, mp->m_sb.sb_rextsize) - 1;
- } else {
- mask = mp->m_sb.sb_blocksize - 1;
+ unsigned int alloc_unit = xfs_inode_alloc_unitsize(ip);
+
+ if (!is_power_of_2(alloc_unit)) {
+ u32 mod;
+
+ div_u64_rem(pos, alloc_unit, &mod);
+ if (mod)
+ return false;
+ div_u64_rem(len, alloc_unit, &mod);
+ return mod == 0;
}
- return !((pos | len) & mask);
+ return !((pos | len) & (alloc_unit - 1));
}
/*
diff --git a/fs/xfs/xfs_file.h b/fs/xfs/xfs_file.h
index 7d39e3eca56dc..2ad91f755caf3 100644
--- a/fs/xfs/xfs_file.h
+++ b/fs/xfs/xfs_file.h
@@ -9,4 +9,7 @@
extern const struct file_operations xfs_file_operations;
extern const struct file_operations xfs_dir_file_operations;
+bool xfs_is_falloc_aligned(struct xfs_inode *ip, loff_t pos,
+ long long int len);
+
#endif /* __XFS_FILE_H__ */
diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index 88d0a088fa862..3ccbc31767b3c 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3775,3 +3775,16 @@ xfs_inode_reload_unlinked(
return error;
}
+
+/* Returns the size of fundamental allocation unit for a file, in bytes. */
+unsigned int
+xfs_inode_alloc_unitsize(
+ struct xfs_inode *ip)
+{
+ unsigned int blocks = 1;
+
+ if (XFS_IS_REALTIME_INODE(ip))
+ blocks = ip->i_mount->m_sb.sb_rextsize;
+
+ return XFS_FSB_TO_B(ip->i_mount, blocks);
+}
diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h
index c177c92f3aa57..c4f426eadf8e2 100644
--- a/fs/xfs/xfs_inode.h
+++ b/fs/xfs/xfs_inode.h
@@ -622,4 +622,6 @@ xfs_inode_unlinked_incomplete(
int xfs_inode_reload_unlinked_bucket(struct xfs_trans *tp, struct xfs_inode *ip);
int xfs_inode_reload_unlinked(struct xfs_inode *ip);
+unsigned int xfs_inode_alloc_unitsize(struct xfs_inode *ip);
+
#endif /* __XFS_INODE_H__ */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 204/508] xfs: Fix xfs_flush_unmap_range() range for RT
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 203/508] xfs: create a new helper to return a files allocation unit Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 205/508] xfs: Fix xfs_prepare_shift() " Greg Kroah-Hartman
` (304 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, John Garry,
Chandan Babu R, Leah Rumancik, Sasha Levin, Christoph Hellwig
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit d3b689d7c711a9f36d3e48db9eaa75784a892f4c ]
Currently xfs_flush_unmap_range() does unmap for a full RT extent range,
which we also want to ensure is clean and idle.
This code change is originally from Dave Chinner.
Reviewed-by: Christoph Hellwig <hch@lst.de>4
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_bmap_util.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 62b92e92a685d..dabae6323c503 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -963,14 +963,18 @@ xfs_flush_unmap_range(
xfs_off_t offset,
xfs_off_t len)
{
- struct xfs_mount *mp = ip->i_mount;
struct inode *inode = VFS_I(ip);
xfs_off_t rounding, start, end;
int error;
- rounding = max_t(xfs_off_t, mp->m_sb.sb_blocksize, PAGE_SIZE);
- start = round_down(offset, rounding);
- end = round_up(offset + len, rounding) - 1;
+ /*
+ * Make sure we extend the flush out to extent alignment
+ * boundaries so any extent range overlapping the start/end
+ * of the modification we are about to do is clean and idle.
+ */
+ rounding = max_t(xfs_off_t, xfs_inode_alloc_unitsize(ip), PAGE_SIZE);
+ start = rounddown_64(offset, rounding);
+ end = roundup_64(offset + len, rounding) - 1;
error = filemap_write_and_wait_range(inode->i_mapping, start, end);
if (error)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 205/508] xfs: Fix xfs_prepare_shift() range for RT
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 204/508] xfs: Fix xfs_flush_unmap_range() range for RT Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 206/508] xfs: dont walk off the end of a directory data block Greg Kroah-Hartman
` (303 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
John Garry, Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit f23660f059470ec7043748da7641e84183c23bc8 ]
The RT extent range must be considered in the xfs_flush_unmap_range() call
to stabilize the boundary.
This code change is originally from Dave Chinner.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_bmap_util.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index dabae6323c503..bab8ba224e10d 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -1059,7 +1059,7 @@ xfs_prepare_shift(
struct xfs_inode *ip,
loff_t offset)
{
- struct xfs_mount *mp = ip->i_mount;
+ unsigned int rounding;
int error;
/*
@@ -1077,11 +1077,13 @@ xfs_prepare_shift(
* with the full range of the operation. If we don't, a COW writeback
* completion could race with an insert, front merge with the start
* extent (after split) during the shift and corrupt the file. Start
- * with the block just prior to the start to stabilize the boundary.
+ * with the allocation unit just prior to the start to stabilize the
+ * boundary.
*/
- offset = round_down(offset, mp->m_sb.sb_blocksize);
+ rounding = xfs_inode_alloc_unitsize(ip);
+ offset = rounddown_64(offset, rounding);
if (offset)
- offset -= mp->m_sb.sb_blocksize;
+ offset -= rounding;
/*
* Writeback and invalidate cache for the remainder of the file as we're
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 206/508] xfs: dont walk off the end of a directory data block
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 205/508] xfs: Fix xfs_prepare_shift() " Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 207/508] xfs: remove unused parameter in macro XFS_DQUOT_LOGRES Greg Kroah-Hartman
` (302 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, lei lu, Darrick J. Wong,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: lei lu <llfamsec@gmail.com>
[ Upstream commit 0c7fcdb6d06cdf8b19b57c17605215b06afa864a ]
This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry
to make sure don't stray beyond valid memory region. Before patching, the
loop simply checks that the start offset of the dup and dep is within the
range. So in a crafted image, if last entry is xfs_dir2_data_unused, we
can change dup->length to dup->length-1 and leave 1 byte of space. In the
next traversal, this space will be considered as dup or dep. We may
encounter an out of bound read when accessing the fixed members.
In the patch, we make sure that the remaining bytes large enough to hold
an unused entry before accessing xfs_dir2_data_unused and
xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make
sure that the remaining bytes large enough to hold a dirent with a
single-byte name before accessing xfs_dir2_data_entry.
Signed-off-by: lei lu <llfamsec@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/libxfs/xfs_dir2_data.c | 31 ++++++++++++++++++++++++++-----
fs/xfs/libxfs/xfs_dir2_priv.h | 7 +++++++
2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_dir2_data.c b/fs/xfs/libxfs/xfs_dir2_data.c
index dbcf58979a598..e1d5da6d8d4a6 100644
--- a/fs/xfs/libxfs/xfs_dir2_data.c
+++ b/fs/xfs/libxfs/xfs_dir2_data.c
@@ -177,6 +177,14 @@ __xfs_dir3_data_check(
while (offset < end) {
struct xfs_dir2_data_unused *dup = bp->b_addr + offset;
struct xfs_dir2_data_entry *dep = bp->b_addr + offset;
+ unsigned int reclen;
+
+ /*
+ * Are the remaining bytes large enough to hold an
+ * unused entry?
+ */
+ if (offset > end - xfs_dir2_data_unusedsize(1))
+ return __this_address;
/*
* If it's unused, look for the space in the bestfree table.
@@ -186,9 +194,13 @@ __xfs_dir3_data_check(
if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
xfs_failaddr_t fa;
+ reclen = xfs_dir2_data_unusedsize(
+ be16_to_cpu(dup->length));
if (lastfree != 0)
return __this_address;
- if (offset + be16_to_cpu(dup->length) > end)
+ if (be16_to_cpu(dup->length) != reclen)
+ return __this_address;
+ if (offset + reclen > end)
return __this_address;
if (be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) !=
offset)
@@ -206,10 +218,18 @@ __xfs_dir3_data_check(
be16_to_cpu(bf[2].length))
return __this_address;
}
- offset += be16_to_cpu(dup->length);
+ offset += reclen;
lastfree = 1;
continue;
}
+
+ /*
+ * This is not an unused entry. Are the remaining bytes
+ * large enough for a dirent with a single-byte name?
+ */
+ if (offset > end - xfs_dir2_data_entsize(mp, 1))
+ return __this_address;
+
/*
* It's a real entry. Validate the fields.
* If this is a block directory then make sure it's
@@ -218,9 +238,10 @@ __xfs_dir3_data_check(
*/
if (dep->namelen == 0)
return __this_address;
- if (!xfs_verify_dir_ino(mp, be64_to_cpu(dep->inumber)))
+ reclen = xfs_dir2_data_entsize(mp, dep->namelen);
+ if (offset + reclen > end)
return __this_address;
- if (offset + xfs_dir2_data_entsize(mp, dep->namelen) > end)
+ if (!xfs_verify_dir_ino(mp, be64_to_cpu(dep->inumber)))
return __this_address;
if (be16_to_cpu(*xfs_dir2_data_entry_tag_p(mp, dep)) != offset)
return __this_address;
@@ -244,7 +265,7 @@ __xfs_dir3_data_check(
if (i >= be32_to_cpu(btp->count))
return __this_address;
}
- offset += xfs_dir2_data_entsize(mp, dep->namelen);
+ offset += reclen;
}
/*
* Need to have seen all the entries and all the bestfree slots.
diff --git a/fs/xfs/libxfs/xfs_dir2_priv.h b/fs/xfs/libxfs/xfs_dir2_priv.h
index 7404a9ff1a929..9046d08554e9e 100644
--- a/fs/xfs/libxfs/xfs_dir2_priv.h
+++ b/fs/xfs/libxfs/xfs_dir2_priv.h
@@ -187,6 +187,13 @@ void xfs_dir2_sf_put_ftype(struct xfs_mount *mp,
extern int xfs_readdir(struct xfs_trans *tp, struct xfs_inode *dp,
struct dir_context *ctx, size_t bufsize);
+static inline unsigned int
+xfs_dir2_data_unusedsize(
+ unsigned int len)
+{
+ return round_up(len, XFS_DIR2_DATA_ALIGN);
+}
+
static inline unsigned int
xfs_dir2_data_entsize(
struct xfs_mount *mp,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 207/508] xfs: remove unused parameter in macro XFS_DQUOT_LOGRES
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 206/508] xfs: dont walk off the end of a directory data block Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 208/508] xfs: attr forks require attr, not attr2 Greg Kroah-Hartman
` (301 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julian Sun, Darrick J. Wong,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julian Sun <sunjunchao2870@gmail.com>
[ Upstream commit af5d92f2fad818663da2ce073b6fe15b9d56ffdc ]
In the macro definition of XFS_DQUOT_LOGRES, a parameter is accepted,
but it is not used. Hence, it should be removed.
This patch has only passed compilation test, but it should be fine.
Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/libxfs/xfs_quota_defs.h | 2 +-
fs/xfs/libxfs/xfs_trans_resv.c | 28 ++++++++++++++--------------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_quota_defs.h b/fs/xfs/libxfs/xfs_quota_defs.h
index cb035da3f990b..fb05f44f6c754 100644
--- a/fs/xfs/libxfs/xfs_quota_defs.h
+++ b/fs/xfs/libxfs/xfs_quota_defs.h
@@ -56,7 +56,7 @@ typedef uint8_t xfs_dqtype_t;
* And, of course, we also need to take into account the dquot log format item
* used to describe each dquot.
*/
-#define XFS_DQUOT_LOGRES(mp) \
+#define XFS_DQUOT_LOGRES \
((sizeof(struct xfs_dq_logformat) + sizeof(struct xfs_disk_dquot)) * 6)
#define XFS_IS_QUOTA_ON(mp) ((mp)->m_qflags & XFS_ALL_QUOTA_ACCT)
diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c
index 5b2f27cbdb808..1bb2891b26ffb 100644
--- a/fs/xfs/libxfs/xfs_trans_resv.c
+++ b/fs/xfs/libxfs/xfs_trans_resv.c
@@ -334,11 +334,11 @@ xfs_calc_write_reservation(
blksz);
t1 += adj;
t3 += adj;
- return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3);
+ return XFS_DQUOT_LOGRES + max3(t1, t2, t3);
}
t4 = xfs_calc_refcountbt_reservation(mp, 1);
- return XFS_DQUOT_LOGRES(mp) + max(t4, max3(t1, t2, t3));
+ return XFS_DQUOT_LOGRES + max(t4, max3(t1, t2, t3));
}
unsigned int
@@ -406,11 +406,11 @@ xfs_calc_itruncate_reservation(
xfs_refcountbt_block_count(mp, 4),
blksz);
- return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3);
+ return XFS_DQUOT_LOGRES + max3(t1, t2, t3);
}
t4 = xfs_calc_refcountbt_reservation(mp, 2);
- return XFS_DQUOT_LOGRES(mp) + max(t4, max3(t1, t2, t3));
+ return XFS_DQUOT_LOGRES + max(t4, max3(t1, t2, t3));
}
unsigned int
@@ -436,7 +436,7 @@ STATIC uint
xfs_calc_rename_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
max((xfs_calc_inode_res(mp, 5) +
xfs_calc_buf_res(2 * XFS_DIROP_LOG_COUNT(mp),
XFS_FSB_TO_B(mp, 1))),
@@ -475,7 +475,7 @@ STATIC uint
xfs_calc_link_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
xfs_calc_iunlink_remove_reservation(mp) +
max((xfs_calc_inode_res(mp, 2) +
xfs_calc_buf_res(XFS_DIROP_LOG_COUNT(mp),
@@ -513,7 +513,7 @@ STATIC uint
xfs_calc_remove_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
xfs_calc_iunlink_add_reservation(mp) +
max((xfs_calc_inode_res(mp, 2) +
xfs_calc_buf_res(XFS_DIROP_LOG_COUNT(mp),
@@ -572,7 +572,7 @@ xfs_calc_icreate_resv_alloc(
STATIC uint
xfs_calc_icreate_reservation(xfs_mount_t *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
max(xfs_calc_icreate_resv_alloc(mp),
xfs_calc_create_resv_modify(mp));
}
@@ -581,7 +581,7 @@ STATIC uint
xfs_calc_create_tmpfile_reservation(
struct xfs_mount *mp)
{
- uint res = XFS_DQUOT_LOGRES(mp);
+ uint res = XFS_DQUOT_LOGRES;
res += xfs_calc_icreate_resv_alloc(mp);
return res + xfs_calc_iunlink_add_reservation(mp);
@@ -630,7 +630,7 @@ STATIC uint
xfs_calc_ifree_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) +
xfs_calc_iunlink_remove_reservation(mp) +
@@ -647,7 +647,7 @@ STATIC uint
xfs_calc_ichange_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(1, mp->m_sb.sb_sectsize);
@@ -756,7 +756,7 @@ STATIC uint
xfs_calc_addafork_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(2, mp->m_sb.sb_sectsize) +
xfs_calc_buf_res(1, mp->m_dir_geo->blksize) +
@@ -804,7 +804,7 @@ STATIC uint
xfs_calc_attrsetm_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(1, mp->m_sb.sb_sectsize) +
xfs_calc_buf_res(XFS_DA_NODE_MAXDEPTH, XFS_FSB_TO_B(mp, 1));
@@ -844,7 +844,7 @@ STATIC uint
xfs_calc_attrrm_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
+ return XFS_DQUOT_LOGRES +
max((xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(XFS_DA_NODE_MAXDEPTH,
XFS_FSB_TO_B(mp, 1)) +
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 208/508] xfs: attr forks require attr, not attr2
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 207/508] xfs: remove unused parameter in macro XFS_DQUOT_LOGRES Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 209/508] xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set Greg Kroah-Hartman
` (300 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 73c34b0b85d46bf9c2c0b367aeaffa1e2481b136 ]
It turns out that I misunderstood the difference between the attr and
attr2 feature bits. "attr" means that at some point an attr fork was
created somewhere in the filesystem. "attr2" means that inodes have
variable-sized forks, but says nothing about whether or not there
actually /are/ attr forks in the system.
If we have an attr fork, we only need to check that attr is set.
Fixes: 99d9d8d05da26 ("xfs: scrub inode block mappings")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/scrub/bmap.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/xfs/scrub/bmap.c b/fs/xfs/scrub/bmap.c
index f0b9cb6506fdd..45b135929144e 100644
--- a/fs/xfs/scrub/bmap.c
+++ b/fs/xfs/scrub/bmap.c
@@ -647,7 +647,13 @@ xchk_bmap(
}
break;
case XFS_ATTR_FORK:
- if (!xfs_has_attr(mp) && !xfs_has_attr2(mp))
+ /*
+ * "attr" means that an attr fork was created at some point in
+ * the life of this filesystem. "attr2" means that inodes have
+ * variable-sized data/attr fork areas. Hence we only check
+ * attr here.
+ */
+ if (!xfs_has_attr(mp))
xchk_ino_set_corrupt(sc, sc->ip->i_ino);
break;
default:
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 209/508] xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 208/508] xfs: attr forks require attr, not attr2 Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 210/508] xfs: Fix the owner setting issue for rmap query in xfs fsmap Greg Kroah-Hartman
` (299 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 8d16762047c627073955b7ed171a36addaf7b1ff ]
If a file has the S_DAX flag (aka fsdax access mode) set, we cannot
allow users to change the realtime flag unless the datadev and rtdev
both support fsdax access modes. Even if there are no extents allocated
to the file, the setattr thread could be racing with another thread
that has already started down the write code paths.
Fixes: ba23cba9b3bdc ("fs: allow per-device dax status checking for filesystems")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_ioctl.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 1afb1b1b831ea..ef3dc07785669 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1128,6 +1128,17 @@ xfs_ioctl_setattr_xflags(
/* Can't change realtime flag if any extents are allocated. */
if (ip->i_df.if_nextents || ip->i_delayed_blks)
return -EINVAL;
+
+ /*
+ * If S_DAX is enabled on this file, we can only switch the
+ * device if both support fsdax. We can't update S_DAX because
+ * there might be other threads walking down the access paths.
+ */
+ if (IS_DAX(VFS_I(ip)) &&
+ (mp->m_ddev_targp->bt_daxdev == NULL ||
+ (mp->m_rtdev_targp &&
+ mp->m_rtdev_targp->bt_daxdev == NULL)))
+ return -EINVAL;
}
if (rtflag) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 210/508] xfs: Fix the owner setting issue for rmap query in xfs fsmap
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 209/508] xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 211/508] xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code Greg Kroah-Hartman
` (298 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zizhi Wo, Darrick J. Wong,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zizhi Wo <wozizhi@huawei.com>
[ Upstream commit 68415b349f3f16904f006275757f4fcb34b8ee43 ]
I notice a rmap query bug in xfs_io fsmap:
[root@fedora ~]# xfs_io -c 'fsmap -vvvv' /mnt
EXT: DEV BLOCK-RANGE OWNER FILE-OFFSET AG AG-OFFSET TOTAL
0: 253:16 [0..7]: static fs metadata 0 (0..7) 8
1: 253:16 [8..23]: per-AG metadata 0 (8..23) 16
2: 253:16 [24..39]: inode btree 0 (24..39) 16
3: 253:16 [40..47]: per-AG metadata 0 (40..47) 8
4: 253:16 [48..55]: refcount btree 0 (48..55) 8
5: 253:16 [56..103]: per-AG metadata 0 (56..103) 48
6: 253:16 [104..127]: free space 0 (104..127) 24
......
Bug:
[root@fedora ~]# xfs_io -c 'fsmap -vvvv -d 0 3' /mnt
[root@fedora ~]#
Normally, we should be able to get one record, but we got nothing.
The root cause of this problem lies in the incorrect setting of rm_owner in
the rmap query. In the case of the initial query where the owner is not
set, __xfs_getfsmap_datadev() first sets info->high.rm_owner to ULLONG_MAX.
This is done to prevent any omissions when comparing rmap items. However,
if the current ag is detected to be the last one, the function sets info's
high_irec based on the provided key. If high->rm_owner is not specified, it
should continue to be set to ULLONG_MAX; otherwise, there will be issues
with interval omissions. For example, consider "start" and "end" within the
same block. If high->rm_owner == 0, it will be smaller than the founded
record in rmapbt, resulting in a query with no records. The main call stack
is as follows:
xfs_ioc_getfsmap
xfs_getfsmap
xfs_getfsmap_datadev_rmapbt
__xfs_getfsmap_datadev
info->high.rm_owner = ULLONG_MAX
if (pag->pag_agno == end_ag)
xfs_fsmap_owner_to_rmap
// set info->high.rm_owner = 0 because fmr_owner == -1ULL
dest->rm_owner = 0
// get nothing
xfs_getfsmap_datadev_rmapbt_query
The problem can be resolved by simply modify the xfs_fsmap_owner_to_rmap
function internal logic to achieve.
After applying this patch, the above problem have been solved:
[root@fedora ~]# xfs_io -c 'fsmap -vvvv -d 0 3' /mnt
EXT: DEV BLOCK-RANGE OWNER FILE-OFFSET AG AG-OFFSET TOTAL
0: 253:16 [0..7]: static fs metadata 0 (0..7) 8
Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl")
Signed-off-by: Zizhi Wo <wozizhi@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 956a5670e56ce..1efd18437ca4c 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -71,7 +71,7 @@ xfs_fsmap_owner_to_rmap(
switch (src->fmr_owner) {
case 0: /* "lowest owner id possible" */
case -1ULL: /* "highest owner id possible" */
- dest->rm_owner = 0;
+ dest->rm_owner = src->fmr_owner;
break;
case XFS_FMR_OWN_FREE:
dest->rm_owner = XFS_RMAP_OWN_NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 211/508] xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 210/508] xfs: Fix the owner setting issue for rmap query in xfs fsmap Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 212/508] xfs: take m_growlock when running growfsrt Greg Kroah-Hartman
` (297 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wozizhi, Christoph Hellwig,
Darrick J. Wong, Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 6b35cc8d9239569700cc7cc737c8ed40b8b9cfdb ]
Use XFS_BUF_DADDR_NULL (instead of a magic sentinel value) to mean "this
field is null" like the rest of xfs.
Cc: wozizhi@huawei.com
Fixes: e89c041338ed6 ("xfs: implement the GETFSMAP ioctl")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_fsmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 1efd18437ca4c..a0668a1ef1006 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -252,7 +252,7 @@ xfs_getfsmap_rec_before_start(
const struct xfs_rmap_irec *rec,
xfs_daddr_t rec_daddr)
{
- if (info->low_daddr != -1ULL)
+ if (info->low_daddr != XFS_BUF_DADDR_NULL)
return rec_daddr < info->low_daddr;
if (info->low.rm_blockcount)
return xfs_rmap_compare(rec, &info->low) < 0;
@@ -986,7 +986,7 @@ xfs_getfsmap(
info.dev = handlers[i].dev;
info.last = false;
info.pag = NULL;
- info.low_daddr = -1ULL;
+ info.low_daddr = XFS_BUF_DADDR_NULL;
info.low.rm_blockcount = 0;
error = handlers[i].fn(tp, dkeys, &info);
if (error)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 212/508] xfs: take m_growlock when running growfsrt
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 211/508] xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 213/508] xfs: reset rootdir extent size hint after growfsrt Greg Kroah-Hartman
` (296 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 16e1fbdce9c8d084863fd63cdaff8fb2a54e2f88 ]
Take the grow lock when we're expanding the realtime volume, like we do
for the other growfs calls.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_rtalloc.c | 38 +++++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
index 5cf1e91f4c205..149fcfc485d89 100644
--- a/fs/xfs/xfs_rtalloc.c
+++ b/fs/xfs/xfs_rtalloc.c
@@ -953,34 +953,39 @@ xfs_growfs_rt(
/* Needs to have been mounted with an rt device. */
if (!XFS_IS_REALTIME_MOUNT(mp))
return -EINVAL;
+
+ if (!mutex_trylock(&mp->m_growlock))
+ return -EWOULDBLOCK;
/*
* Mount should fail if the rt bitmap/summary files don't load, but
* we'll check anyway.
*/
+ error = -EINVAL;
if (!mp->m_rbmip || !mp->m_rsumip)
- return -EINVAL;
+ goto out_unlock;
/* Shrink not supported. */
if (in->newblocks <= sbp->sb_rblocks)
- return -EINVAL;
+ goto out_unlock;
/* Can only change rt extent size when adding rt volume. */
if (sbp->sb_rblocks > 0 && in->extsize != sbp->sb_rextsize)
- return -EINVAL;
+ goto out_unlock;
/* Range check the extent size. */
if (XFS_FSB_TO_B(mp, in->extsize) > XFS_MAX_RTEXTSIZE ||
XFS_FSB_TO_B(mp, in->extsize) < XFS_MIN_RTEXTSIZE)
- return -EINVAL;
+ goto out_unlock;
/* Unsupported realtime features. */
+ error = -EOPNOTSUPP;
if (xfs_has_rmapbt(mp) || xfs_has_reflink(mp) || xfs_has_quota(mp))
- return -EOPNOTSUPP;
+ goto out_unlock;
nrblocks = in->newblocks;
error = xfs_sb_validate_fsb_count(sbp, nrblocks);
if (error)
- return error;
+ goto out_unlock;
/*
* Read in the last block of the device, make sure it exists.
*/
@@ -988,7 +993,7 @@ xfs_growfs_rt(
XFS_FSB_TO_BB(mp, nrblocks - 1),
XFS_FSB_TO_BB(mp, 1), 0, &bp, NULL);
if (error)
- return error;
+ goto out_unlock;
xfs_buf_relse(bp);
/*
@@ -996,8 +1001,10 @@ xfs_growfs_rt(
*/
nrextents = nrblocks;
do_div(nrextents, in->extsize);
- if (!xfs_validate_rtextents(nrextents))
- return -EINVAL;
+ if (!xfs_validate_rtextents(nrextents)) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
nrbmblocks = howmany_64(nrextents, NBBY * sbp->sb_blocksize);
nrextslog = xfs_compute_rextslog(nrextents);
nrsumlevels = nrextslog + 1;
@@ -1009,8 +1016,11 @@ xfs_growfs_rt(
* the log. This prevents us from getting a log overflow,
* since we'll log basically the whole summary file at once.
*/
- if (nrsumblocks > (mp->m_sb.sb_logblocks >> 1))
- return -EINVAL;
+ if (nrsumblocks > (mp->m_sb.sb_logblocks >> 1)) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
+
/*
* Get the old block counts for bitmap and summary inodes.
* These can't change since other growfs callers are locked out.
@@ -1022,10 +1032,10 @@ xfs_growfs_rt(
*/
error = xfs_growfs_rt_alloc(mp, rbmblocks, nrbmblocks, mp->m_rbmip);
if (error)
- return error;
+ goto out_unlock;
error = xfs_growfs_rt_alloc(mp, rsumblocks, nrsumblocks, mp->m_rsumip);
if (error)
- return error;
+ goto out_unlock;
rsum_cache = mp->m_rsum_cache;
if (nrbmblocks != sbp->sb_rbmblocks)
@@ -1190,6 +1200,8 @@ xfs_growfs_rt(
}
}
+out_unlock:
+ mutex_unlock(&mp->m_growlock);
return error;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 213/508] xfs: reset rootdir extent size hint after growfsrt
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 212/508] xfs: take m_growlock when running growfsrt Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 214/508] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Greg Kroah-Hartman
` (295 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Chandan Babu R, Leah Rumancik, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit a24cae8fc1f13f6f6929351309f248fd2e9351ce ]
If growfsrt is run on a filesystem that doesn't have a rt volume, it's
possible to change the rt extent size. If the root directory was
previously set up with an inherited extent size hint and rtinherit, it's
possible that the hint is no longer a multiple of the rt extent size.
Although the verifiers don't complain about this, xfs_repair will, so if
we detect this situation, log the root directory to clean it up. This
is still racy, but it's better than nothing.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_rtalloc.c | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
index 149fcfc485d89..fc21b4e81ade8 100644
--- a/fs/xfs/xfs_rtalloc.c
+++ b/fs/xfs/xfs_rtalloc.c
@@ -915,6 +915,39 @@ xfs_alloc_rsum_cache(
xfs_warn(mp, "could not allocate realtime summary cache");
}
+/*
+ * If we changed the rt extent size (meaning there was no rt volume previously)
+ * and the root directory had EXTSZINHERIT and RTINHERIT set, it's possible
+ * that the extent size hint on the root directory is no longer congruent with
+ * the new rt extent size. Log the rootdir inode to fix this.
+ */
+static int
+xfs_growfs_rt_fixup_extsize(
+ struct xfs_mount *mp)
+{
+ struct xfs_inode *ip = mp->m_rootip;
+ struct xfs_trans *tp;
+ int error = 0;
+
+ xfs_ilock(ip, XFS_IOLOCK_EXCL);
+ if (!(ip->i_diflags & XFS_DIFLAG_RTINHERIT) ||
+ !(ip->i_diflags & XFS_DIFLAG_EXTSZINHERIT))
+ goto out_iolock;
+
+ error = xfs_trans_alloc_inode(ip, &M_RES(mp)->tr_ichange, 0, 0, false,
+ &tp);
+ if (error)
+ goto out_iolock;
+
+ xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
+ error = xfs_trans_commit(tp);
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
+
+out_iolock:
+ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+ return error;
+}
+
/*
* Visible (exported) functions.
*/
@@ -944,6 +977,7 @@ xfs_growfs_rt(
xfs_sb_t *sbp; /* old superblock */
xfs_fsblock_t sumbno; /* summary block number */
uint8_t *rsum_cache; /* old summary cache */
+ xfs_agblock_t old_rextsize = mp->m_sb.sb_rextsize;
sbp = &mp->m_sb;
@@ -1177,6 +1211,12 @@ xfs_growfs_rt(
if (error)
goto out_free;
+ if (old_rextsize != in->extsize) {
+ error = xfs_growfs_rt_fixup_extsize(mp);
+ if (error)
+ goto out_free;
+ }
+
/* Update secondary superblocks now the physical grow has completed */
error = xfs_update_secondary_sbs(mp);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 214/508] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 213/508] xfs: reset rootdir extent size hint after growfsrt Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 215/508] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Greg Kroah-Hartman
` (294 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ulf Hansson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe ]
The error checking for of_count_phandle_with_args() does not handle
negative error codes correctly. The problem is that "index" is a u32 so
in the condition "if (index >= num_domains)" negative error codes stored
in "num_domains" are type promoted to very high positive values and
"index" is always going to be valid.
Test for negative error codes first and then test if "index" is valid.
Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
index 3c44b0313a10e..a19a1f70adb2a 100644
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2840,7 +2840,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev,
/* Verify that the index is within a valid range. */
num_domains = of_count_phandle_with_args(dev->of_node, "power-domains",
"#power-domain-cells");
- if (index >= num_domains)
+ if (num_domains < 0 || index >= num_domains)
return NULL;
/* Allocate and register device on the genpd bus. */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 215/508] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 214/508] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 216/508] Input: synaptics-rmi - fix crash with unsupported versions of F34 Greg Kroah-Hartman
` (293 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Imre Kaloz,
Gregory CLEMENT, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit b04f0d89e880bc2cca6a5c73cf287082c91878da ]
The two alarm LEDs of on the uDPU board are stopped working since
commit 78efa53e715e ("leds: Init leds class earlier").
The LEDs are driven by the GPIO{15,16} pins of the North Bridge
GPIO controller. These pins are part of the 'spi_quad' pin group
for which the 'spi' function is selected via the default pinctrl
state of the 'spi' node. This is wrong however, since in order to
allow controlling the LEDs, the pins should use the 'gpio' function.
Before the commit mentined above, the 'spi' function is selected
first by the pinctrl core before probing the spi driver, but then
it gets overridden to 'gpio' implicitly via the
devm_gpiod_get_index_optional() call from the 'leds-gpio' driver.
After the commit, the LED subsystem gets initialized before the
SPI subsystem, so the function of the pin group remains 'spi'
which in turn prevents controlling of the LEDs.
Despite the change of the initialization order, the root cause is
that the pinctrl state definition is wrong since its initial commit
0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board"),
To fix the problem, override the function in the 'spi_quad_pins'
node to 'gpio' and move the pinctrl state definition from the
'spi' node into the 'leds' node.
Cc: stable@vger.kernel.org # needs adjustment for < 6.1
Fixes: 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
index 3f79923376fb2..37244e8816d9e 100644
--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
@@ -26,6 +26,8 @@ memory@0 {
leds {
compatible = "gpio-leds";
+ pinctrl-names = "default";
+ pinctrl-0 = <&spi_quad_pins>;
led-power1 {
label = "udpu:green:power";
@@ -82,8 +84,6 @@ &sdhci0 {
&spi0 {
status = "okay";
- pinctrl-names = "default";
- pinctrl-0 = <&spi_quad_pins>;
flash@0 {
compatible = "jedec,spi-nor";
@@ -108,6 +108,10 @@ partition@180000 {
};
};
+&spi_quad_pins {
+ function = "gpio";
+};
+
&pinctrl_nb {
i2c2_recovery_pins: i2c2-recovery-pins {
groups = "i2c2";
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 216/508] Input: synaptics-rmi - fix crash with unsupported versions of F34
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 215/508] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 217/508] arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property Greg Kroah-Hartman
` (292 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hanno Böck, Dmitry Torokhov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[ Upstream commit ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 ]
Sysfs interface for updating firmware for RMI devices is available even
when F34 probe fails. The code checks for presence of F34 "container"
pointer and then tries to use the function data attached to the
sub-device. F34 assigns the function data early, before it knows if
probe will succeed, leaving behind a stale pointer.
Fix this by expanding checks to not only test for presence of F34
"container" but also check if there is driver data assigned to the
sub-device, and call dev_set_drvdata() only after we are certain that
probe is successful.
This is not a complete fix, since F34 will be freed during firmware
update, so there is still a race when fetching and accessing this
pointer. This race will be addressed in follow-up changes.
Reported-by: Hanno Böck <hanno@hboeck.de>
Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/rmi4/rmi_f34.c | 135 ++++++++++++++++++++---------------
1 file changed, 76 insertions(+), 59 deletions(-)
diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c
index 0d9a5756e3f59..cae1e41664921 100644
--- a/drivers/input/rmi4/rmi_f34.c
+++ b/drivers/input/rmi4/rmi_f34.c
@@ -4,6 +4,7 @@
* Copyright (C) 2016 Zodiac Inflight Innovations
*/
+#include "linux/device.h"
#include <linux/kernel.h>
#include <linux/rmi.h>
#include <linux/firmware.h>
@@ -298,39 +299,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34,
return ret;
}
-static int rmi_f34_status(struct rmi_function *fn)
-{
- struct f34_data *f34 = dev_get_drvdata(&fn->dev);
-
- /*
- * The status is the percentage complete, or once complete,
- * zero for success or a negative return code.
- */
- return f34->update_status;
-}
-
static ssize_t rmi_driver_bootloader_id_show(struct device *dev,
struct device_attribute *dattr,
char *buf)
{
struct rmi_driver_data *data = dev_get_drvdata(dev);
- struct rmi_function *fn = data->f34_container;
+ struct rmi_function *fn;
struct f34_data *f34;
- if (fn) {
- f34 = dev_get_drvdata(&fn->dev);
-
- if (f34->bl_version == 5)
- return sysfs_emit(buf, "%c%c\n",
- f34->bootloader_id[0],
- f34->bootloader_id[1]);
- else
- return sysfs_emit(buf, "V%d.%d\n",
- f34->bootloader_id[1],
- f34->bootloader_id[0]);
- }
+ fn = data->f34_container;
+ if (!fn)
+ return -ENODEV;
- return 0;
+ f34 = dev_get_drvdata(&fn->dev);
+ if (!f34)
+ return -ENODEV;
+
+ if (f34->bl_version == 5)
+ return sysfs_emit(buf, "%c%c\n",
+ f34->bootloader_id[0],
+ f34->bootloader_id[1]);
+ else
+ return sysfs_emit(buf, "V%d.%d\n",
+ f34->bootloader_id[1],
+ f34->bootloader_id[0]);
}
static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL);
@@ -343,13 +335,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev,
struct rmi_function *fn = data->f34_container;
struct f34_data *f34;
- if (fn) {
- f34 = dev_get_drvdata(&fn->dev);
+ fn = data->f34_container;
+ if (!fn)
+ return -ENODEV;
- return sysfs_emit(buf, "%s\n", f34->configuration_id);
- }
+ f34 = dev_get_drvdata(&fn->dev);
+ if (!f34)
+ return -ENODEV;
- return 0;
+
+ return sysfs_emit(buf, "%s\n", f34->configuration_id);
}
static DEVICE_ATTR(configuration_id, 0444,
@@ -365,10 +360,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data,
if (!data->f34_container) {
dev_warn(dev, "%s: No F34 present!\n", __func__);
- return -EINVAL;
+ return -ENODEV;
}
f34 = dev_get_drvdata(&data->f34_container->dev);
+ if (!f34) {
+ dev_warn(dev, "%s: No valid F34 present!\n", __func__);
+ return -ENODEV;
+ }
if (f34->bl_version >= 7) {
if (data->pdt_props & HAS_BSR) {
@@ -494,10 +493,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev,
char *buf)
{
struct rmi_driver_data *data = dev_get_drvdata(dev);
- int update_status = 0;
+ struct f34_data *f34;
+ int update_status = -ENODEV;
- if (data->f34_container)
- update_status = rmi_f34_status(data->f34_container);
+ /*
+ * The status is the percentage complete, or once complete,
+ * zero for success or a negative return code.
+ */
+ if (data->f34_container) {
+ f34 = dev_get_drvdata(&data->f34_container->dev);
+ if (f34)
+ update_status = f34->update_status;
+ }
return sysfs_emit(buf, "%d\n", update_status);
}
@@ -517,33 +524,21 @@ static const struct attribute_group rmi_firmware_attr_group = {
.attrs = rmi_firmware_attrs,
};
-static int rmi_f34_probe(struct rmi_function *fn)
+static int rmi_f34v5_probe(struct f34_data *f34)
{
- struct f34_data *f34;
- unsigned char f34_queries[9];
+ struct rmi_function *fn = f34->fn;
+ u8 f34_queries[9];
bool has_config_id;
- u8 version = fn->fd.function_version;
- int ret;
-
- f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
- if (!f34)
- return -ENOMEM;
-
- f34->fn = fn;
- dev_set_drvdata(&fn->dev, f34);
-
- /* v5 code only supported version 0, try V7 probe */
- if (version > 0)
- return rmi_f34v7_probe(f34);
+ int error;
f34->bl_version = 5;
- ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
- f34_queries, sizeof(f34_queries));
- if (ret) {
+ error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
+ f34_queries, sizeof(f34_queries));
+ if (error) {
dev_err(&fn->dev, "%s: Failed to query properties\n",
__func__);
- return ret;
+ return error;
}
snprintf(f34->bootloader_id, sizeof(f34->bootloader_id),
@@ -569,11 +564,11 @@ static int rmi_f34_probe(struct rmi_function *fn)
f34->v5.config_blocks);
if (has_config_id) {
- ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
- f34_queries, sizeof(f34_queries));
- if (ret) {
+ error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
+ f34_queries, sizeof(f34_queries));
+ if (error) {
dev_err(&fn->dev, "Failed to read F34 config ID\n");
- return ret;
+ return error;
}
snprintf(f34->configuration_id, sizeof(f34->configuration_id),
@@ -582,12 +577,34 @@ static int rmi_f34_probe(struct rmi_function *fn)
f34_queries[2], f34_queries[3]);
rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n",
- f34->configuration_id);
+ f34->configuration_id);
}
return 0;
}
+static int rmi_f34_probe(struct rmi_function *fn)
+{
+ struct f34_data *f34;
+ u8 version = fn->fd.function_version;
+ int error;
+
+ f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
+ if (!f34)
+ return -ENOMEM;
+
+ f34->fn = fn;
+
+ /* v5 code only supported version 0 */
+ error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34);
+ if (error)
+ return error;
+
+ dev_set_drvdata(&fn->dev, f34);
+
+ return 0;
+}
+
int rmi_f34_create_sysfs(struct rmi_device *rmi_dev)
{
return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 217/508] arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 216/508] Input: synaptics-rmi - fix crash with unsupported versions of F34 Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 218/508] arm64: dts: ti: k3-am65-main: Fix sdhci node properties Greg Kroah-Hartman
` (291 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nishanth Menon, Vignesh Raghavendra,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nishanth Menon <nm@ti.com>
[ Upstream commit 2b9bb988742d1794e78d4297a99658f38477eedd ]
ti,otap-del-sel has been deprecated in favor of ti,otap-del-sel-legacy.
Drop the duplicate and misleading ti,otap-del-sel property.
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20230607132043.3932726-3-nm@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Stable-dep-of: f55c9f087cc2 ("arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
index 83dd8993027ab..9854cf0e7f7b4 100644
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -295,7 +295,6 @@ sdhci1: mmc@4fa0000 {
ti,otap-del-sel-ddr52 = <0x4>;
ti,otap-del-sel-hs200 = <0x7>;
ti,clkbuf-sel = <0x7>;
- ti,otap-del-sel = <0x2>;
ti,trm-icp = <0x8>;
dma-coherent;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 218/508] arm64: dts: ti: k3-am65-main: Fix sdhci node properties
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 217/508] arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 219/508] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Greg Kroah-Hartman
` (290 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Nishanth Menon,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit 8ffe9cb889f2b831a9d5bbb1f7ad42d30e31170f ]
Update otap-del-sel properties as per datasheet [0].
Add missing clkbuf-sel and itap-del-sel values also as per
datasheet [0].
Move clkbuf-sel and ti,trm-icp above the otap-del-sel properties
so the sdhci nodes could be more uniform across platforms.
[0] https://www.ti.com/lit/ds/symlink/am6548.pdf
Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values")
Fixes: d7600d070fb0 ("arm64: dts: ti: k3-am65-main: Add support for sdhci1")
Signed-off-by: Judith Mendez <jm@ti.com>
Link: https://lore.kernel.org/r/20240423151732.3541894-2-jm@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Stable-dep-of: f55c9f087cc2 ("arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
index 9854cf0e7f7b4..c09457fef2db0 100644
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -262,6 +262,8 @@ sdhci0: mmc@4f80000 {
interrupts = <GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>;
mmc-ddr-1_8v;
mmc-hs200-1_8v;
+ ti,clkbuf-sel = <0x7>;
+ ti,trm-icp = <0x8>;
ti,otap-del-sel-legacy = <0x0>;
ti,otap-del-sel-mmc-hs = <0x0>;
ti,otap-del-sel-sd-hs = <0x0>;
@@ -272,8 +274,7 @@ sdhci0: mmc@4f80000 {
ti,otap-del-sel-ddr50 = <0x5>;
ti,otap-del-sel-ddr52 = <0x5>;
ti,otap-del-sel-hs200 = <0x5>;
- ti,otap-del-sel-hs400 = <0x0>;
- ti,trm-icp = <0x8>;
+ ti,itap-del-sel-ddr52 = <0x0>;
dma-coherent;
};
@@ -284,18 +285,22 @@ sdhci1: mmc@4fa0000 {
clocks = <&k3_clks 48 0>, <&k3_clks 48 1>;
clock-names = "clk_ahb", "clk_xin";
interrupts = <GIC_SPI 137 IRQ_TYPE_LEVEL_HIGH>;
+ ti,clkbuf-sel = <0x7>;
+ ti,trm-icp = <0x8>;
ti,otap-del-sel-legacy = <0x0>;
ti,otap-del-sel-mmc-hs = <0x0>;
ti,otap-del-sel-sd-hs = <0x0>;
- ti,otap-del-sel-sdr12 = <0x0>;
- ti,otap-del-sel-sdr25 = <0x0>;
+ ti,otap-del-sel-sdr12 = <0xf>;
+ ti,otap-del-sel-sdr25 = <0xf>;
ti,otap-del-sel-sdr50 = <0x8>;
ti,otap-del-sel-sdr104 = <0x7>;
ti,otap-del-sel-ddr50 = <0x4>;
ti,otap-del-sel-ddr52 = <0x4>;
ti,otap-del-sel-hs200 = <0x7>;
- ti,clkbuf-sel = <0x7>;
- ti,trm-icp = <0x8>;
+ ti,itap-del-sel-legacy = <0xa>;
+ ti,itap-del-sel-sd-hs = <0x1>;
+ ti,itap-del-sel-sdr12 = <0xa>;
+ ti,itap-del-sel-sdr25 = <0x1>;
dma-coherent;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 219/508] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 218/508] arm64: dts: ti: k3-am65-main: Fix sdhci node properties Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 220/508] serial: sh-sci: Check if TX data was written to device in .tx_empty() Greg Kroah-Hartman
` (289 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Moteen Shah,
Nishanth Menon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit f55c9f087cc2e2252d44ffd9d58def2066fc176e ]
For am65x, add missing ITAPDLYSEL values for Default Speed and High
Speed SDR modes to sdhci0 node according to the device datasheet [0].
[0] https://www.ti.com/lit/gpn/am6548
Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values")
Cc: stable@vger.kernel.org
Signed-off-by: Judith Mendez <jm@ti.com>
Reviewed-by: Moteen Shah <m-shah@ti.com>
Link: https://lore.kernel.org/r/20250429173009.33994-1-jm@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
index c09457fef2db0..ebd8434c6b60b 100644
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -274,6 +274,8 @@ sdhci0: mmc@4f80000 {
ti,otap-del-sel-ddr50 = <0x5>;
ti,otap-del-sel-ddr52 = <0x5>;
ti,otap-del-sel-hs200 = <0x5>;
+ ti,itap-del-sel-legacy = <0xa>;
+ ti,itap-del-sel-mmc-hs = <0x1>;
ti,itap-del-sel-ddr52 = <0x0>;
dma-coherent;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 220/508] serial: sh-sci: Check if TX data was written to device in .tx_empty()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 219/508] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 221/508] serial: sh-sci: Move runtime PM enable to sci_probe_single() Greg Kroah-Hartman
` (288 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 7cc0e0a43a91052477c2921f924a37d9c3891f0c upstream.
On the Renesas RZ/G3S, when doing suspend to RAM, the uart_suspend_port()
is called. The uart_suspend_port() calls 3 times the
struct uart_port::ops::tx_empty() before shutting down the port.
According to the documentation, the struct uart_port::ops::tx_empty()
API tests whether the transmitter FIFO and shifter for the port is
empty.
The Renesas RZ/G3S SCIFA IP reports the number of data units stored in the
transmit FIFO through the FDR (FIFO Data Count Register). The data units
in the FIFOs are written in the shift register and transmitted from there.
The TEND bit in the Serial Status Register reports if the data was
transmitted from the shift register.
In the previous code, in the tx_empty() API implemented by the sh-sci
driver, it is considered that the TX is empty if the hardware reports the
TEND bit set and the number of data units in the FIFO is zero.
According to the HW manual, the TEND bit has the following meaning:
0: Transmission is in the waiting state or in progress.
1: Transmission is completed.
It has been noticed that when opening the serial device w/o using it and
then switch to a power saving mode, the tx_empty() call in the
uart_port_suspend() function fails, leading to the "Unable to drain
transmitter" message being printed on the console. This is because the
TEND=0 if nothing has been transmitted and the FIFOs are empty. As the
TEND=0 has double meaning (waiting state, in progress) we can't
determined the scenario described above.
Add a software workaround for this. This sets a variable if any data has
been sent on the serial console (when using PIO) or if the DMA callback has
been called (meaning something has been transmitted). In the tx_empty()
API the status of the DMA transaction is also checked and if it is
completed or in progress the code falls back in checking the hardware
registers instead of relying on the software variable.
Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20241125115856.513642-1-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[claudiu.beznea: fixed conflict by:
- keeping serial_port_out() instead of sci_port_out() in
sci_transmit_chars()
- keeping !uart_circ_empty(xmit) condition in sci_dma_tx_complete(),
after s->tx_occurred = true; assignement]
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sh-sci.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index ed468b676f0b9..f8f301db84339 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -175,6 +175,7 @@ struct sci_port {
bool has_rtscts;
bool autorts;
+ bool tx_occurred;
};
#define SCI_NPORTS CONFIG_SERIAL_SH_SCI_NR_UARTS
@@ -825,6 +826,7 @@ static void sci_transmit_chars(struct uart_port *port)
{
struct circ_buf *xmit = &port->state->xmit;
unsigned int stopped = uart_tx_stopped(port);
+ struct sci_port *s = to_sci_port(port);
unsigned short status;
unsigned short ctrl;
int count;
@@ -856,6 +858,7 @@ static void sci_transmit_chars(struct uart_port *port)
}
serial_port_out(port, SCxTDR, c);
+ s->tx_occurred = true;
port->icount.tx++;
} while (--count > 0);
@@ -1208,6 +1211,8 @@ static void sci_dma_tx_complete(void *arg)
if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
uart_write_wakeup(port);
+ s->tx_occurred = true;
+
if (!uart_circ_empty(xmit)) {
s->cookie_tx = 0;
schedule_work(&s->work_tx);
@@ -1688,6 +1693,19 @@ static void sci_flush_buffer(struct uart_port *port)
s->cookie_tx = -EINVAL;
}
}
+
+static void sci_dma_check_tx_occurred(struct sci_port *s)
+{
+ struct dma_tx_state state;
+ enum dma_status status;
+
+ if (!s->chan_tx)
+ return;
+
+ status = dmaengine_tx_status(s->chan_tx, s->cookie_tx, &state);
+ if (status == DMA_COMPLETE || status == DMA_IN_PROGRESS)
+ s->tx_occurred = true;
+}
#else /* !CONFIG_SERIAL_SH_SCI_DMA */
static inline void sci_request_dma(struct uart_port *port)
{
@@ -1697,6 +1715,10 @@ static inline void sci_free_dma(struct uart_port *port)
{
}
+static void sci_dma_check_tx_occurred(struct sci_port *s)
+{
+}
+
#define sci_flush_buffer NULL
#endif /* !CONFIG_SERIAL_SH_SCI_DMA */
@@ -2009,6 +2031,12 @@ static unsigned int sci_tx_empty(struct uart_port *port)
{
unsigned short status = serial_port_in(port, SCxSR);
unsigned short in_tx_fifo = sci_txfill(port);
+ struct sci_port *s = to_sci_port(port);
+
+ sci_dma_check_tx_occurred(s);
+
+ if (!s->tx_occurred)
+ return TIOCSER_TEMT;
return (status & SCxSR_TEND(port)) && !in_tx_fifo ? TIOCSER_TEMT : 0;
}
@@ -2179,6 +2207,7 @@ static int sci_startup(struct uart_port *port)
dev_dbg(port->dev, "%s(%d)\n", __func__, port->line);
+ s->tx_occurred = false;
sci_request_dma(port);
ret = sci_request_irq(s);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 221/508] serial: sh-sci: Move runtime PM enable to sci_probe_single()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 220/508] serial: sh-sci: Check if TX data was written to device in .tx_empty() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 222/508] serial: sh-sci: Clean sci_ports[0] after at earlycon exit Greg Kroah-Hartman
` (287 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Claudiu Beznea,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 239f11209e5f282e16f5241b99256e25dd0614b6 upstream.
Relocate the runtime PM enable operation to sci_probe_single(). This change
prepares the codebase for upcoming fixes.
While at it, replace the existing logic with a direct call to
devm_pm_runtime_enable() and remove sci_cleanup_single(). The
devm_pm_runtime_enable() function automatically handles disabling runtime
PM during driver removal.
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250116182249.3828577-3-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sh-sci.c | 24 ++++++------------------
1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index f8f301db84339..48bc66e2c0444 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2982,10 +2982,6 @@ static int sci_init_single(struct platform_device *dev,
ret = sci_init_clocks(sci_port, &dev->dev);
if (ret < 0)
return ret;
-
- port->dev = &dev->dev;
-
- pm_runtime_enable(&dev->dev);
}
port->type = p->type;
@@ -3015,11 +3011,6 @@ static int sci_init_single(struct platform_device *dev,
return 0;
}
-static void sci_cleanup_single(struct sci_port *port)
-{
- pm_runtime_disable(port->port.dev);
-}
-
#if defined(CONFIG_SERIAL_SH_SCI_CONSOLE) || \
defined(CONFIG_SERIAL_SH_SCI_EARLYCON)
static void serial_console_putchar(struct uart_port *port, unsigned char ch)
@@ -3177,8 +3168,6 @@ static int sci_remove(struct platform_device *dev)
sci_ports_in_use &= ~BIT(port->port.line);
uart_remove_one_port(&sci_uart_driver, &port->port);
- sci_cleanup_single(port);
-
if (port->port.fifosize > 1)
device_remove_file(&dev->dev, &dev_attr_rx_fifo_trigger);
if (type == PORT_SCIFA || type == PORT_SCIFB || type == PORT_HSCIF)
@@ -3341,6 +3330,11 @@ static int sci_probe_single(struct platform_device *dev,
if (ret)
return ret;
+ sciport->port.dev = &dev->dev;
+ ret = devm_pm_runtime_enable(&dev->dev);
+ if (ret)
+ return ret;
+
sciport->gpios = mctrl_gpio_init(&sciport->port, 0);
if (IS_ERR(sciport->gpios))
return PTR_ERR(sciport->gpios);
@@ -3354,13 +3348,7 @@ static int sci_probe_single(struct platform_device *dev,
sciport->port.flags |= UPF_HARD_FLOW;
}
- ret = uart_add_one_port(&sci_uart_driver, &sciport->port);
- if (ret) {
- sci_cleanup_single(sciport);
- return ret;
- }
-
- return 0;
+ return uart_add_one_port(&sci_uart_driver, &sciport->port);
}
static int sci_probe(struct platform_device *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 222/508] serial: sh-sci: Clean sci_ports[0] after at earlycon exit
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 221/508] serial: sh-sci: Move runtime PM enable to sci_probe_single() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 223/508] scsi: core: ufs: Fix a hang in the error handler Greg Kroah-Hartman
` (286 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 5f1017069933489add0c08659673443c9905659e upstream.
The early_console_setup() function initializes sci_ports[0].port with an
object of type struct uart_port obtained from the struct earlycon_device
passed as an argument to early_console_setup().
Later, during serial port probing, the serial port used as earlycon
(e.g., port A) might be remapped to a different position in the sci_ports[]
array, and a different serial port (e.g., port B) might be assigned to slot
0. For example:
sci_ports[0] = port B
sci_ports[X] = port A
In this scenario, the new port mapped at index zero (port B) retains the
data associated with the earlycon configuration. Consequently, after the
Linux boot process, any access to the serial port now mapped to
sci_ports[0] (port B) will block the original earlycon port (port A).
To address this, introduce an early_console_exit() function to clean up
sci_ports[0] when earlycon is exited.
To prevent the cleanup of sci_ports[0] while the serial device is still
being used by earlycon, introduce the struct sci_port::probing flag and
account for it in early_console_exit().
Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250116182249.3828577-5-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sh-sci.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 48bc66e2c0444..cd724fc284700 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -184,6 +184,7 @@ static struct sci_port sci_ports[SCI_NPORTS];
static unsigned long sci_ports_in_use;
static struct uart_driver sci_uart_driver;
static bool sci_uart_earlycon;
+static bool sci_uart_earlycon_dev_probing;
static inline struct sci_port *
to_sci_port(struct uart_port *uart)
@@ -3301,7 +3302,8 @@ static struct plat_sci_port *sci_parse_dt(struct platform_device *pdev,
static int sci_probe_single(struct platform_device *dev,
unsigned int index,
struct plat_sci_port *p,
- struct sci_port *sciport)
+ struct sci_port *sciport,
+ struct resource *sci_res)
{
int ret;
@@ -3348,6 +3350,14 @@ static int sci_probe_single(struct platform_device *dev,
sciport->port.flags |= UPF_HARD_FLOW;
}
+ if (sci_uart_earlycon && sci_ports[0].port.mapbase == sci_res->start) {
+ /*
+ * Skip cleanup the sci_port[0] in early_console_exit(), this
+ * port is the same as the earlycon one.
+ */
+ sci_uart_earlycon_dev_probing = true;
+ }
+
return uart_add_one_port(&sci_uart_driver, &sciport->port);
}
@@ -3406,7 +3416,7 @@ static int sci_probe(struct platform_device *dev)
platform_set_drvdata(dev, sp);
- ret = sci_probe_single(dev, dev_id, p, sp);
+ ret = sci_probe_single(dev, dev_id, p, sp, res);
if (ret)
return ret;
@@ -3563,6 +3573,22 @@ sh_early_platform_init_buffer("earlyprintk", &sci_driver,
#ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
static struct plat_sci_port port_cfg;
+static int early_console_exit(struct console *co)
+{
+ struct sci_port *sci_port = &sci_ports[0];
+
+ /*
+ * Clean the slot used by earlycon. A new SCI device might
+ * map to this slot.
+ */
+ if (!sci_uart_earlycon_dev_probing) {
+ memset(sci_port, 0, sizeof(*sci_port));
+ sci_uart_earlycon = false;
+ }
+
+ return 0;
+}
+
static int __init early_console_setup(struct earlycon_device *device,
int type)
{
@@ -3582,6 +3608,8 @@ static int __init early_console_setup(struct earlycon_device *device,
SCSCR_RE | SCSCR_TE | port_cfg.scscr);
device->con->write = serial_console_write;
+ device->con->exit = early_console_exit;
+
return 0;
}
static int __init sci_early_console_setup(struct earlycon_device *device,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 223/508] scsi: core: ufs: Fix a hang in the error handler
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 222/508] serial: sh-sci: Clean sci_ports[0] after at earlycon exit Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 224/508] Bluetooth: hci_core: fix list_for_each_entry_rcu usage Greg Kroah-Hartman
` (285 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanjeev Yadav, Bart Van Assche,
Peter Wang, Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjeev Yadav <sanjeev.y@mediatek.com>
[ Upstream commit 8a3514d348de87a9d5e2ac00fbac4faae0b97996 ]
ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter
function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because
resuming involves submitting a SCSI command and ufshcd_queuecommand()
returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this
hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has
been called instead of before.
Backtrace:
__switch_to+0x174/0x338
__schedule+0x600/0x9e4
schedule+0x7c/0xe8
schedule_timeout+0xa4/0x1c8
io_schedule_timeout+0x48/0x70
wait_for_common_io+0xa8/0x160 //waiting on START_STOP
wait_for_completion_io_timeout+0x10/0x20
blk_execute_rq+0xe4/0x1e4
scsi_execute_cmd+0x108/0x244
ufshcd_set_dev_pwr_mode+0xe8/0x250
__ufshcd_wl_resume+0x94/0x354
ufshcd_wl_runtime_resume+0x3c/0x174
scsi_runtime_resume+0x64/0xa4
rpm_resume+0x15c/0xa1c
__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing
ufshcd_err_handler+0x1a0/0xd08
process_one_work+0x174/0x808
worker_thread+0x15c/0x490
kthread+0xf4/0x1ec
ret_from_fork+0x10/0x20
Signed-off-by: Sanjeev Yadav <sanjeev.y@mediatek.com>
[ bvanassche: rewrote patch description ]
Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20250523201409.1676055-1-bvanassche@acm.org
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index c5115f6adbdc2..dc17ae1dfe260 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6285,9 +6285,14 @@ static void ufshcd_err_handler(struct work_struct *work)
up(&hba->host_sem);
return;
}
- ufshcd_set_eh_in_progress(hba);
spin_unlock_irqrestore(hba->host->host_lock, flags);
+
ufshcd_err_handling_prepare(hba);
+
+ spin_lock_irqsave(hba->host->host_lock, flags);
+ ufshcd_set_eh_in_progress(hba);
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
/* Complete requests that have door-bell cleared by h/w */
ufshcd_complete_requests(hba);
spin_lock_irqsave(hba->host->host_lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 224/508] Bluetooth: hci_core: fix list_for_each_entry_rcu usage
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 223/508] scsi: core: ufs: Fix a hang in the error handler Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 225/508] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete Greg Kroah-Hartman
` (284 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen, Paul Menzel,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 308a3a8ce8ea41b26c46169f3263e50f5997c28e ]
Releasing + re-acquiring RCU lock inside list_for_each_entry_rcu() loop
body is not correct.
Fix by taking the update-side hdev->lock instead.
Fixes: c7eaf80bfb0c ("Bluetooth: Fix hci_link_tx_to RCU lock usage")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3cd7c212375fc..dc53e3078ba79 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3402,23 +3402,18 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
bt_dev_err(hdev, "link tx timeout");
- rcu_read_lock();
+ hci_dev_lock(hdev);
/* Kill stalled connections */
- list_for_each_entry_rcu(c, &h->list, list) {
+ list_for_each_entry(c, &h->list, list) {
if (c->type == type && c->sent) {
bt_dev_err(hdev, "killing stalled connection %pMR",
&c->dst);
- /* hci_disconnect might sleep, so, we have to release
- * the RCU read lock before calling it.
- */
- rcu_read_unlock();
hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
- rcu_read_lock();
}
}
- rcu_read_unlock();
+ hci_dev_unlock(hdev);
}
static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 225/508] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 224/508] Bluetooth: hci_core: fix list_for_each_entry_rcu usage Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 226/508] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() Greg Kroah-Hartman
` (283 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+feb0dc579bbe30a13190,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c ]
This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to
avoid crashes like bellow:
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341
CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5987:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5989:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x18e/0x440 mm/slub.c:4841
mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c3/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 66bd095ab5d4 ("Bluetooth: advmon offload MSFT remove monitor")
Closes: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
Reported-by: syzbot+feb0dc579bbe30a13190@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc579bbe30a13190@syzkaller.appspotmail.com
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_core.h | 1 -
net/bluetooth/hci_core.c | 4 +---
net/bluetooth/mgmt.c | 37 ++++++++++----------------------
3 files changed, 12 insertions(+), 30 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index d26b57e87f7f4..97cde23f56ecd 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -2125,7 +2125,6 @@ void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev,
u8 instance);
void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
u8 instance);
-void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle);
int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip);
void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
bdaddr_t *bdaddr, u8 addr_type);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index dc53e3078ba79..a26323400bf53 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1873,10 +1873,8 @@ void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
if (monitor->handle)
idr_remove(&hdev->adv_monitors_idr, monitor->handle);
- if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) {
+ if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED)
hdev->adv_monitors_cnt--;
- mgmt_adv_monitor_removed(hdev, monitor->handle);
- }
kfree(monitor);
}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 27bd8c8ddeb02..123cf62e3c000 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5236,24 +5236,14 @@ static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
}
-void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
+static void mgmt_adv_monitor_removed(struct sock *sk, struct hci_dev *hdev,
+ u16 handle)
{
struct mgmt_ev_adv_monitor_removed ev;
- struct mgmt_pending_cmd *cmd;
- struct sock *sk_skip = NULL;
- struct mgmt_cp_remove_adv_monitor *cp;
-
- cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
- if (cmd) {
- cp = cmd->param;
-
- if (cp->monitor_handle)
- sk_skip = cmd->sk;
- }
ev.monitor_handle = cpu_to_le16(handle);
- mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
+ mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk);
}
static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
@@ -5355,8 +5345,7 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
if (pending_find(MGMT_OP_SET_LE, hdev) ||
pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
- pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
- pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
+ pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
status = MGMT_STATUS_BUSY;
goto unlock;
}
@@ -5526,8 +5515,7 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
struct mgmt_pending_cmd *cmd = data;
struct mgmt_cp_remove_adv_monitor *cp;
- if (status == -ECANCELED ||
- cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
+ if (status == -ECANCELED)
return;
hci_dev_lock(hdev);
@@ -5536,12 +5524,14 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
rp.monitor_handle = cp->monitor_handle;
- if (!status)
+ if (!status) {
+ mgmt_adv_monitor_removed(cmd->sk, hdev, cp->monitor_handle);
hci_update_passive_scan(hdev);
+ }
mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
mgmt_status(status), &rp, sizeof(rp));
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_dev_unlock(hdev);
bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
@@ -5551,10 +5541,6 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
-
- if (cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
- return -ECANCELED;
-
struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
u16 handle = __le16_to_cpu(cp->monitor_handle);
@@ -5573,14 +5559,13 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
hci_dev_lock(hdev);
if (pending_find(MGMT_OP_SET_LE, hdev) ||
- pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
status = MGMT_STATUS_BUSY;
goto unlock;
}
- cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
+ cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
if (!cmd) {
status = MGMT_STATUS_NO_RESOURCES;
goto unlock;
@@ -5590,7 +5575,7 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
mgmt_remove_adv_monitor_complete);
if (err) {
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
if (err == -ENOMEM)
status = MGMT_STATUS_NO_RESOURCES;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 226/508] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 225/508] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 227/508] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
` (282 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Richard Cochran,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 87f7ce260a3c838b49e1dc1ceedf1006795157a2 ]
There is no disagreement that we should check both ptp->is_virtual_clock
and ptp->n_vclocks to check if the ptp virtual clock is in use.
However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in
ptp_vclock_in_use(), we observe a recursive lock in the call trace
starting from n_vclocks_store().
============================================
WARNING: possible recursive locking detected
6.15.0-rc6 #1 Not tainted
--------------------------------------------
syz.0.1540/13807 is trying to acquire lock:
ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:
ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline]
ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:
ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415
but task is already holding lock:
ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:
n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&ptp->n_vclocks_mux);
lock(&ptp->n_vclocks_mux);
*** DEADLOCK ***
....
============================================
The best way to solve this is to remove the logic that checks
ptp->n_vclocks in ptp_vclock_in_use().
The reason why this is appropriate is that any path that uses
ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater
than 0 before unregistering vclocks, and all functions are already
written this way. And in the function that uses ptp->n_vclocks, we
already get ptp->n_vclocks_mux before unregistering vclocks.
Therefore, we need to remove the redundant check for ptp->n_vclocks in
ptp_vclock_in_use() to prevent recursive locking.
Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Link: https://patch.msgid.link/20250520160717.7350-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_private.h | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index b8d4f61f14be4..d0eb4555720eb 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -89,17 +89,7 @@ static inline int queue_cnt(const struct timestamp_event_queue *q)
/* Check if ptp virtual clock is in use */
static inline bool ptp_vclock_in_use(struct ptp_clock *ptp)
{
- bool in_use = false;
-
- if (mutex_lock_interruptible(&ptp->n_vclocks_mux))
- return true;
-
- if (!ptp->is_virtual_clock && ptp->n_vclocks)
- in_use = true;
-
- mutex_unlock(&ptp->n_vclocks_mux);
-
- return in_use;
+ return !ptp->is_virtual_clock;
}
/* Check if ptp clock shall be free running */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 227/508] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 226/508] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 228/508] wifi: ath11k: remove unused function ath11k_tm_event_wmi() Greg Kroah-Hartman
` (281 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Connolly, Loic Poulain,
Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Connolly <caleb.connolly@linaro.org>
[ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
recovery flow, but we still unconditionally call enable again in
ath10k_snoc_hif_start().
We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
before hif_start() is called, so instead check the
ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
recovery.
This fixes unbalanced IRQ enable splats that happen after recovering from
a crash.
Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
Tested-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Link: https://patch.msgid.link/20250318205043.1043148-1-caleb.connolly@linaro.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/snoc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
index 4b7266d928470..b43658b016844 100644
--- a/drivers/net/wireless/ath/ath10k/snoc.c
+++ b/drivers/net/wireless/ath/ath10k/snoc.c
@@ -936,7 +936,9 @@ static int ath10k_snoc_hif_start(struct ath10k *ar)
bitmap_clear(ar_snoc->pending_ce_irqs, 0, CE_COUNT_MAX);
ath10k_core_napi_enable(ar);
- ath10k_snoc_irq_enable(ar);
+ /* IRQs are left enabled when we restart due to a firmware crash */
+ if (!test_bit(ATH10K_SNOC_FLAG_RECOVERY, &ar_snoc->flags))
+ ath10k_snoc_irq_enable(ar);
ath10k_snoc_rx_post(ar);
clear_bit(ATH10K_SNOC_FLAG_RECOVERY, &ar_snoc->flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 228/508] wifi: ath11k: remove unused function ath11k_tm_event_wmi()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 227/508] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 229/508] wifi: ath11k: fix soc_dp_stats debugfs file permission Greg Kroah-Hartman
` (280 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Govindaraj Saminathan,
Raj Kumar Bhagat, Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
[ Upstream commit 86f85575a3f6a20cef1c8bb98e78585fe3a53ccc ]
The function ath11k_tm_event_wmi() is only defined and it is not used
anywhere. Hence remove the unused.
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230517135934.16408-2-quic_rajkbhag@quicinc.com
Stable-dep-of: 9f6e82d11bb9 ("wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/testmode.c | 64 +---------------------
drivers/net/wireless/ath/ath11k/testmode.h | 8 +--
2 files changed, 2 insertions(+), 70 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/testmode.c b/drivers/net/wireless/ath/ath11k/testmode.c
index 4bf1931adbaae..ebeca5eb6a67a 100644
--- a/drivers/net/wireless/ath/ath11k/testmode.c
+++ b/drivers/net/wireless/ath/ath11k/testmode.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include "testmode.h"
@@ -20,69 +21,6 @@ static const struct nla_policy ath11k_tm_policy[ATH11K_TM_ATTR_MAX + 1] = {
[ATH11K_TM_ATTR_VERSION_MINOR] = { .type = NLA_U32 },
};
-/* Returns true if callee consumes the skb and the skb should be discarded.
- * Returns false if skb is not used. Does not sleep.
- */
-bool ath11k_tm_event_wmi(struct ath11k *ar, u32 cmd_id, struct sk_buff *skb)
-{
- struct sk_buff *nl_skb;
- bool consumed;
- int ret;
-
- ath11k_dbg(ar->ab, ATH11K_DBG_TESTMODE,
- "testmode event wmi cmd_id %d skb %pK skb->len %d\n",
- cmd_id, skb, skb->len);
-
- ath11k_dbg_dump(ar->ab, ATH11K_DBG_TESTMODE, NULL, "", skb->data, skb->len);
-
- spin_lock_bh(&ar->data_lock);
-
- consumed = true;
-
- nl_skb = cfg80211_testmode_alloc_event_skb(ar->hw->wiphy,
- 2 * sizeof(u32) + skb->len,
- GFP_ATOMIC);
- if (!nl_skb) {
- ath11k_warn(ar->ab,
- "failed to allocate skb for testmode wmi event\n");
- goto out;
- }
-
- ret = nla_put_u32(nl_skb, ATH11K_TM_ATTR_CMD, ATH11K_TM_CMD_WMI);
- if (ret) {
- ath11k_warn(ar->ab,
- "failed to put testmode wmi event cmd attribute: %d\n",
- ret);
- kfree_skb(nl_skb);
- goto out;
- }
-
- ret = nla_put_u32(nl_skb, ATH11K_TM_ATTR_WMI_CMDID, cmd_id);
- if (ret) {
- ath11k_warn(ar->ab,
- "failed to put testmode wmi even cmd_id: %d\n",
- ret);
- kfree_skb(nl_skb);
- goto out;
- }
-
- ret = nla_put(nl_skb, ATH11K_TM_ATTR_DATA, skb->len, skb->data);
- if (ret) {
- ath11k_warn(ar->ab,
- "failed to copy skb to testmode wmi event: %d\n",
- ret);
- kfree_skb(nl_skb);
- goto out;
- }
-
- cfg80211_testmode_event(nl_skb, GFP_ATOMIC);
-
-out:
- spin_unlock_bh(&ar->data_lock);
-
- return consumed;
-}
-
static int ath11k_tm_cmd_get_version(struct ath11k *ar, struct nlattr *tb[])
{
struct sk_buff *skb;
diff --git a/drivers/net/wireless/ath/ath11k/testmode.h b/drivers/net/wireless/ath/ath11k/testmode.h
index aaa122ed90697..ffdb0c30b276c 100644
--- a/drivers/net/wireless/ath/ath11k/testmode.h
+++ b/drivers/net/wireless/ath/ath11k/testmode.h
@@ -1,24 +1,18 @@
/* SPDX-License-Identifier: BSD-3-Clause-Clear */
/*
* Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include "core.h"
#ifdef CONFIG_NL80211_TESTMODE
-bool ath11k_tm_event_wmi(struct ath11k *ar, u32 cmd_id, struct sk_buff *skb);
int ath11k_tm_cmd(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
void *data, int len);
#else
-static inline bool ath11k_tm_event_wmi(struct ath11k *ar, u32 cmd_id,
- struct sk_buff *skb)
-{
- return false;
-}
-
static inline int ath11k_tm_cmd(struct ieee80211_hw *hw,
struct ieee80211_vif *vif,
void *data, int len)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 229/508] wifi: ath11k: fix soc_dp_stats debugfs file permission
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 228/508] wifi: ath11k: remove unused function ath11k_tm_event_wmi() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 230/508] wifi: ath11k: convert timeouts to secs_to_jiffies() Greg Kroah-Hartman
` (279 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Johnson, Kalle Valo,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Johnson <quic_jjohnson@quicinc.com>
[ Upstream commit fa645e663165d69f05f95a0c3aa3b3d08f4fdeda ]
Currently the soc_dp_stats debugfs file has the following permissions:
-rw------- 1 root root 0 Mar 4 15:04 /sys/kernel/debug/ath11k/pci-0000:03:00.0/soc_dp_stats
However this file does not actually support write operations -- no .write()
method is registered. Therefore use the correct permissions when creating
the file.
After the change:
-r-------- 1 root root 0 Mar 4 15:15 /sys/kernel/debug/ath11k/pci-0000:03:00.0/soc_dp_stats
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20240305-fix-soc_dp_stats-permission-v1-1-2ec10b42f755@quicinc.com
Stable-dep-of: 9f6e82d11bb9 ("wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/debugfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 5bb6fd17fdf6f..34aa04d27a1d7 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/vmalloc.h>
@@ -979,7 +980,7 @@ int ath11k_debugfs_pdev_create(struct ath11k_base *ab)
debugfs_create_file("simulate_fw_crash", 0600, ab->debugfs_soc, ab,
&fops_simulate_fw_crash);
- debugfs_create_file("soc_dp_stats", 0600, ab->debugfs_soc, ab,
+ debugfs_create_file("soc_dp_stats", 0400, ab->debugfs_soc, ab,
&fops_soc_dp_stats);
if (ab->hw_params.sram_dump.start != 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 230/508] wifi: ath11k: convert timeouts to secs_to_jiffies()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 229/508] wifi: ath11k: fix soc_dp_stats debugfs file permission Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 231/508] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() Greg Kroah-Hartman
` (278 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Johnson, Easwar Hariharan,
Alexander Gordeev, Andrew Lunn, Anna-Maria Behnsen,
Catalin Marinas, Christian Borntraeger, Christophe Leroy,
Daniel Mack, David Airlie, David S. Miller, Dick Kennedy,
Eric Dumazet, Florian Fainelli, Haojian Zhuang, Heiko Carstens,
Ilya Dryomov, Jack Wang, Jakub Kicinski, James Bottomley,
James Smart, Jaroslav Kysela, Jeff Johnson, Jens Axboe,
Jeroen de Borst, Jiri Kosina, Joe Lawrence, Johan Hedberg,
Josh Poimboeuf, Jozsef Kadlecsik, Julia Lawall, Kalle Valo,
Louis Peens, Lucas De Marchi, Luiz Augusto von Dentz,
Maarten Lankhorst, Madhavan Srinivasan, Marcel Holtmann,
Martin K. Petersen, Maxime Ripard, Michael Ellerman,
Miroslav Benes, Naveen N Rao, Nicholas Piggin, Nicolas Palix,
Oded Gabbay, Ofir Bitton, Pablo Neira Ayuso, Paolo Abeni,
Petr Mladek, Praveen Kaligineedi, Ray Jui, Robert Jarzmik,
Rodrigo Vivi, Roger Pau Monné, Russell King, Scott Branden,
Shailend Chand, Simona Vetter, Simon Horman, Sven Schnelle,
Takashi Iwai, Thomas Hellström, Thomas Zimmermann,
Vasily Gorbik, Xiubo Li, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Easwar Hariharan <eahariha@linux.microsoft.com>
[ Upstream commit b29425972c5234a59b6fb634125420ed74266377 ]
Commit b35108a51cf7 ("jiffies: Define secs_to_jiffies()") introduced
secs_to_jiffies(). As the value here is a multiple of 1000, use
secs_to_jiffies() instead of msecs_to_jiffies to avoid the multiplication.
This is converted using scripts/coccinelle/misc/secs_to_jiffies.cocci with
the following Coccinelle rules:
@@ constant C; @@
- msecs_to_jiffies(C * 1000)
+ secs_to_jiffies(C)
@@ constant C; @@
- msecs_to_jiffies(C * MSEC_PER_SEC)
+ secs_to_jiffies(C)
Link: https://lkml.kernel.org/r/20241210-converge-secs-to-jiffies-v3-14-ddfefd7e9f2a@linux.microsoft.com
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: Anna-Maria Behnsen <anna-maria@linutronix.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Daniel Mack <daniel@zonque.org>
Cc: David Airlie <airlied@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Dick Kennedy <dick.kennedy@broadcom.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Haojian Zhuang <haojian.zhuang@gmail.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Ilya Dryomov <idryomov@gmail.com>
Cc: Jack Wang <jinpu.wang@cloud.ionos.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: James Smart <james.smart@broadcom.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Jeff Johnson <jjohnson@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jeroen de Borst <jeroendb@google.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Jozsef Kadlecsik <kadlec@netfilter.org>
Cc: Julia Lawall <julia.lawall@inria.fr>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: Louis Peens <louis.peens@corigine.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Miroslav Benes <mbenes@suse.cz>
Cc: Naveen N Rao <naveen@kernel.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Nicolas Palix <nicolas.palix@imag.fr>
Cc: Oded Gabbay <ogabbay@kernel.org>
Cc: Ofir Bitton <obitton@habana.ai>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Praveen Kaligineedi <pkaligineedi@google.com>
Cc: Ray Jui <rjui@broadcom.com>
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Roger Pau Monné <roger.pau@citrix.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Scott Branden <sbranden@broadcom.com>
Cc: Shailend Chand <shailend@google.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Simon Horman <horms@kernel.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 9f6e82d11bb9 ("wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 34aa04d27a1d7..a8bd944f76d92 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -178,7 +178,7 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
* received 'update stats' event, we keep a 3 seconds timeout in case,
* fw_stats_done is not marked yet
*/
- timeout = jiffies + msecs_to_jiffies(3 * 1000);
+ timeout = jiffies + secs_to_jiffies(3);
ath11k_debugfs_fw_stats_reset(ar);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 231/508] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 230/508] wifi: ath11k: convert timeouts to secs_to_jiffies() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 232/508] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process() Greg Kroah-Hartman
` (277 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Vostrikov, Baochen Qiang,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit 9f6e82d11bb9692a90d20b10f87345598945c803 ]
We get report [1] that CPU is running a hot loop in
ath11k_debugfs_fw_stats_request():
94.60% 0.00% i3status [kernel.kallsyms] [k] do_syscall_64
|
--94.60%--do_syscall_64
|
--94.55%--__sys_sendmsg
___sys_sendmsg
____sys_sendmsg
netlink_sendmsg
netlink_unicast
genl_rcv
netlink_rcv_skb
genl_rcv_msg
|
--94.55%--genl_family_rcv_msg_dumpit
__netlink_dump_start
netlink_dump
genl_dumpit
nl80211_dump_station
|
--94.55%--ieee80211_dump_station
sta_set_sinfo
|
--94.55%--ath11k_mac_op_sta_statistics
ath11k_debugfs_get_fw_stats
|
--94.55%--ath11k_debugfs_fw_stats_request
|
|--41.73%--_raw_spin_lock_bh
|
|--22.74%--__local_bh_enable_ip
|
|--9.22%--_raw_spin_unlock_bh
|
--6.66%--srso_alias_safe_ret
This is because, if for whatever reason ar->fw_stats_done is not set by
ath11k_update_stats_event(), ath11k_debugfs_fw_stats_request() won't yield
CPU before an up to 3s timeout.
Change to completion mechanism to avoid CPU burning.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.37
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Reported-by: Yury Vostrikov <mon@unformed.ru>
Closes: https://lore.kernel.org/all/7324ac7a-8b7a-42a5-aa19-de52138ff638@app.fastmail.com/ # [1]
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250220082448.31039-2-quic_bqiang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 1 +
drivers/net/wireless/ath/ath11k/core.h | 2 +-
drivers/net/wireless/ath/ath11k/debugfs.c | 38 +++++++++--------------
drivers/net/wireless/ath/ath11k/mac.c | 2 +-
drivers/net/wireless/ath/ath11k/wmi.c | 2 +-
5 files changed, 18 insertions(+), 27 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index ef269244fe495..a8bdddccca4cb 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -644,6 +644,7 @@ void ath11k_fw_stats_init(struct ath11k *ar)
INIT_LIST_HEAD(&ar->fw_stats.bcn);
init_completion(&ar->fw_stats_complete);
+ init_completion(&ar->fw_stats_done);
}
void ath11k_fw_stats_free(struct ath11k_fw_stats *stats)
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index bd06536f82a64..69feef410b359 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -718,7 +718,7 @@ struct ath11k {
u8 alpha2[REG_ALPHA2_LEN + 1];
struct ath11k_fw_stats fw_stats;
struct completion fw_stats_complete;
- bool fw_stats_done;
+ struct completion fw_stats_done;
/* protected by conf_mutex */
bool ps_state_enable;
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index a8bd944f76d92..a5791155fe065 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/vmalloc.h>
@@ -96,7 +96,6 @@ void ath11k_debugfs_add_dbring_entry(struct ath11k *ar,
static void ath11k_debugfs_fw_stats_reset(struct ath11k *ar)
{
spin_lock_bh(&ar->data_lock);
- ar->fw_stats_done = false;
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
ath11k_fw_stats_vdevs_free(&ar->fw_stats.vdevs);
spin_unlock_bh(&ar->data_lock);
@@ -114,7 +113,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
/* WMI_REQUEST_PDEV_STAT request has been already processed */
if (stats->stats_id == WMI_REQUEST_RSSI_PER_CHAIN_STAT) {
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
return;
}
@@ -138,7 +137,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
&ar->fw_stats.vdevs);
if (is_end) {
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
num_vdev = 0;
}
return;
@@ -158,7 +157,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
&ar->fw_stats.bcn);
if (is_end) {
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
num_bcn = 0;
}
}
@@ -168,21 +167,15 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
struct stats_request_params *req_param)
{
struct ath11k_base *ab = ar->ab;
- unsigned long timeout, time_left;
+ unsigned long time_left;
int ret;
lockdep_assert_held(&ar->conf_mutex);
- /* FW stats can get split when exceeding the stats data buffer limit.
- * In that case, since there is no end marking for the back-to-back
- * received 'update stats' event, we keep a 3 seconds timeout in case,
- * fw_stats_done is not marked yet
- */
- timeout = jiffies + secs_to_jiffies(3);
-
ath11k_debugfs_fw_stats_reset(ar);
reinit_completion(&ar->fw_stats_complete);
+ reinit_completion(&ar->fw_stats_done);
ret = ath11k_wmi_send_stats_request_cmd(ar, req_param);
@@ -193,21 +186,18 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
}
time_left = wait_for_completion_timeout(&ar->fw_stats_complete, 1 * HZ);
-
if (!time_left)
return -ETIMEDOUT;
- for (;;) {
- if (time_after(jiffies, timeout))
- break;
+ /* FW stats can get split when exceeding the stats data buffer limit.
+ * In that case, since there is no end marking for the back-to-back
+ * received 'update stats' event, we keep a 3 seconds timeout in case,
+ * fw_stats_done is not marked yet
+ */
+ time_left = wait_for_completion_timeout(&ar->fw_stats_done, 3 * HZ);
+ if (!time_left)
+ return -ETIMEDOUT;
- spin_lock_bh(&ar->data_lock);
- if (ar->fw_stats_done) {
- spin_unlock_bh(&ar->data_lock);
- break;
- }
- spin_unlock_bh(&ar->data_lock);
- }
return 0;
}
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 8234e34269ed8..e5b4cc2486833 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -8510,11 +8510,11 @@ static int ath11k_fw_stats_request(struct ath11k *ar,
lockdep_assert_held(&ar->conf_mutex);
spin_lock_bh(&ar->data_lock);
- ar->fw_stats_done = false;
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
spin_unlock_bh(&ar->data_lock);
reinit_completion(&ar->fw_stats_complete);
+ reinit_completion(&ar->fw_stats_done);
ret = ath11k_wmi_send_stats_request_cmd(ar, req_param);
if (ret) {
diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 142b201052660..38756ed48082c 100644
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -7575,7 +7575,7 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk
*/
if (stats.stats_id == WMI_REQUEST_PDEV_STAT) {
list_splice_tail_init(&stats.pdevs, &ar->fw_stats.pdevs);
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
goto complete;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 232/508] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 231/508] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 233/508] wifi: ath11k: dont wait when there is no vdev started Greg Kroah-Hartman
` (276 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang, Kalle Valo,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit 2bcf73b2612dda7432f2c2eaad6679bd291791f2 ]
Currently ath11k_debugfs_fw_stats_process() is using static variables to count
firmware stat events. Taking num_vdev as an example, if for whatever reason (
say ar->num_started_vdevs is 0 or firmware bug etc.) the following condition
(++num_vdev) == total_vdevs_started
is not met, is_end is not set thus num_vdev won't be cleared. Next time when
firmware stats is requested again, even if everything is working fine, we will
fail due to the condition above will never be satisfied.
The same applies to num_bcn as well.
Change to use non-static counters so that we have a chance to clear them each
time firmware stats is requested. Currently only ath11k_fw_stats_request() and
ath11k_debugfs_fw_stats_request() are requesting firmware stats, so clear
counters there.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.37
Fixes: da3a9d3c1576 ("ath11k: refactor debugfs code into debugfs.c")
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Acked-by: Kalle Valo <kvalo@kernel.org>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250220082448.31039-3-quic_bqiang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.h | 2 ++
drivers/net/wireless/ath/ath11k/debugfs.c | 16 +++++++---------
drivers/net/wireless/ath/ath11k/mac.c | 2 ++
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index 69feef410b359..a46fe85e592d8 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -538,6 +538,8 @@ struct ath11k_fw_stats {
struct list_head pdevs;
struct list_head vdevs;
struct list_head bcn;
+ u32 num_vdev_recvd;
+ u32 num_bcn_recvd;
};
struct ath11k_dbg_htt_stats {
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index a5791155fe065..5a375d6680594 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -98,6 +98,8 @@ static void ath11k_debugfs_fw_stats_reset(struct ath11k *ar)
spin_lock_bh(&ar->data_lock);
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
ath11k_fw_stats_vdevs_free(&ar->fw_stats.vdevs);
+ ar->fw_stats.num_vdev_recvd = 0;
+ ar->fw_stats.num_bcn_recvd = 0;
spin_unlock_bh(&ar->data_lock);
}
@@ -106,7 +108,6 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
struct ath11k_base *ab = ar->ab;
struct ath11k_pdev *pdev;
bool is_end;
- static unsigned int num_vdev, num_bcn;
size_t total_vdevs_started = 0;
int i;
@@ -131,15 +132,14 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
total_vdevs_started += ar->num_started_vdevs;
}
- is_end = ((++num_vdev) == total_vdevs_started);
+ is_end = ((++ar->fw_stats.num_vdev_recvd) == total_vdevs_started);
list_splice_tail_init(&stats->vdevs,
&ar->fw_stats.vdevs);
- if (is_end) {
+ if (is_end)
complete(&ar->fw_stats_done);
- num_vdev = 0;
- }
+
return;
}
@@ -151,15 +151,13 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
/* Mark end until we reached the count of all started VDEVs
* within the PDEV
*/
- is_end = ((++num_bcn) == ar->num_started_vdevs);
+ is_end = ((++ar->fw_stats.num_bcn_recvd) == ar->num_started_vdevs);
list_splice_tail_init(&stats->bcn,
&ar->fw_stats.bcn);
- if (is_end) {
+ if (is_end)
complete(&ar->fw_stats_done);
- num_bcn = 0;
- }
}
}
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index e5b4cc2486833..8be42227dd943 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -8511,6 +8511,8 @@ static int ath11k_fw_stats_request(struct ath11k *ar,
spin_lock_bh(&ar->data_lock);
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
+ ar->fw_stats.num_vdev_recvd = 0;
+ ar->fw_stats.num_bcn_recvd = 0;
spin_unlock_bh(&ar->data_lock);
reinit_completion(&ar->fw_stats_complete);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 233/508] wifi: ath11k: dont wait when there is no vdev started
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 232/508] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 234/508] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready Greg Kroah-Hartman
` (275 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit 3b6d00fa883075dcaf49221538230e038a9c0b43 ]
For WMI_REQUEST_VDEV_STAT request, firmware might split response into
multiple events dut to buffer limit, hence currently in
ath11k_debugfs_fw_stats_process() we wait until all events received.
In case there is no vdev started, this results in that below condition
would never get satisfied
((++ar->fw_stats.num_vdev_recvd) == total_vdevs_started)
finally the requestor would be blocked until wait time out.
The same applies to WMI_REQUEST_BCN_STAT request as well due to:
((++ar->fw_stats.num_bcn_recvd) == ar->num_started_vdevs)
Change to check the number of started vdev first: if it is zero, finish
wait directly; if not, follow the old way.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.37
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250220082448.31039-4-quic_bqiang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/debugfs.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 5a375d6680594..50bc17127e68a 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -107,7 +107,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
{
struct ath11k_base *ab = ar->ab;
struct ath11k_pdev *pdev;
- bool is_end;
+ bool is_end = true;
size_t total_vdevs_started = 0;
int i;
@@ -132,7 +132,9 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
total_vdevs_started += ar->num_started_vdevs;
}
- is_end = ((++ar->fw_stats.num_vdev_recvd) == total_vdevs_started);
+ if (total_vdevs_started)
+ is_end = ((++ar->fw_stats.num_vdev_recvd) ==
+ total_vdevs_started);
list_splice_tail_init(&stats->vdevs,
&ar->fw_stats.vdevs);
@@ -151,7 +153,9 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
/* Mark end until we reached the count of all started VDEVs
* within the PDEV
*/
- is_end = ((++ar->fw_stats.num_bcn_recvd) == ar->num_started_vdevs);
+ if (ar->num_started_vdevs)
+ is_end = ((++ar->fw_stats.num_bcn_recvd) ==
+ ar->num_started_vdevs);
list_splice_tail_init(&stats->bcn,
&ar->fw_stats.bcn);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 234/508] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 233/508] wifi: ath11k: dont wait when there is no vdev started Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 235/508] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() Greg Kroah-Hartman
` (274 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Gobbi, kernel test robot,
Dan Carpenter, Baochen Qiang, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
[ Upstream commit b0d226a60856a1b765bb9a3848c7b2322fd08c47 ]
if ath11k_crypto_mode is invalid (not ATH11K_CRYPT_MODE_SW/ATH11K_CRYPT_MODE_HW),
ath11k_core_qmi_firmware_ready() will not undo some actions that was previously
started/configured. Do the validation as soon as possible in order to avoid
undoing actions in that case and also to fix the following smatch warning:
drivers/net/wireless/ath/ath11k/core.c:2166 ath11k_core_qmi_firmware_ready()
warn: missing unwind goto?
Signed-off-by: Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202304151955.oqAetVFd-lkp@intel.com/
Fixes: aa2092a9bab3 ("ath11k: add raw mode and software crypto support")
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250522200519.16858-1-rodrigo.gobbi.7@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 28 +++++++++++++-------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index a8bdddccca4cb..0910d06ed296f 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -1517,6 +1517,20 @@ int ath11k_core_qmi_firmware_ready(struct ath11k_base *ab)
{
int ret;
+ switch (ath11k_crypto_mode) {
+ case ATH11K_CRYPT_MODE_SW:
+ set_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
+ set_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
+ break;
+ case ATH11K_CRYPT_MODE_HW:
+ clear_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
+ clear_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
+ break;
+ default:
+ ath11k_info(ab, "invalid crypto_mode: %d\n", ath11k_crypto_mode);
+ return -EINVAL;
+ }
+
ret = ath11k_core_start_firmware(ab, ATH11K_FIRMWARE_MODE_NORMAL);
if (ret) {
ath11k_err(ab, "failed to start firmware: %d\n", ret);
@@ -1535,20 +1549,6 @@ int ath11k_core_qmi_firmware_ready(struct ath11k_base *ab)
goto err_firmware_stop;
}
- switch (ath11k_crypto_mode) {
- case ATH11K_CRYPT_MODE_SW:
- set_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
- set_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
- break;
- case ATH11K_CRYPT_MODE_HW:
- clear_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
- clear_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
- break;
- default:
- ath11k_info(ab, "invalid crypto_mode: %d\n", ath11k_crypto_mode);
- return -EINVAL;
- }
-
if (ath11k_frame_mode == ATH11K_HW_TXRX_RAW)
set_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 235/508] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 234/508] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 236/508] pinctrl: qcom: pinctrl-qcm2290: Add missing pins Greg Kroah-Hartman
` (273 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Laurent Pinchart,
Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 06118ae36855b7d3d22688298e74a766ccf0cb7a ]
There is a missing call to of_node_put() if devm_kcalloc() fails.
Fix this by changing the code to use cleanup.h magic to drop the
refcount.
Fixes: 6b0cd72757c6 ("regulator: max20086: fix invalid memory access")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aDVRLqgJWMxYU03G@stanley.mountain
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/max20086-regulator.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/regulator/max20086-regulator.c b/drivers/regulator/max20086-regulator.c
index 332fb58f90952..a24dfffce25c7 100644
--- a/drivers/regulator/max20086-regulator.c
+++ b/drivers/regulator/max20086-regulator.c
@@ -5,6 +5,7 @@
// Copyright (C) 2022 Laurent Pinchart <laurent.pinchart@idesonboard.com>
// Copyright (C) 2018 Avnet, Inc.
+#include <linux/cleanup.h>
#include <linux/err.h>
#include <linux/gpio.h>
#include <linux/gpio/consumer.h>
@@ -134,11 +135,11 @@ static int max20086_regulators_register(struct max20086 *chip)
static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
{
struct of_regulator_match *matches;
- struct device_node *node;
unsigned int i;
int ret;
- node = of_get_child_by_name(chip->dev->of_node, "regulators");
+ struct device_node *node __free(device_node) =
+ of_get_child_by_name(chip->dev->of_node, "regulators");
if (!node) {
dev_err(chip->dev, "regulators node not found\n");
return -ENODEV;
@@ -154,7 +155,6 @@ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
ret = of_regulator_match(chip->dev, node, matches,
chip->info->num_outputs);
- of_node_put(node);
if (ret < 0) {
dev_err(chip->dev, "Failed to match regulators\n");
return -EINVAL;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 236/508] pinctrl: qcom: pinctrl-qcm2290: Add missing pins
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 235/508] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 237/508] scsi: iscsi: Fix incorrect error path labels for flashnode operations Greg Kroah-Hartman
` (272 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wojciech Slenska, Dmitry Baryshkov,
Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wojciech Slenska <wojciech.slenska@gmail.com>
[ Upstream commit 315345610faee8a0568b522dba9e35067d1732ab ]
Added the missing pins to the qcm2290_pins table.
Signed-off-by: Wojciech Slenska <wojciech.slenska@gmail.com>
Fixes: 48e049ef1238 ("pinctrl: qcom: Add QCM2290 pinctrl driver")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/20250523101437.59092-1-wojciech.slenska@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-qcm2290.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/pinctrl/qcom/pinctrl-qcm2290.c b/drivers/pinctrl/qcom/pinctrl-qcm2290.c
index aa9325f333fba..fa4575a9396ae 100644
--- a/drivers/pinctrl/qcom/pinctrl-qcm2290.c
+++ b/drivers/pinctrl/qcom/pinctrl-qcm2290.c
@@ -173,6 +173,10 @@ static const struct pinctrl_pin_desc qcm2290_pins[] = {
PINCTRL_PIN(62, "GPIO_62"),
PINCTRL_PIN(63, "GPIO_63"),
PINCTRL_PIN(64, "GPIO_64"),
+ PINCTRL_PIN(65, "GPIO_65"),
+ PINCTRL_PIN(66, "GPIO_66"),
+ PINCTRL_PIN(67, "GPIO_67"),
+ PINCTRL_PIN(68, "GPIO_68"),
PINCTRL_PIN(69, "GPIO_69"),
PINCTRL_PIN(70, "GPIO_70"),
PINCTRL_PIN(71, "GPIO_71"),
@@ -187,12 +191,17 @@ static const struct pinctrl_pin_desc qcm2290_pins[] = {
PINCTRL_PIN(80, "GPIO_80"),
PINCTRL_PIN(81, "GPIO_81"),
PINCTRL_PIN(82, "GPIO_82"),
+ PINCTRL_PIN(83, "GPIO_83"),
+ PINCTRL_PIN(84, "GPIO_84"),
+ PINCTRL_PIN(85, "GPIO_85"),
PINCTRL_PIN(86, "GPIO_86"),
PINCTRL_PIN(87, "GPIO_87"),
PINCTRL_PIN(88, "GPIO_88"),
PINCTRL_PIN(89, "GPIO_89"),
PINCTRL_PIN(90, "GPIO_90"),
PINCTRL_PIN(91, "GPIO_91"),
+ PINCTRL_PIN(92, "GPIO_92"),
+ PINCTRL_PIN(93, "GPIO_93"),
PINCTRL_PIN(94, "GPIO_94"),
PINCTRL_PIN(95, "GPIO_95"),
PINCTRL_PIN(96, "GPIO_96"),
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 237/508] scsi: iscsi: Fix incorrect error path labels for flashnode operations
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 236/508] pinctrl: qcom: pinctrl-qcm2290: Add missing pins Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 238/508] net_sched: sch_sfq: fix a potential crash on gso_skb handling Greg Kroah-Hartman
` (271 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Mike Christie,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 9b17621366d210ffee83262a8754086ebbde5e55 ]
Correct the error handling goto labels used when host lookup fails in
various flashnode-related event handlers:
- iscsi_new_flashnode()
- iscsi_del_flashnode()
- iscsi_login_flashnode()
- iscsi_logout_flashnode()
- iscsi_logout_flashnode_sid()
scsi_host_put() is not required when shost is NULL, so jumping to the
correct label avoids unnecessary operations. These functions previously
jumped to the wrong goto label (put_host), which did not match the
intended cleanup logic.
Use the correct exit labels (exit_new_fnode, exit_del_fnode, etc.) to
ensure proper error handling. Also remove the unused put_host label
under iscsi_new_flashnode() as it is no longer needed.
No functional changes beyond accurate error path correction.
Fixes: c6a4bb2ef596 ("[SCSI] scsi_transport_iscsi: Add flash node mgmt support")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://lore.kernel.org/r/20250530193012.3312911-1-alok.a.tiwari@oracle.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_transport_iscsi.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index 7f0fd03dd03bc..c44103752b699 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3524,7 +3524,7 @@ static int iscsi_new_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.new_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_new_fnode;
}
index = transport->new_flashnode(shost, data, len);
@@ -3534,7 +3534,6 @@ static int iscsi_new_flashnode(struct iscsi_transport *transport,
else
err = -EIO;
-put_host:
scsi_host_put(shost);
exit_new_fnode:
@@ -3559,7 +3558,7 @@ static int iscsi_del_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.del_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_del_fnode;
}
idx = ev->u.del_flashnode.flashnode_idx;
@@ -3601,7 +3600,7 @@ static int iscsi_login_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.login_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_login_fnode;
}
idx = ev->u.login_flashnode.flashnode_idx;
@@ -3653,7 +3652,7 @@ static int iscsi_logout_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.logout_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_logout_fnode;
}
idx = ev->u.logout_flashnode.flashnode_idx;
@@ -3703,7 +3702,7 @@ static int iscsi_logout_flashnode_sid(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.logout_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_logout_sid;
}
session = iscsi_session_lookup(ev->u.logout_flashnode_sid.sid);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 238/508] net_sched: sch_sfq: fix a potential crash on gso_skb handling
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 237/508] scsi: iscsi: Fix incorrect error path labels for flashnode operations Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 239/508] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap Greg Kroah-Hartman
` (270 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcus Wichelmann, Eric Dumazet,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 82ffbe7776d0ac084031f114167712269bf3d832 ]
SFQ has an assumption of always being able to queue at least one packet.
However, after the blamed commit, sch->q.len can be inflated by packets
in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed
by an immediate drop.
Fix sfq_drop() to properly clear q->tail in this situation.
Tested:
ip netns add lb
ip link add dev to-lb type veth peer name in-lb netns lb
ethtool -K to-lb tso off # force qdisc to requeue gso_skb
ip netns exec lb ethtool -K in-lb gro on # enable NAPI
ip link set dev to-lb up
ip -netns lb link set dev in-lb up
ip addr add dev to-lb 192.168.20.1/24
ip -netns lb addr add dev in-lb 192.168.20.2/24
tc qdisc replace dev to-lb root sfq limit 100
ip netns exec lb netserver
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
Fixes: a53851e2c321 ("net: sched: explicit locking in gso_cpu fallback")
Reported-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
Closes: https://lore.kernel.org/netdev/9da42688-bfaa-4364-8797-e9271f3bdaef@hetzner-cloud.de/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://patch.msgid.link/20250606165127.3629486-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfq.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 002941d35b643..d564675a8be4d 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -310,7 +310,10 @@ static unsigned int sfq_drop(struct Qdisc *sch, struct sk_buff **to_free)
/* It is difficult to believe, but ALL THE SLOTS HAVE LENGTH 1. */
x = q->tail->next;
slot = &q->slots[x];
- q->tail->next = slot->next;
+ if (slot->next == x)
+ q->tail = NULL; /* no more active slots */
+ else
+ q->tail->next = slot->next;
q->ht[slot->hash] = SFQ_EMPTY_SLOT;
goto drop;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 239/508] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 238/508] net_sched: sch_sfq: fix a potential crash on gso_skb handling Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 240/508] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Greg Kroah-Hartman
` (269 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Greental,
Ritesh Harjani (IBM), Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit cd097df4596f3a1e9d75eb8520162de1eb8485b2 ]
memtrace mmap issue has an out of bounds issue. This patch fixes the by
checking that the requested mapping region size should stay within the
allocated region size.
Reported-by: Jonathan Greental <yonatan02greental@gmail.com>
Fixes: 08a022ad3dfa ("powerpc/powernv/memtrace: Allow mmaping trace buffers")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610021227.361980-1-maddy@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/powernv/memtrace.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
index 877720c645151..35471b679638a 100644
--- a/arch/powerpc/platforms/powernv/memtrace.c
+++ b/arch/powerpc/platforms/powernv/memtrace.c
@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file *filp, char __user *ubuf,
static int memtrace_mmap(struct file *filp, struct vm_area_struct *vma)
{
struct memtrace_entry *ent = filp->private_data;
+ unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
+ unsigned long vma_nrpages = vma_pages(vma);
- if (ent->size < vma->vm_end - vma->vm_start)
+ /* The requested page offset should be within object's page count */
+ if (vma->vm_pgoff >= ent_nrpages)
return -EINVAL;
- if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
+ /* The requested mapping range should remain within the bounds */
+ if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
return -EINVAL;
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 240/508] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 239/508] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 241/508] drm/meson: use unsigned long long / Hz for frequency types Greg Kroah-Hartman
` (268 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Greental, Haren Myneni,
Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haren Myneni <haren@linux.ibm.com>
[ Upstream commit 0d67f0dee6c9176bc09a5482dd7346e3a0f14d0b ]
The user space calls mmap() to map VAS window paste address
and the kernel returns the complete mapped page for each
window. So return -EINVAL if non-zero is passed for offset
parameter to mmap().
See Documentation/arch/powerpc/vas-api.rst for mmap()
restrictions.
Co-developed-by: Jonathan Greental <yonatan02greental@gmail.com>
Signed-off-by: Jonathan Greental <yonatan02greental@gmail.com>
Reported-by: Jonathan Greental <yonatan02greental@gmail.com>
Fixes: dda44eb29c23 ("powerpc/vas: Add VAS user space API")
Signed-off-by: Haren Myneni <haren@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610021227.361980-2-maddy@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/book3s/vas-api.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/arch/powerpc/platforms/book3s/vas-api.c b/arch/powerpc/platforms/book3s/vas-api.c
index d954ddf7f0592..0f73554c6ae90 100644
--- a/arch/powerpc/platforms/book3s/vas-api.c
+++ b/arch/powerpc/platforms/book3s/vas-api.c
@@ -521,6 +521,15 @@ static int coproc_mmap(struct file *fp, struct vm_area_struct *vma)
return -EINVAL;
}
+ /*
+ * Map complete page to the paste address. So the user
+ * space should pass 0ULL to the offset parameter.
+ */
+ if (vma->vm_pgoff) {
+ pr_debug("Page offset unsupported to map paste address\n");
+ return -EINVAL;
+ }
+
/* Ensure instance has an open send window */
if (!txwin) {
pr_err("No send window open?\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 241/508] drm/meson: use unsigned long long / Hz for frequency types
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 240/508] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 242/508] drm/meson: fix debug log statement when setting the HDMI clocks Greg Kroah-Hartman
` (267 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hewitt,
Martin Blumenstingl, Neil Armstrong, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit 1017560164b6bbcbc93579266926e6e96675262a ]
Christian reports that 4K output using YUV420 encoding fails with the
following error:
Fatal Error, invalid HDMI vclk freq 593406
Modetest shows the following:
3840x2160 59.94 3840 4016 4104 4400 2160 2168 2178 2250 593407 flags: xxxx, xxxx,
drm calculated value -------------------------------------^
This indicates that there's a (1kHz) mismatch between the clock
calculated by the drm framework and the meson driver.
Relevant function call stack:
(drm framework)
-> meson_encoder_hdmi_atomic_enable()
-> meson_encoder_hdmi_set_vclk()
-> meson_vclk_setup()
The video clock requested by the drm framework is 593407kHz. This is
passed by meson_encoder_hdmi_atomic_enable() to
meson_encoder_hdmi_set_vclk() and the following formula is applied:
- the frequency is halved (which would be 296703.5kHz) and rounded down
to the next full integer, which is 296703kHz
- TMDS clock is calculated (296703kHz * 10)
- video encoder clock is calculated - this needs to match a table from
meson_vclk.c and so it doubles the previously halved value again
(resulting in 593406kHz)
- meson_vclk_setup() can't find (either directly, or by deriving it from
594000kHz * 1000 / 1001 and rounding to the closest integer value -
which is 593407kHz as originally requested by the drm framework) a
matching clock in it's internal table and errors out with "invalid
HDMI vclk freq"
Fix the division precision by switching the whole meson driver to use
unsigned long long (64-bit) Hz values for clock frequencies instead of
unsigned int (32-bit) kHz to fix the rouding error.
Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
Reported-by: Christian Hewitt <christianshewitt@gmail.com>
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250421201300.778955-3-martin.blumenstingl@googlemail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250421201300.778955-3-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_drv.c | 2 +-
drivers/gpu/drm/meson/meson_drv.h | 2 +-
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 29 +--
drivers/gpu/drm/meson/meson_vclk.c | 195 +++++++++++----------
drivers/gpu/drm/meson/meson_vclk.h | 13 +-
5 files changed, 126 insertions(+), 115 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
index f0df41cf39a36..5606a248f4c48 100644
--- a/drivers/gpu/drm/meson/meson_drv.c
+++ b/drivers/gpu/drm/meson/meson_drv.c
@@ -167,7 +167,7 @@ static const struct meson_drm_soc_attr meson_drm_soc_attrs[] = {
/* S805X/S805Y HDMI PLL won't lock for HDMI PHY freq > 1,65GHz */
{
.limits = {
- .max_hdmi_phy_freq = 1650000,
+ .max_hdmi_phy_freq = 1650000000,
},
.attrs = (const struct soc_device_attribute []) {
{ .soc_id = "GXL (S805*)", },
diff --git a/drivers/gpu/drm/meson/meson_drv.h b/drivers/gpu/drm/meson/meson_drv.h
index c62ee358456fa..3b03282f1e2b9 100644
--- a/drivers/gpu/drm/meson/meson_drv.h
+++ b/drivers/gpu/drm/meson/meson_drv.h
@@ -37,7 +37,7 @@ struct meson_drm_match_data {
};
struct meson_drm_soc_limits {
- unsigned int max_hdmi_phy_freq;
+ unsigned long long max_hdmi_phy_freq;
};
struct meson_drm {
diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
index 03062e7a02b64..c1401ec1354d1 100644
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -68,12 +68,12 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
{
struct meson_drm *priv = encoder_hdmi->priv;
int vic = drm_match_cea_mode(mode);
- unsigned int phy_freq;
- unsigned int vclk_freq;
- unsigned int venc_freq;
- unsigned int hdmi_freq;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+ unsigned long long hdmi_freq;
- vclk_freq = mode->clock;
+ vclk_freq = mode->clock * 1000;
/* For 420, pixel clock is half unlike venc clock */
if (encoder_hdmi->output_bus_fmt == MEDIA_BUS_FMT_UYYVYY8_0_5X24)
@@ -105,7 +105,8 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
if (mode->flags & DRM_MODE_FLAG_DBLCLK)
venc_freq /= 2;
- dev_dbg(priv->dev, "vclk:%d phy=%d venc=%d hdmi=%d enci=%d\n",
+ dev_dbg(priv->dev,
+ "vclk:%lluHz phy=%lluHz venc=%lluHz hdmi=%lluHz enci=%d\n",
phy_freq, vclk_freq, venc_freq, hdmi_freq,
priv->venc.hdmi_use_enci);
@@ -120,10 +121,11 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
struct meson_encoder_hdmi *encoder_hdmi = bridge_to_meson_encoder_hdmi(bridge);
struct meson_drm *priv = encoder_hdmi->priv;
bool is_hdmi2_sink = display_info->hdmi.scdc.supported;
- unsigned int phy_freq;
- unsigned int vclk_freq;
- unsigned int venc_freq;
- unsigned int hdmi_freq;
+ unsigned long long clock = mode->clock * 1000;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+ unsigned long long hdmi_freq;
int vic = drm_match_cea_mode(mode);
enum drm_mode_status status;
@@ -142,12 +144,12 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
if (status != MODE_OK)
return status;
- return meson_vclk_dmt_supported_freq(priv, mode->clock);
+ return meson_vclk_dmt_supported_freq(priv, clock);
/* Check against supported VIC modes */
} else if (!meson_venc_hdmi_supported_vic(vic))
return MODE_BAD;
- vclk_freq = mode->clock;
+ vclk_freq = clock;
/* For 420, pixel clock is half unlike venc clock */
if (drm_mode_is_420_only(display_info, mode) ||
@@ -177,7 +179,8 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
if (mode->flags & DRM_MODE_FLAG_DBLCLK)
venc_freq /= 2;
- dev_dbg(priv->dev, "%s: vclk:%d phy=%d venc=%d hdmi=%d\n",
+ dev_dbg(priv->dev,
+ "%s: vclk:%lluHz phy=%lluHz venc=%lluHz hdmi=%lluHz\n",
__func__, phy_freq, vclk_freq, venc_freq, hdmi_freq);
return meson_vclk_vic_supported_freq(priv, phy_freq, vclk_freq);
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index 2a82119eb58ed..3325580d885d0 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -110,7 +110,10 @@
#define HDMI_PLL_LOCK BIT(31)
#define HDMI_PLL_LOCK_G12A (3 << 30)
-#define FREQ_1000_1001(_freq) DIV_ROUND_CLOSEST(_freq * 1000, 1001)
+#define PIXEL_FREQ_1000_1001(_freq) \
+ DIV_ROUND_CLOSEST_ULL((_freq) * 1000ULL, 1001ULL)
+#define PHY_FREQ_1000_1001(_freq) \
+ (PIXEL_FREQ_1000_1001(DIV_ROUND_DOWN_ULL(_freq, 10ULL)) * 10)
/* VID PLL Dividers */
enum {
@@ -360,11 +363,11 @@ enum {
};
struct meson_vclk_params {
- unsigned int pll_freq;
- unsigned int phy_freq;
- unsigned int vclk_freq;
- unsigned int venc_freq;
- unsigned int pixel_freq;
+ unsigned long long pll_freq;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+ unsigned long long pixel_freq;
unsigned int pll_od1;
unsigned int pll_od2;
unsigned int pll_od3;
@@ -372,11 +375,11 @@ struct meson_vclk_params {
unsigned int vclk_div;
} params[] = {
[MESON_VCLK_HDMI_ENCI_54000] = {
- .pll_freq = 4320000,
- .phy_freq = 270000,
- .vclk_freq = 54000,
- .venc_freq = 54000,
- .pixel_freq = 54000,
+ .pll_freq = 4320000000,
+ .phy_freq = 270000000,
+ .vclk_freq = 54000000,
+ .venc_freq = 54000000,
+ .pixel_freq = 54000000,
.pll_od1 = 4,
.pll_od2 = 4,
.pll_od3 = 1,
@@ -384,11 +387,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_DDR_54000] = {
- .pll_freq = 4320000,
- .phy_freq = 270000,
- .vclk_freq = 54000,
- .venc_freq = 54000,
- .pixel_freq = 27000,
+ .pll_freq = 4320000000,
+ .phy_freq = 270000000,
+ .vclk_freq = 54000000,
+ .venc_freq = 54000000,
+ .pixel_freq = 27000000,
.pll_od1 = 4,
.pll_od2 = 4,
.pll_od3 = 1,
@@ -396,11 +399,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_DDR_148500] = {
- .pll_freq = 2970000,
- .phy_freq = 742500,
- .vclk_freq = 148500,
- .venc_freq = 148500,
- .pixel_freq = 74250,
+ .pll_freq = 2970000000,
+ .phy_freq = 742500000,
+ .vclk_freq = 148500000,
+ .venc_freq = 148500000,
+ .pixel_freq = 74250000,
.pll_od1 = 4,
.pll_od2 = 1,
.pll_od3 = 1,
@@ -408,11 +411,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_74250] = {
- .pll_freq = 2970000,
- .phy_freq = 742500,
- .vclk_freq = 74250,
- .venc_freq = 74250,
- .pixel_freq = 74250,
+ .pll_freq = 2970000000,
+ .phy_freq = 742500000,
+ .vclk_freq = 74250000,
+ .venc_freq = 74250000,
+ .pixel_freq = 74250000,
.pll_od1 = 2,
.pll_od2 = 2,
.pll_od3 = 2,
@@ -420,11 +423,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_148500] = {
- .pll_freq = 2970000,
- .phy_freq = 1485000,
- .vclk_freq = 148500,
- .venc_freq = 148500,
- .pixel_freq = 148500,
+ .pll_freq = 2970000000,
+ .phy_freq = 1485000000,
+ .vclk_freq = 148500000,
+ .venc_freq = 148500000,
+ .pixel_freq = 148500000,
.pll_od1 = 1,
.pll_od2 = 2,
.pll_od3 = 2,
@@ -432,11 +435,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_297000] = {
- .pll_freq = 5940000,
- .phy_freq = 2970000,
- .venc_freq = 297000,
- .vclk_freq = 297000,
- .pixel_freq = 297000,
+ .pll_freq = 5940000000,
+ .phy_freq = 2970000000,
+ .venc_freq = 297000000,
+ .vclk_freq = 297000000,
+ .pixel_freq = 297000000,
.pll_od1 = 2,
.pll_od2 = 1,
.pll_od3 = 1,
@@ -444,11 +447,11 @@ struct meson_vclk_params {
.vclk_div = 2,
},
[MESON_VCLK_HDMI_594000] = {
- .pll_freq = 5940000,
- .phy_freq = 5940000,
- .venc_freq = 594000,
- .vclk_freq = 594000,
- .pixel_freq = 594000,
+ .pll_freq = 5940000000,
+ .phy_freq = 5940000000,
+ .venc_freq = 594000000,
+ .vclk_freq = 594000000,
+ .pixel_freq = 594000000,
.pll_od1 = 1,
.pll_od2 = 1,
.pll_od3 = 2,
@@ -456,11 +459,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_594000_YUV420] = {
- .pll_freq = 5940000,
- .phy_freq = 2970000,
- .venc_freq = 594000,
- .vclk_freq = 594000,
- .pixel_freq = 297000,
+ .pll_freq = 5940000000,
+ .phy_freq = 2970000000,
+ .venc_freq = 594000000,
+ .vclk_freq = 594000000,
+ .pixel_freq = 297000000,
.pll_od1 = 2,
.pll_od2 = 1,
.pll_od3 = 1,
@@ -617,16 +620,16 @@ static void meson_hdmi_pll_set_params(struct meson_drm *priv, unsigned int m,
3 << 20, pll_od_to_reg(od3) << 20);
}
-#define XTAL_FREQ 24000
+#define XTAL_FREQ (24 * 1000 * 1000)
static unsigned int meson_hdmi_pll_get_m(struct meson_drm *priv,
- unsigned int pll_freq)
+ unsigned long long pll_freq)
{
/* The GXBB PLL has a /2 pre-multiplier */
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB))
- pll_freq /= 2;
+ pll_freq = DIV_ROUND_DOWN_ULL(pll_freq, 2);
- return pll_freq / XTAL_FREQ;
+ return DIV_ROUND_DOWN_ULL(pll_freq, XTAL_FREQ);
}
#define HDMI_FRAC_MAX_GXBB 4096
@@ -635,12 +638,13 @@ static unsigned int meson_hdmi_pll_get_m(struct meson_drm *priv,
static unsigned int meson_hdmi_pll_get_frac(struct meson_drm *priv,
unsigned int m,
- unsigned int pll_freq)
+ unsigned long long pll_freq)
{
- unsigned int parent_freq = XTAL_FREQ;
+ unsigned long long parent_freq = XTAL_FREQ;
unsigned int frac_max = HDMI_FRAC_MAX_GXL;
unsigned int frac_m;
unsigned int frac;
+ u32 remainder;
/* The GXBB PLL has a /2 pre-multiplier and a larger FRAC width */
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB)) {
@@ -652,11 +656,11 @@ static unsigned int meson_hdmi_pll_get_frac(struct meson_drm *priv,
frac_max = HDMI_FRAC_MAX_G12A;
/* We can have a perfect match !*/
- if (pll_freq / m == parent_freq &&
- pll_freq % m == 0)
+ if (div_u64_rem(pll_freq, m, &remainder) == parent_freq &&
+ remainder == 0)
return 0;
- frac = div_u64((u64)pll_freq * (u64)frac_max, parent_freq);
+ frac = mul_u64_u64_div_u64(pll_freq, frac_max, parent_freq);
frac_m = m * frac_max;
if (frac_m > frac)
return frac_max;
@@ -666,7 +670,7 @@ static unsigned int meson_hdmi_pll_get_frac(struct meson_drm *priv,
}
static bool meson_hdmi_pll_validate_params(struct meson_drm *priv,
- unsigned int m,
+ unsigned long long m,
unsigned int frac)
{
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB)) {
@@ -694,7 +698,7 @@ static bool meson_hdmi_pll_validate_params(struct meson_drm *priv,
}
static bool meson_hdmi_pll_find_params(struct meson_drm *priv,
- unsigned int freq,
+ unsigned long long freq,
unsigned int *m,
unsigned int *frac,
unsigned int *od)
@@ -706,7 +710,7 @@ static bool meson_hdmi_pll_find_params(struct meson_drm *priv,
continue;
*frac = meson_hdmi_pll_get_frac(priv, *m, freq * *od);
- DRM_DEBUG_DRIVER("PLL params for %dkHz: m=%x frac=%x od=%d\n",
+ DRM_DEBUG_DRIVER("PLL params for %lluHz: m=%x frac=%x od=%d\n",
freq, *m, *frac, *od);
if (meson_hdmi_pll_validate_params(priv, *m, *frac))
@@ -718,7 +722,7 @@ static bool meson_hdmi_pll_find_params(struct meson_drm *priv,
/* pll_freq is the frequency after the OD dividers */
enum drm_mode_status
-meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned int freq)
+meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned long long freq)
{
unsigned int od, m, frac;
@@ -741,7 +745,7 @@ EXPORT_SYMBOL_GPL(meson_vclk_dmt_supported_freq);
/* pll_freq is the frequency after the OD dividers */
static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
- unsigned int pll_freq)
+ unsigned long long pll_freq)
{
unsigned int od, m, frac, od1, od2, od3;
@@ -756,7 +760,7 @@ static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
od1 = od / od2;
}
- DRM_DEBUG_DRIVER("PLL params for %dkHz: m=%x frac=%x od=%d/%d/%d\n",
+ DRM_DEBUG_DRIVER("PLL params for %lluHz: m=%x frac=%x od=%d/%d/%d\n",
pll_freq, m, frac, od1, od2, od3);
meson_hdmi_pll_set_params(priv, m, frac, od1, od2, od3);
@@ -764,17 +768,18 @@ static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
return;
}
- DRM_ERROR("Fatal, unable to find parameters for PLL freq %d\n",
+ DRM_ERROR("Fatal, unable to find parameters for PLL freq %lluHz\n",
pll_freq);
}
enum drm_mode_status
-meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
- unsigned int vclk_freq)
+meson_vclk_vic_supported_freq(struct meson_drm *priv,
+ unsigned long long phy_freq,
+ unsigned long long vclk_freq)
{
int i;
- DRM_DEBUG_DRIVER("phy_freq = %d vclk_freq = %d\n",
+ DRM_DEBUG_DRIVER("phy_freq = %lluHz vclk_freq = %lluHz\n",
phy_freq, vclk_freq);
/* Check against soc revision/package limits */
@@ -785,19 +790,19 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
}
for (i = 0 ; params[i].pixel_freq ; ++i) {
- DRM_DEBUG_DRIVER("i = %d pixel_freq = %d alt = %d\n",
+ DRM_DEBUG_DRIVER("i = %d pixel_freq = %lluHz alt = %lluHz\n",
i, params[i].pixel_freq,
- FREQ_1000_1001(params[i].pixel_freq));
- DRM_DEBUG_DRIVER("i = %d phy_freq = %d alt = %d\n",
+ PIXEL_FREQ_1000_1001(params[i].pixel_freq));
+ DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
i, params[i].phy_freq,
- FREQ_1000_1001(params[i].phy_freq/10)*10);
+ PHY_FREQ_1000_1001(params[i].phy_freq));
/* Match strict frequency */
if (phy_freq == params[i].phy_freq &&
vclk_freq == params[i].vclk_freq)
return MODE_OK;
/* Match 1000/1001 variant */
- if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/10)*10) &&
- vclk_freq == FREQ_1000_1001(params[i].vclk_freq))
+ if (phy_freq == PHY_FREQ_1000_1001(params[i].phy_freq) &&
+ vclk_freq == PIXEL_FREQ_1000_1001(params[i].vclk_freq))
return MODE_OK;
}
@@ -805,8 +810,9 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
}
EXPORT_SYMBOL_GPL(meson_vclk_vic_supported_freq);
-static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
- unsigned int od1, unsigned int od2, unsigned int od3,
+static void meson_vclk_set(struct meson_drm *priv,
+ unsigned long long pll_base_freq, unsigned int od1,
+ unsigned int od2, unsigned int od3,
unsigned int vid_pll_div, unsigned int vclk_div,
unsigned int hdmi_tx_div, unsigned int venc_div,
bool hdmi_use_enci, bool vic_alternate_clock)
@@ -826,15 +832,15 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
meson_hdmi_pll_generic_set(priv, pll_base_freq);
} else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB)) {
switch (pll_base_freq) {
- case 2970000:
+ case 2970000000:
m = 0x3d;
frac = vic_alternate_clock ? 0xd02 : 0xe00;
break;
- case 4320000:
+ case 4320000000:
m = vic_alternate_clock ? 0x59 : 0x5a;
frac = vic_alternate_clock ? 0xe8f : 0;
break;
- case 5940000:
+ case 5940000000:
m = 0x7b;
frac = vic_alternate_clock ? 0xa05 : 0xc00;
break;
@@ -844,15 +850,15 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
} else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXL)) {
switch (pll_base_freq) {
- case 2970000:
+ case 2970000000:
m = 0x7b;
frac = vic_alternate_clock ? 0x281 : 0x300;
break;
- case 4320000:
+ case 4320000000:
m = vic_alternate_clock ? 0xb3 : 0xb4;
frac = vic_alternate_clock ? 0x347 : 0;
break;
- case 5940000:
+ case 5940000000:
m = 0xf7;
frac = vic_alternate_clock ? 0x102 : 0x200;
break;
@@ -861,15 +867,15 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
meson_hdmi_pll_set_params(priv, m, frac, od1, od2, od3);
} else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
switch (pll_base_freq) {
- case 2970000:
+ case 2970000000:
m = 0x7b;
frac = vic_alternate_clock ? 0x140b4 : 0x18000;
break;
- case 4320000:
+ case 4320000000:
m = vic_alternate_clock ? 0xb3 : 0xb4;
frac = vic_alternate_clock ? 0x1a3ee : 0;
break;
- case 5940000:
+ case 5940000000:
m = 0xf7;
frac = vic_alternate_clock ? 0x8148 : 0x10000;
break;
@@ -1025,14 +1031,14 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
}
void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
- unsigned int phy_freq, unsigned int vclk_freq,
- unsigned int venc_freq, unsigned int dac_freq,
+ unsigned long long phy_freq, unsigned long long vclk_freq,
+ unsigned long long venc_freq, unsigned long long dac_freq,
bool hdmi_use_enci)
{
bool vic_alternate_clock = false;
- unsigned int freq;
- unsigned int hdmi_tx_div;
- unsigned int venc_div;
+ unsigned long long freq;
+ unsigned long long hdmi_tx_div;
+ unsigned long long venc_div;
if (target == MESON_VCLK_TARGET_CVBS) {
meson_venci_cvbs_clock_config(priv);
@@ -1052,27 +1058,27 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
return;
}
- hdmi_tx_div = vclk_freq / dac_freq;
+ hdmi_tx_div = DIV_ROUND_DOWN_ULL(vclk_freq, dac_freq);
if (hdmi_tx_div == 0) {
- pr_err("Fatal Error, invalid HDMI-TX freq %d\n",
+ pr_err("Fatal Error, invalid HDMI-TX freq %lluHz\n",
dac_freq);
return;
}
- venc_div = vclk_freq / venc_freq;
+ venc_div = DIV_ROUND_DOWN_ULL(vclk_freq, venc_freq);
if (venc_div == 0) {
- pr_err("Fatal Error, invalid HDMI venc freq %d\n",
+ pr_err("Fatal Error, invalid HDMI venc freq %lluHz\n",
venc_freq);
return;
}
for (freq = 0 ; params[freq].pixel_freq ; ++freq) {
if ((phy_freq == params[freq].phy_freq ||
- phy_freq == FREQ_1000_1001(params[freq].phy_freq/10)*10) &&
+ phy_freq == PHY_FREQ_1000_1001(params[freq].phy_freq)) &&
(vclk_freq == params[freq].vclk_freq ||
- vclk_freq == FREQ_1000_1001(params[freq].vclk_freq))) {
+ vclk_freq == PIXEL_FREQ_1000_1001(params[freq].vclk_freq))) {
if (vclk_freq != params[freq].vclk_freq)
vic_alternate_clock = true;
else
@@ -1098,7 +1104,8 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
}
if (!params[freq].pixel_freq) {
- pr_err("Fatal Error, invalid HDMI vclk freq %d\n", vclk_freq);
+ pr_err("Fatal Error, invalid HDMI vclk freq %lluHz\n",
+ vclk_freq);
return;
}
diff --git a/drivers/gpu/drm/meson/meson_vclk.h b/drivers/gpu/drm/meson/meson_vclk.h
index 60617aaf18dd1..7ac55744e5749 100644
--- a/drivers/gpu/drm/meson/meson_vclk.h
+++ b/drivers/gpu/drm/meson/meson_vclk.h
@@ -20,17 +20,18 @@ enum {
};
/* 27MHz is the CVBS Pixel Clock */
-#define MESON_VCLK_CVBS 27000
+#define MESON_VCLK_CVBS (27 * 1000 * 1000)
enum drm_mode_status
-meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned int freq);
+meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned long long freq);
enum drm_mode_status
-meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
- unsigned int vclk_freq);
+meson_vclk_vic_supported_freq(struct meson_drm *priv,
+ unsigned long long phy_freq,
+ unsigned long long vclk_freq);
void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
- unsigned int phy_freq, unsigned int vclk_freq,
- unsigned int venc_freq, unsigned int dac_freq,
+ unsigned long long phy_freq, unsigned long long vclk_freq,
+ unsigned long long venc_freq, unsigned long long dac_freq,
bool hdmi_use_enci);
#endif /* __MESON_VCLK_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 242/508] drm/meson: fix debug log statement when setting the HDMI clocks
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 241/508] drm/meson: use unsigned long long / Hz for frequency types Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 243/508] drm/meson: use vclk_freq instead of pixel_freq in debug print Greg Kroah-Hartman
` (266 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Blumenstingl, Neil Armstrong,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit d17e61ab63fb7747b340d6a66bf1408cd5c6562b ]
The "phy" and "vclk" frequency labels were swapped, making it more
difficult to debug driver errors. Swap the label order to make them
match with the actual frequencies printed to correct this.
Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250606203729.3311592-1-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
index c1401ec1354d1..e34dc1e405882 100644
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -106,7 +106,7 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
venc_freq /= 2;
dev_dbg(priv->dev,
- "vclk:%lluHz phy=%lluHz venc=%lluHz hdmi=%lluHz enci=%d\n",
+ "phy:%lluHz vclk=%lluHz venc=%lluHz hdmi=%lluHz enci=%d\n",
phy_freq, vclk_freq, venc_freq, hdmi_freq,
priv->venc.hdmi_use_enci);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 243/508] drm/meson: use vclk_freq instead of pixel_freq in debug print
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 242/508] drm/meson: fix debug log statement when setting the HDMI clocks Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 244/508] drm/meson: fix more rounding issues with 59.94Hz modes Greg Kroah-Hartman
` (265 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Blumenstingl, Neil Armstrong,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit faf2f8382088e8c74bd6eeb236c8c9190e61615e ]
meson_vclk_vic_supported_freq() has a debug print which includes the
pixel freq. However, within the whole function the pixel freq is
irrelevant, other than checking the end of the params array. Switch to
printing the vclk_freq which is being compared / matched against the
inputs to the function to avoid confusion when analyzing error reports
from users.
Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250606221031.3419353-1-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_vclk.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index 3325580d885d0..c4123bb958e4c 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -790,9 +790,9 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv,
}
for (i = 0 ; params[i].pixel_freq ; ++i) {
- DRM_DEBUG_DRIVER("i = %d pixel_freq = %lluHz alt = %lluHz\n",
- i, params[i].pixel_freq,
- PIXEL_FREQ_1000_1001(params[i].pixel_freq));
+ DRM_DEBUG_DRIVER("i = %d vclk_freq = %lluHz alt = %lluHz\n",
+ i, params[i].vclk_freq,
+ PIXEL_FREQ_1000_1001(params[i].vclk_freq));
DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
i, params[i].phy_freq,
PHY_FREQ_1000_1001(params[i].phy_freq));
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 244/508] drm/meson: fix more rounding issues with 59.94Hz modes
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 243/508] drm/meson: use vclk_freq instead of pixel_freq in debug print Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 245/508] i40e: return false from i40e_reset_vf if reset is in progress Greg Kroah-Hartman
` (264 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hewitt,
Martin Blumenstingl, Neil Armstrong, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit 0cee6c4d3518b2e757aedae78771f17149f57653 ]
Commit 1017560164b6 ("drm/meson: use unsigned long long / Hz for
frequency types") attempts to resolve video playback using 59.94Hz.
using YUV420 by changing the clock calculation to use
Hz instead of kHz (thus yielding more precision).
The basic calculation itself is correct, however the comparisions in
meson_vclk_vic_supported_freq() and meson_vclk_setup() don't work
anymore for 59.94Hz modes (using the freq * 1000 / 1001 logic). For
example, drm/edid specifies a 593407kHz clock for 3840x2160@59.94Hz.
With the mentioend commit we convert this to Hz. Then meson_vclk
tries to find a matchig "params" entry (as the clock setup code
currently only supports specific frequencies) by taking the venc_freq
from the params and calculating the "alt frequency" (used for the
59.94Hz modes) from it, which is:
(594000000Hz * 1000) / 1001 = 593406593Hz
Similar calculation is applied to the phy_freq (TMDS clock), which is 10
times the pixel clock.
Implement a new meson_vclk_freqs_are_matching_param() function whose
purpose is to compare if the requested and calculated frequencies. They
may not match exactly (for the reasons mentioned above). Allow the
clocks to deviate slightly to make the 59.94Hz modes again.
Fixes: 1017560164b6 ("drm/meson: use unsigned long long / Hz for frequency types")
Reported-by: Christian Hewitt <christianshewitt@gmail.com>
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250609202751.962208-1-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_vclk.c | 55 ++++++++++++++++++------------
1 file changed, 34 insertions(+), 21 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index c4123bb958e4c..dfe0c28a0f054 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -110,10 +110,7 @@
#define HDMI_PLL_LOCK BIT(31)
#define HDMI_PLL_LOCK_G12A (3 << 30)
-#define PIXEL_FREQ_1000_1001(_freq) \
- DIV_ROUND_CLOSEST_ULL((_freq) * 1000ULL, 1001ULL)
-#define PHY_FREQ_1000_1001(_freq) \
- (PIXEL_FREQ_1000_1001(DIV_ROUND_DOWN_ULL(_freq, 10ULL)) * 10)
+#define FREQ_1000_1001(_freq) DIV_ROUND_CLOSEST_ULL((_freq) * 1000ULL, 1001ULL)
/* VID PLL Dividers */
enum {
@@ -772,6 +769,36 @@ static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
pll_freq);
}
+static bool meson_vclk_freqs_are_matching_param(unsigned int idx,
+ unsigned long long phy_freq,
+ unsigned long long vclk_freq)
+{
+ DRM_DEBUG_DRIVER("i = %d vclk_freq = %lluHz alt = %lluHz\n",
+ idx, params[idx].vclk_freq,
+ FREQ_1000_1001(params[idx].vclk_freq));
+ DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
+ idx, params[idx].phy_freq,
+ FREQ_1000_1001(params[idx].phy_freq));
+
+ /* Match strict frequency */
+ if (phy_freq == params[idx].phy_freq &&
+ vclk_freq == params[idx].vclk_freq)
+ return true;
+
+ /* Match 1000/1001 variant: vclk deviation has to be less than 1kHz
+ * (drm EDID is defined in 1kHz steps, so everything smaller must be
+ * rounding error) and the PHY freq deviation has to be less than
+ * 10kHz (as the TMDS clock is 10 times the pixel clock, so anything
+ * smaller must be rounding error as well).
+ */
+ if (abs(vclk_freq - FREQ_1000_1001(params[idx].vclk_freq)) < 1000 &&
+ abs(phy_freq - FREQ_1000_1001(params[idx].phy_freq)) < 10000)
+ return true;
+
+ /* no match */
+ return false;
+}
+
enum drm_mode_status
meson_vclk_vic_supported_freq(struct meson_drm *priv,
unsigned long long phy_freq,
@@ -790,19 +817,7 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv,
}
for (i = 0 ; params[i].pixel_freq ; ++i) {
- DRM_DEBUG_DRIVER("i = %d vclk_freq = %lluHz alt = %lluHz\n",
- i, params[i].vclk_freq,
- PIXEL_FREQ_1000_1001(params[i].vclk_freq));
- DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
- i, params[i].phy_freq,
- PHY_FREQ_1000_1001(params[i].phy_freq));
- /* Match strict frequency */
- if (phy_freq == params[i].phy_freq &&
- vclk_freq == params[i].vclk_freq)
- return MODE_OK;
- /* Match 1000/1001 variant */
- if (phy_freq == PHY_FREQ_1000_1001(params[i].phy_freq) &&
- vclk_freq == PIXEL_FREQ_1000_1001(params[i].vclk_freq))
+ if (meson_vclk_freqs_are_matching_param(i, phy_freq, vclk_freq))
return MODE_OK;
}
@@ -1075,10 +1090,8 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
}
for (freq = 0 ; params[freq].pixel_freq ; ++freq) {
- if ((phy_freq == params[freq].phy_freq ||
- phy_freq == PHY_FREQ_1000_1001(params[freq].phy_freq)) &&
- (vclk_freq == params[freq].vclk_freq ||
- vclk_freq == PIXEL_FREQ_1000_1001(params[freq].vclk_freq))) {
+ if (meson_vclk_freqs_are_matching_param(freq, phy_freq,
+ vclk_freq)) {
if (vclk_freq != params[freq].vclk_freq)
vic_alternate_clock = true;
else
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 245/508] i40e: return false from i40e_reset_vf if reset is in progress
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 244/508] drm/meson: fix more rounding issues with 59.94Hz modes Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 246/508] i40e: retry VFLR handling if there is ongoing VF reset Greg Kroah-Hartman
` (263 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Malz, Rafal Romanowski,
Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Malz <robert.malz@canonical.com>
[ Upstream commit a2c90d63b71223d69a813333c1abf4fdacddbbe5 ]
The function i40e_vc_reset_vf attempts, up to 20 times, to handle a
VF reset request, using the return value of i40e_reset_vf as an indicator
of whether the reset was successfully triggered. Currently, i40e_reset_vf
always returns true, which causes new reset requests to be ignored if a
different VF reset is already in progress.
This patch updates the return value of i40e_reset_vf to reflect when
another VF reset is in progress, allowing the caller to properly use
the retry mechanism.
Fixes: 52424f974bc5 ("i40e: Fix VF hang when reset is triggered on another VF")
Signed-off-by: Robert Malz <robert.malz@canonical.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 11e9858cc86a0..87d74b54a3337 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -1548,8 +1548,8 @@ static void i40e_cleanup_reset_vf(struct i40e_vf *vf)
* @vf: pointer to the VF structure
* @flr: VFLR was issued or not
*
- * Returns true if the VF is in reset, resets successfully, or resets
- * are disabled and false otherwise.
+ * Return: True if reset was performed successfully or if resets are disabled.
+ * False if reset is already in progress.
**/
bool i40e_reset_vf(struct i40e_vf *vf, bool flr)
{
@@ -1568,7 +1568,7 @@ bool i40e_reset_vf(struct i40e_vf *vf, bool flr)
/* If VF is being reset already we don't need to continue. */
if (test_and_set_bit(I40E_VF_STATE_RESETTING, &vf->vf_states))
- return true;
+ return false;
i40e_trigger_vf_reset(vf, flr);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 246/508] i40e: retry VFLR handling if there is ongoing VF reset
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 245/508] i40e: return false from i40e_reset_vf if reset is in progress Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 247/508] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used Greg Kroah-Hartman
` (262 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Malz, Rafal Romanowski,
Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Malz <robert.malz@canonical.com>
[ Upstream commit fb4e9239e029954a37a00818b21e837cebf2aa10 ]
When a VFLR interrupt is received during a VF reset initiated from a
different source, the VFLR may be not fully handled. This can
leave the VF in an undefined state.
To address this, set the I40E_VFLR_EVENT_PENDING bit again during VFLR
handling if the reset is not yet complete. This ensures the driver
will properly complete the VF reset in such scenarios.
Fixes: 52424f974bc5 ("i40e: Fix VF hang when reset is triggered on another VF")
Signed-off-by: Robert Malz <robert.malz@canonical.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 87d74b54a3337..ff4f1c4f3829b 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -4267,7 +4267,10 @@ int i40e_vc_process_vflr_event(struct i40e_pf *pf)
reg = rd32(hw, I40E_GLGEN_VFLRSTAT(reg_idx));
if (reg & BIT(bit_idx))
/* i40e_reset_vf will clear the bit in GLGEN_VFLRSTAT */
- i40e_reset_vf(vf, true);
+ if (!i40e_reset_vf(vf, true)) {
+ /* At least one VF did not finish resetting, retry next time */
+ set_bit(__I40E_VFLR_EVENT_PENDING, pf->state);
+ }
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 247/508] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 246/508] i40e: retry VFLR handling if there is ongoing VF reset Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 248/508] net: Fix TOCTOU issue in sk_is_readable() Greg Kroah-Hartman
` (261 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xu Lu, Yunhui Cui, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunhui Cui <cuiyunhui@bytedance.com>
[ Upstream commit 15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12 ]
With nosmp in cmdline, other CPUs are not brought up, leaving
their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu()
dereferences these NULL pointers, causing panic.
Panic backtrace:
[ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8
...
[ 0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4
...
Kernel panic - not syncing: Attempted to kill init!
Fixes: 3cc30dd00a58 ("cpufreq: CPPC: Enable fast_switch")
Reported-by: Xu Lu <luxu.kernel@bytedance.com>
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Link: https://patch.msgid.link/20250604023036.99553-1-cuiyunhui@bytedance.com
[ rjw: New subject ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/cppc_acpi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index 0e1fb97d5d763..504fe14c566e3 100644
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -456,7 +456,7 @@ bool cppc_allow_fast_switch(void)
struct cpc_desc *cpc_ptr;
int cpu;
- for_each_possible_cpu(cpu) {
+ for_each_present_cpu(cpu) {
cpc_ptr = per_cpu(cpc_desc_ptr, cpu);
desired_reg = &cpc_ptr->cpc_regs[DESIRED_PERF];
if (!CPC_IN_SYSTEM_MEMORY(desired_reg) &&
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 248/508] net: Fix TOCTOU issue in sk_is_readable()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 247/508] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 249/508] macsec: MACsec SCI assignment for ES = 0 Greg Kroah-Hartman
` (260 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Sitnicki, Michal Luczaj,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 2660a544fdc0940bba15f70508a46cf9a6491230 ]
sk->sk_prot->sock_is_readable is a valid function pointer when sk resides
in a sockmap. After the last sk_psock_put() (which usually happens when
socket is removed from sockmap), sk->sk_prot gets restored and
sk->sk_prot->sock_is_readable becomes NULL.
This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded
after the initial check. Which in turn may lead to a null pointer
dereference.
Ensure the function pointer does not turn NULL after the check.
Fixes: 8934ce2fd081 ("bpf: sockmap redirect ingress support")
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250609-skisreadable-toctou-v1-1-d0dfb2d62c37@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index e716b2ba00bba..e00cd9d0bec8e 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -3061,8 +3061,11 @@ int sock_copy_user_timeval(struct __kernel_sock_timeval *tv,
static inline bool sk_is_readable(struct sock *sk)
{
- if (sk->sk_prot->sock_is_readable)
- return sk->sk_prot->sock_is_readable(sk);
+ const struct proto *prot = READ_ONCE(sk->sk_prot);
+
+ if (prot->sock_is_readable)
+ return prot->sock_is_readable(sk);
+
return false;
}
#endif /* _SOCK_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 249/508] macsec: MACsec SCI assignment for ES = 0
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 248/508] net: Fix TOCTOU issue in sk_is_readable() Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 250/508] net: mdio: C22 is now optional, EOPNOTSUPP if not provided Greg Kroah-Hartman
` (259 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreu Montiel, Carlos Fernandez,
Subbaraya Sundeep, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Fernandez <carlos.fernandez@technica-engineering.de>
[ Upstream commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 ]
According to 802.1AE standard, when ES and SC flags in TCI are zero,
used SCI should be the current active SC_RX. Current code uses the
header MAC address. Without this patch, when ES flag is 0 (using a
bridge or switch), header MAC will not fit the SCI and MACSec frames
will be discarted.
In order to test this issue, MACsec link should be stablished between
two interfaces, setting SC and ES flags to zero and a port identifier
different than one. For example, using ip macsec tools:
ip link add link $ETH0 macsec0 type macsec port 11 send_sci off
end_station off
ip macsec add macsec0 tx sa 0 pn 2 on key 01 $ETH1_KEY
ip macsec add macsec0 rx port 11 address $ETH1_MAC
ip macsec add macsec0 rx port 11 address $ETH1_MAC sa 0 pn 2 on key 02
ip link set dev macsec0 up
ip link add link $ETH1 macsec1 type macsec port 11 send_sci off
end_station off
ip macsec add macsec1 tx sa 0 pn 2 on key 01 $ETH0_KEY
ip macsec add macsec1 rx port 11 address $ETH0_MAC
ip macsec add macsec1 rx port 11 address $ETH0_MAC sa 0 pn 2 on key 02
ip link set dev macsec1 up
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Co-developed-by: Andreu Montiel <Andreu.Montiel@technica-engineering.de>
Signed-off-by: Andreu Montiel <Andreu.Montiel@technica-engineering.de>
Signed-off-by: Carlos Fernandez <carlos.fernandez@technica-engineering.de>
Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macsec.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index c007e262daf7d..e954b46ebe86b 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -243,15 +243,39 @@ static sci_t make_sci(const u8 *addr, __be16 port)
return sci;
}
-static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
+static sci_t macsec_active_sci(struct macsec_secy *secy)
{
- sci_t sci;
+ struct macsec_rx_sc *rx_sc = rcu_dereference_bh(secy->rx_sc);
+
+ /* Case single RX SC */
+ if (rx_sc && !rcu_dereference_bh(rx_sc->next))
+ return (rx_sc->active) ? rx_sc->sci : 0;
+ /* Case no RX SC or multiple */
+ else
+ return 0;
+}
+
+static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present,
+ struct macsec_rxh_data *rxd)
+{
+ struct macsec_dev *macsec;
+ sci_t sci = 0;
- if (sci_present)
+ /* SC = 1 */
+ if (sci_present) {
memcpy(&sci, hdr->secure_channel_id,
sizeof(hdr->secure_channel_id));
- else
+ /* SC = 0; ES = 0 */
+ } else if ((!(hdr->tci_an & (MACSEC_TCI_ES | MACSEC_TCI_SC))) &&
+ (list_is_singular(&rxd->secys))) {
+ /* Only one SECY should exist on this scenario */
+ macsec = list_first_or_null_rcu(&rxd->secys, struct macsec_dev,
+ secys);
+ if (macsec)
+ return macsec_active_sci(&macsec->secy);
+ } else {
sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
+ }
return sci;
}
@@ -1110,7 +1134,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
struct macsec_rxh_data *rxd;
struct macsec_dev *macsec;
unsigned int len;
- sci_t sci;
+ sci_t sci = 0;
u32 hdr_pn;
bool cbit;
struct pcpu_rx_sc_stats *rxsc_stats;
@@ -1157,11 +1181,14 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
- sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
rcu_read_lock();
rxd = macsec_data_rcu(skb->dev);
+ sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci, rxd);
+ if (!sci)
+ goto drop_nosc;
+
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
@@ -1284,6 +1311,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
macsec_rxsa_put(rx_sa);
drop_nosa:
macsec_rxsc_put(rx_sc);
+drop_nosc:
rcu_read_unlock();
drop_direct:
kfree_skb(skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 250/508] net: mdio: C22 is now optional, EOPNOTSUPP if not provided
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 249/508] macsec: MACsec SCI assignment for ES = 0 Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 251/508] net/mdiobus: Fix potential out-of-bounds read/write access Greg Kroah-Hartman
` (258 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Michael Walle,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Lunn <andrew@lunn.ch>
[ Upstream commit b063b1924fd9bf0bc157cf644764dc2151d04ccc ]
When performing a C22 operation, check that the bus driver actually
provides the methods, and return -EOPNOTSUPP if not. C45 only busses
do exist, and in future their C22 methods will be NULL.
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0e629694126c ("net/mdiobus: Fix potential out-of-bounds read/write access")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mdio_bus.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 16e021b477f06..ee5fc73cbe075 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -764,7 +764,10 @@ int __mdiobus_read(struct mii_bus *bus, int addr, u32 regnum)
lockdep_assert_held_once(&bus->mdio_lock);
- retval = bus->read(bus, addr, regnum);
+ if (bus->read)
+ retval = bus->read(bus, addr, regnum);
+ else
+ retval = -EOPNOTSUPP;
trace_mdio_access(bus, 1, addr, regnum, retval, retval);
mdiobus_stats_acct(&bus->stats[addr], true, retval);
@@ -790,7 +793,10 @@ int __mdiobus_write(struct mii_bus *bus, int addr, u32 regnum, u16 val)
lockdep_assert_held_once(&bus->mdio_lock);
- err = bus->write(bus, addr, regnum, val);
+ if (bus->write)
+ err = bus->write(bus, addr, regnum, val);
+ else
+ err = -EOPNOTSUPP;
trace_mdio_access(bus, 0, addr, regnum, val, err);
mdiobus_stats_acct(&bus->stats[addr], false, err);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 251/508] net/mdiobus: Fix potential out-of-bounds read/write access
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 250/508] net: mdio: C22 is now optional, EOPNOTSUPP if not provided Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 252/508] Bluetooth: Fix NULL pointer deference on eir_get_service_data Greg Kroah-Hartman
` (257 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Raczynski, Wenjing Shan,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Raczynski <j.raczynski@samsung.com>
[ Upstream commit 0e629694126ca388916f059453a1c36adde219c4 ]
When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via mdiobus, there is no verification of
parameters passed to the ioctl and it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.
Fix that by adding address verification before read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.
Fixes: 080bb352fad00 ("net: phy: Maintain MDIO device and bus statistics")
Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
Reported-by: Wenjing Shan <wenjing.shan@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mdio_bus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index ee5fc73cbe075..7a2dce8d12433 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -764,6 +764,9 @@ int __mdiobus_read(struct mii_bus *bus, int addr, u32 regnum)
lockdep_assert_held_once(&bus->mdio_lock);
+ if (addr >= PHY_MAX_ADDR)
+ return -ENXIO;
+
if (bus->read)
retval = bus->read(bus, addr, regnum);
else
@@ -793,6 +796,9 @@ int __mdiobus_write(struct mii_bus *bus, int addr, u32 regnum, u16 val)
lockdep_assert_held_once(&bus->mdio_lock);
+ if (addr >= PHY_MAX_ADDR)
+ return -ENXIO;
+
if (bus->write)
err = bus->write(bus, addr, regnum, val);
else
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 252/508] Bluetooth: Fix NULL pointer deference on eir_get_service_data
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 251/508] net/mdiobus: Fix potential out-of-bounds read/write access Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 253/508] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance Greg Kroah-Hartman
` (256 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb ]
The len parameter is considered optional so it can be NULL so it cannot
be used for skipping to next entry of EIR_SERVICE_DATA.
Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/eir.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 1bc51e2b05a34..3e1713673ecc9 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -366,17 +366,19 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)
void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
{
- while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, len))) {
+ size_t dlen;
+
+ while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
u16 value = get_unaligned_le16(eir);
if (uuid == value) {
if (len)
- *len -= 2;
+ *len = dlen - 2;
return &eir[2];
}
- eir += *len;
- eir_len -= *len;
+ eir += dlen;
+ eir_len -= dlen;
}
return NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 253/508] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 252/508] Bluetooth: Fix NULL pointer deference on eir_get_service_data Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 254/508] Bluetooth: MGMT: Fix sparse errors Greg Kroah-Hartman
` (255 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 5725bc608252050ed8a4d47d59225b7dd73474c8 ]
When using and existing adv_info instance for broadcast source it
needs to be updated to periodic first before it can be reused, also in
case the existing instance already have data hci_set_adv_instance_data
cannot be used directly since it would overwrite the existing data so
this reappend the original data after the Broadcast ID, if one was
generated.
Example:
bluetoothctl># Add PBP to EA so it can be later referenced as the BIS ID
bluetoothctl> advertise.service 0x1856 0x00 0x00
bluetoothctl> advertise on
...
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 13
Handle: 0x01
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x09
Service Data: Public Broadcast Announcement (0x1856)
Data[2]: 0000
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
...
bluetoothctl># Attempt to acquire Broadcast Source transport
bluetoothctl>transport.acquire /org/bluez/hci0/pac_bcast0/fd0
...
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 255
Handle: 0x01
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x0e
Service Data: Broadcast Audio Announcement (0x1852)
Broadcast ID: 11371620 (0xad8464)
Service Data: Public Broadcast Announcement (0x1856)
Data[2]: 0000
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Link: https://github.com/bluez/bluez/issues/1117
Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sync.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index c6108e68f5a91..bb4420cbc096b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -1539,7 +1539,8 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
{
u8 bid[3];
- u8 ad[4 + 3];
+ u8 ad[HCI_MAX_EXT_AD_LENGTH];
+ u8 len;
/* Skip if NULL adv as instance 0x00 is used for general purpose
* advertising so it cannot used for the likes of Broadcast Announcement
@@ -1565,8 +1566,10 @@ static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
/* Generate Broadcast ID */
get_random_bytes(bid, sizeof(bid));
- eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
- hci_set_adv_instance_data(hdev, adv->instance, sizeof(ad), ad, 0, NULL);
+ len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
+ memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+ hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+ ad, 0, NULL);
return hci_update_adv_data_sync(hdev, adv->instance);
}
@@ -1583,8 +1586,15 @@ int hci_start_per_adv_sync(struct hci_dev *hdev, u8 instance, u8 data_len,
if (instance) {
adv = hci_find_adv_instance(hdev, instance);
- /* Create an instance if that could not be found */
- if (!adv) {
+ if (adv) {
+ /* Turn it into periodic advertising */
+ adv->periodic = true;
+ adv->per_adv_data_len = data_len;
+ if (data)
+ memcpy(adv->per_adv_data, data, data_len);
+ adv->flags = flags;
+ } else if (!adv) {
+ /* Create an instance if that could not be found */
adv = hci_add_per_instance(hdev, instance, flags,
data_len, data,
sync_interval,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 254/508] Bluetooth: MGMT: Fix sparse errors
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 253/508] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance Greg Kroah-Hartman
@ 2025-06-23 13:04 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 255/508] net/mlx5: Ensure fw pages are always allocated on same NUMA Greg Kroah-Hartman
` (254 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 7dd38ba4acbea9875b4ee061e20a26413e39d9f4 ]
This fixes the following errors:
net/bluetooth/mgmt.c:5400:59: sparse: sparse: incorrect type in argument 3
(different base types) @@ expected unsigned short [usertype] handle @@
got restricted __le16 [usertype] monitor_handle @@
net/bluetooth/mgmt.c:5400:59: sparse: expected unsigned short [usertype] handle
net/bluetooth/mgmt.c:5400:59: sparse: got restricted __le16 [usertype] monitor_handle
Fixes: e6ed54e86aae ("Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506060347.ux2O1p7L-lkp@intel.com/
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 123cf62e3c000..08bb78ba988d8 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5237,11 +5237,11 @@ static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
}
static void mgmt_adv_monitor_removed(struct sock *sk, struct hci_dev *hdev,
- u16 handle)
+ __le16 handle)
{
struct mgmt_ev_adv_monitor_removed ev;
- ev.monitor_handle = cpu_to_le16(handle);
+ ev.monitor_handle = handle;
mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 255/508] net/mlx5: Ensure fw pages are always allocated on same NUMA
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-06-23 13:04 ` [PATCH 6.1 254/508] Bluetooth: MGMT: Fix sparse errors Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 256/508] net/mlx5: Fix return value when searching for existing flow group Greg Kroah-Hartman
` (253 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Tariq Toukan,
Mark Bloch, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit f37258133c1e95e61db532e14067e28b4881bf24 ]
When firmware asks the driver to allocate more pages, using event of
give_pages, the driver should always allocate it from same NUMA, the
original device NUMA. Current code uses dev_to_node() which can result
in different NUMA as it is changed by other driver flows, such as
mlx5_dma_zalloc_coherent_node(). Instead, use saved numa node for
allocating firmware pages.
Fixes: 311c7c71c9bb ("net/mlx5e: Allocate DMA coherent memory on reader NUMA node")
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-2-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
index 95dc67fb30015..99909c74a2144 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
@@ -285,7 +285,7 @@ static void free_4k(struct mlx5_core_dev *dev, u64 addr, u32 function)
static int alloc_system_page(struct mlx5_core_dev *dev, u32 function)
{
struct device *device = mlx5_core_dma_dev(dev);
- int nid = dev_to_node(device);
+ int nid = dev->priv.numa_node;
struct page *page;
u64 zero_addr = 1;
u64 addr;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 256/508] net/mlx5: Fix return value when searching for existing flow group
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 255/508] net/mlx5: Ensure fw pages are always allocated on same NUMA Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 257/508] net/mlx5e: Fix leak of Geneve TLV option object Greg Kroah-Hartman
` (252 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gavi Teitz, Roi Dayan,
Patrisious Haddad, Tariq Toukan, Mark Bloch, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 8ec40e3f1f72bf8f8accf18020d487caa99f46a4 ]
When attempting to add a rule to an existing flow group, if a matching
flow group exists but is not active, the error code returned should be
EAGAIN, so that the rule can be added to the matching flow group once
it is active, rather than ENOENT, which indicates that no matching
flow group was found.
Fixes: bd71b08ec2ee ("net/mlx5: Support multiple updates of steering rules in parallel")
Signed-off-by: Gavi Teitz <gavi@nvidia.com>
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-4-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index 2717450e96661..b4c0a6dd171fd 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -1918,6 +1918,7 @@ try_add_to_existing_fg(struct mlx5_flow_table *ft,
struct mlx5_flow_handle *rule;
struct match_list *iter;
bool take_write = false;
+ bool try_again = false;
struct fs_fte *fte;
u64 version = 0;
int err;
@@ -1977,6 +1978,7 @@ try_add_to_existing_fg(struct mlx5_flow_table *ft,
nested_down_write_ref_node(&g->node, FS_LOCK_PARENT);
if (!g->node.active) {
+ try_again = true;
up_write_ref_node(&g->node, false);
continue;
}
@@ -1998,7 +2000,8 @@ try_add_to_existing_fg(struct mlx5_flow_table *ft,
tree_put_node(&fte->node, false);
return rule;
}
- rule = ERR_PTR(-ENOENT);
+ err = try_again ? -EAGAIN : -ENOENT;
+ rule = ERR_PTR(err);
out:
kmem_cache_free(steering->ftes_cache, fte);
return rule;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 257/508] net/mlx5e: Fix leak of Geneve TLV option object
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 256/508] net/mlx5: Fix return value when searching for existing flow group Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 258/508] net_sched: prio: fix a race in prio_tune() Greg Kroah-Hartman
` (251 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Tariq Toukan, Alex Lazar,
Mark Bloch, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit aa9c44b842096c553871bc68a8cebc7861fa192b ]
Previously, a unique tunnel id was added for the matching on TC
non-zero chains, to support inner header rewrite with goto action.
Later, it was used to support VF tunnel offload for vxlan, then for
Geneve and GRE. To support VF tunnel, a temporary mlx5_flow_spec is
used to parse tunnel options. For Geneve, if there is TLV option, a
object is created, or refcnt is added if already exists. But the
temporary mlx5_flow_spec is directly freed after parsing, which causes
the leak because no information regarding the object is saved in
flow's mlx5_flow_spec, which is used to free the object when deleting
the flow.
To fix the leak, call mlx5_geneve_tlv_option_del() before free the
temporary spec if it has TLV object.
Fixes: 521933cdc4aa ("net/mlx5e: Support Geneve and GRE with VF tunnel offload")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Alex Lazar <alazar@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-9-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index 43239555f7850..05888942ef276 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -1873,9 +1873,8 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
return err;
}
-static bool mlx5_flow_has_geneve_opt(struct mlx5e_tc_flow *flow)
+static bool mlx5_flow_has_geneve_opt(struct mlx5_flow_spec *spec)
{
- struct mlx5_flow_spec *spec = &flow->attr->parse_attr->spec;
void *headers_v = MLX5_ADDR_OF(fte_match_param,
spec->match_value,
misc_parameters_3);
@@ -1907,7 +1906,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv,
}
complete_all(&flow->del_hw_done);
- if (mlx5_flow_has_geneve_opt(flow))
+ if (mlx5_flow_has_geneve_opt(&attr->parse_attr->spec))
mlx5_geneve_tlv_option_del(priv->mdev->geneve);
mlx5_eswitch_del_vlan_action(esw, attr);
@@ -2415,12 +2414,13 @@ static int parse_tunnel_attr(struct mlx5e_priv *priv,
err = mlx5e_tc_tun_parse(filter_dev, priv, tmp_spec, f, match_level);
if (err) {
- kvfree(tmp_spec);
NL_SET_ERR_MSG_MOD(extack, "Failed to parse tunnel attributes");
netdev_warn(priv->netdev, "Failed to parse tunnel attributes");
- return err;
+ } else {
+ err = mlx5e_tc_set_attr_rx_tun(flow, tmp_spec);
}
- err = mlx5e_tc_set_attr_rx_tun(flow, tmp_spec);
+ if (mlx5_flow_has_geneve_opt(tmp_spec))
+ mlx5_geneve_tlv_option_del(priv->mdev->geneve);
kvfree(tmp_spec);
if (err)
return err;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 258/508] net_sched: prio: fix a race in prio_tune()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 257/508] net/mlx5e: Fix leak of Geneve TLV option object Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 259/508] net_sched: red: fix a race in __red_change() Greg Kroah-Hartman
` (250 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d35acc1be3480505b5931f17e4ea9b7617fea4d3 ]
Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: 7b8e0b6e6599 ("net: sched: prio: delay destroying child qdiscs on change")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250611111515.1983366-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_prio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index fdc5ef52c3ee9..fdd9caa41e80f 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -211,7 +211,7 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt,
memcpy(q->prio2band, qopt->priomap, TC_PRIO_MAX+1);
for (i = q->bands; i < oldbands; i++)
- qdisc_tree_flush_backlog(q->queues[i]);
+ qdisc_purge_queue(q->queues[i]);
for (i = oldbands; i < q->bands; i++) {
q->queues[i] = queues[i];
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 259/508] net_sched: red: fix a race in __red_change()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 258/508] net_sched: prio: fix a race in prio_tune() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 260/508] net_sched: tbf: fix a race in tbf_change() Greg Kroah-Hartman
` (249 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 85a3e0ede38450ea3053b8c45d28cf55208409b8 ]
Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: 0c8d13ac9607 ("net: sched: red: delay destroying child qdisc on replace")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250611111515.1983366-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_red.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 16277b6a0238d..3c6b4460cf2c0 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -283,7 +283,7 @@ static int __red_change(struct Qdisc *sch, struct nlattr **tb,
q->userbits = userbits;
q->limit = ctl->limit;
if (child) {
- qdisc_tree_flush_backlog(q->qdisc);
+ qdisc_purge_queue(q->qdisc);
old_child = q->qdisc;
q->qdisc = child;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 260/508] net_sched: tbf: fix a race in tbf_change()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 259/508] net_sched: red: fix a race in __red_change() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 261/508] net_sched: ets: fix a race in ets_qdisc_change() Greg Kroah-Hartman
` (248 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Zhengchao Shao, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 43eb466041216d25dedaef1c383ad7bd89929cbc ]
Gerrard Tai reported a race condition in TBF, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: b05972f01e7d ("net: sched: tbf: don't call qdisc_put() while holding tree lock")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://patch.msgid.link/20250611111515.1983366-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_tbf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index c4c91b55e98b0..ebf67b8a6ee79 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -451,7 +451,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
sch_tree_lock(sch);
if (child) {
- qdisc_tree_flush_backlog(q->qdisc);
+ qdisc_purge_queue(q->qdisc);
old = q->qdisc;
q->qdisc = child;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 261/508] net_sched: ets: fix a race in ets_qdisc_change()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 260/508] net_sched: tbf: fix a race in tbf_change() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 262/508] fs/filesystems: Fix potential unsigned integer underflow in fs_name() Greg Kroah-Hartman
` (247 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d92adacdd8c2960be856e0b82acc5b7c5395fddb ]
Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: b05972f01e7d ("net: sched: tbf: don't call qdisc_put() while holding tree lock")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250611111515.1983366-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index 9da86db4d2c2f..3ee46f6e005da 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -661,7 +661,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
for (i = q->nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
- qdisc_tree_flush_backlog(q->classes[i].qdisc);
+ qdisc_purge_queue(q->classes[i].qdisc);
}
q->nstrict = nstrict;
memcpy(q->prio2band, priomap, sizeof(priomap));
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 262/508] fs/filesystems: Fix potential unsigned integer underflow in fs_name()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 261/508] net_sched: ets: fix a race in ets_qdisc_change() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 263/508] nvmet-fcloop: access fcpreq only when holding reqlock Greg Kroah-Hartman
` (246 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Christian Brauner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ]
fs_name() has @index as unsigned int, so there is underflow risk for
operation '@index--'.
Fix by breaking the for loop when '@index == 0' which is also more proper
than '@index <= 0' for unsigned integer comparison.
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/filesystems.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/filesystems.c b/fs/filesystems.c
index 58b9067b2391c..95e5256821a53 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -156,15 +156,19 @@ static int fs_index(const char __user * __name)
static int fs_name(unsigned int index, char __user * buf)
{
struct file_system_type * tmp;
- int len, res;
+ int len, res = -EINVAL;
read_lock(&file_systems_lock);
- for (tmp = file_systems; tmp; tmp = tmp->next, index--)
- if (index <= 0 && try_module_get(tmp->owner))
+ for (tmp = file_systems; tmp; tmp = tmp->next, index--) {
+ if (index == 0) {
+ if (try_module_get(tmp->owner))
+ res = 0;
break;
+ }
+ }
read_unlock(&file_systems_lock);
- if (!tmp)
- return -EINVAL;
+ if (res)
+ return res;
/* OK, we got the reference, so we can safely block */
len = strlen(tmp->name) + 1;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 263/508] nvmet-fcloop: access fcpreq only when holding reqlock
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 262/508] fs/filesystems: Fix potential unsigned integer underflow in fs_name() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 264/508] perf: Ensure bpf_perf_link path is properly serialized Greg Kroah-Hartman
` (245 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Christoph Hellwig,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit 47a827cd7929d0550c3496d70b417fcb5649b27b ]
The abort handling logic expects that the state and the fcpreq are only
accessed when holding the reqlock lock.
While at it, only handle the aborts in the abort handler.
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/fcloop.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index 787dfb3859a0d..74fffcab88155 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -613,12 +613,13 @@ fcloop_fcp_recv_work(struct work_struct *work)
{
struct fcloop_fcpreq *tfcp_req =
container_of(work, struct fcloop_fcpreq, fcp_rcv_work);
- struct nvmefc_fcp_req *fcpreq = tfcp_req->fcpreq;
+ struct nvmefc_fcp_req *fcpreq;
unsigned long flags;
int ret = 0;
bool aborted = false;
spin_lock_irqsave(&tfcp_req->reqlock, flags);
+ fcpreq = tfcp_req->fcpreq;
switch (tfcp_req->inistate) {
case INI_IO_START:
tfcp_req->inistate = INI_IO_ACTIVE;
@@ -633,16 +634,19 @@ fcloop_fcp_recv_work(struct work_struct *work)
}
spin_unlock_irqrestore(&tfcp_req->reqlock, flags);
- if (unlikely(aborted))
- ret = -ECANCELED;
- else {
- if (likely(!check_for_drop(tfcp_req)))
- ret = nvmet_fc_rcv_fcp_req(tfcp_req->tport->targetport,
- &tfcp_req->tgt_fcp_req,
- fcpreq->cmdaddr, fcpreq->cmdlen);
- else
- pr_info("%s: dropped command ********\n", __func__);
+ if (unlikely(aborted)) {
+ /* the abort handler will call fcloop_call_host_done */
+ return;
+ }
+
+ if (unlikely(check_for_drop(tfcp_req))) {
+ pr_info("%s: dropped command ********\n", __func__);
+ return;
}
+
+ ret = nvmet_fc_rcv_fcp_req(tfcp_req->tport->targetport,
+ &tfcp_req->tgt_fcp_req,
+ fcpreq->cmdaddr, fcpreq->cmdlen);
if (ret)
fcloop_call_host_done(fcpreq, tfcp_req, ret);
@@ -659,9 +663,10 @@ fcloop_fcp_abort_recv_work(struct work_struct *work)
unsigned long flags;
spin_lock_irqsave(&tfcp_req->reqlock, flags);
- fcpreq = tfcp_req->fcpreq;
switch (tfcp_req->inistate) {
case INI_IO_ABORTED:
+ fcpreq = tfcp_req->fcpreq;
+ tfcp_req->fcpreq = NULL;
break;
case INI_IO_COMPLETED:
completed = true;
@@ -683,10 +688,6 @@ fcloop_fcp_abort_recv_work(struct work_struct *work)
nvmet_fc_rcv_fcp_abort(tfcp_req->tport->targetport,
&tfcp_req->tgt_fcp_req);
- spin_lock_irqsave(&tfcp_req->reqlock, flags);
- tfcp_req->fcpreq = NULL;
- spin_unlock_irqrestore(&tfcp_req->reqlock, flags);
-
fcloop_call_host_done(fcpreq, tfcp_req, -ECANCELED);
/* call_host_done releases reference for abort downcall */
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 264/508] perf: Ensure bpf_perf_link path is properly serialized
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 263/508] nvmet-fcloop: access fcpreq only when holding reqlock Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 265/508] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP Greg Kroah-Hartman
` (244 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravi Bangoria,
Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 7ed9138a72829d2035ecbd8dbd35b1bc3c137c40 ]
Ravi reported that the bpf_perf_link_attach() usage of
perf_event_set_bpf_prog() is not serialized by ctx->mutex, unlike the
PERF_EVENT_IOC_SET_BPF case.
Reported-by: Ravi Bangoria <ravi.bangoria@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lkml.kernel.org/r/20250307193305.486326750@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3544f26b58060..25df8971a56ed 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5726,6 +5726,9 @@ static int perf_event_set_output(struct perf_event *event,
static int perf_event_set_filter(struct perf_event *event, void __user *arg);
static int perf_copy_attr(struct perf_event_attr __user *uattr,
struct perf_event_attr *attr);
+static int __perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie);
static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
{
@@ -5794,7 +5797,7 @@ static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned lon
if (IS_ERR(prog))
return PTR_ERR(prog);
- err = perf_event_set_bpf_prog(event, prog, 0);
+ err = __perf_event_set_bpf_prog(event, prog, 0);
if (err) {
bpf_prog_put(prog);
return err;
@@ -10350,8 +10353,9 @@ static inline bool perf_event_is_tracing(struct perf_event *event)
return false;
}
-int perf_event_set_bpf_prog(struct perf_event *event, struct bpf_prog *prog,
- u64 bpf_cookie)
+static int __perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie)
{
bool is_kprobe, is_uprobe, is_tracepoint, is_syscall_tp;
@@ -10389,6 +10393,20 @@ int perf_event_set_bpf_prog(struct perf_event *event, struct bpf_prog *prog,
return perf_event_attach_bpf_prog(event, prog, bpf_cookie);
}
+int perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie)
+{
+ struct perf_event_context *ctx;
+ int ret;
+
+ ctx = perf_event_ctx_lock(event);
+ ret = __perf_event_set_bpf_prog(event, prog, bpf_cookie);
+ perf_event_ctx_unlock(event, ctx);
+
+ return ret;
+}
+
void perf_event_free_bpf_prog(struct perf_event *event)
{
if (!perf_event_is_tracing(event)) {
@@ -10408,7 +10426,15 @@ static void perf_event_free_filter(struct perf_event *event)
{
}
-int perf_event_set_bpf_prog(struct perf_event *event, struct bpf_prog *prog,
+static int __perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie)
+{
+ return -ENOENT;
+}
+
+int perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
u64 bpf_cookie)
{
return -ENOENT;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 265/508] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 264/508] perf: Ensure bpf_perf_link path is properly serialized Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 266/508] tools/resolve_btfids: Fix build when cross compiling kernel with clang Greg Kroah-Hartman
` (243 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle), Jens Axboe,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit f826ec7966a63d48e16e0868af4e038bf9a1a3ae ]
It is possible for physically contiguous folios to have discontiguous
struct pages if SPARSEMEM is enabled and SPARSEMEM_VMEMMAP is not.
This is correctly handled by folio_page_idx(), so remove this open-coded
implementation.
Fixes: 640d1930bef4 (block: Add bio_for_each_folio_all())
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20250612144126.2849931-1-willy@infradead.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bio.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/bio.h b/include/linux/bio.h
index 00ab98ce1d438..6b2b06485684d 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -287,7 +287,7 @@ static inline void bio_first_folio(struct folio_iter *fi, struct bio *bio,
fi->folio = page_folio(bvec->bv_page);
fi->offset = bvec->bv_offset +
- PAGE_SIZE * (bvec->bv_page - &fi->folio->page);
+ PAGE_SIZE * folio_page_idx(fi->folio, bvec->bv_page);
fi->_seg_count = bvec->bv_len;
fi->length = min(folio_size(fi->folio) - fi->offset, fi->_seg_count);
fi->_next = folio_next(fi->folio);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 266/508] tools/resolve_btfids: Fix build when cross compiling kernel with clang.
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 265/508] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 267/508] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 Greg Kroah-Hartman
` (242 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suleiman Souhlal, Andrii Nakryiko,
Jiri Olsa
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suleiman Souhlal <suleiman@google.com>
commit a298bbab903e3fb4cbe16d36d6195e68fad1b776 upstream.
When cross compiling the kernel with clang, we need to override
CLANG_CROSS_FLAGS when preparing the step libraries.
Prior to commit d1d096312176 ("tools: fix annoying "mkdir -p ..." logs
when building tools in parallel"), MAKEFLAGS would have been set to a
value that wouldn't set a value for CLANG_CROSS_FLAGS, hiding the
fact that we weren't properly overriding it.
Fixes: 56a2df7615fa ("tools/resolve_btfids: Compile resolve_btfids as host program")
Signed-off-by: Suleiman Souhlal <suleiman@google.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20250606074538.1608546-1-suleiman@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/bpf/resolve_btfids/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/bpf/resolve_btfids/Makefile
+++ b/tools/bpf/resolve_btfids/Makefile
@@ -19,7 +19,7 @@ endif
# Overrides for the prepare step libraries.
HOST_OVERRIDES := AR="$(HOSTAR)" CC="$(HOSTCC)" LD="$(HOSTLD)" ARCH="$(HOSTARCH)" \
- CROSS_COMPILE="" EXTRA_CFLAGS="$(HOSTCFLAGS)"
+ CROSS_COMPILE="" CLANG_CROSS_FLAGS="" EXTRA_CFLAGS="$(HOSTCFLAGS)"
RM ?= rm
HOSTCC ?= gcc
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 267/508] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 266/508] tools/resolve_btfids: Fix build when cross compiling kernel with clang Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 268/508] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Greg Kroah-Hartman
` (241 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heimann, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Heimann <d@dmeh.net>
commit 6a3439a417b910e662c666993798e0691bc81147 upstream.
The RODE AI-1 audio interface requires implicit feedback sync between
playback endpoint 0x03 and feedback endpoint 0x84 on interface 3, but
doesn't advertise this in its USB descriptors.
Without this quirk, the device receives audio data but produces no output.
Signed-off-by: David Heimann <d@dmeh.net>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/084dc88c-1193-4a94-a002-5599adff936c@app.fastmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/implicit.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/implicit.c
+++ b/sound/usb/implicit.c
@@ -57,6 +57,7 @@ static const struct snd_usb_implicit_fb_
IMPLICIT_FB_FIXED_DEV(0x31e9, 0x0002, 0x81, 2), /* Solid State Logic SSL2+ */
IMPLICIT_FB_FIXED_DEV(0x0499, 0x172f, 0x81, 2), /* Steinberg UR22C */
IMPLICIT_FB_FIXED_DEV(0x0d9a, 0x00df, 0x81, 2), /* RTX6001 */
+ IMPLICIT_FB_FIXED_DEV(0x19f7, 0x000a, 0x84, 3), /* RODE AI-1 */
IMPLICIT_FB_FIXED_DEV(0x22f0, 0x0006, 0x81, 3), /* Allen&Heath Qu-16 */
IMPLICIT_FB_FIXED_DEV(0x1686, 0xf029, 0x82, 2), /* Zoom UAC-2 */
IMPLICIT_FB_FIXED_DEV(0x2466, 0x8003, 0x86, 2), /* Fractal Audio Axe-Fx II */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 268/508] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 267/508] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 269/508] Revert "io_uring: ensure deferred completions are posted for multishot" Greg Kroah-Hartman
` (240 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c52569baf0c843f35495,
Terry Junge, Michael Kelley, Jiri Kosina
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Terry Junge <linuxhid@cosmicgizmosystems.com>
commit fe7f7ac8e0c708446ff017453add769ffc15deed upstream.
Update struct hid_descriptor to better reflect the mandatory and
optional parts of the HID Descriptor as per USB HID 1.11 specification.
Note: the kernel currently does not parse any optional HID class
descriptors, only the mandatory report descriptor.
Update all references to member element desc[0] to rpt_desc.
Add test to verify bLength and bNumDescriptors values are valid.
Replace the for loop with direct access to the mandatory HID class
descriptor member for the report descriptor. This eliminates the
possibility of getting an out-of-bounds fault.
Add a warning message if the HID descriptor contains any unsupported
optional HID class descriptors.
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
Fixes: f043bfc98c19 ("HID: usbhid: fix out-of-bounds bug")
Cc: stable@vger.kernel.org
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-hyperv.c | 4 ++--
drivers/hid/usbhid/hid-core.c | 25 ++++++++++++++-----------
drivers/usb/gadget/function/f_hid.c | 12 ++++++------
include/linux/hid.h | 3 ++-
4 files changed, 24 insertions(+), 20 deletions(-)
--- a/drivers/hid/hid-hyperv.c
+++ b/drivers/hid/hid-hyperv.c
@@ -200,7 +200,7 @@ static void mousevsc_on_receive_device_i
goto cleanup;
input_device->report_desc_size = le16_to_cpu(
- desc->desc[0].wDescriptorLength);
+ desc->rpt_desc.wDescriptorLength);
if (input_device->report_desc_size == 0) {
input_device->dev_info_status = -EINVAL;
goto cleanup;
@@ -218,7 +218,7 @@ static void mousevsc_on_receive_device_i
memcpy(input_device->report_desc,
((unsigned char *)desc) + desc->bLength,
- le16_to_cpu(desc->desc[0].wDescriptorLength));
+ le16_to_cpu(desc->rpt_desc.wDescriptorLength));
/* Send the ack */
memset(&ack, 0, sizeof(struct mousevsc_prt_msg));
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -982,12 +982,11 @@ static int usbhid_parse(struct hid_devic
struct usb_host_interface *interface = intf->cur_altsetting;
struct usb_device *dev = interface_to_usbdev (intf);
struct hid_descriptor *hdesc;
+ struct hid_class_descriptor *hcdesc;
u32 quirks = 0;
unsigned int rsize = 0;
char *rdesc;
- int ret, n;
- int num_descriptors;
- size_t offset = offsetof(struct hid_descriptor, desc);
+ int ret;
quirks = hid_lookup_quirk(hid);
@@ -1009,20 +1008,19 @@ static int usbhid_parse(struct hid_devic
return -ENODEV;
}
- if (hdesc->bLength < sizeof(struct hid_descriptor)) {
- dbg_hid("hid descriptor is too short\n");
+ if (!hdesc->bNumDescriptors ||
+ hdesc->bLength != sizeof(*hdesc) +
+ (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
+ dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
+ hdesc->bLength, hdesc->bNumDescriptors);
return -EINVAL;
}
hid->version = le16_to_cpu(hdesc->bcdHID);
hid->country = hdesc->bCountryCode;
- num_descriptors = min_t(int, hdesc->bNumDescriptors,
- (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
-
- for (n = 0; n < num_descriptors; n++)
- if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
- rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
+ if (hdesc->rpt_desc.bDescriptorType == HID_DT_REPORT)
+ rsize = le16_to_cpu(hdesc->rpt_desc.wDescriptorLength);
if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
dbg_hid("weird size of report descriptor (%u)\n", rsize);
@@ -1050,6 +1048,11 @@ static int usbhid_parse(struct hid_devic
goto err;
}
+ if (hdesc->bNumDescriptors > 1)
+ hid_warn(intf,
+ "%u unsupported optional hid class descriptors\n",
+ (int)(hdesc->bNumDescriptors - 1));
+
hid->quirks |= quirks;
return 0;
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -114,8 +114,8 @@ static struct hid_descriptor hidg_desc =
.bcdHID = cpu_to_le16(0x0101),
.bCountryCode = 0x00,
.bNumDescriptors = 0x1,
- /*.desc[0].bDescriptorType = DYNAMIC */
- /*.desc[0].wDescriptorLenght = DYNAMIC */
+ /*.rpt_desc.bDescriptorType = DYNAMIC */
+ /*.rpt_desc.wDescriptorLength = DYNAMIC */
};
/* Super-Speed Support */
@@ -724,8 +724,8 @@ static int hidg_setup(struct usb_functio
struct hid_descriptor hidg_desc_copy = hidg_desc;
VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n");
- hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT;
- hidg_desc_copy.desc[0].wDescriptorLength =
+ hidg_desc_copy.rpt_desc.bDescriptorType = HID_DT_REPORT;
+ hidg_desc_copy.rpt_desc.wDescriptorLength =
cpu_to_le16(hidg->report_desc_length);
length = min_t(unsigned short, length,
@@ -966,8 +966,8 @@ static int hidg_bind(struct usb_configur
* We can use hidg_desc struct here but we should not relay
* that its content won't change after returning from this function.
*/
- hidg_desc.desc[0].bDescriptorType = HID_DT_REPORT;
- hidg_desc.desc[0].wDescriptorLength =
+ hidg_desc.rpt_desc.bDescriptorType = HID_DT_REPORT;
+ hidg_desc.rpt_desc.wDescriptorLength =
cpu_to_le16(hidg->report_desc_length);
hidg_hs_in_ep_desc.bEndpointAddress =
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -703,8 +703,9 @@ struct hid_descriptor {
__le16 bcdHID;
__u8 bCountryCode;
__u8 bNumDescriptors;
+ struct hid_class_descriptor rpt_desc;
- struct hid_class_descriptor desc[1];
+ struct hid_class_descriptor opt_descs[];
} __attribute__ ((packed));
#define HID_DEVICE(b, g, ven, prod) \
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 269/508] Revert "io_uring: ensure deferred completions are posted for multishot"
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 268/508] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 270/508] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Greg Kroah-Hartman
` (239 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit b82c386898f7b00cb49abe3fbd622017aaa61230 which is
commit 687b2bae0efff9b25e071737d6af5004e6e35af5 upstream.
Jens writes:
There's some missing dependencies that makes this not work
right, I'll bring it back in a series instead.
Link: https://lore.kernel.org/r/313f2335-626f-4eea-8502-d5c3773db35a@kernel.dk
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 8 --------
1 file changed, 8 deletions(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -820,14 +820,6 @@ bool io_post_aux_cqe(struct io_ring_ctx
{
bool filled;
- /*
- * If multishot has already posted deferred completions, ensure that
- * those are flushed first before posting this one. If not, CQEs
- * could get reordered.
- */
- if (!wq_list_empty(&ctx->submit_state.compl_reqs))
- __io_submit_flush_completions(ctx);
-
io_cq_lock(ctx);
filled = io_fill_cqe_aux(ctx, user_data, res, cflags, allow_overflow);
io_cq_unlock_post(ctx);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 270/508] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 269/508] Revert "io_uring: ensure deferred completions are posted for multishot" Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 271/508] drm/amd/display: Do not add -mhard-float to dml_ccflags for clang Greg Kroah-Hartman
` (238 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benoît Sevens, Oleg Nesterov,
Linus Torvalds
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit f90fff1e152dedf52b932240ebbd670d83330eca upstream.
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Cc: stable@vger.kernel.org
Reported-by: Benoît Sevens <bsevens@google.com>
Fixes: 0bdd2ed4138e ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/posix-cpu-timers.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -1439,6 +1439,15 @@ void run_posix_cpu_timers(void)
lockdep_assert_irqs_disabled();
/*
+ * Ensure that release_task(tsk) can't happen while
+ * handle_posix_cpu_timers() is running. Otherwise, a concurrent
+ * posix_cpu_timer_del() may fail to lock_task_sighand(tsk) and
+ * miss timer->it.cpu.firing != 0.
+ */
+ if (tsk->exit_state)
+ return;
+
+ /*
* If the actual expiry is deferred to task work context and the
* work is already scheduled there is no point to do anything here.
*/
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 271/508] drm/amd/display: Do not add -mhard-float to dml_ccflags for clang
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 270/508] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 272/508] mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Greg Kroah-Hartman
` (237 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Alex Deucher,
Linux Kernel Functional Testing, Anders Roxell, Masahiro Yamada
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 7db038d9790eda558dd6c1dde4cdd58b64789c47 upstream.
When clang's -Qunused-arguments is dropped from KBUILD_CPPFLAGS, it
warns:
clang-16: error: argument unused during compilation: '-mhard-float' [-Werror,-Wunused-command-line-argument]
Similar to commit 84edc2eff827 ("selftest/fpu: avoid clang warning"),
just add this flag to GCC builds. Commit 0f0727d971f6 ("drm/amd/display:
readd -msse2 to prevent Clang from emitting libcalls to undefined SW FP
routines") added '-msse2' to prevent clang from emitting software
floating point routines.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dml/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile
+++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile
@@ -26,7 +26,8 @@
# subcomponents.
ifdef CONFIG_X86
-dml_ccflags := -mhard-float -msse
+dml_ccflags-$(CONFIG_CC_IS_GCC) := -mhard-float
+dml_ccflags := $(dml_ccflags-y) -msse
endif
ifdef CONFIG_PPC64
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 272/508] mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 271/508] drm/amd/display: Do not add -mhard-float to dml_ccflags for clang Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 273/508] kbuild: Add CLANG_FLAGS to as-instr Greg Kroah-Hartman
` (236 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Masahiro Yamada
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 08f6554ff90ef189e6b8f0303e57005bddfdd6a7 upstream.
A future change will move CLANG_FLAGS from KBUILD_{A,C}FLAGS to
KBUILD_CPPFLAGS so that '--target' is available while preprocessing.
When that occurs, the following error appears when building ARCH=mips
with clang (tip of tree error shown):
clang: error: unsupported option '-mabi=' for target 'x86_64-pc-linux-gnu'
Add KBUILD_CPPFLAGS in the CHECKFLAGS invocation to keep everything
working after the move.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@@ -351,7 +351,7 @@ KBUILD_CFLAGS += -fno-asynchronous-unwin
KBUILD_LDFLAGS += -m $(ld-emul)
ifdef need-compiler
-CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
+CHECKFLAGS += $(shell $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
grep -E -vw '__GNUC_(MINOR_|PATCHLEVEL_)?_' | \
sed -e "s/^\#define /-D'/" -e "s/ /'='/" -e "s/$$/'/" -e 's/\$$/&&/g')
endif
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 273/508] kbuild: Add CLANG_FLAGS to as-instr
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 272/508] mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 274/508] kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Greg Kroah-Hartman
` (235 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Masahiro Yamada
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit cff6e7f50bd315e5b39c4e46c704ac587ceb965f upstream.
A future change will move CLANG_FLAGS from KBUILD_{A,C}FLAGS to
KBUILD_CPPFLAGS so that '--target' is available while preprocessing.
When that occurs, the following errors appear multiple times when
building ARCH=powerpc powernv_defconfig:
ld.lld: error: vmlinux.a(arch/powerpc/kernel/head_64.o):(.text+0x12d4): relocation R_PPC64_ADDR16_HI out of range: -4611686018409717520 is not in [-2147483648, 2147483647]; references '__start___soft_mask_table'
ld.lld: error: vmlinux.a(arch/powerpc/kernel/head_64.o):(.text+0x12e8): relocation R_PPC64_ADDR16_HI out of range: -4611686018409717392 is not in [-2147483648, 2147483647]; references '__stop___soft_mask_table'
Diffing the .o.cmd files reveals that -DHAVE_AS_ATHIGH=1 is not present
anymore, because as-instr only uses KBUILD_AFLAGS, which will no longer
contain '--target'.
Mirror Kconfig's as-instr and add CLANG_FLAGS explicitly to the
invocation to ensure the target information is always present.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/Makefile.compiler | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/scripts/Makefile.compiler
+++ b/scripts/Makefile.compiler
@@ -38,7 +38,7 @@ as-option = $(call try-run,\
# Usage: aflags-y += $(call as-instr,instr,option1,option2)
as-instr = $(call try-run,\
- printf "%b\n" "$(1)" | $(CC) -Werror $(KBUILD_AFLAGS) -c -x assembler-with-cpp -o "$$TMP" -,$(2),$(3))
+ printf "%b\n" "$(1)" | $(CC) -Werror $(CLANG_FLAGS) $(KBUILD_AFLAGS) -c -x assembler-with-cpp -o "$$TMP" -,$(2),$(3))
# __cc-option
# Usage: MY_CFLAGS += $(call __cc-option,$(CC),$(MY_CFLAGS),-march=winchip-c6,-march=i586)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 274/508] kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 273/508] kbuild: Add CLANG_FLAGS to as-instr Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 275/508] kbuild: Add KBUILD_CPPFLAGS to as-option invocation Greg Kroah-Hartman
` (234 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Rini, Masahiro Yamada,
Nathan Chancellor
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
commit feb843a469fb0ab00d2d23cfb9bcc379791011bb upstream.
When preprocessing arch/*/kernel/vmlinux.lds.S, the target triple is
not passed to $(CPP) because we add it only to KBUILD_{C,A}FLAGS.
As a result, the linker script is preprocessed with predefined macros
for the build host instead of the target.
Assuming you use an x86 build machine, compare the following:
$ clang -dM -E -x c /dev/null
$ clang -dM -E -x c /dev/null -target aarch64-linux-gnu
There is no actual problem presumably because our linker scripts do not
rely on such predefined macros, but it is better to define correct ones.
Move $(CLANG_FLAGS) to KBUILD_CPPFLAGS, so that all *.c, *.S, *.lds.S
will be processed with the proper target triple.
[Note]
After the patch submission, we got an actual problem that needs this
commit. (CBL issue 1859)
Link: https://github.com/ClangBuiltLinux/linux/issues/1859
Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/Makefile.clang | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/scripts/Makefile.clang
+++ b/scripts/Makefile.clang
@@ -36,6 +36,5 @@ endif
# so they can be implemented or wrapped in cc-option.
CLANG_FLAGS += -Werror=unknown-warning-option
CLANG_FLAGS += -Werror=ignored-optimization-argument
-KBUILD_CFLAGS += $(CLANG_FLAGS)
-KBUILD_AFLAGS += $(CLANG_FLAGS)
+KBUILD_CPPFLAGS += $(CLANG_FLAGS)
export CLANG_FLAGS
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 275/508] kbuild: Add KBUILD_CPPFLAGS to as-option invocation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 274/508] kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 276/508] usb: usbtmc: Fix read_stb function and get_stb ioctl Greg Kroah-Hartman
` (233 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linux Kernel Functional Testing,
Nathan Chancellor, Naresh Kamboju, Masahiro Yamada
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 43fc0a99906e04792786edf8534d8d58d1e9de0c upstream.
After commit feb843a469fb ("kbuild: add $(CLANG_FLAGS) to
KBUILD_CPPFLAGS"), there is an error while building certain PowerPC
assembly files with clang:
arch/powerpc/lib/copypage_power7.S: Assembler messages:
arch/powerpc/lib/copypage_power7.S:34: Error: junk at end of line: `0b01000'
arch/powerpc/lib/copypage_power7.S:35: Error: junk at end of line: `0b01010'
arch/powerpc/lib/copypage_power7.S:37: Error: junk at end of line: `0b01000'
arch/powerpc/lib/copypage_power7.S:38: Error: junk at end of line: `0b01010'
arch/powerpc/lib/copypage_power7.S:40: Error: junk at end of line: `0b01010'
clang: error: assembler command failed with exit code 1 (use -v to see invocation)
as-option only uses KBUILD_AFLAGS, so after removing CLANG_FLAGS from
KBUILD_AFLAGS, there is no more '--target=' or '--prefix=' flags. As a
result of those missing flags, the host target
will be tested during as-option calls and likely fail, meaning necessary
flags may not get added when building assembly files, resulting in
errors like seen above.
Add KBUILD_CPPFLAGS to as-option invocations to clear up the errors.
This should have been done in commit d5c8d6e0fa61 ("kbuild: Update
assembler calls to use proper flags and language target"), which
switched from using the assembler target to the assembler-with-cpp
target, so flags that affect preprocessing are passed along in all
relevant tests. as-option now mirrors cc-option.
Fixes: feb843a469fb ("kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS")
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/CA+G9fYs=koW9WardsTtora+nMgLR3raHz-LSLr58tgX4T5Mxag@mail.gmail.com/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/Makefile.compiler | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/scripts/Makefile.compiler
+++ b/scripts/Makefile.compiler
@@ -32,7 +32,7 @@ try-run = $(shell set -e; \
# Usage: aflags-y += $(call as-option,-Wa$(comma)-isa=foo,)
as-option = $(call try-run,\
- $(CC) -Werror $(KBUILD_AFLAGS) $(1) -c -x assembler-with-cpp /dev/null -o "$$TMP",$(1),$(2))
+ $(CC) -Werror $(KBUILD_CPPFLAGS) $(KBUILD_AFLAGS) $(1) -c -x assembler-with-cpp /dev/null -o "$$TMP",$(1),$(2))
# as-instr
# Usage: aflags-y += $(call as-instr,instr,option1,option2)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 276/508] usb: usbtmc: Fix read_stb function and get_stb ioctl
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 275/508] kbuild: Add KBUILD_CPPFLAGS to as-option invocation Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 277/508] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Greg Kroah-Hartman
` (232 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Penkler
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Penkler <dpenkler@gmail.com>
commit acb3dac2805d3342ded7dbbd164add32bbfdf21c upstream.
The usbtmc488_ioctl_read_stb function relied on a positive return from
usbtmc_get_stb to reset the srq condition in the driver. The
USBTMC_IOCTL_GET_STB case tested for a positive return to return the stb
to the user.
Commit: <cac01bd178d6> ("usb: usbtmc: Fix erroneous get_stb ioctl
error returns") changed the return value of usbtmc_get_stb to 0 on
success instead of returning the value of usb_control_msg which is
positive in the normal case. This change caused the function
usbtmc488_ioctl_read_stb and the USBTMC_IOCTL_GET_STB ioctl to no
longer function correctly.
Change the test in usbtmc488_ioctl_read_stb to test for failure
first and return the failure code immediately.
Change the test for the USBTMC_IOCTL_GET_STB ioctl to test for 0
instead of a positive value.
Fixes: cac01bd178d6 ("usb: usbtmc: Fix erroneous get_stb ioctl error returns")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250521121656.18174-3-dpenkler@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -565,14 +565,15 @@ static int usbtmc488_ioctl_read_stb(stru
rv = usbtmc_get_stb(file_data, &stb);
- if (rv > 0) {
- srq_asserted = atomic_xchg(&file_data->srq_asserted,
- srq_asserted);
- if (srq_asserted)
- stb |= 0x40; /* Set RQS bit */
+ if (rv < 0)
+ return rv;
+
+ srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
+ if (srq_asserted)
+ stb |= 0x40; /* Set RQS bit */
+
+ rv = put_user(stb, (__u8 __user *)arg);
- rv = put_user(stb, (__u8 __user *)arg);
- }
return rv;
}
@@ -2201,7 +2202,7 @@ static long usbtmc_ioctl(struct file *fi
case USBTMC_IOCTL_GET_STB:
retval = usbtmc_get_stb(file_data, &tmp_byte);
- if (retval > 0)
+ if (!retval)
retval = put_user(tmp_byte, (__u8 __user *)arg);
break;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 277/508] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 276/508] usb: usbtmc: Fix read_stb function and get_stb ioctl Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 278/508] usb: cdnsp: Fix issue with detecting command completion event Greg Kroah-Hartman
` (231 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wupeng Ma
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wupeng Ma <mawupeng1@huawei.com>
commit 1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4 upstream.
During our test, it is found that a warning can be trigger in try_grab_folio
as follow:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
Modules linked in:
CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)
RIP: 0010:try_grab_folio+0x106/0x130
Call Trace:
<TASK>
follow_huge_pmd+0x240/0x8e0
follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0
follow_pud_mask.constprop.0.isra.0+0x14a/0x170
follow_page_mask+0x1c2/0x1f0
__get_user_pages+0x176/0x950
__gup_longterm_locked+0x15b/0x1060
? gup_fast+0x120/0x1f0
gup_fast_fallback+0x17e/0x230
get_user_pages_fast+0x5f/0x80
vmci_host_unlocked_ioctl+0x21c/0xf80
RIP: 0033:0x54d2cd
---[ end trace 0000000000000000 ]---
Digging into the source, context->notify_page may init by get_user_pages_fast
and can be seen in vmci_ctx_unset_notify which will try to put_page. However
get_user_pages_fast is not finished here and lead to following
try_grab_folio warning. The race condition is shown as follow:
cpu0 cpu1
vmci_host_do_set_notify
vmci_host_setup_notify
get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
lockless_pages_from_mm
gup_pgd_range
gup_huge_pmd // update &context->notify_page
vmci_host_do_set_notify
vmci_ctx_unset_notify
notify_page = context->notify_page;
if (notify_page)
put_page(notify_page); // page is freed
__gup_longterm_locked
__get_user_pages
follow_trans_huge_pmd
try_grab_folio // warn here
To slove this, use local variable page to make notify_page can be seen
after finish get_user_pages_fast.
Fixes: a1d88436d53a ("VMCI: Fix two UVA mapping bugs")
Cc: stable <stable@kernel.org>
Closes: https://lore.kernel.org/all/e91da589-ad57-3969-d979-879bbd10dddd@huawei.com/
Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
Link: https://lore.kernel.org/r/20250510033040.901582-1-mawupeng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/vmw_vmci/vmci_host.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -227,6 +227,7 @@ static int drv_cp_harray_to_user(void __
static int vmci_host_setup_notify(struct vmci_ctx *context,
unsigned long uva)
{
+ struct page *page;
int retval;
if (context->notify_page) {
@@ -243,13 +244,11 @@ static int vmci_host_setup_notify(struct
/*
* Lock physical page backing a given user VA.
*/
- retval = get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
- if (retval != 1) {
- context->notify_page = NULL;
+ retval = get_user_pages_fast(uva, 1, FOLL_WRITE, &page);
+ if (retval != 1)
return VMCI_ERROR_GENERIC;
- }
- if (context->notify_page == NULL)
- return VMCI_ERROR_UNAVAILABLE;
+
+ context->notify_page = page;
/*
* Map the locked page and set up notify pointer.
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 278/508] usb: cdnsp: Fix issue with detecting command completion event
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 277/508] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 279/508] usb: cdnsp: Fix issue with detecting USB 3.2 speed Greg Kroah-Hartman
` (230 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Pawel Laszczak, Peter Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Laszczak <pawell@cadence.com>
commit f4ecdc352646f7d23f348e5c544dbe3212c94fc8 upstream.
In some cases, there is a small-time gap in which CMD_RING_BUSY can be
cleared by controller but adding command completion event to event ring
will be delayed. As the result driver will return error code.
This behavior has been detected on usbtest driver (test 9) with
configuration including ep1in/ep1out bulk and ep2in/ep2out isoc
endpoint.
Probably this gap occurred because controller was busy with adding some
other events to event ring.
The CMD_RING_BUSY is cleared to '0' when the Command Descriptor has been
executed and not when command completion event has been added to event
ring.
To fix this issue for this test the small delay is sufficient less than
10us) but to make sure the problem doesn't happen again in the future
the patch introduces 10 retries to check with delay about 20us before
returning error code.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/PH7PR07MB9538AA45362ACCF1B94EE9B7DD96A@PH7PR07MB9538.namprd07.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-gadget.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/usb/cdns3/cdnsp-gadget.c
+++ b/drivers/usb/cdns3/cdnsp-gadget.c
@@ -546,6 +546,7 @@ int cdnsp_wait_for_cmd_compl(struct cdns
dma_addr_t cmd_deq_dma;
union cdnsp_trb *event;
u32 cycle_state;
+ u32 retry = 10;
int ret, val;
u64 cmd_dma;
u32 flags;
@@ -577,8 +578,23 @@ int cdnsp_wait_for_cmd_compl(struct cdns
flags = le32_to_cpu(event->event_cmd.flags);
/* Check the owner of the TRB. */
- if ((flags & TRB_CYCLE) != cycle_state)
+ if ((flags & TRB_CYCLE) != cycle_state) {
+ /*
+ * Give some extra time to get chance controller
+ * to finish command before returning error code.
+ * Checking CMD_RING_BUSY is not sufficient because
+ * this bit is cleared to '0' when the Command
+ * Descriptor has been executed by controller
+ * and not when command completion event has
+ * be added to event ring.
+ */
+ if (retry--) {
+ udelay(20);
+ continue;
+ }
+
return -EINVAL;
+ }
cmd_dma = le64_to_cpu(event->event_cmd.cmd_trb);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 279/508] usb: cdnsp: Fix issue with detecting USB 3.2 speed
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 278/508] usb: cdnsp: Fix issue with detecting command completion event Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 280/508] usb: Flush altsetting 0 endpoints before reinitializating them after reset Greg Kroah-Hartman
` (229 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Pawel Laszczak, Peter Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Laszczak <pawell@cadence.com>
commit 2852788cfbe9ca1ab68509d65804413871f741f9 upstream.
Patch adds support for detecting SuperSpeedPlus Gen1 x2 and
SuperSpeedPlus Gen2 x2 speed.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/PH7PR07MB95387AD98EDCA695FECE52BADD96A@PH7PR07MB9538.namprd07.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-gadget.c | 3 ++-
drivers/usb/cdns3/cdnsp-gadget.h | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/cdns3/cdnsp-gadget.c
+++ b/drivers/usb/cdns3/cdnsp-gadget.c
@@ -28,7 +28,8 @@
unsigned int cdnsp_port_speed(unsigned int port_status)
{
/*Detect gadget speed based on PORTSC register*/
- if (DEV_SUPERSPEEDPLUS(port_status))
+ if (DEV_SUPERSPEEDPLUS(port_status) ||
+ DEV_SSP_GEN1x2(port_status) || DEV_SSP_GEN2x2(port_status))
return USB_SPEED_SUPER_PLUS;
else if (DEV_SUPERSPEED(port_status))
return USB_SPEED_SUPER;
--- a/drivers/usb/cdns3/cdnsp-gadget.h
+++ b/drivers/usb/cdns3/cdnsp-gadget.h
@@ -285,11 +285,15 @@ struct cdnsp_port_regs {
#define XDEV_HS (0x3 << 10)
#define XDEV_SS (0x4 << 10)
#define XDEV_SSP (0x5 << 10)
+#define XDEV_SSP1x2 (0x6 << 10)
+#define XDEV_SSP2x2 (0x7 << 10)
#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0 << 10))
#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS)
#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS)
#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS)
#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP)
+#define DEV_SSP_GEN1x2(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP1x2)
+#define DEV_SSP_GEN2x2(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP2x2)
#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS)
#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f)
/* Port Link State Write Strobe - set this when changing link state */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 280/508] usb: Flush altsetting 0 endpoints before reinitializating them after reset.
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 279/508] usb: cdnsp: Fix issue with detecting USB 3.2 speed Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 281/508] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Greg Kroah-Hartman
` (228 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Mathias Nyman
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 89bb3dc13ac29a563f4e4c555e422882f64742bd upstream.
usb core avoids sending a Set-Interface altsetting 0 request after device
reset, and instead relies on calling usb_disable_interface() and
usb_enable_interface() to flush and reset host-side of those endpoints.
xHCI hosts allocate and set up endpoint ring buffers and host_ep->hcpriv
during usb_hcd_alloc_bandwidth() callback, which in this case is called
before flushing the endpoint in usb_disable_interface().
Call usb_disable_interface() before usb_hcd_alloc_bandwidth() to ensure
URBs are flushed before new ring buffers for the endpoints are allocated.
Otherwise host driver will attempt to find and remove old stale URBs
from a freshly allocated new ringbuffer.
Cc: stable <stable@kernel.org>
Fixes: 4fe0387afa89 ("USB: don't send Set-Interface after reset")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250514132520.225345-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -6087,6 +6087,7 @@ static int usb_reset_and_verify_device(s
struct usb_hub *parent_hub;
struct usb_hcd *hcd = bus_to_hcd(udev->bus);
struct usb_device_descriptor descriptor;
+ struct usb_interface *intf;
struct usb_host_bos *bos;
int i, j, ret = 0;
int port1 = udev->portnum;
@@ -6140,6 +6141,18 @@ static int usb_reset_and_verify_device(s
if (!udev->actconfig)
goto done;
+ /*
+ * Some devices can't handle setting default altsetting 0 with a
+ * Set-Interface request. Disable host-side endpoints of those
+ * interfaces here. Enable and reset them back after host has set
+ * its internal endpoint structures during usb_hcd_alloc_bandwith()
+ */
+ for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) {
+ intf = udev->actconfig->interface[i];
+ if (intf->cur_altsetting->desc.bAlternateSetting == 0)
+ usb_disable_interface(udev, intf, true);
+ }
+
mutex_lock(hcd->bandwidth_mutex);
ret = usb_hcd_alloc_bandwidth(udev, udev->actconfig, NULL, NULL);
if (ret < 0) {
@@ -6171,12 +6184,11 @@ static int usb_reset_and_verify_device(s
*/
for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) {
struct usb_host_config *config = udev->actconfig;
- struct usb_interface *intf = config->interface[i];
struct usb_interface_descriptor *desc;
+ intf = config->interface[i];
desc = &intf->cur_altsetting->desc;
if (desc->bAlternateSetting == 0) {
- usb_disable_interface(udev, intf, true);
usb_enable_interface(udev, intf, true);
ret = 0;
} else {
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 281/508] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 280/508] usb: Flush altsetting 0 endpoints before reinitializating them after reset Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 282/508] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Greg Kroah-Hartman
` (227 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amit Sunil Dhamne,
Badhri Jagan Sridharan, Kyle Tso, stable, Heikki Krogerus
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Sunil Dhamne <amitsd@google.com>
commit 0736299d090f5c6a1032678705c4bc0a9511a3db upstream.
Register read of TCPC_RX_BYTE_CNT returns the total size consisting of:
PD message (pending read) size + 1 Byte for Frame Type (SOP*)
This is validated against the max PD message (`struct pd_message`) size
without accounting for the extra byte for the frame type. Note that the
struct pd_message does not contain a field for the frame_type. This
results in false negatives when the "PD message (pending read)" is equal
to the max PD message size.
Fixes: 6f413b559f86 ("usb: typec: tcpci_maxim: Chip level TCPC driver")
Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Kyle Tso <kyletso@google.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/stable/20250502-b4-new-fix-pd-rx-count-v1-1-e5711ed09b3d%40google.com
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250502-b4-new-fix-pd-rx-count-v1-1-e5711ed09b3d@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpci_maxim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpci_maxim.c
+++ b/drivers/usb/typec/tcpm/tcpci_maxim.c
@@ -171,7 +171,8 @@ static void process_rx(struct max_tcpci_
return;
}
- if (count > sizeof(struct pd_message) || count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
+ if (count > sizeof(struct pd_message) + 1 ||
+ count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d\n", count);
return;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 282/508] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 281/508] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 283/508] x86/iopl: Cure TIF_IO_BITMAP inconsistencies Greg Kroah-Hartman
` (226 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Stefano Stabellini,
Juergen Gross
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Stabellini <stefano.stabellini@amd.com>
commit 7f9bbc1140ff8796230bc2634055763e271fd692 upstream.
dm_op hypercalls might come from userspace and pass memory addresses as
parameters. The memory addresses typically correspond to buffers
allocated in userspace to hold extra hypercall parameters.
On ARM, when CONFIG_ARM64_SW_TTBR0_PAN is enabled, they might not be
accessible by Xen, as a result ioreq hypercalls might fail. See the
existing comment in arch/arm64/xen/hypercall.S regarding privcmd_call
for reference.
For privcmd_call, Linux calls uaccess_ttbr0_enable before issuing the
hypercall thanks to commit 9cf09d68b89a. We need to do the same for
dm_op. This resolves the problem.
Cc: stable@kernel.org
Fixes: 9cf09d68b89a ("arm64: xen: Enable user access before a privcmd hvc call")
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <alpine.DEB.2.22.394.2505121446370.8380@ubuntu-linux-20-04-desktop>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/xen/hypercall.S | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
--- a/arch/arm64/xen/hypercall.S
+++ b/arch/arm64/xen/hypercall.S
@@ -83,7 +83,26 @@ HYPERCALL3(vcpu_op);
HYPERCALL1(platform_op_raw);
HYPERCALL2(multicall);
HYPERCALL2(vm_assist);
-HYPERCALL3(dm_op);
+
+SYM_FUNC_START(HYPERVISOR_dm_op)
+ mov x16, #__HYPERVISOR_dm_op; \
+ /*
+ * dm_op hypercalls are issued by the userspace. The kernel needs to
+ * enable access to TTBR0_EL1 as the hypervisor would issue stage 1
+ * translations to user memory via AT instructions. Since AT
+ * instructions are not affected by the PAN bit (ARMv8.1), we only
+ * need the explicit uaccess_enable/disable if the TTBR0 PAN emulation
+ * is enabled (it implies that hardware UAO and PAN disabled).
+ */
+ uaccess_ttbr0_enable x6, x7, x8
+ hvc XEN_IMM
+
+ /*
+ * Disable userspace access from kernel once the hyp call completed.
+ */
+ uaccess_ttbr0_disable x6, x7
+ ret
+SYM_FUNC_END(HYPERVISOR_dm_op);
SYM_FUNC_START(privcmd_call)
mov x16, x0
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 283/508] x86/iopl: Cure TIF_IO_BITMAP inconsistencies
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 282/508] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 284/508] calipso: unlock rcu before returning -EAFNOSUPPORT Greg Kroah-Hartman
` (225 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e2b1803445d236442e54,
Thomas Gleixner, Borislav Petkov (AMD)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 8b68e978718f14fdcb080c2a7791c52a0d09bc6d upstream.
io_bitmap_exit() is invoked from exit_thread() when a task exists or
when a fork fails. In the latter case the exit_thread() cleans up
resources which were allocated during fork().
io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up
in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the
current task. If current has TIF_IO_BITMAP set, but no bitmap installed,
tss_update_io_bitmap() crashes with a NULL pointer dereference.
There are two issues, which lead to that problem:
1) io_bitmap_exit() should not invoke task_update_io_bitmap() when
the task, which is cleaned up, is not the current task. That's a
clear indicator for a cleanup after a failed fork().
2) A task should not have TIF_IO_BITMAP set and neither a bitmap
installed nor IOPL emulation level 3 activated.
This happens when a kernel thread is created in the context of
a user space thread, which has TIF_IO_BITMAP set as the thread
flags are copied and the IO bitmap pointer is cleared.
Other than in the failed fork() case this has no impact because
kernel threads including IO workers never return to user space and
therefore never invoke tss_update_io_bitmap().
Cure this by adding the missing cleanups and checks:
1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if
the to be cleaned up task is not the current task.
2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user
space forks it is set later, when the IO bitmap is inherited in
io_bitmap_share().
For paranoia sake, add a warning into tss_update_io_bitmap() to catch
the case, when that code is invoked with inconsistent state.
Fixes: ea5f1cd7ab49 ("x86/ioperm: Remove bitmap if all permissions dropped")
Reported-by: syzbot+e2b1803445d236442e54@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/87wmdceom2.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/ioport.c | 13 +++++++++----
arch/x86/kernel/process.c | 6 ++++++
2 files changed, 15 insertions(+), 4 deletions(-)
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -33,8 +33,9 @@ void io_bitmap_share(struct task_struct
set_tsk_thread_flag(tsk, TIF_IO_BITMAP);
}
-static void task_update_io_bitmap(struct task_struct *tsk)
+static void task_update_io_bitmap(void)
{
+ struct task_struct *tsk = current;
struct thread_struct *t = &tsk->thread;
if (t->iopl_emul == 3 || t->io_bitmap) {
@@ -54,7 +55,12 @@ void io_bitmap_exit(struct task_struct *
struct io_bitmap *iobm = tsk->thread.io_bitmap;
tsk->thread.io_bitmap = NULL;
- task_update_io_bitmap(tsk);
+ /*
+ * Don't touch the TSS when invoked on a failed fork(). TSS
+ * reflects the state of @current and not the state of @tsk.
+ */
+ if (tsk == current)
+ task_update_io_bitmap();
if (iobm && refcount_dec_and_test(&iobm->refcnt))
kfree(iobm);
}
@@ -192,8 +198,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
}
t->iopl_emul = level;
- task_update_io_bitmap(current);
-
+ task_update_io_bitmap();
return 0;
}
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -154,6 +154,7 @@ int copy_thread(struct task_struct *p, c
frame->ret_addr = (unsigned long) ret_from_fork;
p->thread.sp = (unsigned long) fork_frame;
p->thread.io_bitmap = NULL;
+ clear_tsk_thread_flag(p, TIF_IO_BITMAP);
p->thread.iopl_warn = 0;
memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
@@ -428,6 +429,11 @@ void native_tss_update_io_bitmap(void)
} else {
struct io_bitmap *iobm = t->io_bitmap;
+ if (WARN_ON_ONCE(!iobm)) {
+ clear_thread_flag(TIF_IO_BITMAP);
+ native_tss_invalidate_io_bitmap();
+ }
+
/*
* Only copy bitmap data when the sequence number differs. The
* update time is accounted to the incoming task.
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 284/508] calipso: unlock rcu before returning -EAFNOSUPPORT
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 283/508] x86/iopl: Cure TIF_IO_BITMAP inconsistencies Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 285/508] net: usb: aqc111: debug info before sanitation Greg Kroah-Hartman
` (224 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Kuniyuki Iwashima, Paul Moore, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 3cae906e1a6184cdc9e4d260e4dbdf9a118d94ad upstream.
syzbot reported that a recent patch forgot to unlock rcu
in the error path.
Adopt the convention that netlbl_conn_setattr() is already using.
Fixes: 6e9f2df1c550 ("calipso: Don't call calipso functions for AF_INET sk.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20250604133826.1667664-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netlabel/netlabel_kapi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1140,8 +1140,10 @@ int netlbl_conn_setattr(struct sock *sk,
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
- if (sk->sk_family != AF_INET6)
- return -EAFNOSUPPORT;
+ if (sk->sk_family != AF_INET6) {
+ ret_val = -EAFNOSUPPORT;
+ goto conn_setattr_return;
+ }
addr6 = (struct sockaddr_in6 *)addr;
entry = netlbl_domhsh_getentry_af6(secattr->domain,
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 285/508] net: usb: aqc111: debug info before sanitation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 284/508] calipso: unlock rcu before returning -EAFNOSUPPORT Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 286/508] drm/meson: Use 1000ULL when operating with mode->clock Greg Kroah-Hartman
` (223 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Andrew Lunn,
David S. Miller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit d3faab9b5a6a0477d69c38bd11c43aa5e936f929 upstream.
If we sanitize error returns, the debug statements need
to come before that so that we don't lose information.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: 405b0d610745 ("net: usb: aqc111: fix error handling of usbnet read calls")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/aqc111.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -31,11 +31,11 @@ static int aqc111_read_cmd_nopm(struct u
USB_RECIP_DEVICE, value, index, data, size);
if (unlikely(ret < size)) {
- ret = ret < 0 ? ret : -ENODATA;
-
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+
+ ret = ret < 0 ? ret : -ENODATA;
}
return ret;
@@ -50,11 +50,11 @@ static int aqc111_read_cmd(struct usbnet
USB_RECIP_DEVICE, value, index, data, size);
if (unlikely(ret < size)) {
- ret = ret < 0 ? ret : -ENODATA;
-
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+
+ ret = ret < 0 ? ret : -ENODATA;
}
return ret;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 286/508] drm/meson: Use 1000ULL when operating with mode->clock
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 285/508] net: usb: aqc111: debug info before sanitation Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 287/508] kbuild: userprogs: fix bitsize and target detection on clang Greg Kroah-Hartman
` (222 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, I Hsin Cheng, Martin Blumenstingl,
Neil Armstrong
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: I Hsin Cheng <richard120310@gmail.com>
commit eb0851e14432f3b87c77b704c835ac376deda03a upstream.
Coverity scan reported the usage of "mode->clock * 1000" may lead to
integer overflow. Use "1000ULL" instead of "1000"
when utilizing it to avoid potential integer overflow issue.
Link: https://scan5.scan.coverity.com/#/project-view/10074/10063?selectedIssue=1646759
Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Fixes: 1017560164b6 ("drm/meson: use unsigned long long / Hz for frequency types")
Link: https://lore.kernel.org/r/20250505184338.678540-1-richard120310@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -73,7 +73,7 @@ static void meson_encoder_hdmi_set_vclk(
unsigned long long venc_freq;
unsigned long long hdmi_freq;
- vclk_freq = mode->clock * 1000;
+ vclk_freq = mode->clock * 1000ULL;
/* For 420, pixel clock is half unlike venc clock */
if (encoder_hdmi->output_bus_fmt == MEDIA_BUS_FMT_UYYVYY8_0_5X24)
@@ -121,7 +121,7 @@ static enum drm_mode_status meson_encode
struct meson_encoder_hdmi *encoder_hdmi = bridge_to_meson_encoder_hdmi(bridge);
struct meson_drm *priv = encoder_hdmi->priv;
bool is_hdmi2_sink = display_info->hdmi.scdc.supported;
- unsigned long long clock = mode->clock * 1000;
+ unsigned long long clock = mode->clock * 1000ULL;
unsigned long long phy_freq;
unsigned long long vclk_freq;
unsigned long long venc_freq;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 287/508] kbuild: userprogs: fix bitsize and target detection on clang
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 286/508] drm/meson: Use 1000ULL when operating with mode->clock Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 288/508] kbuild: hdrcheck: fix cross build with clang Greg Kroah-Hartman
` (221 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Nathan Chancellor, Masahiro Yamada
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 1b71c2fb04e7a713abc6edde4a412416ff3158f2 upstream.
scripts/Makefile.clang was changed in the linked commit to move --target from
KBUILD_CFLAGS to KBUILD_CPPFLAGS, as that generally has a broader scope.
However that variable is not inspected by the userprogs logic,
breaking cross compilation on clang.
Use both variables to detect bitsize and target arguments for userprogs.
Fixes: feb843a469fb ("kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -1139,8 +1139,8 @@ LDFLAGS_vmlinux += --orphan-handling=war
endif
# Align the bit size of userspace programs with the kernel
-KBUILD_USERCFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
-KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
+KBUILD_USERCFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
+KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
# userspace programs are linked via the compiler, use the correct linker
ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 288/508] kbuild: hdrcheck: fix cross build with clang
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 287/508] kbuild: userprogs: fix bitsize and target detection on clang Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 289/508] configfs: Do not override creating attribute file failure in populate_attrs() Greg Kroah-Hartman
` (220 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Arnd Bergmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 02e9a22ceef0227175e391902d8760425fa072c6 upstream.
The headercheck tries to call clang with a mix of compiler arguments
that don't include the target architecture. When building e.g. x86
headers on arm64, this produces a warning like
clang: warning: unknown platform, assuming -mfloat-abi=soft
Add in the KBUILD_CPPFLAGS, which contain the target, in order to make it
build properly.
See also 1b71c2fb04e7 ("kbuild: userprogs: fix bitsize and target
detection on clang").
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Fixes: feb843a469fb ("kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
usr/include/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/usr/include/Makefile
+++ b/usr/include/Makefile
@@ -10,7 +10,7 @@ UAPI_CFLAGS := -std=c90 -Wall -Werror=im
# In theory, we do not care -m32 or -m64 for header compile tests.
# It is here just because CONFIG_CC_CAN_LINK is tested with -m32 or -m64.
-UAPI_CFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
+UAPI_CFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
# USERCFLAGS might contain sysroot location for CC.
UAPI_CFLAGS += $(USERCFLAGS)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 289/508] configfs: Do not override creating attribute file failure in populate_attrs()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 288/508] kbuild: hdrcheck: fix cross build with clang Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 290/508] crypto: marvell/cesa - Do not chain submitted requests Greg Kroah-Hartman
` (219 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joel Becker, Breno Leitao, Zijun Hu,
Andreas Hindborg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit f830edbae247b89228c3e09294151b21e0dc849c upstream.
populate_attrs() may override failure for creating attribute files
by success for creating subsequent bin attribute files, and have
wrong return value.
Fix by creating bin attribute files under successfully creating
attribute files.
Fixes: 03607ace807b ("configfs: implement binary attributes")
Cc: stable@vger.kernel.org
Reviewed-by: Joel Becker <jlbec@evilplan.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250507-fix_configfs-v3-2-fe2d96de8dc4@quicinc.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/configfs/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -593,7 +593,7 @@ static int populate_attrs(struct config_
break;
}
}
- if (t->ct_bin_attrs) {
+ if (!error && t->ct_bin_attrs) {
for (i = 0; (bin_attr = t->ct_bin_attrs[i]) != NULL; i++) {
error = configfs_create_bin_file(item, bin_attr);
if (error)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 290/508] crypto: marvell/cesa - Do not chain submitted requests
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 289/508] configfs: Do not override creating attribute file failure in populate_attrs() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 291/508] gfs2: move msleep to sleepable context Greg Kroah-Hartman
` (218 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Klaus Kudielka, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 0413bcf0fc460a68a2a7a8354aee833293d7d693 upstream.
This driver tries to chain requests together before submitting them
to hardware in order to reduce completion interrupts.
However, it even extends chains that have already been submitted
to hardware. This is dangerous because there is no way of knowing
whether the hardware has already read the DMA memory in question
or not.
Fix this by splitting the chain list into two. One for submitted
requests and one for requests that have not yet been submitted.
Only extend the latter.
Reported-by: Klaus Kudielka <klaus.kudielka@gmail.com>
Fixes: 85030c5168f1 ("crypto: marvell - Add support for chaining crypto requests in TDMA mode")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/marvell/cesa/cesa.c | 2 -
drivers/crypto/marvell/cesa/cesa.h | 9 ++++--
drivers/crypto/marvell/cesa/tdma.c | 53 ++++++++++++++++++++++---------------
3 files changed, 39 insertions(+), 25 deletions(-)
--- a/drivers/crypto/marvell/cesa/cesa.c
+++ b/drivers/crypto/marvell/cesa/cesa.c
@@ -94,7 +94,7 @@ static int mv_cesa_std_process(struct mv
static int mv_cesa_int_process(struct mv_cesa_engine *engine, u32 status)
{
- if (engine->chain.first && engine->chain.last)
+ if (engine->chain_hw.first && engine->chain_hw.last)
return mv_cesa_tdma_process(engine, status);
return mv_cesa_std_process(engine, status);
--- a/drivers/crypto/marvell/cesa/cesa.h
+++ b/drivers/crypto/marvell/cesa/cesa.h
@@ -440,8 +440,10 @@ struct mv_cesa_dev {
* SRAM
* @queue: fifo of the pending crypto requests
* @load: engine load counter, useful for load balancing
- * @chain: list of the current tdma descriptors being processed
- * by this engine.
+ * @chain_hw: list of the current tdma descriptors being processed
+ * by the hardware.
+ * @chain_sw: list of the current tdma descriptors that will be
+ * submitted to the hardware.
* @complete_queue: fifo of the processed requests by the engine
*
* Structure storing CESA engine information.
@@ -463,7 +465,8 @@ struct mv_cesa_engine {
struct gen_pool *pool;
struct crypto_queue queue;
atomic_t load;
- struct mv_cesa_tdma_chain chain;
+ struct mv_cesa_tdma_chain chain_hw;
+ struct mv_cesa_tdma_chain chain_sw;
struct list_head complete_queue;
int irq;
};
--- a/drivers/crypto/marvell/cesa/tdma.c
+++ b/drivers/crypto/marvell/cesa/tdma.c
@@ -38,6 +38,15 @@ void mv_cesa_dma_step(struct mv_cesa_req
{
struct mv_cesa_engine *engine = dreq->engine;
+ spin_lock_bh(&engine->lock);
+ if (engine->chain_sw.first == dreq->chain.first) {
+ engine->chain_sw.first = NULL;
+ engine->chain_sw.last = NULL;
+ }
+ engine->chain_hw.first = dreq->chain.first;
+ engine->chain_hw.last = dreq->chain.last;
+ spin_unlock_bh(&engine->lock);
+
writel_relaxed(0, engine->regs + CESA_SA_CFG);
mv_cesa_set_int_mask(engine, CESA_SA_INT_ACC0_IDMA_DONE);
@@ -96,25 +105,27 @@ void mv_cesa_dma_prepare(struct mv_cesa_
void mv_cesa_tdma_chain(struct mv_cesa_engine *engine,
struct mv_cesa_req *dreq)
{
- if (engine->chain.first == NULL && engine->chain.last == NULL) {
- engine->chain.first = dreq->chain.first;
- engine->chain.last = dreq->chain.last;
- } else {
- struct mv_cesa_tdma_desc *last;
+ struct mv_cesa_tdma_desc *last = engine->chain_sw.last;
- last = engine->chain.last;
+ /*
+ * Break the DMA chain if the request being queued needs the IV
+ * regs to be set before lauching the request.
+ */
+ if (!last || dreq->chain.first->flags & CESA_TDMA_SET_STATE)
+ engine->chain_sw.first = dreq->chain.first;
+ else {
last->next = dreq->chain.first;
- engine->chain.last = dreq->chain.last;
-
- /*
- * Break the DMA chain if the CESA_TDMA_BREAK_CHAIN is set on
- * the last element of the current chain, or if the request
- * being queued needs the IV regs to be set before lauching
- * the request.
- */
- if (!(last->flags & CESA_TDMA_BREAK_CHAIN) &&
- !(dreq->chain.first->flags & CESA_TDMA_SET_STATE))
- last->next_dma = cpu_to_le32(dreq->chain.first->cur_dma);
+ last->next_dma = cpu_to_le32(dreq->chain.first->cur_dma);
+ }
+ last = dreq->chain.last;
+ engine->chain_sw.last = last;
+ /*
+ * Break the DMA chain if the CESA_TDMA_BREAK_CHAIN is set on
+ * the last element of the current chain.
+ */
+ if (last->flags & CESA_TDMA_BREAK_CHAIN) {
+ engine->chain_sw.first = NULL;
+ engine->chain_sw.last = NULL;
}
}
@@ -127,7 +138,7 @@ int mv_cesa_tdma_process(struct mv_cesa_
tdma_cur = readl(engine->regs + CESA_TDMA_CUR);
- for (tdma = engine->chain.first; tdma; tdma = next) {
+ for (tdma = engine->chain_hw.first; tdma; tdma = next) {
spin_lock_bh(&engine->lock);
next = tdma->next;
spin_unlock_bh(&engine->lock);
@@ -149,12 +160,12 @@ int mv_cesa_tdma_process(struct mv_cesa_
&backlog);
/* Re-chaining to the next request */
- engine->chain.first = tdma->next;
+ engine->chain_hw.first = tdma->next;
tdma->next = NULL;
/* If this is the last request, clear the chain */
- if (engine->chain.first == NULL)
- engine->chain.last = NULL;
+ if (engine->chain_hw.first == NULL)
+ engine->chain_hw.last = NULL;
spin_unlock_bh(&engine->lock);
ctx = crypto_tfm_ctx(req->tfm);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 291/508] gfs2: move msleep to sleepable context
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 290/508] crypto: marvell/cesa - Do not chain submitted requests Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 294/508] io_uring: account drain memory to cgroup Greg Kroah-Hartman
` (217 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Alexander Aring
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Aring <aahringo@redhat.com>
commit ac5ee087d31ed93b6e45d2968a66828c6f621d8c upstream.
This patch moves the msleep_interruptible() out of the non-sleepable
context by moving the ls->ls_recover_spin spinlock around so
msleep_interruptible() will be called in a sleepable context.
Cc: stable@vger.kernel.org
Fixes: 4a7727725dc7 ("GFS2: Fix recovery issues for spectators")
Suggested-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/gfs2/lock_dlm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/gfs2/lock_dlm.c
+++ b/fs/gfs2/lock_dlm.c
@@ -950,14 +950,15 @@ locks_done:
if (sdp->sd_args.ar_spectator) {
fs_info(sdp, "Recovery is required. Waiting for a "
"non-spectator to mount.\n");
+ spin_unlock(&ls->ls_recover_spin);
msleep_interruptible(1000);
} else {
fs_info(sdp, "control_mount wait1 block %u start %u "
"mount %u lvb %u flags %lx\n", block_gen,
start_gen, mount_gen, lvb_gen,
ls->ls_recover_flags);
+ spin_unlock(&ls->ls_recover_spin);
}
- spin_unlock(&ls->ls_recover_spin);
goto restart;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 294/508] io_uring: account drain memory to cgroup
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 291/508] gfs2: move msleep to sleepable context Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 295/508] powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states Greg Kroah-Hartman
` (216 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit f979c20547e72568e3c793bc92c7522bc3166246 upstream.
Account drain allocations against memcg. It's not a big problem as each
such allocation is paired with a request, which is accounted, but it's
nicer to follow the limits more closely.
Cc: stable@vger.kernel.org # 6.1
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/f8dfdbd755c41fd9c75d12b858af07dfba5bbb68.1746788718.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1654,7 +1654,7 @@ queue:
spin_unlock(&ctx->completion_lock);
io_prep_async_link(req);
- de = kmalloc(sizeof(*de), GFP_KERNEL);
+ de = kmalloc(sizeof(*de), GFP_KERNEL_ACCOUNT);
if (!de) {
ret = -ENOMEM;
io_req_complete_failed(req, ret);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 295/508] powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 294/508] io_uring: account drain memory to cgroup Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 296/508] regulator: max20086: Fix MAX200086 chip id Greg Kroah-Hartman
` (215 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gautam Menghani,
Venkat Rao Bagalkote, Vaibhav Jain, Madhavan Srinivasan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautam Menghani <gautam@linux.ibm.com>
commit 9cc0eafd28c7faef300822992bb08d79cab2a36c upstream.
When a system is being suspended to RAM, the PCI devices are also
suspended and the PPC code ends up calling pseries_msi_compose_msg() and
this triggers the BUG_ON() in __pci_read_msi_msg() because the device at
this point is in reduced power state. In reduced power state, the memory
mapped registers of the PCI device are not accessible.
To replicate the bug:
1. Make sure deep sleep is selected
# cat /sys/power/mem_sleep
s2idle [deep]
2. Make sure console is not suspended (so that dmesg logs are visible)
echo N > /sys/module/printk/parameters/console_suspend
3. Suspend the system
echo mem > /sys/power/state
To fix this behaviour, read the cached msi message of the device when the
device is not in PCI_D0 power state instead of touching the hardware.
Fixes: a5f3d2c17b07 ("powerpc/pseries/pci: Add MSI domains")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250305090237.294633-1-gautam@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/msi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/msi.c
+++ b/arch/powerpc/platforms/pseries/msi.c
@@ -522,7 +522,12 @@ static struct msi_domain_info pseries_ms
static void pseries_msi_compose_msg(struct irq_data *data, struct msi_msg *msg)
{
- __pci_read_msi_msg(irq_data_get_msi_desc(data), msg);
+ struct pci_dev *dev = msi_desc_to_pci_dev(irq_data_get_msi_desc(data));
+
+ if (dev->current_state == PCI_D0)
+ __pci_read_msi_msg(irq_data_get_msi_desc(data), msg);
+ else
+ get_cached_msi_msg(data->irq, msg);
}
static struct irq_chip pseries_msi_irq_chip = {
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 296/508] regulator: max20086: Fix MAX200086 chip id
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 295/508] powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 297/508] regulator: max20086: Change enable gpio to optional Greg Kroah-Hartman
` (214 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, João Paulo Gonçalves,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
commit 71406b6d1155d883c80c1b4405939a52f723aa05 upstream.
>From MAX20086-MAX20089 datasheet, the id for a MAX20086 is 0x30 and not
0x40. With the current code, the driver will fail on probe when the
driver tries to identify the chip id from a MAX20086 device over I2C.
Cc: stable@vger.kernel.org
Fixes: bfff546aae50 ("regulator: Add MAX20086-MAX20089 driver")
Signed-off-by: João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
Link: https://patch.msgid.link/20250420-fix-max20086-v1-1-8cc9ee0d5a08@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/max20086-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/regulator/max20086-regulator.c
+++ b/drivers/regulator/max20086-regulator.c
@@ -30,7 +30,7 @@
#define MAX20086_REG_ADC4 0x09
/* DEVICE IDs */
-#define MAX20086_DEVICE_ID_MAX20086 0x40
+#define MAX20086_DEVICE_ID_MAX20086 0x30
#define MAX20086_DEVICE_ID_MAX20087 0x20
#define MAX20086_DEVICE_ID_MAX20088 0x10
#define MAX20086_DEVICE_ID_MAX20089 0x00
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 297/508] regulator: max20086: Change enable gpio to optional
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 296/508] regulator: max20086: Fix MAX200086 chip id Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 298/508] net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() Greg Kroah-Hartman
` (213 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, João Paulo Gonçalves,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
commit e8ac7336dd62f0443a675ed80b17f0f0e6846e20 upstream.
The enable pin can be configured as always enabled by the hardware. Make
the enable gpio request optional so the driver doesn't fail to probe
when `enable-gpios` property is not present in the device tree.
Cc: stable@vger.kernel.org
Fixes: bfff546aae50 ("regulator: Add MAX20086-MAX20089 driver")
Signed-off-by: João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com>
Link: https://patch.msgid.link/20250420-fix-max20086-v1-2-8cc9ee0d5a08@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/max20086-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/regulator/max20086-regulator.c
+++ b/drivers/regulator/max20086-regulator.c
@@ -265,7 +265,7 @@ static int max20086_i2c_probe(struct i2c
* shutdown.
*/
flags = boot_on ? GPIOD_OUT_HIGH : GPIOD_OUT_LOW;
- chip->ena_gpiod = devm_gpiod_get(chip->dev, "enable", flags);
+ chip->ena_gpiod = devm_gpiod_get_optional(chip->dev, "enable", flags);
if (IS_ERR(chip->ena_gpiod)) {
ret = PTR_ERR(chip->ena_gpiod);
dev_err(chip->dev, "Failed to get enable GPIO: %d\n", ret);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 298/508] net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 297/508] regulator: max20086: Change enable gpio to optional Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 299/508] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() Greg Kroah-Hartman
` (212 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Tariq Toukan,
Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit f0b50730bdd8f2734e548de541e845c0d40dceb6 upstream.
The function mlx5_query_nic_vport_qkey_viol_cntr() calls the function
mlx5_query_nic_vport_context() but does not check its return value. This
could lead to undefined behavior if the query fails. A proper
implementation can be found in mlx5_nic_vport_query_local_lb().
Add error handling for mlx5_query_nic_vport_context(). If it fails, free
the out buffer via kvfree() and return error code.
Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields")
Cc: stable@vger.kernel.org # v4.5
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250521133620.912-1-vulab@iscas.ac.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
@@ -497,19 +497,22 @@ int mlx5_query_nic_vport_qkey_viol_cntr(
{
u32 *out;
int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out);
+ int err;
out = kvzalloc(outlen, GFP_KERNEL);
if (!out)
return -ENOMEM;
- mlx5_query_nic_vport_context(mdev, 0, out);
+ err = mlx5_query_nic_vport_context(mdev, 0, out);
+ if (err)
+ goto out;
*qkey_viol_cntr = MLX5_GET(query_nic_vport_context_out, out,
nic_vport_context.qkey_violation_counter);
-
+out:
kvfree(out);
- return 0;
+ return err;
}
EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_qkey_viol_cntr);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 299/508] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 298/508] net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 300/508] wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Greg Kroah-Hartman
` (211 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Tariq Toukan,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit c6bb8a21cdad8c975a3a646b9e5c8df01ad29783 upstream.
The function mlx5_query_nic_vport_node_guid() calls the function
mlx5_query_nic_vport_context() but does not check its return value.
A proper implementation can be found in mlx5_nic_vport_query_local_lb().
Add error handling for mlx5_query_nic_vport_context(). If it fails, free
the out buffer via kvfree() and return error code.
Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields")
Cc: stable@vger.kernel.org # v4.5
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250524163425.1695-1-vulab@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
@@ -443,19 +443,22 @@ int mlx5_query_nic_vport_node_guid(struc
{
u32 *out;
int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out);
+ int err;
out = kvzalloc(outlen, GFP_KERNEL);
if (!out)
return -ENOMEM;
- mlx5_query_nic_vport_context(mdev, 0, out);
+ err = mlx5_query_nic_vport_context(mdev, 0, out);
+ if (err)
+ goto out;
*node_guid = MLX5_GET64(query_nic_vport_context_out, out,
nic_vport_context.node_guid);
-
+out:
kvfree(out);
- return 0;
+ return err;
}
EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 300/508] wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 299/508] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 301/508] wifi: ath11k: fix rx completion meta data corruption Greg Kroah-Hartman
` (210 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Robert Morris,
Christian Lamparter, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Lamparter <chunkeey@gmail.com>
commit da1b9a55ff116cb040528ef664c70a4eec03ae99 upstream.
Robert Morris reported:
|If a malicious USB device pretends to be an Intersil p54 wifi
|interface and generates an eeprom_readback message with a large
|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
|message beyond the end of priv->eeprom.
|
|static void p54_rx_eeprom_readback(struct p54_common *priv,
| struct sk_buff *skb)
|{
| struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
| struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
|
| if (priv->fw_var >= 0x509) {
| memcpy(priv->eeprom, eeprom->v2.data,
| le16_to_cpu(eeprom->v2.len));
| } else {
| memcpy(priv->eeprom, eeprom->v1.data,
| le16_to_cpu(eeprom->v1.len));
| }
| [...]
The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
The device is supposed to provide the same length back to the driver.
But yes, it's possible (like shown in the report) to alter the value
to something that causes a crash/panic due to overrun.
This patch addresses the issue by adding the size to the common device
context, so p54_rx_eeprom_readback no longer relies on possibly tampered
values... That said, it also checks if the "firmware" altered the value
and no longer copies them.
The one, small saving grace is: Before the driver tries to read the eeprom,
it needs to upload >a< firmware. the vendor firmware has a proprietary
license and as a reason, it is not present on most distributions by
default.
Cc: <stable@kernel.org>
Reported-by: Robert Morris <rtm@mit.edu>
Closes: https://lore.kernel.org/linux-wireless/28782.1747258414@localhost/
Fixes: 7cb770729ba8 ("p54: move eeprom code into common library")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Link: https://patch.msgid.link/20250516184107.47794-1-chunkeey@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intersil/p54/fwio.c | 2 ++
drivers/net/wireless/intersil/p54/p54.h | 1 +
drivers/net/wireless/intersil/p54/txrx.c | 13 +++++++++----
3 files changed, 12 insertions(+), 4 deletions(-)
--- a/drivers/net/wireless/intersil/p54/fwio.c
+++ b/drivers/net/wireless/intersil/p54/fwio.c
@@ -231,6 +231,7 @@ int p54_download_eeprom(struct p54_commo
mutex_lock(&priv->eeprom_mutex);
priv->eeprom = buf;
+ priv->eeprom_slice_size = len;
eeprom_hdr = skb_put(skb, eeprom_hdr_size + len);
if (priv->fw_var < 0x509) {
@@ -253,6 +254,7 @@ int p54_download_eeprom(struct p54_commo
ret = -EBUSY;
}
priv->eeprom = NULL;
+ priv->eeprom_slice_size = 0;
mutex_unlock(&priv->eeprom_mutex);
return ret;
}
--- a/drivers/net/wireless/intersil/p54/p54.h
+++ b/drivers/net/wireless/intersil/p54/p54.h
@@ -258,6 +258,7 @@ struct p54_common {
/* eeprom handling */
void *eeprom;
+ size_t eeprom_slice_size;
struct completion eeprom_comp;
struct mutex eeprom_mutex;
};
--- a/drivers/net/wireless/intersil/p54/txrx.c
+++ b/drivers/net/wireless/intersil/p54/txrx.c
@@ -496,14 +496,19 @@ static void p54_rx_eeprom_readback(struc
return ;
if (priv->fw_var >= 0x509) {
- memcpy(priv->eeprom, eeprom->v2.data,
- le16_to_cpu(eeprom->v2.len));
+ if (le16_to_cpu(eeprom->v2.len) != priv->eeprom_slice_size)
+ return;
+
+ memcpy(priv->eeprom, eeprom->v2.data, priv->eeprom_slice_size);
} else {
- memcpy(priv->eeprom, eeprom->v1.data,
- le16_to_cpu(eeprom->v1.len));
+ if (le16_to_cpu(eeprom->v1.len) != priv->eeprom_slice_size)
+ return;
+
+ memcpy(priv->eeprom, eeprom->v1.data, priv->eeprom_slice_size);
}
priv->eeprom = NULL;
+ priv->eeprom_slice_size = 0;
tmp = p54_find_and_unlink_skb(priv, hdr->req_id);
dev_kfree_skb_any(tmp);
complete(&priv->eeprom_comp);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 301/508] wifi: ath11k: fix rx completion meta data corruption
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 300/508] wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 302/508] wifi: ath11k: fix ring-buffer corruption Greg Kroah-Hartman
` (209 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Clayton Craft,
Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit ab52e3e44fe9b666281752e2481d11e25b0e3fdd upstream.
Add the missing memory barrier to make sure that the REO dest ring
descriptor is read after the head pointer to avoid using stale data on
weakly ordered architectures like aarch64.
This may fix the ring-buffer corruption worked around by commit
f9fff67d2d7c ("wifi: ath11k: Fix SKB corruption in REO destination
ring") by silently discarding data, and may possibly also address user
reported errors like:
ath11k_pci 0006:01:00.0: msdu_done bit in attention is not set
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org # 5.6
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218005
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Tested-by: Clayton Craft <clayton@craftyguy.net>
Link: https://patch.msgid.link/20250321145302.4775-1-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2648,7 +2648,7 @@ int ath11k_dp_process_rx(struct ath11k_b
struct ath11k *ar;
struct hal_reo_dest_ring *desc;
enum hal_reo_dest_ring_push_reason push_reason;
- u32 cookie;
+ u32 cookie, info0, rx_msdu_info0, rx_mpdu_info0;
int i;
for (i = 0; i < MAX_RADIOS; i++)
@@ -2661,11 +2661,14 @@ int ath11k_dp_process_rx(struct ath11k_b
try_again:
ath11k_hal_srng_access_begin(ab, srng);
+ /* Make sure descriptor is read after the head pointer. */
+ dma_rmb();
+
while (likely(desc =
(struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab,
srng))) {
cookie = FIELD_GET(BUFFER_ADDR_INFO1_SW_COOKIE,
- desc->buf_addr_info.info1);
+ READ_ONCE(desc->buf_addr_info.info1));
buf_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_BUF_ID,
cookie);
mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie);
@@ -2694,8 +2697,9 @@ try_again:
num_buffs_reaped[mac_id]++;
+ info0 = READ_ONCE(desc->info0);
push_reason = FIELD_GET(HAL_REO_DEST_RING_INFO0_PUSH_REASON,
- desc->info0);
+ info0);
if (unlikely(push_reason !=
HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) {
dev_kfree_skb_any(msdu);
@@ -2703,18 +2707,21 @@ try_again:
continue;
}
- rxcb->is_first_msdu = !!(desc->rx_msdu_info.info0 &
+ rx_msdu_info0 = READ_ONCE(desc->rx_msdu_info.info0);
+ rx_mpdu_info0 = READ_ONCE(desc->rx_mpdu_info.info0);
+
+ rxcb->is_first_msdu = !!(rx_msdu_info0 &
RX_MSDU_DESC_INFO0_FIRST_MSDU_IN_MPDU);
- rxcb->is_last_msdu = !!(desc->rx_msdu_info.info0 &
+ rxcb->is_last_msdu = !!(rx_msdu_info0 &
RX_MSDU_DESC_INFO0_LAST_MSDU_IN_MPDU);
- rxcb->is_continuation = !!(desc->rx_msdu_info.info0 &
+ rxcb->is_continuation = !!(rx_msdu_info0 &
RX_MSDU_DESC_INFO0_MSDU_CONTINUATION);
rxcb->peer_id = FIELD_GET(RX_MPDU_DESC_META_DATA_PEER_ID,
- desc->rx_mpdu_info.meta_data);
+ READ_ONCE(desc->rx_mpdu_info.meta_data));
rxcb->seq_no = FIELD_GET(RX_MPDU_DESC_INFO0_SEQ_NUM,
- desc->rx_mpdu_info.info0);
+ rx_mpdu_info0);
rxcb->tid = FIELD_GET(HAL_REO_DEST_RING_INFO0_RX_QUEUE_NUM,
- desc->info0);
+ info0);
rxcb->mac_id = mac_id;
__skb_queue_tail(&msdu_list[mac_id], msdu);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 302/508] wifi: ath11k: fix ring-buffer corruption
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 301/508] wifi: ath11k: fix rx completion meta data corruption Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 303/508] nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Greg Kroah-Hartman
` (208 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqing Pan, Johan Hovold,
Steev Klimaszewski, Jens Glathe, Clayton Craft, Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 6d037a372f817e9fcb56482f37917545596bd776 upstream.
Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes
breaks and the log fills up with errors like:
ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492
ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
which based on a quick look at the driver seemed to indicate some kind
of ring-buffer corruption.
Miaoqing Pan tracked it down to the host seeing the updated destination
ring head pointer before the updated descriptor, and the error handling
for that in turn leaves the ring buffer in an inconsistent state.
Add the missing memory barrier to make sure that the descriptor is read
after the head pointer to address the root cause of the corruption while
fixing up the error handling in case there are ever any (ordering) bugs
on the device side.
Note that the READ_ONCE() are only needed to avoid compiler mischief in
case the ring-buffer helpers are ever inlined.
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623
Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com
Cc: Miaoqing Pan <quic_miaoqing@quicinc.com>
Cc: stable@vger.kernel.org # 5.6
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Miaoqing Pan <quic_miaoqing@quicinc.com>
Tested-by: Steev Klimaszewski <steev@kali.org>
Tested-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
Tested-by: Clayton Craft <clayton@craftyguy.net>
Link: https://patch.msgid.link/20250321094916.19098-1-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/ce.c | 11 +++++------
drivers/net/wireless/ath/ath11k/hal.c | 4 ++--
2 files changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/ce.c
+++ b/drivers/net/wireless/ath/ath11k/ce.c
@@ -393,11 +393,10 @@ static int ath11k_ce_completed_recv_next
goto err;
}
+ /* Make sure descriptor is read after the head pointer. */
+ dma_rmb();
+
*nbytes = ath11k_hal_ce_dst_status_get_length(desc);
- if (*nbytes == 0) {
- ret = -EIO;
- goto err;
- }
*skb = pipe->dest_ring->skb[sw_index];
pipe->dest_ring->skb[sw_index] = NULL;
@@ -430,8 +429,8 @@ static void ath11k_ce_recv_process_cb(st
dma_unmap_single(ab->dev, ATH11K_SKB_RXCB(skb)->paddr,
max_nbytes, DMA_FROM_DEVICE);
- if (unlikely(max_nbytes < nbytes)) {
- ath11k_warn(ab, "rxed more than expected (nbytes %d, max %d)",
+ if (unlikely(max_nbytes < nbytes || nbytes == 0)) {
+ ath11k_warn(ab, "unexpected rx length (nbytes %d, max %d)",
nbytes, max_nbytes);
dev_kfree_skb_any(skb);
continue;
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -601,7 +601,7 @@ u32 ath11k_hal_ce_dst_status_get_length(
(struct hal_ce_srng_dst_status_desc *)buf;
u32 len;
- len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, desc->flags);
+ len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, READ_ONCE(desc->flags));
desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN;
return len;
@@ -802,7 +802,7 @@ void ath11k_hal_srng_access_begin(struct
srng->u.src_ring.cached_tp =
*(volatile u32 *)srng->u.src_ring.tp_addr;
} else {
- srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr;
+ srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
/* Try to prefetch the next descriptor in the ring */
if (srng->flags & HAL_SRNG_FLAGS_CACHED)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 303/508] nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 302/508] wifi: ath11k: fix ring-buffer corruption Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 304/508] nfsd: Initialize ssc before laundromat_work to prevent NULL dereference Greg Kroah-Hartman
` (207 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Jeff Layton,
NeilBrown, Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
commit 1244f0b2c3cecd3f349a877006e67c9492b41807 upstream.
If the request being processed is not a v4 compound request, then
examining the cstate can have undefined results.
This patch adds a check that the rpc procedure being executed
(rq_procinfo) is the NFSPROC4_COMPOUND procedure.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4proc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -3536,7 +3536,8 @@ bool nfsd4_spo_must_allow(struct svc_rqs
struct nfs4_op_map *allow = &cstate->clp->cl_spo_must_allow;
u32 opiter;
- if (!cstate->minorversion)
+ if (rqstp->rq_procinfo != &nfsd_version4.vs_proc[NFSPROC4_COMPOUND] ||
+ cstate->minorversion == 0)
return false;
if (cstate->spo_must_allowed)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 304/508] nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 303/508] nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 305/508] jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Greg Kroah-Hartman
` (206 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Li Lingfeng,
Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
commit b31da62889e6d610114d81dc7a6edbcaa503fcf8 upstream.
In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through
nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,
this can cause NULL pointer dereference.
Normally the delayed start of laundromat_work allows sufficient time for
nfsd_ssc initialization to complete. However, when the kernel waits too
long for userspace responses (e.g. in nfs4_state_start_net ->
nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->
cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the
delayed work may start before nfsd_ssc initialization finishes.
Fix this by moving nfsd_ssc initialization before starting laundromat_work.
Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfssvc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -427,13 +427,13 @@ static int nfsd_startup_net(struct net *
if (ret)
goto out_filecache;
+#ifdef CONFIG_NFSD_V4_2_INTER_SSC
+ nfsd4_ssc_init_umount_work(nn);
+#endif
ret = nfs4_state_start_net(net);
if (ret)
goto out_reply_cache;
-#ifdef CONFIG_NFSD_V4_2_INTER_SSC
- nfsd4_ssc_init_umount_work(nn);
-#endif
nn->nfsd_net_up = true;
return 0;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 305/508] jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 304/508] nfsd: Initialize ssc before laundromat_work to prevent NULL dereference Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 306/508] wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 Greg Kroah-Hartman
` (205 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+de24c3fe3c4091051710,
Jeongjun Park, Jan Kara, Theodore Tso, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit af98b0157adf6504fade79b3e6cb260c4ff68e37 upstream.
Since handle->h_transaction may be a NULL pointer, so we should change it
to call is_handle_aborted(handle) first before dereferencing it.
And the following data-race was reported in my fuzzer:
==================================================================
BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata
write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:
jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556
__ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
__ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
....
read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:
jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512
__ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
__ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
....
value changed: 0x00000000 -> 0x00000001
==================================================================
This issue is caused by missing data-race annotation for jh->b_modified.
Therefore, the missing annotation needs to be added.
Reported-by: syzbot+de24c3fe3c4091051710@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=de24c3fe3c4091051710
Fixes: 6e06ae88edae ("jbd2: speedup jbd2_journal_dirty_metadata()")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250514130855.99010-1-aha310510@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1518,7 +1518,7 @@ int jbd2_journal_dirty_metadata(handle_t
jh->b_next_transaction == transaction);
spin_unlock(&jh->b_state_lock);
}
- if (jh->b_modified == 1) {
+ if (data_race(jh->b_modified == 1)) {
/* If it's in our transaction it must be in BJ_Metadata list. */
if (data_race(jh->b_transaction == transaction &&
jh->b_jlist != BJ_Metadata)) {
@@ -1537,7 +1537,6 @@ int jbd2_journal_dirty_metadata(handle_t
goto out;
}
- journal = transaction->t_journal;
spin_lock(&jh->b_state_lock);
if (is_handle_aborted(handle)) {
@@ -1552,6 +1551,8 @@ int jbd2_journal_dirty_metadata(handle_t
goto out_unlock_bh;
}
+ journal = transaction->t_journal;
+
if (jh->b_modified == 0) {
/*
* This buffer's got modified and becoming part
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 306/508] wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 305/508] jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 307/508] media: ov8856: suppress probe deferral errors Greg Kroah-Hartman
` (204 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liangliang Zou, Mingcong Bai,
Ping-Ke Shih
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingcong Bai <jeffbai@aosc.io>
commit 77a6407c6ab240527166fb19ee96e95f5be4d3cd upstream.
RTL8723BE found on some ASUSTek laptops, such as F441U and X555UQ with
subsystem ID 11ad:1723 are known to output large amounts of PCIe AER
errors during and after boot up, causing heavy lags and at times lock-ups:
pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5
pcieport 0000:00:1c.5: PCIe Bus Error: severity=Correctable, type=Physical Layer, (Receiver ID)
pcieport 0000:00:1c.5: device [8086:9d15] error status/mask=00000001/00002000
pcieport 0000:00:1c.5: [ 0] RxErr
Disable ASPM on this combo as a quirk.
This patch is a revision of a previous patch (linked below) which
attempted to disable ASPM for RTL8723BE on all Intel Skylake and Kaby Lake
PCIe bridges. I take a more conservative approach as all known reports
point to ASUSTek laptops of these two generations with this particular
wireless card.
Please note, however, before the rtl8723be finishes probing, the AER
errors remained. After the module finishes probing, all AER errors would
indeed be eliminated, along with heavy lags, poor network throughput,
and/or occasional lock-ups.
Cc: <stable@vger.kernel.org>
Fixes: a619d1abe20c ("rtlwifi: rtl8723be: Add new driver")
Reported-by: Liangliang Zou <rawdiamondmc@outlook.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218127
Link: https://lore.kernel.org/lkml/05390e0b-27fd-4190-971e-e70a498c8221@lwfinger.net/T/
Tested-by: Liangliang Zou <rawdiamondmc@outlook.com>
Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250422061755.356535-1-jeffbai@aosc.io
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -155,6 +155,16 @@ static void _rtl_pci_update_default_sett
if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8192SE &&
init_aspm == 0x43)
ppsc->support_aspm = false;
+
+ /* RTL8723BE found on some ASUSTek laptops, such as F441U and
+ * X555UQ with subsystem ID 11ad:1723 are known to output large
+ * amounts of PCIe AER errors during and after boot up, causing
+ * heavy lags, poor network throughput, and occasional lock-ups.
+ */
+ if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8723BE &&
+ (rtlpci->pdev->subsystem_vendor == 0x11ad &&
+ rtlpci->pdev->subsystem_device == 0x1723))
+ ppsc->support_aspm = false;
}
static bool _rtl_pci_platform_switch_device_pci_aspm(
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 307/508] media: ov8856: suppress probe deferral errors
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 306/508] wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 308/508] media: ccs-pll: Start VT pre-PLL multiplier search from correct value Greg Kroah-Hartman
` (203 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sakari Ailus,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit e3d86847fba58cf71f66e81b6a2515e07039ae17 upstream.
Probe deferral should not be logged as an error:
ov8856 24-0010: failed to get HW configuration: -517
Use dev_err_probe() for the clock lookup and drop the (mostly) redundant
dev_err() from sensor probe() to suppress it.
Note that errors during regulator lookup is already correctly logged
using dev_err_probe().
Fixes: 0c2c7a1e0d69 ("media: ov8856: Add devicetree support")
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov8856.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/media/i2c/ov8856.c
+++ b/drivers/media/i2c/ov8856.c
@@ -2319,8 +2319,8 @@ static int ov8856_get_hwcfg(struct ov885
if (!is_acpi_node(fwnode)) {
ov8856->xvclk = devm_clk_get(dev, "xvclk");
if (IS_ERR(ov8856->xvclk)) {
- dev_err(dev, "could not get xvclk clock (%pe)\n",
- ov8856->xvclk);
+ dev_err_probe(dev, PTR_ERR(ov8856->xvclk),
+ "could not get xvclk clock\n");
return PTR_ERR(ov8856->xvclk);
}
@@ -2425,11 +2425,8 @@ static int ov8856_probe(struct i2c_clien
return -ENOMEM;
ret = ov8856_get_hwcfg(ov8856, &client->dev);
- if (ret) {
- dev_err(&client->dev, "failed to get HW configuration: %d",
- ret);
+ if (ret)
return ret;
- }
v4l2_i2c_subdev_init(&ov8856->sd, client, &ov8856_subdev_ops);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 308/508] media: ccs-pll: Start VT pre-PLL multiplier search from correct value
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 307/508] media: ov8856: suppress probe deferral errors Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 309/508] media: ccs-pll: Start OP " Greg Kroah-Hartman
` (202 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 06d2d478b09e6764fb6161d1621fc10d9f0f2860 upstream.
The ccs_pll_calculate_vt_tree() function does a search over possible VT
PLL configurations to find the "best" one. If the sensor does not support
odd pre-PLL divisors and the minimum value (with constraints) isn't 1,
other odd values could be errorneously searched (and selected) for the
pre-PLL divisor. Fix this.
Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs-pll.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/ccs-pll.c
+++ b/drivers/media/i2c/ccs-pll.c
@@ -397,6 +397,8 @@ static int ccs_pll_calculate_vt_tree(str
min_pre_pll_clk_div = max_t(u16, min_pre_pll_clk_div,
pll->ext_clk_freq_hz /
lim_fr->max_pll_ip_clk_freq_hz);
+ if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER))
+ min_pre_pll_clk_div = clk_div_even(min_pre_pll_clk_div);
dev_dbg(dev, "vt min/max_pre_pll_clk_div: %u,%u\n",
min_pre_pll_clk_div, max_pre_pll_clk_div);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 309/508] media: ccs-pll: Start OP pre-PLL multiplier search from correct value
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 308/508] media: ccs-pll: Start VT pre-PLL multiplier search from correct value Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 310/508] media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div Greg Kroah-Hartman
` (201 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 660e613d05e449766784c549faf5927ffaf281f1 upstream.
The ccs_pll_calculate() function does a search over possible PLL
configurations to find the "best" one. If the sensor does not support odd
pre-PLL divisors and the minimum value (with constraints) isn't 1, other
odd values could be errorneously searched (and selected) for the pre-PLL
divisor. Fix this.
Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs-pll.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/ccs-pll.c
+++ b/drivers/media/i2c/ccs-pll.c
@@ -817,6 +817,8 @@ int ccs_pll_calculate(struct device *dev
one_or_more(
DIV_ROUND_UP(op_lim_fr->max_pll_op_clk_freq_hz,
pll->ext_clk_freq_hz))));
+ if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER))
+ min_op_pre_pll_clk_div = clk_div_even(min_op_pre_pll_clk_div);
dev_dbg(dev, "pll_op check: min / max op_pre_pll_clk_div: %u / %u\n",
min_op_pre_pll_clk_div, max_op_pre_pll_clk_div);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 310/508] media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 309/508] media: ccs-pll: Start OP " Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 311/508] media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case Greg Kroah-Hartman
` (200 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit f639494db450770fa30d6845d9c84b9cb009758f upstream.
The PLL calculator does a search of the PLL configuration space for all
valid OP pre-PLL clock dividers. The maximum did not take into account the
CCS PLL flag CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER in which case also odd PLL
dividers (other than 1) are valid. Do that now.
Fixes: 4e1e8d240dff ("media: ccs-pll: Add support for extended input PLL clock divider")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs-pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/ccs-pll.c
+++ b/drivers/media/i2c/ccs-pll.c
@@ -794,7 +794,7 @@ int ccs_pll_calculate(struct device *dev
op_lim_fr->min_pre_pll_clk_div, op_lim_fr->max_pre_pll_clk_div);
max_op_pre_pll_clk_div =
min_t(u16, op_lim_fr->max_pre_pll_clk_div,
- clk_div_even(pll->ext_clk_freq_hz /
+ DIV_ROUND_UP(pll->ext_clk_freq_hz,
op_lim_fr->min_pll_ip_clk_freq_hz));
min_op_pre_pll_clk_div =
max_t(u16, op_lim_fr->min_pre_pll_clk_div,
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 311/508] media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 310/508] media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 312/508] media: cxusb: no longer judge rbuf when the write fails Greg Kroah-Hartman
` (199 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 6868b955acd6e5d7405a2b730c2ffb692ad50d2c upstream.
The check for VT PLL upper limit in dual PLL case was missing. Add it now.
Fixes: 6c7469e46b60 ("media: ccs-pll: Add trivial dual PLL support")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs-pll.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/media/i2c/ccs-pll.c
+++ b/drivers/media/i2c/ccs-pll.c
@@ -312,6 +312,11 @@ __ccs_pll_calculate_vt_tree(struct devic
dev_dbg(dev, "more_mul2: %u\n", more_mul);
pll_fr->pll_multiplier = mul * more_mul;
+ if (pll_fr->pll_multiplier > lim_fr->max_pll_multiplier) {
+ dev_dbg(dev, "pll multiplier %u too high\n",
+ pll_fr->pll_multiplier);
+ return -EINVAL;
+ }
if (pll_fr->pll_multiplier * pll_fr->pll_ip_clk_freq_hz >
lim_fr->max_pll_op_clk_freq_hz)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 312/508] media: cxusb: no longer judge rbuf when the write fails
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 311/508] media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 313/508] media: davinci: vpif: Fix memory leak in probe error path Greg Kroah-Hartman
` (198 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+526bd95c0ec629993bf3,
Edward Adam Davis, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 73fb3b92da84637e3817580fa205d48065924e15 upstream.
syzbot reported a uninit-value in cxusb_i2c_xfer. [1]
Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()
succeeds and rlen is greater than 0, the read operation of usb_bulk_msg()
will be executed to read rlen bytes of data from the dvb device into the
rbuf.
In this case, although rlen is 1, the write operation failed which resulted
in the dvb read operation not being executed, and ultimately variable i was
not initialized.
[1]
BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
__i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
i2c_master_send include/linux/i2c.h:109 [inline]
i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
do_loop_readv_writev fs/read_write.c:848 [inline]
vfs_writev+0x963/0x14e0 fs/read_write.c:1057
do_writev+0x247/0x5c0 fs/read_write.c:1101
__do_sys_writev fs/read_write.c:1169 [inline]
__se_sys_writev fs/read_write.c:1166 [inline]
__x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=526bd95c0ec629993bf3
Tested-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
Fixes: 22c6d93a7310 ("[PATCH] dvb: usb: support Medion hybrid USB2.0 DVB-T/analogue box")
Cc: stable@vger.kernel.org
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/dvb-usb/cxusb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -119,9 +119,8 @@ static void cxusb_gpio_tuner(struct dvb_
o[0] = GPIO_TUNER;
o[1] = onoff;
- cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);
- if (i != 0x01)
+ if (!cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1) && i != 0x01)
dev_info(&d->udev->dev, "gpio_write failed.\n");
st->gpio_write_state[GPIO_TUNER] = onoff;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 313/508] media: davinci: vpif: Fix memory leak in probe error path
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 312/508] media: cxusb: no longer judge rbuf when the write fails Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 314/508] media: gspca: Add error handling for stv06xx_read_sensor() Greg Kroah-Hartman
` (197 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Nikiforov, Johan Hovold,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
commit 024bf40edf1155e7a587f0ec46294049777d9b02 upstream.
If an error occurs during the initialization of `pdev_display`,
the allocated platform device `pdev_capture` is not released properly,
leading to a memory leak.
Adjust error path handling to fix the leak.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/davinci/vpif.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/ti/davinci/vpif.c
+++ b/drivers/media/platform/ti/davinci/vpif.c
@@ -505,7 +505,7 @@ static int vpif_probe(struct platform_de
pdev_display = kzalloc(sizeof(*pdev_display), GFP_KERNEL);
if (!pdev_display) {
ret = -ENOMEM;
- goto err_put_pdev_capture;
+ goto err_del_pdev_capture;
}
pdev_display->name = "vpif_display";
@@ -528,6 +528,8 @@ static int vpif_probe(struct platform_de
err_put_pdev_display:
platform_device_put(pdev_display);
+err_del_pdev_capture:
+ platform_device_del(pdev_capture);
err_put_pdev_capture:
platform_device_put(pdev_capture);
err_put_rpm:
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 314/508] media: gspca: Add error handling for stv06xx_read_sensor()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 313/508] media: davinci: vpif: Fix memory leak in probe error path Greg Kroah-Hartman
@ 2025-06-23 13:05 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 315/508] media: omap3isp: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
` (196 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 398a1b33f1479af35ca915c5efc9b00d6204f8fa upstream.
In hdcs_init(), the return value of stv06xx_read_sensor() needs to be
checked. A proper implementation can be found in vv6410_dump(). Add a
check in loop condition and propergate error code to fix this issue.
Fixes: 4c98834addfe ("V4L/DVB (10048): gspca - stv06xx: New subdriver.")
Cc: stable@vger.kernel.org # v2.6+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
@@ -520,12 +520,13 @@ static int hdcs_init(struct sd *sd)
static int hdcs_dump(struct sd *sd)
{
u16 reg, val;
+ int err = 0;
pr_info("Dumping sensor registers:\n");
- for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH; reg++) {
- stv06xx_read_sensor(sd, reg, &val);
+ for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH && !err; reg++) {
+ err = stv06xx_read_sensor(sd, reg, &val);
pr_info("reg 0x%02x = 0x%02x\n", reg, val);
}
- return 0;
+ return (err < 0) ? err : 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 315/508] media: omap3isp: use sgtable-based scatterlist wrappers
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2025-06-23 13:05 ` [PATCH 6.1 314/508] media: gspca: Add error handling for stv06xx_read_sensor() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 316/508] media: v4l2-dev: fix error handling in __video_register_device() Greg Kroah-Hartman
` (195 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Laurent Pinchart,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 3de572fe2189a4a0bd80295e1f478401e739498e upstream.
Use common wrappers operating directly on the struct sg_table objects to
fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
functions have to be called with the number of elements originally passed
to dma_map_sg_*() function, not the one returned in sgtable's nents.
Fixes: d33186d0be18 ("[media] omap3isp: ccdc: Use the DMA API for LSC")
Fixes: 0e24e90f2ca7 ("[media] omap3isp: stat: Use the DMA API")
CC: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/omap3isp/ispccdc.c | 8 ++++----
drivers/media/platform/ti/omap3isp/ispstat.c | 6 ++----
2 files changed, 6 insertions(+), 8 deletions(-)
--- a/drivers/media/platform/ti/omap3isp/ispccdc.c
+++ b/drivers/media/platform/ti/omap3isp/ispccdc.c
@@ -446,8 +446,8 @@ static int ccdc_lsc_config(struct isp_cc
if (ret < 0)
goto done;
- dma_sync_sg_for_cpu(isp->dev, req->table.sgt.sgl,
- req->table.sgt.nents, DMA_TO_DEVICE);
+ dma_sync_sgtable_for_cpu(isp->dev, &req->table.sgt,
+ DMA_TO_DEVICE);
if (copy_from_user(req->table.addr, config->lsc,
req->config.size)) {
@@ -455,8 +455,8 @@ static int ccdc_lsc_config(struct isp_cc
goto done;
}
- dma_sync_sg_for_device(isp->dev, req->table.sgt.sgl,
- req->table.sgt.nents, DMA_TO_DEVICE);
+ dma_sync_sgtable_for_device(isp->dev, &req->table.sgt,
+ DMA_TO_DEVICE);
}
spin_lock_irqsave(&ccdc->lsc.req_lock, flags);
--- a/drivers/media/platform/ti/omap3isp/ispstat.c
+++ b/drivers/media/platform/ti/omap3isp/ispstat.c
@@ -161,8 +161,7 @@ static void isp_stat_buf_sync_for_device
if (ISP_STAT_USES_DMAENGINE(stat))
return;
- dma_sync_sg_for_device(stat->isp->dev, buf->sgt.sgl,
- buf->sgt.nents, DMA_FROM_DEVICE);
+ dma_sync_sgtable_for_device(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE);
}
static void isp_stat_buf_sync_for_cpu(struct ispstat *stat,
@@ -171,8 +170,7 @@ static void isp_stat_buf_sync_for_cpu(st
if (ISP_STAT_USES_DMAENGINE(stat))
return;
- dma_sync_sg_for_cpu(stat->isp->dev, buf->sgt.sgl,
- buf->sgt.nents, DMA_FROM_DEVICE);
+ dma_sync_sgtable_for_cpu(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE);
}
static void isp_stat_buf_clear(struct ispstat *stat)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 316/508] media: v4l2-dev: fix error handling in __video_register_device()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 315/508] media: omap3isp: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 317/508] media: venus: Fix probe error handling Greg Kroah-Hartman
` (194 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Sakari Ailus, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 2a934fdb01db6458288fc9386d3d8ceba6dd551a upstream.
Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
And move callback function v4l2_device_release() and v4l2_device_get()
before put_device().
As comment of device_register() says, 'NOTE: _Never_ directly free
@dev after calling this function, even if it returned an error! Always
use put_device() to give up the reference initialized in this function
instead.'
Found by code review.
Cc: stable@vger.kernel.org
Fixes: dc93a70cc7f9 ("V4L/DVB (9973): v4l2-dev: use the release callback from device instead of cdev")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-dev.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/media/v4l2-core/v4l2-dev.c
+++ b/drivers/media/v4l2-core/v4l2-dev.c
@@ -1032,25 +1032,25 @@ int __video_register_device(struct video
vdev->dev.class = &video_class;
vdev->dev.devt = MKDEV(VIDEO_MAJOR, vdev->minor);
vdev->dev.parent = vdev->dev_parent;
+ vdev->dev.release = v4l2_device_release;
dev_set_name(&vdev->dev, "%s%d", name_base, vdev->num);
+
+ /* Increase v4l2_device refcount */
+ v4l2_device_get(vdev->v4l2_dev);
+
mutex_lock(&videodev_lock);
ret = device_register(&vdev->dev);
if (ret < 0) {
mutex_unlock(&videodev_lock);
pr_err("%s: device_register failed\n", __func__);
- goto cleanup;
+ put_device(&vdev->dev);
+ return ret;
}
- /* Register the release callback that will be called when the last
- reference to the device goes away. */
- vdev->dev.release = v4l2_device_release;
if (nr != -1 && nr != vdev->num && warn_if_nr_in_use)
pr_warn("%s: requested %s%d, got %s\n", __func__,
name_base, nr, video_device_node_name(vdev));
- /* Increase v4l2_device refcount */
- v4l2_device_get(vdev->v4l2_dev);
-
/* Part 5: Register the entity. */
ret = video_register_media_controller(vdev);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 317/508] media: venus: Fix probe error handling
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 316/508] media: v4l2-dev: fix error handling in __video_register_device() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 318/508] media: videobuf2: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
` (193 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Loic Poulain, Dikshita Agarwal,
Bryan ODonoghue, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Loic Poulain <loic.poulain@oss.qualcomm.com>
commit 523cea3a19f0b3b020a4745344c136a636e6ffd7 upstream.
Video device registering has been moved earlier in the probe function,
but the new order has not been propagated to error handling. This means
we can end with unreleased resources on error (e.g dangling video device
on missing firmware probe aborting).
Fixes: 08b1cf474b7f7 ("media: venus: core, venc, vdec: Fix probe dependency error")
Cc: stable@vger.kernel.org
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -347,7 +347,7 @@ static int venus_probe(struct platform_d
ret = v4l2_device_register(dev, &core->v4l2_dev);
if (ret)
- goto err_core_deinit;
+ goto err_hfi_destroy;
platform_set_drvdata(pdev, core);
@@ -379,24 +379,24 @@ static int venus_probe(struct platform_d
ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_DEC);
if (ret)
- goto err_venus_shutdown;
+ goto err_core_deinit;
ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_ENC);
if (ret)
- goto err_venus_shutdown;
+ goto err_core_deinit;
ret = pm_runtime_put_sync(dev);
if (ret) {
pm_runtime_get_noresume(dev);
- goto err_dev_unregister;
+ goto err_core_deinit;
}
venus_dbgfs_init(core);
return 0;
-err_dev_unregister:
- v4l2_device_unregister(&core->v4l2_dev);
+err_core_deinit:
+ hfi_core_deinit(core, false);
err_venus_shutdown:
venus_shutdown(core);
err_firmware_deinit:
@@ -407,9 +407,9 @@ err_runtime_disable:
pm_runtime_put_noidle(dev);
pm_runtime_disable(dev);
pm_runtime_set_suspended(dev);
+ v4l2_device_unregister(&core->v4l2_dev);
+err_hfi_destroy:
hfi_destroy(core);
-err_core_deinit:
- hfi_core_deinit(core, false);
err_core_put:
if (core->pm_ops->core_put)
core->pm_ops->core_put(core);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 318/508] media: videobuf2: use sgtable-based scatterlist wrappers
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 317/508] media: venus: Fix probe error handling Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 319/508] media: vidtv: Terminating the subsequent process of initialization failure Greg Kroah-Hartman
` (192 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Sergey Senozhatsky,
Tomasz Figa, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 upstream.
Use common wrappers operating directly on the struct sg_table objects to
fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
functions have to be called with the number of elements originally passed
to dma_map_sg_*() function, not the one returned in sgt->nents.
Fixes: d4db5eb57cab ("media: videobuf2: add begin/end cpu_access callbacks to dma-sg")
CC: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Acked-by: Tomasz Figa <tfiga@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
@@ -476,7 +476,7 @@ vb2_dma_sg_dmabuf_ops_begin_cpu_access(s
struct vb2_dma_sg_buf *buf = dbuf->priv;
struct sg_table *sgt = buf->dma_sgt;
- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
+ dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir);
return 0;
}
@@ -487,7 +487,7 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(str
struct vb2_dma_sg_buf *buf = dbuf->priv;
struct sg_table *sgt = buf->dma_sgt;
- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
+ dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir);
return 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 319/508] media: vidtv: Terminating the subsequent process of initialization failure
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 318/508] media: videobuf2: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 320/508] media: vivid: Change the siize of the composing Greg Kroah-Hartman
` (191 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0d33ab192bd50b6c91e6,
Edward Adam Davis, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 1d5f88f053480326873115092bc116b7d14916ba upstream.
syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
After PSI initialization fails, the si member is accessed again, resulting
in this uaf.
After si initialization fails, the subsequent process needs to be exited.
[1]
BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]
BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059
CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0
Hardware name: Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78
vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f871d58d169
Code: Unable to access opcode bytes at 0x7f871d58d13f.
RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003
R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840
</TASK>
Allocated by task 6059:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970
vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423
vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6059:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x2c4/0x4d0 mm/slub.c:4757
vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:499
vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 3be8037960bc ("media: vidtv: add error checks")
Cc: stable@vger.kernel.org
Reported-by: syzbot+0d33ab192bd50b6c91e6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d33ab192bd50b6c91e6
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -497,7 +497,7 @@ free_sdt:
vidtv_psi_sdt_table_destroy(m->si.sdt);
free_pat:
vidtv_psi_pat_table_destroy(m->si.pat);
- return 0;
+ return -EINVAL;
}
void vidtv_channel_si_destroy(struct vidtv_mux *m)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 320/508] media: vivid: Change the siize of the composing
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 319/508] media: vidtv: Terminating the subsequent process of initialization failure Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 321/508] media: imx-jpeg: Drop the first error frames Greg Kroah-Hartman
` (190 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+365005005522b70a36f2,
Denis Arefev, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit f83ac8d30c43fd902af7c84c480f216157b60ef0 upstream.
syzkaller found a bug:
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The composition size cannot be larger than the size of fmt_cap_rect.
So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
Fixes: 94a7ad928346 ("media: vivid: fix compose size exceed boundary")
Cc: stable@vger.kernel.org
Reported-by: syzbot+365005005522b70a36f2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=8ed8e8cc30cbe0d86c9a25bd1d6a5775129b8ea3
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
@@ -974,8 +974,8 @@ int vivid_vid_cap_s_selection(struct fil
if (dev->has_compose_cap) {
v4l2_rect_set_min_size(compose, &min_rect);
v4l2_rect_set_max_size(compose, &max_rect);
- v4l2_rect_map_inside(compose, &fmt);
}
+ v4l2_rect_map_inside(compose, &fmt);
dev->fmt_cap_rect = fmt;
tpg_s_buf_height(&dev->tpg, fmt.height);
} else if (dev->has_compose_cap) {
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 321/508] media: imx-jpeg: Drop the first error frames
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 320/508] media: vivid: Change the siize of the composing Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 322/508] media: uvcvideo: Return the number of processed controls Greg Kroah-Hartman
` (189 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
commit d52b9b7e2f10d22a49468128540533e8d76910cd upstream.
When an output buffer contains error frame header,
v4l2_jpeg_parse_header() will return error, then driver will mark this
buffer and a capture buffer done with error flag in device_run().
But if the error occurs in the first frames, before setup the capture
queue, there is no chance to schedule device_run(), and there may be no
capture to mark error.
So we need to drop this buffer with error flag, and make the decoding
can continue.
Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
@@ -1468,9 +1468,19 @@ static void mxc_jpeg_buf_queue(struct vb
jpeg_src_buf = vb2_to_mxc_buf(vb);
jpeg_src_buf->jpeg_parse_error = false;
ret = mxc_jpeg_parse(ctx, vb);
- if (ret)
+ if (ret) {
jpeg_src_buf->jpeg_parse_error = true;
+ /*
+ * if the capture queue is not setup, the device_run() won't be scheduled,
+ * need to drop the error buffer, so that the decoding can continue
+ */
+ if (!vb2_is_streaming(v4l2_m2m_get_dst_vq(ctx->fh.m2m_ctx))) {
+ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
+ return;
+ }
+ }
+
end:
v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, vbuf);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 322/508] media: uvcvideo: Return the number of processed controls
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 321/508] media: imx-jpeg: Drop the first error frames Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 323/508] media: uvcvideo: Send control events for partial succeeds Greg Kroah-Hartman
` (188 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Laurent Pinchart,
Ricardo Ribalda, Hans de Goede, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit ba4fafb02ad6a4eb2e00f861893b5db42ba54369 upstream.
If we let know our callers that we have not done anything, they will be
able to optimize their decisions.
Cc: stable@kernel.org
Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Message-ID: <20250224-uvc-data-backup-v2-1-de993ed9823b@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1734,12 +1734,17 @@ int uvc_ctrl_begin(struct uvc_video_chai
return mutex_lock_interruptible(&chain->ctrl_mutex) ? -ERESTARTSYS : 0;
}
+/*
+ * Returns the number of uvc controls that have been correctly set, or a
+ * negative number if there has been an error.
+ */
static int uvc_ctrl_commit_entity(struct uvc_device *dev,
struct uvc_fh *handle,
struct uvc_entity *entity,
int rollback,
struct uvc_control **err_ctrl)
{
+ unsigned int processed_ctrls = 0;
struct uvc_control *ctrl;
unsigned int i;
int ret;
@@ -1774,6 +1779,9 @@ static int uvc_ctrl_commit_entity(struct
else
ret = 0;
+ if (!ret)
+ processed_ctrls++;
+
if (rollback || ret < 0)
memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP),
@@ -1792,7 +1800,7 @@ static int uvc_ctrl_commit_entity(struct
uvc_ctrl_set_handle(handle, ctrl, handle);
}
- return 0;
+ return processed_ctrls;
}
static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
@@ -1839,6 +1847,7 @@ int __uvc_ctrl_commit(struct uvc_fh *han
if (!rollback)
uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count);
+ ret = 0;
done:
mutex_unlock(&chain->ctrl_mutex);
return ret;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 323/508] media: uvcvideo: Send control events for partial succeeds
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 322/508] media: uvcvideo: Return the number of processed controls Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 324/508] media: uvcvideo: Fix deferred probing error Greg Kroah-Hartman
` (187 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ricardo Ribalda,
Hans de Goede, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 5c791467aea6277430da5f089b9b6c2a9d8a4af7 upstream.
Today, when we are applying a change to entities A, B. If A succeeds and B
fails the events for A are not sent.
This change changes the code so the events for A are send right after
they happen.
Cc: stable@kernel.org
Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Message-ID: <20250224-uvc-data-backup-v2-2-de993ed9823b@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1593,7 +1593,9 @@ static bool uvc_ctrl_xctrls_has_control(
}
static void uvc_ctrl_send_events(struct uvc_fh *handle,
- const struct v4l2_ext_control *xctrls, unsigned int xctrls_count)
+ struct uvc_entity *entity,
+ const struct v4l2_ext_control *xctrls,
+ unsigned int xctrls_count)
{
struct uvc_control_mapping *mapping;
struct uvc_control *ctrl;
@@ -1604,6 +1606,9 @@ static void uvc_ctrl_send_events(struct
u32 changes = V4L2_EVENT_CTRL_CH_VALUE;
ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping);
+ if (ctrl->entity != entity)
+ continue;
+
if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
/* Notification will be sent from an Interrupt event. */
continue;
@@ -1842,11 +1847,12 @@ int __uvc_ctrl_commit(struct uvc_fh *han
uvc_ctrl_find_ctrl_idx(entity, ctrls,
err_ctrl);
goto done;
+ } else if (ret > 0 && !rollback) {
+ uvc_ctrl_send_events(handle, entity,
+ ctrls->controls, ctrls->count);
}
}
- if (!rollback)
- uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count);
ret = 0;
done:
mutex_unlock(&chain->ctrl_mutex);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 324/508] media: uvcvideo: Fix deferred probing error
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 323/508] media: uvcvideo: Send control events for partial succeeds Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 325/508] ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Greg Kroah-Hartman
` (186 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Ricardo Ribalda,
Hans de Goede, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 387e8939307192d5a852a2afeeb83427fa477151 upstream.
uvc_gpio_parse() can return -EPROBE_DEFER when the GPIOs it depends on
have not yet been probed. This return code should be propagated to the
caller of uvc_probe() to ensure that probing is retried when the required
GPIOs become available.
Currently, this error code is incorrectly converted to -ENODEV,
causing some internal cameras to be ignored.
This commit fixes this issue by propagating the -EPROBE_DEFER error.
Cc: stable@vger.kernel.org
Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT")
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Message-ID: <20250313-uvc-eprobedefer-v3-1-a1d312708eef@chromium.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_driver.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -2181,13 +2181,16 @@ static int uvc_probe(struct usb_interfac
#endif
/* Parse the Video Class control descriptor. */
- if (uvc_parse_control(dev) < 0) {
+ ret = uvc_parse_control(dev);
+ if (ret < 0) {
+ ret = -ENODEV;
uvc_dbg(dev, PROBE, "Unable to parse UVC descriptors\n");
goto error;
}
/* Parse the associated GPIOs. */
- if (uvc_gpio_parse(dev) < 0) {
+ ret = uvc_gpio_parse(dev);
+ if (ret < 0) {
uvc_dbg(dev, PROBE, "Unable to parse UVC GPIOs\n");
goto error;
}
@@ -2213,24 +2216,32 @@ static int uvc_probe(struct usb_interfac
}
/* Register the V4L2 device. */
- if (v4l2_device_register(&intf->dev, &dev->vdev) < 0)
+ ret = v4l2_device_register(&intf->dev, &dev->vdev);
+ if (ret < 0)
goto error;
/* Scan the device for video chains. */
- if (uvc_scan_device(dev) < 0)
+ if (uvc_scan_device(dev) < 0) {
+ ret = -ENODEV;
goto error;
+ }
/* Initialize controls. */
- if (uvc_ctrl_init_device(dev) < 0)
+ if (uvc_ctrl_init_device(dev) < 0) {
+ ret = -ENODEV;
goto error;
+ }
/* Register video device nodes. */
- if (uvc_register_chains(dev) < 0)
+ if (uvc_register_chains(dev) < 0) {
+ ret = -ENODEV;
goto error;
+ }
#ifdef CONFIG_MEDIA_CONTROLLER
/* Register the media device node */
- if (media_device_register(&dev->mdev) < 0)
+ ret = media_device_register(&dev->mdev);
+ if (ret < 0)
goto error;
#endif
/* Save our data pointer in the interface data. */
@@ -2257,7 +2268,7 @@ static int uvc_probe(struct usb_interfac
error:
uvc_unregister_video(dev);
kref_put(&dev->ref, uvc_delete);
- return -ENODEV;
+ return ret;
}
static void uvc_disconnect(struct usb_interface *intf)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 325/508] ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 324/508] media: uvcvideo: Fix deferred probing error Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 326/508] ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 Greg Kroah-Hartman
` (185 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ross Stutterheim, Mike Rapoport,
Catalin Marinas, Linus Walleij, Russell King (Oracle)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ross Stutterheim <ross.stutterheim@garmin.com>
commit 96e0b355883006554a0bee3697da475971d6bba8 upstream.
arm/memremap: fix arch_memremap_can_ram_remap()
commit 260364d112bc ("arm[64]/memremap: don't abuse pfn_valid() to ensure
presence of linear map") added the definition of
arch_memremap_can_ram_remap() for arm[64] specific filtering of what pages
can be used from the linear mapping. memblock_is_map_memory() was called
with the pfn of the address given to arch_memremap_can_ram_remap();
however, memblock_is_map_memory() expects to be given an address for arm,
not a pfn.
This results in calls to memremap() returning a newly mapped area when
it should return an address in the existing linear mapping.
Fix this by removing the address to pfn translation and pass the
address directly.
Fixes: 260364d112bc ("arm[64]/memremap: don't abuse pfn_valid() to ensure presence of linear map")
Signed-off-by: Ross Stutterheim <ross.stutterheim@garmin.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: stable@vger.kernel.org
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mm/ioremap.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/arm/mm/ioremap.c
+++ b/arch/arm/mm/ioremap.c
@@ -515,7 +515,5 @@ void __init early_ioremap_init(void)
bool arch_memremap_can_ram_remap(resource_size_t offset, size_t size,
unsigned long flags)
{
- unsigned long pfn = PHYS_PFN(offset);
-
- return memblock_is_map_memory(pfn);
+ return memblock_is_map_memory(offset);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 326/508] ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 325/508] ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 327/508] bus: mhi: host: Fix conflict between power_up and SYSERR Greg Kroah-Hartman
` (184 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Kemnade, Kevin Hilman,
Tony Lindgren
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Kemnade <andreas@kemnade.info>
commit 7397daf1029d5bfd3415ec8622f5179603d5702d upstream.
The late init call just writes to omap4 registers as soon as
CONFIG_MFD_CPCAP is enabled without checking whether the
cpcap driver is actually there or the SoC is indeed an
OMAP4.
Rather do these things only with the right device combination.
Fixes booting the BT200 with said configuration enabled and non-factory
X-Loader and probably also some surprising behavior on other devices.
Fixes: c145649bf262 ("ARM: OMAP2+: Configure voltage controller for cpcap to low-speed")
CC: stable@vger.kernel.org
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Reivewed-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20250331144439.769697-1-andreas@kemnade.info
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mach-omap2/pmic-cpcap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm/mach-omap2/pmic-cpcap.c
+++ b/arch/arm/mach-omap2/pmic-cpcap.c
@@ -264,7 +264,11 @@ int __init omap4_cpcap_init(void)
static int __init cpcap_late_init(void)
{
- omap4_vc_set_pmic_signaling(PWRDM_POWER_RET);
+ if (!of_find_compatible_node(NULL, NULL, "motorola,cpcap"))
+ return 0;
+
+ if (soc_is_omap443x() || soc_is_omap446x() || soc_is_omap447x())
+ omap4_vc_set_pmic_signaling(PWRDM_POWER_RET);
return 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 327/508] bus: mhi: host: Fix conflict between power_up and SYSERR
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 326/508] ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 328/508] can: tcan4x5x: fix power regulator retrieval during probe Greg Kroah-Hartman
` (183 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeffrey Hugo, Jeff Hugo,
Manivannan Sadhasivam, Troy Hanson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Hugo <quic_jhugo@quicinc.com>
commit 4d92e7c5ccadc79764674ffc2c88d329aabbb7e0 upstream.
When mhi_async_power_up() enables IRQs, it is possible that we could
receive a SYSERR notification from the device if the firmware has crashed
for some reason. Then the SYSERR notification queues a work item that
cannot execute until the pm_mutex is released by mhi_async_power_up().
So the SYSERR work item will be pending. If mhi_async_power_up() detects
the SYSERR, it will handle it. If the device is in PBL, then the PBL state
transition event will be queued, resulting in a work item after the
pending SYSERR work item. Once mhi_async_power_up() releases the pm_mutex,
the SYSERR work item can run. It will blindly attempt to reset the MHI
state machine, which is the recovery action for SYSERR. PBL/SBL are not
interrupt driven and will ignore the MHI Reset unless SYSERR is actively
advertised. This will cause the SYSERR work item to timeout waiting for
reset to be cleared, and will leave the host state in SYSERR processing.
The PBL transition work item will then run, and immediately fail because
SYSERR processing is not a valid state for PBL transition.
This leaves the device uninitialized.
This issue has a fairly unique signature in the kernel log:
mhi mhi3: Requested to power ON
Qualcomm Cloud AI 100 0000:36:00.0: Fatal error received from
device. Attempting to recover
mhi mhi3: Power on setup success
mhi mhi3: Device failed to exit MHI Reset state
mhi mhi3: Device MHI is not in valid state
We cannot remove the SYSERR handling from mhi_async_power_up() because the
device may be in the SYSERR state, but we missed the notification as the
irq was fired before irqs were enabled. We also can't queue the SYSERR work
item from mhi_async_power_up() if SYSERR is detected because that may
result in a duplicate work item, and cause the same issue since the
duplicate item will blindly issue MHI reset even if SYSERR is no longer
active.
Instead, add a check in the SYSERR work item to make sure that MHI reset is
only issued if the device is in SYSERR state for PBL or SBL EEs.
Fixes: a6e2e3522f29 ("bus: mhi: core: Add support for PM state transitions")
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250328163526.3365497-1-jeff.hugo@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/pm.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/bus/mhi/host/pm.c
+++ b/drivers/bus/mhi/host/pm.c
@@ -586,6 +586,7 @@ static void mhi_pm_sys_error_transition(
struct mhi_cmd *mhi_cmd;
struct mhi_event_ctxt *er_ctxt;
struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ bool reset_device = false;
int ret, i;
dev_dbg(dev, "Transitioning from PM state: %s to: %s\n",
@@ -614,8 +615,23 @@ static void mhi_pm_sys_error_transition(
/* Wake up threads waiting for state transition */
wake_up_all(&mhi_cntrl->state_event);
- /* Trigger MHI RESET so that the device will not access host memory */
if (MHI_REG_ACCESS_VALID(prev_state)) {
+ /*
+ * If the device is in PBL or SBL, it will only respond to
+ * RESET if the device is in SYSERR state. SYSERR might
+ * already be cleared at this point.
+ */
+ enum mhi_state cur_state = mhi_get_mhi_state(mhi_cntrl);
+ enum mhi_ee_type cur_ee = mhi_get_exec_env(mhi_cntrl);
+
+ if (cur_state == MHI_STATE_SYS_ERR)
+ reset_device = true;
+ else if (cur_ee != MHI_EE_PBL && cur_ee != MHI_EE_SBL)
+ reset_device = true;
+ }
+
+ /* Trigger MHI RESET so that the device will not access host memory */
+ if (reset_device) {
u32 in_reset = -1;
unsigned long timeout = msecs_to_jiffies(mhi_cntrl->timeout_ms);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 328/508] can: tcan4x5x: fix power regulator retrieval during probe
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 327/508] bus: mhi: host: Fix conflict between power_up and SYSERR Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 329/508] ceph: set superblock s_magic for IMA fsmagic matching Greg Kroah-Hartman
` (182 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Brett Werling, Marc Kleine-Budde
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brett Werling <brett.werling@garmin.com>
commit db22720545207f734aaa9d9f71637bfc8b0155e0 upstream.
Fixes the power regulator retrieval in tcan4x5x_can_probe() by ensuring
the regulator pointer is not set to NULL in the successful return from
devm_regulator_get_optional().
Fixes: 3814ca3a10be ("can: tcan4x5x: tcan4x5x_can_probe(): turn on the power before parsing the config")
Signed-off-by: Brett Werling <brett.werling@garmin.com>
Link: https://patch.msgid.link/20250612191825.3646364-1-brett.werling@garmin.com
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/m_can/tcan4x5x-core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/net/can/m_can/tcan4x5x-core.c
+++ b/drivers/net/can/m_can/tcan4x5x-core.c
@@ -310,10 +310,11 @@ static int tcan4x5x_can_probe(struct spi
priv = cdev_to_priv(mcan_class);
priv->power = devm_regulator_get_optional(&spi->dev, "vsup");
- if (PTR_ERR(priv->power) == -EPROBE_DEFER) {
- ret = -EPROBE_DEFER;
- goto out_m_can_class_free_dev;
- } else {
+ if (IS_ERR(priv->power)) {
+ if (PTR_ERR(priv->power) == -EPROBE_DEFER) {
+ ret = -EPROBE_DEFER;
+ goto out_m_can_class_free_dev;
+ }
priv->power = NULL;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 329/508] ceph: set superblock s_magic for IMA fsmagic matching
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 328/508] can: tcan4x5x: fix power regulator retrieval during probe Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 330/508] cgroup,freezer: fix incomplete freezing when attaching tasks Greg Kroah-Hartman
` (181 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dennis Marttinen, Viacheslav Dubeyko,
Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Marttinen <twelho@welho.tech>
commit 72386d5245b249f5a0a8fabb881df7ad947b8ea4 upstream.
The CephFS kernel driver forgets to set the filesystem magic signature in
its superblock. As a result, IMA policy rules based on fsmagic matching do
not apply as intended. This causes a major performance regression in Talos
Linux [1] when mounting CephFS volumes, such as when deploying Rook Ceph
[2]. Talos Linux ships a hardened kernel with the following IMA policy
(irrelevant lines omitted):
[...]
dont_measure fsmagic=0xc36400 # CEPH_SUPER_MAGIC
[...]
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
[...]
Currently, IMA compares 0xc36400 == 0x0 for CephFS files, resulting in all
files opened with O_RDONLY or O_RDWR getting measured with SHA512 on every
open(2):
10 69990c87e8af323d47e2d6ae4... ima-ng sha512:<hash> /data/cephfs/test-file
Since O_WRONLY is rare, this results in an order of magnitude lower
performance than expected for practically all file operations. Properly
setting CEPH_SUPER_MAGIC in the CephFS superblock resolves the regression.
Tests performed on a 3x replicated Ceph v19.3.0 cluster across three
i5-7200U nodes each equipped with one Micron 7400 MAX M.2 disk (BlueStore)
and Gigabit ethernet, on Talos Linux v1.10.2:
FS-Mark 3.3
Test: 500 Files, Empty
Files/s > Higher Is Better
6.12.27-talos . 16.6 |====
+twelho patch . 208.4 |====================================================
FS-Mark 3.3
Test: 500 Files, 1KB Size
Files/s > Higher Is Better
6.12.27-talos . 15.6 |=======
+twelho patch . 118.6 |====================================================
FS-Mark 3.3
Test: 500 Files, 32 Sub Dirs, 1MB Size
Files/s > Higher Is Better
6.12.27-talos . 12.7 |===============
+twelho patch . 44.7 |=====================================================
IO500 [3] 2fcd6d6 results (benchmarks within variance omitted):
| IO500 benchmark | 6.12.27-talos | +twelho patch | Speedup |
|-------------------|----------------|----------------|-----------|
| mdtest-easy-write | 0.018524 kIOPS | 1.135027 kIOPS | 6027.33 % |
| mdtest-hard-write | 0.018498 kIOPS | 0.973312 kIOPS | 5161.71 % |
| ior-easy-read | 0.064727 GiB/s | 0.155324 GiB/s | 139.97 % |
| mdtest-hard-read | 0.018246 kIOPS | 0.780800 kIOPS | 4179.29 % |
This applies outside of synthetic benchmarks as well, for example, the time
to rsync a 55 MiB directory with ~12k of mostly small files drops from an
unusable 10m5s to a reasonable 26s (23x the throughput).
[1]: https://www.talos.dev/
[2]: https://www.talos.dev/v1.10/kubernetes-guides/configuration/ceph-with-rook/
[3]: https://github.com/IO500/io500
Cc: stable@vger.kernel.org
Signed-off-by: Dennis Marttinen <twelho@welho.tech>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/super.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -1136,6 +1136,7 @@ static int ceph_set_super(struct super_b
s->s_time_min = 0;
s->s_time_max = U32_MAX;
s->s_flags |= SB_NODIRATIME | SB_NOATIME;
+ s->s_magic = CEPH_SUPER_MAGIC;
ret = set_anon_super_fc(s, fc);
if (ret != 0)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 330/508] cgroup,freezer: fix incomplete freezing when attaching tasks
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 329/508] ceph: set superblock s_magic for IMA fsmagic matching Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 331/508] ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Greg Kroah-Hartman
` (180 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhong Jiawei, Chen Ridong,
Michal Koutný, Tejun Heo
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ridong <chenridong@huawei.com>
commit 37fb58a7273726e59f9429c89ade5116083a213d upstream.
An issue was found:
# cd /sys/fs/cgroup/freezer/
# mkdir test
# echo FROZEN > test/freezer.state
# cat test/freezer.state
FROZEN
# sleep 1000 &
[1] 863
# echo 863 > test/cgroup.procs
# cat test/freezer.state
FREEZING
When tasks are migrated to a frozen cgroup, the freezer fails to
immediately freeze the tasks, causing the cgroup to remain in the
"FREEZING".
The freeze_task() function is called before clearing the CGROUP_FROZEN
flag. This causes the freezing() check to incorrectly return false,
preventing __freeze_task() from being invoked for the migrated task.
To fix this issue, clear the CGROUP_FROZEN state before calling
freeze_task().
Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
Cc: stable@vger.kernel.org # v6.1+
Reported-by: Zhong Jiawei <zhongjiawei1@huawei.com>
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Acked-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/legacy_freezer.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/kernel/cgroup/legacy_freezer.c
+++ b/kernel/cgroup/legacy_freezer.c
@@ -189,13 +189,12 @@ static void freezer_attach(struct cgroup
if (!(freezer->state & CGROUP_FREEZING)) {
__thaw_task(task);
} else {
- freeze_task(task);
-
/* clear FROZEN and propagate upwards */
while (freezer && (freezer->state & CGROUP_FROZEN)) {
freezer->state &= ~CGROUP_FROZEN;
freezer = parent_freezer(freezer);
}
+ freeze_task(task);
}
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 331/508] ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 330/508] cgroup,freezer: fix incomplete freezing when attaching tasks Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 332/508] bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Greg Kroah-Hartman
` (179 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tasos Sahanidis, Niklas Cassel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tasos Sahanidis <tasos@tasossah.com>
commit d29fc02caad7f94b62d56ee1b01c954f9c961ba7 upstream.
The controller has a hardware bug that can hard hang the system when
doing ATAPI DMAs without any trace of what happened. Depending on the
device attached, it can also prevent the system from booting.
In this case, the system hangs when reading the ATIP from optical media
with cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an
Optiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4,
running at UDMA/33.
The issue can be reproduced by running the same command with a cygwin
build of cdrecord on WinXP, although it requires more attempts to cause
it. The hang in that case is also resolved by forcing PIO. It doesn't
appear that VIA has produced any drivers for that OS, thus no known
workaround exists.
HDDs attached to the controller do not suffer from any DMA issues.
Cc: stable@vger.kernel.org
Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/916677
Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
Link: https://lore.kernel.org/r/20250519085508.1398701-1-tasos@tasossah.com
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/pata_via.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/ata/pata_via.c
+++ b/drivers/ata/pata_via.c
@@ -368,7 +368,8 @@ static unsigned int via_mode_filter(stru
}
if (dev->class == ATA_DEV_ATAPI &&
- dmi_check_system(no_atapi_dma_dmi_table)) {
+ (dmi_check_system(no_atapi_dma_dmi_table) ||
+ config->id == PCI_DEVICE_ID_VIA_6415)) {
ata_dev_warn(dev, "controller locks up on ATAPI DMA, forcing PIO\n");
mask &= ATA_MASK_PIO;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 332/508] bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 331/508] ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 333/508] bus: fsl-mc: fix GET/SET_TAILDROP command ids Greg Kroah-Hartman
` (178 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Christophe Leroy
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ioana Ciornei <ioana.ciornei@nxp.com>
commit dd7d8e012b23de158ca0188239c7a1f2a83b4484 upstream.
The fsl-mc bus associated to the root DPRC in a DPAA2 system exports a
device file for userspace access to the MC firmware. In case the DPRC's
local MC portal (DPMCP) is currently in use, a new DPMCP device is
allocated through the fsl_mc_portal_allocate() function.
In this case, the call to fsl_mc_portal_allocate() will fail with -EINVAL
when trying to add a device link between the root DPRC (consumer) and
the newly allocated DPMCP device (supplier). This is because the DPMCP
is a dependent of the DPRC device (the bus).
Fix this by not adding a device link in case the DPMCP is allocated for
the root DPRC's usage.
Fixes: afb77422819f ("bus: fsl-mc: automatically add a device_link on fsl_mc_[portal,object]_allocate")
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250408105814.2837951-3-ioana.ciornei@nxp.com
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/fsl-mc/mc-io.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/drivers/bus/fsl-mc/mc-io.c
+++ b/drivers/bus/fsl-mc/mc-io.c
@@ -214,12 +214,19 @@ int __must_check fsl_mc_portal_allocate(
if (error < 0)
goto error_cleanup_resource;
- dpmcp_dev->consumer_link = device_link_add(&mc_dev->dev,
- &dpmcp_dev->dev,
- DL_FLAG_AUTOREMOVE_CONSUMER);
- if (!dpmcp_dev->consumer_link) {
- error = -EINVAL;
- goto error_cleanup_mc_io;
+ /* If the DPRC device itself tries to allocate a portal (usually for
+ * UAPI interaction), don't add a device link between them since the
+ * DPMCP device is an actual child device of the DPRC and a reverse
+ * dependency is not allowed.
+ */
+ if (mc_dev != mc_bus_dev) {
+ dpmcp_dev->consumer_link = device_link_add(&mc_dev->dev,
+ &dpmcp_dev->dev,
+ DL_FLAG_AUTOREMOVE_CONSUMER);
+ if (!dpmcp_dev->consumer_link) {
+ error = -EINVAL;
+ goto error_cleanup_mc_io;
+ }
}
*new_mc_io = mc_io;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 333/508] bus: fsl-mc: fix GET/SET_TAILDROP command ids
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 332/508] bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 334/508] ext4: inline: fix len overflow in ext4_prepare_inline_data Greg Kroah-Hartman
` (177 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wan Junjie, Ioana Ciornei,
Christophe Leroy
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wan Junjie <junjie.wan@inceptio.ai>
commit c78230ad34f82c6c0e0e986865073aeeef1f5d30 upstream.
Command ids for taildrop get/set can not pass the check when they are
using from the restool user space utility. Correct them according to the
user manual.
Fixes: d67cc29e6d1f ("bus: fsl-mc: list more commands as accepted through the ioctl")
Signed-off-by: Wan Junjie <junjie.wan@inceptio.ai>
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Cc: stable@vger.kernel.org
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20250408105814.2837951-4-ioana.ciornei@nxp.com
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/fsl-mc/fsl-mc-uapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/bus/fsl-mc/fsl-mc-uapi.c
+++ b/drivers/bus/fsl-mc/fsl-mc-uapi.c
@@ -275,13 +275,13 @@ static struct fsl_mc_cmd_desc fsl_mc_acc
.size = 8,
},
[DPSW_GET_TAILDROP] = {
- .cmdid_value = 0x0A80,
+ .cmdid_value = 0x0A90,
.cmdid_mask = 0xFFF0,
.token = true,
.size = 14,
},
[DPSW_SET_TAILDROP] = {
- .cmdid_value = 0x0A90,
+ .cmdid_value = 0x0A80,
.cmdid_mask = 0xFFF0,
.token = true,
.size = 24,
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 334/508] ext4: inline: fix len overflow in ext4_prepare_inline_data
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 333/508] bus: fsl-mc: fix GET/SET_TAILDROP command ids Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 335/508] ext4: fix calculation of credits for extent tree modification Greg Kroah-Hartman
` (176 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fe2a25dae02a207717a0,
Thadeu Lima de Souza Cascardo, Jan Kara, Andreas Dilger,
Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 227cb4ca5a6502164f850d22aec3104d7888b270 upstream.
When running the following code on an ext4 filesystem with inline_data
feature enabled, it will lead to the bug below.
fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666);
ftruncate(fd, 30);
pwrite(fd, "a", 1, (1UL << 40) + 5UL);
That happens because write_begin will succeed as when
ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len
will be truncated, leading to ext4_prepare_inline_data parameter to be 6
instead of 0x10000000006.
Then, later when write_end is called, we hit:
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
at ext4_write_inline_data.
Fix it by using a loff_t type for the len parameter in
ext4_prepare_inline_data instead of an unsigned int.
[ 44.545164] ------------[ cut here ]------------
[ 44.545530] kernel BUG at fs/ext4/inline.c:240!
[ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb
[ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100
[ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49
[ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216
[ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006
[ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738
[ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000
[ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738
[ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000
[ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0
[ 44.546523] PKRU: 55555554
[ 44.546523] Call Trace:
[ 44.546523] <TASK>
[ 44.546523] ext4_write_inline_data_end+0x126/0x2d0
[ 44.546523] generic_perform_write+0x17e/0x270
[ 44.546523] ext4_buffered_write_iter+0xc8/0x170
[ 44.546523] vfs_write+0x2be/0x3e0
[ 44.546523] __x64_sys_pwrite64+0x6d/0xc0
[ 44.546523] do_syscall_64+0x6a/0xf0
[ 44.546523] ? __wake_up+0x89/0xb0
[ 44.546523] ? xas_find+0x72/0x1c0
[ 44.546523] ? next_uptodate_folio+0x317/0x330
[ 44.546523] ? set_pte_range+0x1a6/0x270
[ 44.546523] ? filemap_map_pages+0x6ee/0x840
[ 44.546523] ? ext4_setattr+0x2fa/0x750
[ 44.546523] ? do_pte_missing+0x128/0xf70
[ 44.546523] ? security_inode_post_setattr+0x3e/0xd0
[ 44.546523] ? ___pte_offset_map+0x19/0x100
[ 44.546523] ? handle_mm_fault+0x721/0xa10
[ 44.546523] ? do_user_addr_fault+0x197/0x730
[ 44.546523] ? do_syscall_64+0x76/0xf0
[ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60
[ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90
[ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 44.546523] RIP: 0033:0x7f42999c6687
[ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012
[ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687
[ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003
[ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000
[ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000000000000000
[ 44.546523] R13: 00007ffeae4a7ac8 R14: 00007f4299b86000 R15: 000055ea61493dd8
[ 44.546523] </TASK>
[ 44.546523] Modules linked in:
[ 44.568501] ---[ end trace 0000000000000000 ]---
[ 44.568889] RIP: 0010:ext4_write_inline_data+0xfe/0x100
[ 44.569328] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49
[ 44.570931] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216
[ 44.571356] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006
[ 44.571959] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738
[ 44.572571] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 44.573148] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000
[ 44.573748] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738
[ 44.574335] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000
[ 44.575027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.575520] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0
[ 44.576112] PKRU: 55555554
[ 44.576338] Kernel panic - not syncing: Fatal exception
[ 44.576517] Kernel Offset: 0x1a600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Reported-by: syzbot+fe2a25dae02a207717a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fe2a25dae02a207717a0
Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Cc: stable@vger.kernel.org
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://patch.msgid.link/20250415-ext4-prepare-inline-overflow-v1-1-f4c13d900967@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -393,7 +393,7 @@ out:
}
static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
- unsigned int len)
+ loff_t len)
{
int ret, size, no_expand;
struct ext4_inode_info *ei = EXT4_I(inode);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 335/508] ext4: fix calculation of credits for extent tree modification
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 334/508] ext4: inline: fix len overflow in ext4_prepare_inline_data Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 336/508] ext4: factor out ext4_get_maxbytes() Greg Kroah-Hartman
` (175 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davidlohr Bueso, Luis Chamberlain,
kdevops, Jan Kara, Zhang Yi, Theodore Tso, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 32a93f5bc9b9812fc710f43a4d8a6830f91e4988 upstream.
Luis and David are reporting that after running generic/750 test for 90+
hours on 2k ext4 filesystem, they are able to trigger a warning in
jbd2_journal_dirty_metadata() complaining that there are not enough
credits in the running transaction started in ext4_do_writepages().
Indeed the code in ext4_do_writepages() is racy and the extent tree can
change between the time we compute credits necessary for extent tree
computation and the time we actually modify the extent tree. Thus it may
happen that the number of credits actually needed is higher. Modify
ext4_ext_index_trans_blocks() to count with the worst case of maximum
tree depth. This can reduce the possible number of writers that can
operate in the system in parallel (because the credit estimates now won't
fit in one transaction) but for reasonably sized journals this shouldn't
really be an issue. So just go with a safe and simple fix.
Link: https://lore.kernel.org/all/20250415013641.f2ppw6wov4kn4wq2@offworld
Reported-by: Davidlohr Bueso <dave@stgolabs.net>
Reported-by: Luis Chamberlain <mcgrof@kernel.org>
Tested-by: kdevops@lists.linux.dev
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250429175535.23125-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -2374,18 +2374,19 @@ int ext4_ext_calc_credits_for_single_ext
int ext4_ext_index_trans_blocks(struct inode *inode, int extents)
{
int index;
- int depth;
/* If we are converting the inline data, only one is needed here. */
if (ext4_has_inline_data(inode))
return 1;
- depth = ext_depth(inode);
-
+ /*
+ * Extent tree can change between the time we estimate credits and
+ * the time we actually modify the tree. Assume the worst case.
+ */
if (extents <= 1)
- index = depth * 2;
+ index = EXT4_MAX_EXTENT_DEPTH * 2;
else
- index = depth * 3;
+ index = EXT4_MAX_EXTENT_DEPTH * 3;
return index;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 336/508] ext4: factor out ext4_get_maxbytes()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 335/508] ext4: fix calculation of credits for extent tree modification Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 337/508] ext4: ensure i_size is smaller than maxbytes Greg Kroah-Hartman
` (174 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Jan Kara, Baokun Li,
Theodore Tso, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
commit dbe27f06fa38b9bfc598f8864ae1c5d5831d9992 upstream.
There are several locations that get the correct maxbytes value based on
the inode's block type. It would be beneficial to extract a common
helper function to make the code more clear.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Link: https://patch.msgid.link/20250506012009.3896990-3-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 7 +++++++
fs/ext4/extents.c | 7 +------
fs/ext4/file.c | 7 +------
3 files changed, 9 insertions(+), 12 deletions(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3354,6 +3354,13 @@ static inline unsigned int ext4_flex_bg_
return 1 << sbi->s_log_groups_per_flex;
}
+static inline loff_t ext4_get_maxbytes(struct inode *inode)
+{
+ if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+ return inode->i_sb->s_maxbytes;
+ return EXT4_SB(inode->i_sb)->s_bitmap_maxbytes;
+}
+
#define ext4_std_error(sb, errno) \
do { \
if ((errno)) \
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4974,12 +4974,7 @@ static const struct iomap_ops ext4_iomap
static int ext4_fiemap_check_ranges(struct inode *inode, u64 start, u64 *len)
{
- u64 maxbytes;
-
- if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
- maxbytes = inode->i_sb->s_maxbytes;
- else
- maxbytes = EXT4_SB(inode->i_sb)->s_bitmap_maxbytes;
+ u64 maxbytes = ext4_get_maxbytes(inode);
if (*len == 0)
return -EINVAL;
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -880,12 +880,7 @@ static int ext4_file_open(struct inode *
loff_t ext4_llseek(struct file *file, loff_t offset, int whence)
{
struct inode *inode = file->f_mapping->host;
- loff_t maxbytes;
-
- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
- maxbytes = EXT4_SB(inode->i_sb)->s_bitmap_maxbytes;
- else
- maxbytes = inode->i_sb->s_maxbytes;
+ loff_t maxbytes = ext4_get_maxbytes(inode);
switch (whence) {
default:
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 337/508] ext4: ensure i_size is smaller than maxbytes
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 336/508] ext4: factor out ext4_get_maxbytes() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 338/508] Input: ims-pcu - check record size in ims_pcu_flash_firmware() Greg Kroah-Hartman
` (173 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Jan Kara, Baokun Li,
Theodore Tso, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
commit 1a77a028a392fab66dd637cdfac3f888450d00af upstream.
The inode i_size cannot be larger than maxbytes, check it while loading
inode from the disk.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Link: https://patch.msgid.link/20250506012009.3896990-4-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4968,7 +4968,8 @@ struct inode *__ext4_iget(struct super_b
ei->i_file_acl |=
((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
inode->i_size = ext4_isize(sb, raw_inode);
- if ((size = i_size_read(inode)) < 0) {
+ size = i_size_read(inode);
+ if (size < 0 || size > ext4_get_maxbytes(inode)) {
ext4_error_inode(inode, function, line, 0,
"iget: bad i_size value: %lld", size);
ret = -EFSCORRUPTED;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 338/508] Input: ims-pcu - check record size in ims_pcu_flash_firmware()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 337/508] ext4: ensure i_size is smaller than maxbytes Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 339/508] Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() Greg Kroah-Hartman
` (172 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Dmitry Torokhov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit a95ef0199e80f3384eb992889322957d26c00102 upstream.
The "len" variable comes from the firmware and we generally do
trust firmware, but it's always better to double check. If the "len"
is too large it could result in memory corruption when we do
"memcpy(fragment->data, rec->data, len);"
Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/131fd1ae92c828ee9f4fa2de03d8c210ae1f3524.1748463049.git.dan.carpenter@linaro.org
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/misc/ims-pcu.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -845,6 +845,12 @@ static int ims_pcu_flash_firmware(struct
addr = be32_to_cpu(rec->addr) / 2;
len = be16_to_cpu(rec->len);
+ if (len > sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment)) {
+ dev_err(pcu->dev,
+ "Invalid record length in firmware: %d\n", len);
+ return -EINVAL;
+ }
+
fragment = (void *)&pcu->cmd_buf[1];
put_unaligned_le32(addr, &fragment->addr);
fragment->len = len;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 339/508] Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 338/508] Input: ims-pcu - check record size in ims_pcu_flash_firmware() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 340/508] f2fs: prevent kernel warning due to negative i_nlink from corrupted image Greg Kroah-Hartman
` (171 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gatien Chevallier, Dmitry Torokhov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gatien Chevallier <gatien.chevallier@foss.st.com>
commit 8f38219fa139623c29db2cb0f17d0a197a86e344 upstream.
gpio_keys_irq_isr() and gpio_keys_irq_timer() access the same resources.
There could be a concurrent access if a GPIO interrupt occurs in parallel
of a HR timer interrupt.
Guard back those resources with a spinlock.
Fixes: 019002f20cb5 ("Input: gpio-keys - use hrtimer for release timer")
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Link: https://lore.kernel.org/r/20250528-gpio_keys_preempt_rt-v2-2-3fc55a9c3619@foss.st.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/gpio_keys.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/input/keyboard/gpio_keys.c
+++ b/drivers/input/keyboard/gpio_keys.c
@@ -455,6 +455,8 @@ static enum hrtimer_restart gpio_keys_ir
release_timer);
struct input_dev *input = bdata->input;
+ guard(spinlock_irqsave)(&bdata->lock);
+
if (bdata->key_pressed) {
input_event(input, EV_KEY, *bdata->code, 0);
input_sync(input);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 340/508] f2fs: prevent kernel warning due to negative i_nlink from corrupted image
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 339/508] Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 341/508] f2fs: fix to do sanity check on sit_bitmap_size Greg Kroah-Hartman
` (170 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 42cb74a92adaf88061039601ddf7c874f58b554e upstream.
WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0
home/cc/linux/fs/inode.c:417
Modules linked in:
CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted
6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417
Code: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff
f0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90
<0f> 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6
ff
RSP: 0018:ffffc900026b7c28 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f
RDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005
RBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000
R13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0
FS: 000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0
Call Trace:
<task>
f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline]
f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845
f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909
f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581
vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544
do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608
__do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline]
__se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline]
__x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652
do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb3d092324b
Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66
2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05
<48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01
48
RSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b
RDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0
RBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0
R10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0
R13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001
</task>
Cc: stable@vger.kernel.org
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/namei.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -550,6 +550,15 @@ static int f2fs_unlink(struct inode *dir
goto fail;
}
+ if (unlikely(inode->i_nlink == 0)) {
+ f2fs_warn(F2FS_I_SB(inode), "%s: inode (ino=%lx) has zero i_nlink",
+ __func__, inode->i_ino);
+ err = -EFSCORRUPTED;
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
+ f2fs_put_page(page, 0);
+ goto fail;
+ }
+
f2fs_balance_fs(sbi, true);
f2fs_lock_op(sbi);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 341/508] f2fs: fix to do sanity check on sit_bitmap_size
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 340/508] f2fs: prevent kernel warning due to negative i_nlink from corrupted image Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 342/508] NFC: nci: uart: Set tty->disc_data only in success path Greg Kroah-Hartman
` (169 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 5db0d252c64e91ba1929c70112352e85dc5751e7 upstream.
w/ below testcase, resize will generate a corrupted image which
contains inconsistent metadata, so when mounting such image, it
will trigger kernel panic:
touch img
truncate -s $((512*1024*1024*1024)) img
mkfs.f2fs -f img $((256*1024*1024))
resize.f2fs -s -i img -t $((1024*1024*1024))
mount img /mnt/f2fs
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.h:863!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:f2fs_ra_meta_pages+0x47c/0x490
Call Trace:
f2fs_build_segment_manager+0x11c3/0x2600
f2fs_fill_super+0xe97/0x2840
mount_bdev+0xf4/0x140
legacy_get_tree+0x2b/0x50
vfs_get_tree+0x29/0xd0
path_mount+0x487/0xaf0
__x64_sys_mount+0x116/0x150
do_syscall_64+0x82/0x190
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fdbfde1bcfe
The reaseon is:
sit_i->bitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum
there are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt
is 4762, build_sit_entries() -> current_sit_addr() tries to access
out-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap
and sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on().
Let's add sanity check in f2fs_sanity_check_ckpt() to avoid panic.
Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -3499,6 +3499,7 @@ int f2fs_sanity_check_ckpt(struct f2fs_s
block_t user_block_count, valid_user_blocks;
block_t avail_node_count, valid_node_count;
unsigned int nat_blocks, nat_bits_bytes, nat_bits_blocks;
+ unsigned int sit_blk_cnt;
int i, j;
total = le32_to_cpu(raw_super->segment_count);
@@ -3610,6 +3611,13 @@ skip_cross:
return 1;
}
+ sit_blk_cnt = DIV_ROUND_UP(main_segs, SIT_ENTRY_PER_BLOCK);
+ if (sit_bitmap_size * 8 < sit_blk_cnt) {
+ f2fs_err(sbi, "Wrong bitmap size: sit: %u, sit_blk_cnt:%u",
+ sit_bitmap_size, sit_blk_cnt);
+ return 1;
+ }
+
cp_pack_start_sum = __start_sum_addr(sbi);
cp_payload = __cp_payload(sbi);
if (cp_pack_start_sum < cp_payload + 1 ||
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 342/508] NFC: nci: uart: Set tty->disc_data only in success path
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 341/508] f2fs: fix to do sanity check on sit_bitmap_size Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 343/508] net: ftgmac100: select FIXED_PHY Greg Kroah-Hartman
` (168 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Krzysztof Kozlowski,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit fc27ab48904ceb7e4792f0c400f1ef175edf16fe upstream.
Setting tty->disc_data before opening the NCI device means we need to
clean it up on error paths. This also opens some short window if device
starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded
(broken hardware?). Close the window by exposing tty->disc_data only on
the success path, when opening of the NCI device and try_module_get()
succeeds.
The code differs in error path in one aspect: tty->disc_data won't be
ever assigned thus NULL-ified. This however should not be relevant
difference, because of "tty->disc_data=NULL" in nci_uart_tty_open().
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
Fixes: 9961127d4bce ("NFC: nci: add generic uart support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20250618073649.25049-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/nci/uart.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/nfc/nci/uart.c
+++ b/net/nfc/nci/uart.c
@@ -119,22 +119,22 @@ static int nci_uart_set_driver(struct tt
memcpy(nu, nci_uart_drivers[driver], sizeof(struct nci_uart));
nu->tty = tty;
- tty->disc_data = nu;
skb_queue_head_init(&nu->tx_q);
INIT_WORK(&nu->write_work, nci_uart_write_work);
spin_lock_init(&nu->rx_lock);
ret = nu->ops.open(nu);
if (ret) {
- tty->disc_data = NULL;
kfree(nu);
+ return ret;
} else if (!try_module_get(nu->owner)) {
nu->ops.close(nu);
- tty->disc_data = NULL;
kfree(nu);
return -ENOENT;
}
- return ret;
+ tty->disc_data = nu;
+
+ return 0;
}
/* ------ LDISC part ------ */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 343/508] net: ftgmac100: select FIXED_PHY
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 342/508] NFC: nci: uart: Set tty->disc_data only in success path Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 344/508] EDAC/altera: Use correct write width with the INTTEST register Greg Kroah-Hartman
` (167 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
commit ae409629e022fbebbc6d31a1bfeccdbbeee20fd6 upstream.
Depending on e.g. DT configuration this driver uses a fixed link.
So we shouldn't rely on the user to enable FIXED_PHY, select it in
Kconfig instead. We may end up with a non-functional driver otherwise.
Fixes: 38561ded50d0 ("net: ftgmac100: support fixed link")
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://patch.msgid.link/476bb33b-5584-40f0-826a-7294980f2895@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/faraday/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/faraday/Kconfig b/drivers/net/ethernet/faraday/Kconfig
index c699bd6bcbb9..474073c7f94d 100644
--- a/drivers/net/ethernet/faraday/Kconfig
+++ b/drivers/net/ethernet/faraday/Kconfig
@@ -31,6 +31,7 @@ config FTGMAC100
depends on ARM || COMPILE_TEST
depends on !64BIT || BROKEN
select PHYLIB
+ select FIXED_PHY
select MDIO_ASPEED if MACH_ASPEED_G6
select CRC32
help
--
2.50.0
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 344/508] EDAC/altera: Use correct write width with the INTTEST register
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 343/508] net: ftgmac100: select FIXED_PHY Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 345/508] fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
` (166 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niravkumar L Rabara, Matthew Gerlach,
Borislav Petkov (AMD), Dinh Nguyen, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
commit e5ef4cd2a47f27c0c9d8ff6c0f63a18937c071a3 upstream.
On the SoCFPGA platform, the INTTEST register supports only 16-bit writes.
A 32-bit write triggers an SError to the CPU so do 16-bit accesses only.
[ bp: AI-massage the commit message. ]
Fixes: c7b4be8db8bc ("EDAC, altera: Add Arria10 OCRAM ECC support")
Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
Signed-off-by: Matthew Gerlach <matthew.gerlach@altera.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Dinh Nguyen <dinguyen@kernel.org>
Cc: stable@kernel.org
Link: https://lore.kernel.org/20250527145707.25458-1-matthew.gerlach@altera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/edac/altera_edac.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/edac/altera_edac.c
+++ b/drivers/edac/altera_edac.c
@@ -1756,9 +1756,9 @@ altr_edac_a10_device_trig(struct file *f
local_irq_save(flags);
if (trig_type == ALTR_UE_TRIGGER_CHAR)
- writel(priv->ue_set_mask, set_addr);
+ writew(priv->ue_set_mask, set_addr);
else
- writel(priv->ce_set_mask, set_addr);
+ writew(priv->ce_set_mask, set_addr);
/* Ensure the interrupt test bits are set */
wmb();
@@ -1788,7 +1788,7 @@ altr_edac_a10_device_trig2(struct file *
local_irq_save(flags);
if (trig_type == ALTR_UE_TRIGGER_CHAR) {
- writel(priv->ue_set_mask, set_addr);
+ writew(priv->ue_set_mask, set_addr);
} else {
/* Setup read/write of 4 bytes */
writel(ECC_WORD_WRITE, drvdata->base + ECC_BLK_DBYTECTRL_OFST);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 345/508] fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 344/508] EDAC/altera: Use correct write width with the INTTEST register Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 346/508] parisc/unaligned: Fix hex output to show 8 hex chars Greg Kroah-Hartman
` (165 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Murad Masimov, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
commit 05f6e183879d9785a3cdf2f08a498bc31b7a20aa upstream.
If fb_add_videomode() in fb_set_var() fails to allocate memory for
fb_videomode, later it may lead to a null-ptr dereference in
fb_videomode_to_var(), as the fb_info is registered while not having the
mode in modelist that is expected to be there, i.e. the one that is
described in fb_info->var.
================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901
Call Trace:
display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929
fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071
resize_screen drivers/tty/vt/vt.c:1176 [inline]
vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263
fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720
fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776
do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128
fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
================================================================
The reason is that fb_info->var is being modified in fb_set_var(), and
then fb_videomode_to_var() is called. If it fails to add the mode to
fb_info->modelist, fb_set_var() returns error, but does not restore the
old value of fb_info->var. Restore fb_info->var on failure the same way
it is done earlier in the function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbmem.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1061,8 +1061,10 @@ fb_set_var(struct fb_info *info, struct
!list_empty(&info->modelist))
ret = fb_add_videomode(&mode, &info->modelist);
- if (ret)
+ if (ret) {
+ info->var = old_var;
return ret;
+ }
event.info = info;
event.data = &mode;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 346/508] parisc/unaligned: Fix hex output to show 8 hex chars
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 345/508] fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 347/508] vgacon: Add check for vc_origin address range in vgacon_scroll() Greg Kroah-Hartman
` (164 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 213205889d5ffc19cb8df06aa6778b2d4724c887 upstream.
Change back printk format to 0x%08lx instead of %#08lx, since the latter
does not seem to reliably format the value to 8 hex chars.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.18+
Fixes: e5e9e7f222e5b ("parisc/unaligned: Enhance user-space visible output")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/unaligned.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/kernel/unaligned.c
+++ b/arch/parisc/kernel/unaligned.c
@@ -22,7 +22,7 @@
#define DPRINTF(fmt, args...)
#endif
-#define RFMT "%#08lx"
+#define RFMT "0x%08lx"
/* 1111 1100 0000 0000 0001 0011 1100 0000 */
#define OPCODE1(a,b,c) ((a)<<26|(b)<<12|(c)<<6)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 347/508] vgacon: Add check for vc_origin address range in vgacon_scroll()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 346/508] parisc/unaligned: Fix hex output to show 8 hex chars Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 348/508] parisc: fix building with gcc-15 Greg Kroah-Hartman
` (163 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9c09fda97a1a65ea859b, Yi Yang,
GONG Ruiqi, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: GONG Ruiqi <gongruiqi1@huawei.com>
commit 864f9963ec6b4b76d104d595ba28110b87158003 upstream.
Our in-house Syzkaller reported the following BUG (twice), which we
believed was the same issue with [1]:
==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393
...
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364
print_report+0xba/0x280 mm/kasan/report.c:475
kasan_report+0xa9/0xe0 mm/kasan/report.c:588
vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline]
vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690
vfs_write+0x219/0x960 fs/read_write.c:584
ksys_write+0x12e/0x260 fs/read_write.c:639
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
...
</TASK>
Allocated by task 5614:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:201 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc+0x62/0x140 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
kzalloc include/linux/slab.h:721 [inline]
vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193
vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007
vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031
con_font_set drivers/tty/vt/vt.c:4628 [inline]
con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675
vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474
vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752
tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
Last potentially related work creation:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
__call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
__sock_release+0xb5/0x270 net/socket.c:663
sock_close+0x1e/0x30 net/socket.c:1425
__fput+0x408/0xab0 fs/file_table.c:384
__fput_sync+0x4c/0x60 fs/file_table.c:465
__do_sys_close fs/open.c:1580 [inline]
__se_sys_close+0x68/0xd0 fs/open.c:1565
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
Second to last potentially related work creation:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
__call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
__sock_release+0xb5/0x270 net/socket.c:663
sock_close+0x1e/0x30 net/socket.c:1425
__fput+0x408/0xab0 fs/file_table.c:384
task_work_run+0x154/0x240 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:45 [inline]
do_exit+0x8e5/0x1320 kernel/exit.c:874
do_group_exit+0xcd/0x280 kernel/exit.c:1023
get_signal+0x1675/0x1850 kernel/signal.c:2905
arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218
do_syscall_64+0x66/0x110 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The buggy address belongs to the object at ffff88800f5be000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 2656 bytes to the right of
allocated 1280-byte region [ffff88800f5be000, ffff88800f5be500)
...
Memory state around the buggy address:
ffff88800f5bee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800f5bee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800f5bef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88800f5bef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800f5bf000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
By analyzing the vmcore, we found that vc->vc_origin was somehow placed
one line prior to vc->vc_screenbuf when vc was in KD_TEXT mode, and
further writings to /dev/vcs caused out-of-bounds reads (and writes
right after) in vcs_write_buf_noattr().
Our further experiments show that in most cases, vc->vc_origin equals to
vga_vram_base when the console is in KD_TEXT mode, and it's around
vc->vc_screenbuf for the KD_GRAPHICS mode. But via triggerring a
TIOCL_SETVESABLANK ioctl beforehand, we can make vc->vc_origin be around
vc->vc_screenbuf while the console is in KD_TEXT mode, and then by
writing the special 'ESC M' control sequence to the tty certain times
(depends on the value of `vc->state.y - vc->vc_top`), we can eventually
move vc->vc_origin prior to vc->vc_screenbuf. Here's the PoC, tested on
QEMU:
```
int main() {
const int RI_NUM = 10; // should be greater than `vc->state.y - vc->vc_top`
int tty_fd, vcs_fd;
const char *tty_path = "/dev/tty0";
const char *vcs_path = "/dev/vcs";
const char escape_seq[] = "\x1bM"; // ESC + M
const char trigger_seq[] = "Let's trigger an OOB write.";
struct vt_sizes vt_size = { 70, 2 };
int blank = TIOCL_BLANKSCREEN;
tty_fd = open(tty_path, O_RDWR);
char vesa_mode[] = { TIOCL_SETVESABLANK, 1 };
ioctl(tty_fd, TIOCLINUX, vesa_mode);
ioctl(tty_fd, TIOCLINUX, &blank);
ioctl(tty_fd, VT_RESIZE, &vt_size);
for (int i = 0; i < RI_NUM; ++i)
write(tty_fd, escape_seq, sizeof(escape_seq) - 1);
vcs_fd = open(vcs_path, O_RDWR);
write(vcs_fd, trigger_seq, sizeof(trigger_seq));
close(vcs_fd);
close(tty_fd);
return 0;
}
```
To solve this problem, add an address range validation check in
vgacon_scroll(), ensuring vc->vc_origin never precedes vc_screenbuf.
Reported-by: syzbot+9c09fda97a1a65ea859b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c09fda97a1a65ea859b [1]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Co-developed-by: Yi Yang <yiyang13@huawei.com>
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/console/vgacon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1157,7 +1157,7 @@ static bool vgacon_scroll(struct vc_data
c->vc_screenbuf_size - delta);
c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
vga_rolled_over = 0;
- } else
+ } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
c->vc_origin -= delta;
c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;
scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 348/508] parisc: fix building with gcc-15
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 347/508] vgacon: Add check for vc_origin address range in vgacon_scroll() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 349/508] clk: meson-g12a: add missing fclk_div2 to spicc Greg Kroah-Hartman
` (162 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 7cbb015e2d3d6f180256cde0c908eab21268e7b9 upstream.
The decompressor is built with the default C dialect, which is now gnu23
on gcc-15, and this clashes with the kernel's bool type definition:
In file included from include/uapi/linux/posix_types.h:5,
from arch/parisc/boot/compressed/misc.c:7:
include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant
11 | false = 0,
Add the -std=gnu11 argument here, as we do for all other architectures.
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/boot/compressed/Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/arch/parisc/boot/compressed/Makefile
+++ b/arch/parisc/boot/compressed/Makefile
@@ -22,6 +22,7 @@ KBUILD_CFLAGS += -fno-PIE -mno-space-reg
ifndef CONFIG_64BIT
KBUILD_CFLAGS += -mfast-indirect-calls
endif
+KBUILD_CFLAGS += -std=gnu11
LDFLAGS_vmlinux := -X -e startup --as-needed -T
$(obj)/vmlinux: $(obj)/vmlinux.lds $(addprefix $(obj)/, $(OBJECTS)) $(LIBGCC) FORCE
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 349/508] clk: meson-g12a: add missing fclk_div2 to spicc
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 348/508] parisc: fix building with gcc-15 Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 350/508] ipc: fix to protect IPCS lookups using RCU Greg Kroah-Hartman
` (161 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Da Xue, Martin Blumenstingl,
Jerome Brunet
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Da Xue <da@libre.computer>
commit daf004f87c3520c414992893e2eadd5db5f86a5a upstream.
SPICC is missing fclk_div2, which means fclk_div5 and fclk_div7 indexes
are wrong on this clock. This causes the spicc module to output sclk at
2.5x the expected rate when clock index 3 is picked.
Adding the missing fclk_div2 resolves this.
[jbrunet: amended commit description]
Fixes: a18c8e0b7697 ("clk: meson: g12a: add support for the SPICC SCLK Source clocks")
Cc: stable@vger.kernel.org # 6.1
Signed-off-by: Da Xue <da@libre.computer>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20250512142617.2175291-1-da@libre.computer
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/meson/g12a.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/clk/meson/g12a.c
+++ b/drivers/clk/meson/g12a.c
@@ -3969,6 +3969,7 @@ static const struct clk_parent_data spic
{ .hw = &g12a_clk81.hw },
{ .hw = &g12a_fclk_div4.hw },
{ .hw = &g12a_fclk_div3.hw },
+ { .hw = &g12a_fclk_div2.hw },
{ .hw = &g12a_fclk_div5.hw },
{ .hw = &g12a_fclk_div7.hw },
};
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 350/508] ipc: fix to protect IPCS lookups using RCU
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 349/508] clk: meson-g12a: add missing fclk_div2 to spicc Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 351/508] RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Greg Kroah-Hartman
` (160 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeongjun Park,
syzbot+a2b84e569d06ca3a949c, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Vasiliy Kulikov, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit d66adabe91803ef34a8b90613c81267b5ded1472 upstream.
syzbot reported that it discovered a use-after-free vulnerability, [0]
[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/
idr_for_each() is protected by rwsem, but this is not enough. If it is
not protected by RCU read-critical region, when idr_for_each() calls
radix_tree_node_free() through call_rcu() to free the radix_tree_node
structure, the node will be freed immediately, and when reading the next
node in radix_tree_for_each_slot(), the already freed memory may be read.
Therefore, we need to add code to make sure that idr_for_each() is
protected within the RCU read-critical region when we call it in
shm_destroy_orphaned().
Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com
Fixes: b34a6b1da371 ("ipc: introduce shm_rmid_forced sysctl")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reported-by: syzbot+a2b84e569d06ca3a949c@syzkaller.appspotmail.com
Cc: Jeongjun Park <aha310510@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
ipc/shm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -430,8 +430,11 @@ static int shm_try_destroy_orphaned(int
void shm_destroy_orphaned(struct ipc_namespace *ns)
{
down_write(&shm_ids(ns).rwsem);
- if (shm_ids(ns).in_use)
+ if (shm_ids(ns).in_use) {
+ rcu_read_lock();
idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
+ rcu_read_unlock();
+ }
up_write(&shm_ids(ns).rwsem);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 351/508] RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 350/508] ipc: fix to protect IPCS lookups using RCU Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 352/508] mm: fix ratelimit_pages update error in dirty_ratio_handler() Greg Kroah-Hartman
` (159 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shinichiro Kawasaki, Zhu Yanjun,
Leon Romanovsky
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
commit 6883b680e703c6b2efddb4e7a8d891ce1803d06b upstream.
The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last
deref") simplified cm_id resource management by freeing cm_id once all
references to the cm_id were removed. The references are removed either
upon completion of iw_cm event handlers or when the application destroys
the cm_id. This commit introduced the use-after-free condition where
cm_id_private object could still be in use by event handler works during
the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a
use-after-free related to destroying CM IDs") addressed this use-after-
free by flushing all pending works at the cm_id destruction.
However, still another use-after-free possibility remained. It happens
with the work objects allocated for each cm_id_priv within
alloc_work_entries() during cm_id creation, and subsequently freed in
dealloc_work_entries() once all references to the cm_id are removed.
If the cm_id's last reference is decremented in the event handler work,
the work object for the work itself gets removed, and causes the use-
after-free BUG below:
BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250
Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091
CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Workqueue: 0x0 (iw_cm_wq)
Call Trace:
<TASK>
dump_stack_lvl+0x6a/0x90
print_report+0x174/0x554
? __virt_addr_valid+0x208/0x430
? __pwq_activate_work+0x1ff/0x250
kasan_report+0xae/0x170
? __pwq_activate_work+0x1ff/0x250
__pwq_activate_work+0x1ff/0x250
pwq_dec_nr_in_flight+0x8c5/0xfb0
process_one_work+0xc11/0x1460
? __pfx_process_one_work+0x10/0x10
? assign_work+0x16c/0x240
worker_thread+0x5ef/0xfd0
? __pfx_worker_thread+0x10/0x10
kthread+0x3b0/0x770
? __pfx_kthread+0x10/0x10
? rcu_is_watching+0x11/0xb0
? _raw_spin_unlock_irq+0x24/0x50
? rcu_is_watching+0x11/0xb0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x30/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 147416:
kasan_save_stack+0x2c/0x50
kasan_save_track+0x10/0x30
__kasan_kmalloc+0xa6/0xb0
alloc_work_entries+0xa9/0x260 [iw_cm]
iw_cm_connect+0x23/0x4a0 [iw_cm]
rdma_connect_locked+0xbfd/0x1920 [rdma_cm]
nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]
cma_cm_event_handler+0xae/0x320 [rdma_cm]
cma_work_handler+0x106/0x1b0 [rdma_cm]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
Freed by task 147091:
kasan_save_stack+0x2c/0x50
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kfree+0x13a/0x4b0
dealloc_work_entries+0x125/0x1f0 [iw_cm]
iwcm_deref_id+0x6f/0xa0 [iw_cm]
cm_work_handler+0x136/0x1ba0 [iw_cm]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x2c/0x50
kasan_record_aux_stack+0xa3/0xb0
__queue_work+0x2ff/0x1390
queue_work_on+0x67/0xc0
cm_event_handler+0x46a/0x820 [iw_cm]
siw_cm_upcall+0x330/0x650 [siw]
siw_cm_work_handler+0x6b9/0x2b20 [siw]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
This BUG is reproducible by repeating the blktests test case nvme/061
for the rdma transport and the siw driver.
To avoid the use-after-free of cm_id_private work objects, ensure that
the last reference to the cm_id is decremented not in the event handler
works, but in the cm_id destruction context. For that purpose, move
iwcm_deref_id() call from destroy_cm_id() to the callers of
destroy_cm_id(). In iw_destroy_cm_id(), call iwcm_deref_id() after
flushing the pending works.
During the fix work, I noticed that iw_destroy_cm_id() is called from
cm_work_handler() and process_event() context. However, the comment of
iw_destroy_cm_id() notes that the function "cannot be called by the
event thread". Drop the false comment.
Closes: https://lore.kernel.org/linux-rdma/r5676e754sv35aq7cdsqrlnvyhiq5zktteaurl7vmfih35efko@z6lay7uypy3c/
Fixes: 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref")
Cc: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Link: https://patch.msgid.link/20250510101036.1756439-1-shinichiro.kawasaki@wdc.com
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/iwcm.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -367,12 +367,9 @@ EXPORT_SYMBOL(iw_cm_disconnect);
/*
* CM_ID <-- DESTROYING
*
- * Clean up all resources associated with the connection and release
- * the initial reference taken by iw_create_cm_id.
- *
- * Returns true if and only if the last cm_id_priv reference has been dropped.
+ * Clean up all resources associated with the connection.
*/
-static bool destroy_cm_id(struct iw_cm_id *cm_id)
+static void destroy_cm_id(struct iw_cm_id *cm_id)
{
struct iwcm_id_private *cm_id_priv;
struct ib_qp *qp;
@@ -441,20 +438,22 @@ static bool destroy_cm_id(struct iw_cm_i
iwpm_remove_mapinfo(&cm_id->local_addr, &cm_id->m_local_addr);
iwpm_remove_mapping(&cm_id->local_addr, RDMA_NL_IWCM);
}
-
- return iwcm_deref_id(cm_id_priv);
}
/*
- * This function is only called by the application thread and cannot
- * be called by the event thread. The function will wait for all
- * references to be released on the cm_id and then kfree the cm_id
- * object.
+ * Destroy cm_id. If the cm_id still has other references, wait for all
+ * references to be released on the cm_id and then release the initial
+ * reference taken by iw_create_cm_id.
*/
void iw_destroy_cm_id(struct iw_cm_id *cm_id)
{
- if (!destroy_cm_id(cm_id))
+ struct iwcm_id_private *cm_id_priv;
+
+ cm_id_priv = container_of(cm_id, struct iwcm_id_private, id);
+ destroy_cm_id(cm_id);
+ if (refcount_read(&cm_id_priv->refcount) > 1)
flush_workqueue(iwcm_wq);
+ iwcm_deref_id(cm_id_priv);
}
EXPORT_SYMBOL(iw_destroy_cm_id);
@@ -1037,8 +1036,10 @@ static void cm_work_handler(struct work_
if (!test_bit(IWCM_F_DROP_EVENTS, &cm_id_priv->flags)) {
ret = process_event(cm_id_priv, &levent);
- if (ret)
- WARN_ON_ONCE(destroy_cm_id(&cm_id_priv->id));
+ if (ret) {
+ destroy_cm_id(&cm_id_priv->id);
+ WARN_ON_ONCE(iwcm_deref_id(cm_id_priv));
+ }
} else
pr_debug("dropping event %d\n", levent.event);
if (iwcm_deref_id(cm_id_priv))
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 352/508] mm: fix ratelimit_pages update error in dirty_ratio_handler()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 351/508] RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 353/508] mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Greg Kroah-Hartman
` (158 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinliang Zheng, MengEn Sun,
Andrea Righi, Fenggaung Wu, Matthew Wilcox (Oracle),
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinliang Zheng <alexjlzheng@tencent.com>
commit f83f362d40ccceb647f7d80eb92206733d76a36b upstream.
In dirty_ratio_handler(), vm_dirty_bytes must be set to zero before
calling writeback_set_ratelimit(), as global_dirty_limits() always
prioritizes the value of vm_dirty_bytes.
It's domain_dirty_limits() that's relevant here, not node_dirty_ok:
dirty_ratio_handler
writeback_set_ratelimit
global_dirty_limits(&dirty_thresh) <- ratelimit_pages based on dirty_thresh
domain_dirty_limits
if (bytes) <- bytes = vm_dirty_bytes <--------+
thresh = f1(bytes) <- prioritizes vm_dirty_bytes |
else |
thresh = f2(ratio) |
ratelimit_pages = f3(dirty_thresh) |
vm_dirty_bytes = 0 <- it's late! ---------------------+
This causes ratelimit_pages to still use the value calculated based on
vm_dirty_bytes, which is wrong now.
The impact visible to userspace is difficult to capture directly because
there is no procfs/sysfs interface exported to user space. However, it
will have a real impact on the balance of dirty pages.
For example:
1. On default, we have vm_dirty_ratio=40, vm_dirty_bytes=0
2. echo 8192 > dirty_bytes, then vm_dirty_bytes=8192,
vm_dirty_ratio=0, and ratelimit_pages is calculated based on
vm_dirty_bytes now.
3. echo 20 > dirty_ratio, then since vm_dirty_bytes is not reset to
zero when writeback_set_ratelimit() -> global_dirty_limits() ->
domain_dirty_limits() is called, reallimit_pages is still calculated
based on vm_dirty_bytes instead of vm_dirty_ratio. This does not
conform to the actual intent of the user.
Link: https://lkml.kernel.org/r/20250415090232.7544-1-alexjlzheng@tencent.com
Fixes: 9d823e8f6b1b ("writeback: per task dirty rate limit")
Signed-off-by: Jinliang Zheng <alexjlzheng@tencent.com>
Reviewed-by: MengEn Sun <mengensun@tencent.com>
Cc: Andrea Righi <andrea@betterlinux.com>
Cc: Fenggaung Wu <fengguang.wu@intel.com>
Cc: Jinliang Zheng <alexjlzheng@tencent.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page-writeback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -540,8 +540,8 @@ static int dirty_ratio_handler(struct ct
ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
if (ret == 0 && write && vm_dirty_ratio != old_ratio) {
- writeback_set_ratelimit();
vm_dirty_bytes = 0;
+ writeback_set_ratelimit();
}
return ret;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 353/508] mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 352/508] mm: fix ratelimit_pages update error in dirty_ratio_handler() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 354/508] mtd: nand: sunxi: Add randomizer configuration before randomizer enable Greg Kroah-Hartman
` (157 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 44ed1f5ff73e9e115b6f5411744d5a22ea1c855b upstream.
The function sunxi_nfc_hw_ecc_write_chunk() calls the
sunxi_nfc_hw_ecc_write_chunk(), but does not call the configuration
function sunxi_nfc_randomizer_config(). Consequently, the randomization
might not conduct correctly, which will affect the lifespan of NAND flash.
A proper implementation can be found in sunxi_nfc_hw_ecc_write_page_dma().
Add the sunxi_nfc_randomizer_config() to config randomizer.
Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support")
Cc: stable@vger.kernel.org # v4.6
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/sunxi_nand.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mtd/nand/raw/sunxi_nand.c
+++ b/drivers/mtd/nand/raw/sunxi_nand.c
@@ -1061,6 +1061,7 @@ static int sunxi_nfc_hw_ecc_write_chunk(
if (ret)
return ret;
+ sunxi_nfc_randomizer_config(nand, page, false);
sunxi_nfc_randomizer_enable(nand);
sunxi_nfc_hw_ecc_set_prot_oob_bytes(nand, oob, 0, bbm, page);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 354/508] mtd: nand: sunxi: Add randomizer configuration before randomizer enable
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 353/508] mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 355/508] KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs Greg Kroah-Hartman
` (156 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 4a5a99bc79cdc4be63933653682b0261a67a0c9f upstream.
In sunxi_nfc_hw_ecc_read_chunk(), the sunxi_nfc_randomizer_enable() is
called without the config of randomizer. A proper implementation can be
found in sunxi_nfc_hw_ecc_read_chunks_dma().
Add sunxi_nfc_randomizer_config() before the start of randomization.
Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support")
Cc: stable@vger.kernel.org # v4.6
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/sunxi_nand.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mtd/nand/raw/sunxi_nand.c
+++ b/drivers/mtd/nand/raw/sunxi_nand.c
@@ -829,6 +829,7 @@ static int sunxi_nfc_hw_ecc_read_chunk(s
if (ret)
return ret;
+ sunxi_nfc_randomizer_config(nand, page, false);
sunxi_nfc_randomizer_enable(nand);
writel(NFC_DATA_TRANS | NFC_DATA_SWAP_METHOD | NFC_ECC_OP,
nfc->regs + NFC_REG_CMD);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 355/508] KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 354/508] mtd: nand: sunxi: Add randomizer configuration before randomizer enable Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 356/508] dm-mirror: fix a tiny race condition Greg Kroah-Hartman
` (155 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 1bee4838eb3a2c689f23c7170ea66ae87ea7d93a upstream.
When freeing a vCPU and thus its VMCB, clear current_vmcb for all possible
CPUs, not just online CPUs, as it's theoretically possible a CPU could go
offline and come back online in conjunction with KVM reusing the page for
a new VMCB.
Link: https://lore.kernel.org/all/20250320013759.3965869-1-yosry.ahmed@linux.dev
Fixes: fd65d3142f73 ("kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb")
Cc: stable@vger.kernel.org
Cc: Jim Mattson <jmattson@google.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
[sean: split to separate patch, write changelog]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1426,7 +1426,7 @@ static void svm_clear_current_vmcb(struc
{
int i;
- for_each_online_cpu(i)
+ for_each_possible_cpu(i)
cmpxchg(per_cpu_ptr(&svm_data.current_vmcb, i), vmcb, NULL);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 356/508] dm-mirror: fix a tiny race condition
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 355/508] KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 357/508] ftrace: Fix UAF when lookup kallsym after ftrace disabled Greg Kroah-Hartman
` (154 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 829451beaed6165eb11d7a9fb4e28eb17f489980 upstream.
There's a tiny race condition in dm-mirror. The functions queue_bio and
write_callback grab a spinlock, add a bio to the list, drop the spinlock
and wake up the mirrord thread that processes bios in the list.
It may be possible that the mirrord thread processes the bio just after
spin_unlock_irqrestore is called, before wakeup_mirrord. This spurious
wake-up is normally harmless, however if the device mapper device is
unloaded just after the bio was processed, it may be possible that
wakeup_mirrord(ms) uses invalid "ms" pointer.
Fix this bug by moving wakeup_mirrord inside the spinlock.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-raid1.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -128,10 +128,9 @@ static void queue_bio(struct mirror_set
spin_lock_irqsave(&ms->lock, flags);
should_wake = !(bl->head);
bio_list_add(bl, bio);
- spin_unlock_irqrestore(&ms->lock, flags);
-
if (should_wake)
wakeup_mirrord(ms);
+ spin_unlock_irqrestore(&ms->lock, flags);
}
static void dispatch_bios(void *context, struct bio_list *bio_list)
@@ -635,9 +634,9 @@ static void write_callback(unsigned long
if (!ms->failures.head)
should_wake = 1;
bio_list_add(&ms->failures, bio);
- spin_unlock_irqrestore(&ms->lock, flags);
if (should_wake)
wakeup_mirrord(ms);
+ spin_unlock_irqrestore(&ms->lock, flags);
}
static void do_write(struct mirror_set *ms, struct bio *bio)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 357/508] ftrace: Fix UAF when lookup kallsym after ftrace disabled
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 356/508] dm-mirror: fix a tiny race condition Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 358/508] net: ch9200: fix uninitialised access during mii_nway_restart Greg Kroah-Hartman
` (153 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ye Bin, Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit f914b52c379c12288b7623bb814d0508dbe7481d upstream.
The following issue happens with a buggy module:
BUG: unable to handle page fault for address: ffffffffc05d0218
PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
RIP: 0010:sized_strscpy+0x81/0x2f0
RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000
RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d
RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68
R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038
R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff
FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ftrace_mod_get_kallsym+0x1ac/0x590
update_iter_mod+0x239/0x5b0
s_next+0x5b/0xa0
seq_read_iter+0x8c9/0x1070
seq_read+0x249/0x3b0
proc_reg_read+0x1b0/0x280
vfs_read+0x17f/0x920
ksys_read+0xf3/0x1c0
do_syscall_64+0x5f/0x2e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue may happen as follows:
(1) Add kprobe tracepoint;
(2) insmod test.ko;
(3) Module triggers ftrace disabled;
(4) rmmod test.ko;
(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;
ftrace_mod_get_kallsym()
...
strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
...
The problem is when a module triggers an issue with ftrace and
sets ftrace_disable. The ftrace_disable is set when an anomaly is
discovered and to prevent any more damage, ftrace stops all text
modification. The issue that happened was that the ftrace_disable stops
more than just the text modification.
When a module is loaded, its init functions can also be traced. Because
kallsyms deletes the init functions after a module has loaded, ftrace
saves them when the module is loaded and function tracing is enabled. This
allows the output of the function trace to show the init function names
instead of just their raw memory addresses.
When a module is removed, ftrace_release_mod() is called, and if
ftrace_disable is set, it just returns without doing anything more. The
problem here is that it leaves the mod_list still around and if kallsyms
is called, it will call into this code and access the module memory that
has already been freed as it will return:
strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
Where the "mod" no longer exists and triggers a UAF bug.
Link: https://lore.kernel.org/all/20250523135452.626d8dcd@gandalf.local.home/
Cc: stable@vger.kernel.org
Fixes: aba4b5c22cba ("ftrace: Save module init functions kallsyms symbols for tracing")
Link: https://lore.kernel.org/20250529111955.2349189-2-yebin@huaweicloud.com
Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -6962,9 +6962,10 @@ void ftrace_release_mod(struct module *m
mutex_lock(&ftrace_lock);
- if (ftrace_disabled)
- goto out_unlock;
-
+ /*
+ * To avoid the UAF problem after the module is unloaded, the
+ * 'mod_map' resource needs to be released unconditionally.
+ */
list_for_each_entry_safe(mod_map, n, &ftrace_mod_maps, list) {
if (mod_map->mod == mod) {
list_del_rcu(&mod_map->list);
@@ -6973,6 +6974,9 @@ void ftrace_release_mod(struct module *m
}
}
+ if (ftrace_disabled)
+ goto out_unlock;
+
/*
* Each module has its own ftrace_pages, remove
* them from the list.
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 358/508] net: ch9200: fix uninitialised access during mii_nway_restart
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 357/508] ftrace: Fix UAF when lookup kallsym after ftrace disabled Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 359/508] KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY Greg Kroah-Hartman
` (152 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot, Qasim Ijaz, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qasim Ijaz <qasdev00@gmail.com>
commit 9ad0452c0277b816a435433cca601304cfac7c21 upstream.
In mii_nway_restart() the code attempts to call
mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()
utilises a local buffer called "buff", which is initialised
with control_read(). However "buff" is conditionally
initialised inside control_read():
if (err == size) {
memcpy(data, buf, size);
}
If the condition of "err == size" is not met, then
"buff" remains uninitialised. Once this happens the
uninitialised "buff" is accessed and returned during
ch9200_mdio_read():
return (buff[0] | buff[1] << 8);
The problem stems from the fact that ch9200_mdio_read()
ignores the return value of control_read(), leading to
uinit-access of "buff".
To fix this we should check the return value of
control_read() and return early on error.
Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Link: https://patch.msgid.link/20250526183607.66527-1-qasdev00@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/ch9200.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/ch9200.c
+++ b/drivers/net/usb/ch9200.c
@@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_d
{
struct usbnet *dev = netdev_priv(netdev);
unsigned char buff[2];
+ int ret;
netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n",
__func__, phy_id, loc);
@@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_d
if (phy_id != 0)
return -ENODEV;
- control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
- CONTROL_TIMEOUT_MS);
+ ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
+ CONTROL_TIMEOUT_MS);
+ if (ret < 0)
+ return ret;
return (buff[0] | buff[1] << 8);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 359/508] KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 358/508] net: ch9200: fix uninitialised access during mii_nway_restart Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 360/508] staging: iio: ad5933: Correct settling cycles encoding per datasheet Greg Kroah-Hartman
` (151 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
Ignacio Moreno Gonzalez, kernel test robot, Christian Borntraeger,
Yang Shi, David Hildenbrand, Liam R. Howlett, Oscar Salvador,
Claudio Imbrenda, Alexander Gordeev, Heiko Carstens,
James Houghton, Janosch Frank, Matthew Wilcox (Oracle),
Paolo Bonzini, Sven Schnelle, Vasily Gorbik, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
commit 15ac613f124e51a6623975efad9657b1f3ee47e7 upstream.
The enum type prot_type declared in arch/s390/kvm/gaccess.c declares an
unfortunate identifier within it - PROT_NONE.
This clashes with the protection bit define from the uapi for mmap()
declared in include/uapi/asm-generic/mman-common.h, which is indeed what
those casually reading this code would assume this to refer to.
This means that any changes which subsequently alter headers in any way
which results in the uapi header being imported here will cause build
errors.
Resolve the issue by renaming PROT_NONE to PROT_TYPE_DUMMY.
Link: https://lkml.kernel.org/r/20250519145657.178365-1-lorenzo.stoakes@oracle.com
Fixes: b3cefd6bf16e ("KVM: s390: Pass initialized arg even if unused")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Suggested-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez@kuka.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202505140943.IgHDa9s7-lkp@intel.com/
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Acked-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez@kuka.com>
Acked-by: Yang Shi <yang@os.amperecomputing.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Acked-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: James Houghton <jthoughton@google.com>
Cc: Janosch Frank <frankja@linux.ibm.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kvm/gaccess.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/s390/kvm/gaccess.c
+++ b/arch/s390/kvm/gaccess.c
@@ -490,7 +490,7 @@ enum prot_type {
PROT_TYPE_DAT = 3,
PROT_TYPE_IEP = 4,
/* Dummy value for passing an initialized value when code != PGM_PROTECTION */
- PROT_NONE,
+ PROT_TYPE_DUMMY,
};
static int trans_exc_ending(struct kvm_vcpu *vcpu, int code, unsigned long gva, u8 ar,
@@ -506,7 +506,7 @@ static int trans_exc_ending(struct kvm_v
switch (code) {
case PGM_PROTECTION:
switch (prot) {
- case PROT_NONE:
+ case PROT_TYPE_DUMMY:
/* We should never get here, acts like termination */
WARN_ON_ONCE(1);
break;
@@ -976,7 +976,7 @@ static int guest_range_to_gpas(struct kv
gpa = kvm_s390_real_to_abs(vcpu, ga);
if (kvm_is_error_gpa(vcpu->kvm, gpa)) {
rc = PGM_ADDRESSING;
- prot = PROT_NONE;
+ prot = PROT_TYPE_DUMMY;
}
}
if (rc)
@@ -1134,7 +1134,7 @@ int access_guest_with_key(struct kvm_vcp
if (rc == PGM_PROTECTION)
prot = PROT_TYPE_KEYC;
else
- prot = PROT_NONE;
+ prot = PROT_TYPE_DUMMY;
rc = trans_exc_ending(vcpu, rc, ga, ar, mode, prot, terminate);
}
out_unlock:
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 360/508] staging: iio: ad5933: Correct settling cycles encoding per datasheet
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 359/508] KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 361/508] mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Greg Kroah-Hartman
` (150 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriel Shahrouzi, Marcelo Schmitt,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Shahrouzi <gshahrouzi@gmail.com>
commit 60638e2a2d4bc03798f00d5ab65ce9b83cb8b03b upstream.
The AD5933 datasheet (Table 13) lists the maximum cycles to be 0x7FC
(2044).
Clamp the user input to the maximum effective value of 0x7FC cycles.
Fixes: f94aa354d676 ("iio: impedance-analyzer: New driver for AD5933/4 Impedance Converter, Network Analyzer")
Cc: stable@vger.kernel.org
Signed-off-by: Gabriel Shahrouzi <gshahrouzi@gmail.com>
Reviewed-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
Link: https://patch.msgid.link/20250420013009.847851-1-gshahrouzi@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
+++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
@@ -412,7 +412,7 @@ static ssize_t ad5933_store(struct devic
ret = ad5933_cmd(st, 0);
break;
case AD5933_OUT_SETTLING_CYCLES:
- val = clamp(val, (u16)0, (u16)0x7FF);
+ val = clamp(val, (u16)0, (u16)0x7FC);
st->settling_cycles = val;
/* 2x, 4x handling, see datasheet */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 361/508] mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 360/508] staging: iio: ad5933: Correct settling cycles encoding per datasheet Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 362/508] regulator: max14577: Add error check for max14577_read_reg() Greg Kroah-Hartman
` (149 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Khem Raj, Thomas Bogendoerfer
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khem Raj <raj.khem@gmail.com>
commit 0f4ae7c6ecb89bfda026d210dcf8216fb67d2333 upstream.
GCC 15 changed the default C standard dialect from gnu17 to gnu23,
which should not have impacted the kernel because it explicitly requests
the gnu11 standard in the main Makefile. However, mips/vdso code uses
its own CFLAGS without a '-std=' value, which break with this dialect
change because of the kernel's own definitions of bool, false, and true
conflicting with the C23 reserved keywords.
include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant
11 | false = 0,
| ^~~~~
include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards
include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef'
35 | typedef _Bool bool;
| ^~~~
include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards
Add -std as specified in KBUILD_CFLAGS to the decompressor and purgatory
CFLAGS to eliminate these errors and make the C standard version of these
areas match the rest of the kernel.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/vdso/Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mips/vdso/Makefile
+++ b/arch/mips/vdso/Makefile
@@ -32,6 +32,7 @@ endif
# offsets.
cflags-vdso := $(ccflags-vdso) \
$(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \
+ $(filter -std=%,$(KBUILD_CFLAGS)) \
-O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \
-mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \
-fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 362/508] regulator: max14577: Add error check for max14577_read_reg()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 361/508] mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 363/508] remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() Greg Kroah-Hartman
` (148 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 65271f868cb1dca709ff69e45939bbef8d6d0b70 upstream.
The function max14577_reg_get_current_limit() calls the function
max14577_read_reg(), but does not check its return value. A proper
implementation can be found in max14577_get_online().
Add a error check for the max14577_read_reg() and return error code
if the function fails.
Fixes: b0902bbeb768 ("regulator: max14577: Add regulator driver for Maxim 14577")
Cc: stable@vger.kernel.org # v3.14
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20250526025627.407-1-vulab@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/max14577-regulator.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/regulator/max14577-regulator.c
+++ b/drivers/regulator/max14577-regulator.c
@@ -40,11 +40,14 @@ static int max14577_reg_get_current_limi
struct max14577 *max14577 = rdev_get_drvdata(rdev);
const struct maxim_charger_current *limits =
&maxim_charger_currents[max14577->dev_type];
+ int ret;
if (rdev_get_id(rdev) != MAX14577_CHARGER)
return -EINVAL;
- max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, ®_data);
+ ret = max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, ®_data);
+ if (ret < 0)
+ return ret;
if ((reg_data & CHGCTRL4_MBCICHWRCL_MASK) == 0)
return limits->min;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 363/508] remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 362/508] regulator: max14577: Add error check for max14577_read_reg() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 364/508] remoteproc: core: Release rproc->clean_table after rproc_attach() fails Greg Kroah-Hartman
` (147 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mathieu Poirier, Xiaolei Wang,
Peng Fan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit 7692c9fbedd9087dc9050903f58095915458d9b1 upstream.
When rproc->state = RPROC_DETACHED and rproc_attach() is used
to attach to the remote processor, if rproc_handle_resources()
returns a failure, the resources allocated by imx_rproc_prepare()
should be released, otherwise the following memory leak will occur.
Since almost the same thing is done in imx_rproc_prepare() and
rproc_resource_cleanup(), Function rproc_resource_cleanup() is able
to deal with empty lists so it is better to fix the "goto" statements
in rproc_attach(). replace the "unprepare_device" goto statement with
"clean_up_resources" and get rid of the "unprepare_device" label.
unreferenced object 0xffff0000861c5d00 (size 128):
comm "kworker/u12:3", pid 59, jiffies 4294893509 (age 149.220s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 02 88 00 00 00 00 00 00 10 00 00 00 00 00 ............
backtrace:
[<00000000f949fe18>] slab_post_alloc_hook+0x98/0x37c
[<00000000adbfb3e7>] __kmem_cache_alloc_node+0x138/0x2e0
[<00000000521c0345>] kmalloc_trace+0x40/0x158
[<000000004e330a49>] rproc_mem_entry_init+0x60/0xf8
[<000000002815755e>] imx_rproc_prepare+0xe0/0x180
[<0000000003f61b4e>] rproc_boot+0x2ec/0x528
[<00000000e7e994ac>] rproc_add+0x124/0x17c
[<0000000048594076>] imx_rproc_probe+0x4ec/0x5d4
[<00000000efc298a1>] platform_probe+0x68/0xd8
[<00000000110be6fe>] really_probe+0x110/0x27c
[<00000000e245c0ae>] __driver_probe_device+0x78/0x12c
[<00000000f61f6f5e>] driver_probe_device+0x3c/0x118
[<00000000a7874938>] __device_attach_driver+0xb8/0xf8
[<0000000065319e69>] bus_for_each_drv+0x84/0xe4
[<00000000db3eb243>] __device_attach+0xfc/0x18c
[<0000000072e4e1a4>] device_initial_probe+0x14/0x20
Fixes: 10a3d4079eae ("remoteproc: imx_rproc: move memory parsing to rproc_ops")
Suggested-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250430092043.1819308-2-xiaolei.wang@windriver.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/remoteproc/remoteproc_core.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -1615,7 +1615,7 @@ static int rproc_attach(struct rproc *rp
ret = rproc_set_rsc_table(rproc);
if (ret) {
dev_err(dev, "can't load resource table: %d\n", ret);
- goto unprepare_device;
+ goto clean_up_resources;
}
/* reset max_notifyid */
@@ -1632,7 +1632,7 @@ static int rproc_attach(struct rproc *rp
ret = rproc_handle_resources(rproc, rproc_loading_handlers);
if (ret) {
dev_err(dev, "Failed to process resources: %d\n", ret);
- goto unprepare_device;
+ goto clean_up_resources;
}
/* Allocate carveout resources associated to rproc */
@@ -1651,7 +1651,6 @@ static int rproc_attach(struct rproc *rp
clean_up_resources:
rproc_resource_cleanup(rproc);
-unprepare_device:
/* release HW resources if needed */
rproc_unprepare_device(rproc);
disable_iommu:
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 364/508] remoteproc: core: Release rproc->clean_table after rproc_attach() fails
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 363/508] remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 365/508] cifs: reset connections for all channels when reconnect requested Greg Kroah-Hartman
` (146 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiaolei Wang, Peng Fan,
Mathieu Poirier
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit bcd241230fdbc6005230f80a4f8646ff5a84f15b upstream.
When rproc->state = RPROC_DETACHED is attached to remote processor
through rproc_attach(), if rproc_handle_resources() returns failure,
then the clean table should be released, otherwise the following
memory leak will occur.
unreferenced object 0xffff000086a99800 (size 1024):
comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s)
hex dump (first 32 bytes):
00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............
00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............
backtrace:
[<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc
[<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230
[<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260
[<0000000037818dae>] kmemdup+0x34/0x60
[<00000000610f7f57>] rproc_boot+0x35c/0x56c
[<0000000065f8871a>] rproc_add+0x124/0x17c
[<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4
[<000000003bcaa37d>] platform_probe+0x68/0xd8
[<00000000771577f9>] really_probe+0x110/0x27c
[<00000000531fea59>] __driver_probe_device+0x78/0x12c
[<0000000080036a04>] driver_probe_device+0x3c/0x118
[<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8
[<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4
[<000000001a53b53e>] __device_attach+0xfc/0x18c
[<00000000d1a2a32c>] device_initial_probe+0x14/0x20
[<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4
unreferenced object 0xffff0000864c9690 (size 16):
Fixes: 9dc9507f1880 ("remoteproc: Properly deal with the resource table when detaching")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250430092043.1819308-3-xiaolei.wang@windriver.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/remoteproc/remoteproc_core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -1653,6 +1653,7 @@ clean_up_resources:
rproc_resource_cleanup(rproc);
/* release HW resources if needed */
rproc_unprepare_device(rproc);
+ kfree(rproc->clean_table);
disable_iommu:
rproc_disable_iommu(rproc);
return ret;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 365/508] cifs: reset connections for all channels when reconnect requested
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 364/508] remoteproc: core: Release rproc->clean_table after rproc_attach() fails Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 366/508] uio_hv_generic: Use correct size for interrupt and monitor pages Greg Kroah-Hartman
` (145 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shyam Prasad N, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
commit 1f396b9bfe39aaf55ea74a7005806164b236653d upstream.
cifs_reconnect can be called with a flag to mark the session as needing
reconnect too. When this is done, we expect the connections of all
channels to be reconnected too, which is not happening today.
Without doing this, we have seen bad things happen when primary and
secondary channels are connected to different servers (in case of cloud
services like Azure Files SMB).
This change would force all connections to reconnect as well, not just
the sessions and tcons.
Cc: <stable@vger.kernel.org>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -410,6 +410,13 @@ static int __cifs_reconnect(struct TCP_S
if (!cifs_tcp_ses_needs_reconnect(server, 1))
return 0;
+ /*
+ * if smb session has been marked for reconnect, also reconnect all
+ * connections. This way, the other connections do not end up bad.
+ */
+ if (mark_smb_session)
+ cifs_signal_cifsd_for_reconnect(server, mark_smb_session);
+
cifs_mark_tcp_ses_conns_for_reconnect(server, mark_smb_session);
cifs_abort_connection(server);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 366/508] uio_hv_generic: Use correct size for interrupt and monitor pages
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 365/508] cifs: reset connections for all channels when reconnect requested Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 367/508] PCI: cadence-ep: Correct PBA offset in .set_msix() callback Greg Kroah-Hartman
` (144 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Michael Kelley, Wei Liu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit c951ab8fd3589cf6991ed4111d2130816f2e3ac2 upstream.
Interrupt and monitor pages should be in Hyper-V page size (4k bytes).
This can be different from the system page size.
This size is read and used by the user-mode program to determine the
mapped data region. An example of such user-mode program is the VMBus
driver in DPDK.
Cc: stable@vger.kernel.org
Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus")
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Link: https://lore.kernel.org/r/1746492997-4599-3-git-send-email-longli@linuxonhyperv.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Message-ID: <1746492997-4599-3-git-send-email-longli@linuxonhyperv.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/uio/uio_hv_generic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/uio/uio_hv_generic.c
+++ b/drivers/uio/uio_hv_generic.c
@@ -288,13 +288,13 @@ hv_uio_probe(struct hv_device *dev,
pdata->info.mem[INT_PAGE_MAP].name = "int_page";
pdata->info.mem[INT_PAGE_MAP].addr
= (uintptr_t)vmbus_connection.int_page;
- pdata->info.mem[INT_PAGE_MAP].size = PAGE_SIZE;
+ pdata->info.mem[INT_PAGE_MAP].size = HV_HYP_PAGE_SIZE;
pdata->info.mem[INT_PAGE_MAP].memtype = UIO_MEM_LOGICAL;
pdata->info.mem[MON_PAGE_MAP].name = "monitor_page";
pdata->info.mem[MON_PAGE_MAP].addr
= (uintptr_t)vmbus_connection.monitor_pages[1];
- pdata->info.mem[MON_PAGE_MAP].size = PAGE_SIZE;
+ pdata->info.mem[MON_PAGE_MAP].size = HV_HYP_PAGE_SIZE;
pdata->info.mem[MON_PAGE_MAP].memtype = UIO_MEM_LOGICAL;
pdata->recv_buf = vzalloc(RECV_BUFFER_SIZE);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 367/508] PCI: cadence-ep: Correct PBA offset in .set_msix() callback
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 366/508] uio_hv_generic: Use correct size for interrupt and monitor pages Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 368/508] PCI: Add ACS quirk for Loongson PCIe Greg Kroah-Hartman
` (143 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Manivannan Sadhasivam,
Bjorn Helgaas, Wilfred Mallawa, Damien Le Moal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit c8bcb01352a86bc5592403904109c22b66bd916e upstream.
While cdns_pcie_ep_set_msix() writes the Table Size field correctly (N-1),
the calculation of the PBA offset is wrong because it calculates space for
(N-1) entries instead of N.
This results in the following QEMU error when using PCI passthrough on a
device which relies on the PCI endpoint subsystem:
failed to add PCI capability 0x11[0x50]@0xb0: table & pba overlap, or they don't fit in BARs, or don't align
Fix the calculation of PBA offset in the MSI-X capability.
[bhelgaas: more specific subject and commit log]
Fixes: 3ef5d16f50f8 ("PCI: cadence: Add MSI-X support to Endpoint driver")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250514074313.283156-10-cassel@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c
+++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c
@@ -294,13 +294,14 @@ static int cdns_pcie_ep_set_msix(struct
struct cdns_pcie *pcie = &ep->pcie;
u32 cap = CDNS_PCIE_EP_FUNC_MSIX_CAP_OFFSET;
u32 val, reg;
+ u16 actual_interrupts = interrupts + 1;
fn = cdns_pcie_get_fn_from_vfn(pcie, fn, vfn);
reg = cap + PCI_MSIX_FLAGS;
val = cdns_pcie_ep_fn_readw(pcie, fn, reg);
val &= ~PCI_MSIX_FLAGS_QSIZE;
- val |= interrupts;
+ val |= interrupts; /* 0's based value */
cdns_pcie_ep_fn_writew(pcie, fn, reg, val);
/* Set MSIX BAR and offset */
@@ -310,7 +311,7 @@ static int cdns_pcie_ep_set_msix(struct
/* Set PBA BAR and offset. BAR must match MSIX BAR */
reg = cap + PCI_MSIX_PBA;
- val = (offset + (interrupts * PCI_MSIX_ENTRY_SIZE)) | bir;
+ val = (offset + (actual_interrupts * PCI_MSIX_ENTRY_SIZE)) | bir;
cdns_pcie_ep_fn_writel(pcie, fn, reg, val);
return 0;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 368/508] PCI: Add ACS quirk for Loongson PCIe
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 367/508] PCI: cadence-ep: Correct PBA offset in .set_msix() callback Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 369/508] PCI: Fix lock symmetry in pci_slot_unlock() Greg Kroah-Hartman
` (142 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xianglai Li, Huacai Chen,
Bjorn Helgaas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 1f3303aa92e15fa273779acac2d0023609de30f1 upstream.
Loongson PCIe Root Ports don't advertise an ACS capability, but they do not
allow peer-to-peer transactions between Root Ports. Add an ACS quirk so
each Root Port can be in a separate IOMMU group.
Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250403040756.720409-1-chenhuacai@loongson.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/quirks.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -4880,6 +4880,18 @@ static int pci_quirk_brcm_acs(struct pci
PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
}
+static int pci_quirk_loongson_acs(struct pci_dev *dev, u16 acs_flags)
+{
+ /*
+ * Loongson PCIe Root Ports don't advertise an ACS capability, but
+ * they do not allow peer-to-peer transactions between Root Ports.
+ * Allow each Root Port to be in a separate IOMMU group by masking
+ * SV/RR/CR/UF bits.
+ */
+ return pci_acs_ctrl_enabled(acs_flags,
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+}
+
/*
* Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on
* multi-function devices, the hardware isolates the functions by
@@ -5013,6 +5025,17 @@ static const struct pci_dev_acs_enabled
{ PCI_VENDOR_ID_BROADCOM, 0x1762, pci_quirk_mf_endpoint_acs },
{ PCI_VENDOR_ID_BROADCOM, 0x1763, pci_quirk_mf_endpoint_acs },
{ PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs },
+ /* Loongson PCIe Root Ports */
+ { PCI_VENDOR_ID_LOONGSON, 0x3C09, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x3C19, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x3C29, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A09, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A19, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A29, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A39, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A49, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A59, pci_quirk_loongson_acs },
+ { PCI_VENDOR_ID_LOONGSON, 0x7A69, pci_quirk_loongson_acs },
/* Amazon Annapurna Labs */
{ PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs },
/* Zhaoxin multi-function devices */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 369/508] PCI: Fix lock symmetry in pci_slot_unlock()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 368/508] PCI: Add ACS quirk for Loongson PCIe Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 370/508] PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() Greg Kroah-Hartman
` (141 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Lukas Wunner, Dave Jiang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
commit f3efb9569b4a21354ef2caf7ab0608a3e14cc6e4 upstream.
The commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()")
made the lock function to call depend on dev->subordinate but left
pci_slot_unlock() unmodified creating locking asymmetry compared with
pci_slot_lock().
Because of the asymmetric lock handling, the same bridge device is unlocked
twice. First pci_bus_unlock() unlocks bus->self and then pci_slot_unlock()
will unconditionally unlock the same bridge device.
Move pci_dev_unlock() inside an else branch to match the logic in
pci_slot_lock().
Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()")
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250505115412.37628-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -5687,7 +5687,8 @@ static void pci_slot_unlock(struct pci_s
continue;
if (dev->subordinate)
pci_bus_unlock(dev->subordinate);
- pci_dev_unlock(dev);
+ else
+ pci_dev_unlock(dev);
}
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 370/508] PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 369/508] PCI: Fix lock symmetry in pci_slot_unlock() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 371/508] iio: accel: fxls8962af: Fix temperature scan element sign Greg Kroah-Hartman
` (140 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Diederik de Haas,
Manivannan Sadhasivam, Niklas Cassel, Dragan Simic, Shawn Lin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Diederik de Haas <didi.debian@cknow.org>
commit 286ed198b899739862456f451eda884558526a9d upstream.
The documentation for the phy_power_off() function explicitly says that it
must be called before phy_exit().
Hence, follow the same rule in rockchip_pcie_phy_deinit().
Fixes: 0e898eb8df4e ("PCI: rockchip-dwc: Add Rockchip RK356X host controller driver")
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
[mani: commit message change]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Cc: stable@vger.kernel.org # v5.15+
Link: https://patch.msgid.link/20250417142138.1377451-1-didi.debian@cknow.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pcie-dw-rockchip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c
+++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c
@@ -275,8 +275,8 @@ static int rockchip_pcie_phy_init(struct
static void rockchip_pcie_phy_deinit(struct rockchip_pcie *rockchip)
{
- phy_exit(rockchip->phy);
phy_power_off(rockchip->phy);
+ phy_exit(rockchip->phy);
}
static const struct dw_pcie_ops dw_pcie_ops = {
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 371/508] iio: accel: fxls8962af: Fix temperature scan element sign
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 370/508] PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 372/508] iio: imu: inv_icm42600: Fix temperature calculation Greg Kroah-Hartman
` (139 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Schmitt, Sean Nyekjaer,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit 9c78317b42e7c32523c91099859bc4721e9f75dd upstream.
Mark the temperature element signed, data read from the TEMP_OUT register
is in two's complement format.
This will avoid the temperature being mishandled and miss displayed.
Fixes: a3e0b51884ee ("iio: accel: add support for FXLS8962AF/FXLS8964AF accelerometers")
Suggested-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250505-fxls-v4-2-a38652e21738@geanix.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/fxls8962af-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/accel/fxls8962af-core.c
+++ b/drivers/iio/accel/fxls8962af-core.c
@@ -738,6 +738,7 @@ static const struct iio_event_spec fxls8
BIT(IIO_CHAN_INFO_OFFSET),\
.scan_index = -1, \
.scan_type = { \
+ .sign = 's', \
.realbits = 8, \
.storagebits = 8, \
}, \
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 372/508] iio: imu: inv_icm42600: Fix temperature calculation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 371/508] iio: accel: fxls8962af: Fix temperature scan element sign Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 373/508] iio: adc: ad7606_spi: fix reg write value mask Greg Kroah-Hartman
` (138 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer,
Jean-Baptiste Maneyrol, Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit e2f820014239df9360064079ae93f838ff3b7f8c upstream.
>From the documentation:
"offset to be added to <type>[Y]_raw prior toscaling by <type>[Y]_scale"
Offset should be applied before multiplying scale, so divide offset by
scale to make this correct.
Fixes: bc3eb0207fb5 ("iio: imu: inv_icm42600: add temperature sensor support")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Acked-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Link: https://patch.msgid.link/20250502-imu-v1-1-129b8391a4e3@geanix.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
@@ -67,16 +67,18 @@ int inv_icm42600_temp_read_raw(struct ii
return IIO_VAL_INT;
/*
* T°C = (temp / 132.48) + 25
- * Tm°C = 1000 * ((temp * 100 / 13248) + 25)
+ * Tm°C = 1000 * ((temp / 132.48) + 25)
+ * Tm°C = 7.548309 * temp + 25000
+ * Tm°C = (temp + 3312) * 7.548309
* scale: 100000 / 13248 ~= 7.548309
- * offset: 25000
+ * offset: 3312
*/
case IIO_CHAN_INFO_SCALE:
*val = 7;
*val2 = 548309;
return IIO_VAL_INT_PLUS_MICRO;
case IIO_CHAN_INFO_OFFSET:
- *val = 25000;
+ *val = 3312;
return IIO_VAL_INT;
default:
return -EINVAL;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 373/508] iio: adc: ad7606_spi: fix reg write value mask
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 372/508] iio: imu: inv_icm42600: Fix temperature calculation Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 374/508] ACPICA: fix acpi operand cache leak in dswstate.c Greg Kroah-Hartman
` (137 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Angelo Dureghello,
Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit 89944d88f8795c6c89b9514cb365998145511cd4 upstream.
Fix incorrect value mask for register write. Register values are 8-bit,
not 9. If this function was called with a value > 0xFF and an even addr,
it would cause writing to the next register.
Fixes: f2a22e1e172f ("iio: adc: ad7606: Add support for software mode for ad7616")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Angelo Dureghello <adureghello@baylibre.com>
Link: https://patch.msgid.link/20250428-iio-adc-ad7606_spi-fix-write-value-mask-v1-1-a2d5e85a809f@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7606_spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/ad7606_spi.c
+++ b/drivers/iio/adc/ad7606_spi.c
@@ -151,7 +151,7 @@ static int ad7606_spi_reg_write(struct a
struct spi_device *spi = to_spi_device(st->dev);
st->d16[0] = cpu_to_be16((st->bops->rd_wr_cmd(addr, 1) << 8) |
- (val & 0x1FF));
+ (val & 0xFF));
return spi_write(spi, &st->d16[0], sizeof(st->d16[0]));
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 374/508] ACPICA: fix acpi operand cache leak in dswstate.c
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 373/508] iio: adc: ad7606_spi: fix reg write value mask Greg Kroah-Hartman
@ 2025-06-23 13:06 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 375/508] ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 Greg Kroah-Hartman
` (136 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seunghun Han, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seunghun Han <kkamagui@gmail.com>
[ Upstream commit 156fd20a41e776bbf334bd5e45c4f78dfc90ce1c ]
ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732
I found an ACPI cache leak in ACPI early termination and boot continuing case.
When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
Boot log of ACPI operand cache leak is as follows:
>[ 0.585957] ACPI: Added _OSI(Module Device)
>[ 0.587218] ACPI: Added _OSI(Processor Device)
>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device)
>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
>[ 0.597858] ACPI: Unable to start the ACPI Interpreter
>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
>[ 0.609177] Call Trace:
>[ 0.610063] ? dump_stack+0x5c/0x81
>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0
>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27
>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10
>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b
>[ 0.619293] ? acpi_terminate+0xa/0x14
>[ 0.620394] ? acpi_init+0x2af/0x34f
>[ 0.621616] ? __class_create+0x4c/0x80
>[ 0.623412] ? video_setup+0x7f/0x7f
>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27
>[ 0.625861] ? do_one_initcall+0x4e/0x1a0
>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f
>[ 0.628972] ? rest_init+0x80/0x80
>[ 0.630043] ? kernel_init+0xa/0x100
>[ 0.631084] ? ret_from_fork+0x25/0x30
>[ 0.633343] vgaarb: loaded
>[ 0.635036] EDAC MC: Ver: 3.0.0
>[ 0.638601] PCI: Probing PCI hardware
>[ 0.639833] PCI host bridge to bus 0000:00
>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff]
> ... Continue to boot and log is omitted ...
I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
function uses walk_state->operand_index for start position of the top, but
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
Therefore, this causes acpi operand memory leak.
This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.
I made a patch to fix ACPI operand cache leak.
Link: https://github.com/acpica/acpica/commit/987a3b5c
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/4999480.31r3eYUQgx@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/dsutils.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/acpica/dsutils.c b/drivers/acpi/acpica/dsutils.c
index fb9ed5e1da89d..2bdae8a25e084 100644
--- a/drivers/acpi/acpica/dsutils.c
+++ b/drivers/acpi/acpica/dsutils.c
@@ -668,6 +668,8 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state,
union acpi_parse_object *arguments[ACPI_OBJ_NUM_OPERANDS];
u32 arg_count = 0;
u32 index = walk_state->num_operands;
+ u32 prev_num_operands = walk_state->num_operands;
+ u32 new_num_operands;
u32 i;
ACPI_FUNCTION_TRACE_PTR(ds_create_operands, first_arg);
@@ -696,6 +698,7 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state,
/* Create the interpreter arguments, in reverse order */
+ new_num_operands = index;
index--;
for (i = 0; i < arg_count; i++) {
arg = arguments[index];
@@ -720,7 +723,11 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state,
* pop everything off of the operand stack and delete those
* objects
*/
- acpi_ds_obj_stack_pop_and_delete(arg_count, walk_state);
+ walk_state->num_operands = i;
+ acpi_ds_obj_stack_pop_and_delete(new_num_operands, walk_state);
+
+ /* Restore operand count */
+ walk_state->num_operands = prev_num_operands;
ACPI_EXCEPTION((AE_INFO, status, "While creating Arg %u", index));
return_ACPI_STATUS(status);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 375/508] ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2025-06-23 13:06 ` [PATCH 6.1 374/508] ACPICA: fix acpi operand cache leak in dswstate.c Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 376/508] clocksource: Fix the CPUs choice in the watchdog per CPU verification Greg Kroah-Hartman
` (135 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Talhah Peerbhai, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Talhah Peerbhai <talhah.peerbhai@gmail.com>
[ Upstream commit a28206060dc5848a1a2a15b7f6ac6223d869084d ]
Similar to many other Lenovo models with AMD chips, the Lenovo
Yoga Pro 7 14ASP9 (product name 83HN) requires a specific quirk
to ensure internal mic detection. This patch adds a quirk fixing this.
Signed-off-by: Talhah Peerbhai <talhah.peerbhai@gmail.com>
Link: https://patch.msgid.link/20250515222741.144616-1-talhah.peerbhai@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index 1f94269e121af..d5dc1d48fca94 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -304,6 +304,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "83AS"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "83HN"),
+ }
+ },
{
.driver_data = &acp6x_card,
.matches = {
@@ -353,7 +360,7 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "M5402RA"),
}
},
- {
+ {
.driver_data = &acp6x_card,
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 376/508] clocksource: Fix the CPUs choice in the watchdog per CPU verification
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 375/508] ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 377/508] mmc: Add quirk to disable DDR50 tuning Greg Kroah-Hartman
` (134 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Guilherme G. Piccoli, Thomas Gleixner, Paul E. McKenney,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guilherme G. Piccoli <gpiccoli@igalia.com>
[ Upstream commit 08d7becc1a6b8c936e25d827becabfe3bff72a36 ]
Right now, if the clocksource watchdog detects a clocksource skew, it might
perform a per CPU check, for example in the TSC case on x86. In other
words: supposing TSC is detected as unstable by the clocksource watchdog
running at CPU1, as part of marking TSC unstable the kernel will also run a
check of TSC readings on some CPUs to be sure it is synced between them
all.
But that check happens only on some CPUs, not all of them; this choice is
based on the parameter "verify_n_cpus" and in some random cpumask
calculation. So, the watchdog runs such per CPU checks on up to
"verify_n_cpus" random CPUs among all online CPUs, with the risk of
repeating CPUs (that aren't double checked) in the cpumask random
calculation.
But if "verify_n_cpus" > num_online_cpus(), it should skip the random
calculation and just go ahead and check the clocksource sync between
all online CPUs, without the risk of skipping some CPUs due to
duplicity in the random cpumask calculation.
Tests in a 4 CPU laptop with TSC skew detected led to some cases of the per
CPU verification skipping some CPU even with verify_n_cpus=8, due to the
duplicity on random cpumask generation. Skipping the randomization when the
number of online CPUs is smaller than verify_n_cpus, solves that.
Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/all/20250323173857.372390-1-gpiccoli@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index 9e221a97d2274..e89fd0bbc3b35 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -285,7 +285,7 @@ static void clocksource_verify_choose_cpus(void)
{
int cpu, i, n = verify_n_cpus;
- if (n < 0) {
+ if (n < 0 || n >= num_online_cpus()) {
/* Check all of the CPUs. */
cpumask_copy(&cpus_chosen, cpu_online_mask);
cpumask_clear_cpu(smp_processor_id(), &cpus_chosen);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 377/508] mmc: Add quirk to disable DDR50 tuning
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 376/508] clocksource: Fix the CPUs choice in the watchdog per CPU verification Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 378/508] ACPICA: Avoid sequence overread in call to strncmp() Greg Kroah-Hartman
` (133 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erick Shepherd, Adrian Hunter,
Ulf Hansson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erick Shepherd <erick.shepherd@ni.com>
[ Upstream commit 9510b38dc0ba358c93cbf5ee7c28820afb85937b ]
Adds the MMC_QUIRK_NO_UHS_DDR50_TUNING quirk and updates
mmc_execute_tuning() to return 0 if that quirk is set. This fixes an
issue on certain Swissbit SD cards that do not support DDR50 tuning
where tuning requests caused I/O errors to be thrown.
Signed-off-by: Erick Shepherd <erick.shepherd@ni.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250331221337.1414534-1-erick.shepherd@ni.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/core/card.h | 6 ++++++
drivers/mmc/core/quirks.h | 10 ++++++++++
drivers/mmc/core/sd.c | 32 ++++++++++++++++++++++++--------
include/linux/mmc/card.h | 1 +
4 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/drivers/mmc/core/card.h b/drivers/mmc/core/card.h
index 8476754b1b170..fe0b2fa3bb89d 100644
--- a/drivers/mmc/core/card.h
+++ b/drivers/mmc/core/card.h
@@ -86,6 +86,7 @@ struct mmc_fixup {
#define CID_MANFID_MICRON 0x13
#define CID_MANFID_SAMSUNG 0x15
#define CID_MANFID_APACER 0x27
+#define CID_MANFID_SWISSBIT 0x5D
#define CID_MANFID_KINGSTON 0x70
#define CID_MANFID_HYNIX 0x90
#define CID_MANFID_KINGSTON_SD 0x9F
@@ -291,4 +292,9 @@ static inline int mmc_card_broken_sd_poweroff_notify(const struct mmc_card *c)
return c->quirks & MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY;
}
+static inline int mmc_card_no_uhs_ddr50_tuning(const struct mmc_card *c)
+{
+ return c->quirks & MMC_QUIRK_NO_UHS_DDR50_TUNING;
+}
+
#endif
diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h
index 12c90b567ce38..d05f220fdeee3 100644
--- a/drivers/mmc/core/quirks.h
+++ b/drivers/mmc/core/quirks.h
@@ -34,6 +34,16 @@ static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = {
MMC_QUIRK_BROKEN_SD_CACHE | MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY,
EXT_CSD_REV_ANY),
+ /*
+ * Swissbit series S46-u cards throw I/O errors during tuning requests
+ * after the initial tuning request expectedly times out. This has
+ * only been observed on cards manufactured on 01/2019 that are using
+ * Bay Trail host controllers.
+ */
+ _FIXUP_EXT("0016G", CID_MANFID_SWISSBIT, 0x5342, 2019, 1,
+ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
+ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY),
+
END_FIXUP
};
diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
index 819af50ae175c..557c4ee1e2770 100644
--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -618,6 +618,29 @@ static int sd_set_current_limit(struct mmc_card *card, u8 *status)
return 0;
}
+/*
+ * Determine if the card should tune or not.
+ */
+static bool mmc_sd_use_tuning(struct mmc_card *card)
+{
+ /*
+ * SPI mode doesn't define CMD19 and tuning is only valid for SDR50 and
+ * SDR104 mode SD-cards. Note that tuning is mandatory for SDR104.
+ */
+ if (mmc_host_is_spi(card->host))
+ return false;
+
+ switch (card->host->ios.timing) {
+ case MMC_TIMING_UHS_SDR50:
+ case MMC_TIMING_UHS_SDR104:
+ return true;
+ case MMC_TIMING_UHS_DDR50:
+ return !mmc_card_no_uhs_ddr50_tuning(card);
+ }
+
+ return false;
+}
+
/*
* UHS-I specific initialization procedure
*/
@@ -661,14 +684,7 @@ static int mmc_sd_init_uhs_card(struct mmc_card *card)
if (err)
goto out;
- /*
- * SPI mode doesn't define CMD19 and tuning is only valid for SDR50 and
- * SDR104 mode SD-cards. Note that tuning is mandatory for SDR104.
- */
- if (!mmc_host_is_spi(card->host) &&
- (card->host->ios.timing == MMC_TIMING_UHS_SDR50 ||
- card->host->ios.timing == MMC_TIMING_UHS_DDR50 ||
- card->host->ios.timing == MMC_TIMING_UHS_SDR104)) {
+ if (mmc_sd_use_tuning(card)) {
err = mmc_execute_tuning(card);
/*
diff --git a/include/linux/mmc/card.h b/include/linux/mmc/card.h
index afa575e362a47..7c6da19fff9f0 100644
--- a/include/linux/mmc/card.h
+++ b/include/linux/mmc/card.h
@@ -297,6 +297,7 @@ struct mmc_card {
#define MMC_QUIRK_BROKEN_SD_CACHE (1<<15) /* Disable broken SD cache support */
#define MMC_QUIRK_BROKEN_CACHE_FLUSH (1<<16) /* Don't flush cache until the write has occurred */
#define MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY (1<<17) /* Disable broken SD poweroff notify support */
+#define MMC_QUIRK_NO_UHS_DDR50_TUNING (1<<18) /* Disable DDR50 tuning */
bool written_flag; /* Indicates eMMC has been written since power on */
bool reenable_cmdq; /* Re-enable Command Queue */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 378/508] ACPICA: Avoid sequence overread in call to strncmp()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 377/508] mmc: Add quirk to disable DDR50 tuning Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 379/508] ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change Greg Kroah-Hartman
` (132 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed Salem, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed Salem <x0rw3ll@gmail.com>
[ Upstream commit 64b9dfd0776e9c38d733094859a09f13282ce6f8 ]
ACPICA commit 8b83a8d88dfec59ea147fad35fc6deea8859c58c
ap_get_table_length() checks if tables are valid by
calling ap_is_valid_header(). The latter then calls
ACPI_VALIDATE_RSDP_SIG(Table->Signature).
ap_is_valid_header() accepts struct acpi_table_header as an argument, so
the signature size is always fixed to 4 bytes.
The problem is when the string comparison is between ACPI-defined table
signature and ACPI_SIG_RSDP. Common ACPI table header specifies the
Signature field to be 4 bytes long[1], with the exception of the RSDP
structure whose signature is 8 bytes long "RSD PTR " (including the
trailing blank character)[2]. Calling strncmp(sig, rsdp_sig, 8) would
then result in a sequence overread[3] as sig would be smaller (4 bytes)
than the specified bound (8 bytes).
As a workaround, pass the bound conditionally based on the size of the
signature being passed.
Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#system-description-table-header [1]
Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#root-system-description-pointer-rsdp-structure [2]
Link: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wstringop-overread [3]
Link: https://github.com/acpica/acpica/commit/8b83a8d8
Signed-off-by: Ahmed Salem <x0rw3ll@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2248233.Mh6RI2rZIc@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/acpi/actypes.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h
index 3491e454b2abf..680586f885a8c 100644
--- a/include/acpi/actypes.h
+++ b/include/acpi/actypes.h
@@ -527,7 +527,7 @@ typedef u64 acpi_integer;
/* Support for the special RSDP signature (8 characters) */
-#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, 8))
+#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, (sizeof(a) < 8) ? ACPI_NAMESEG_SIZE : 8))
#define ACPI_MAKE_RSDP_SIG(dest) (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_SIG_RSDP, 8))
/* Support for OEMx signature (x can be any character) */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 379/508] ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 378/508] ACPICA: Avoid sequence overread in call to strncmp() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 380/508] ACPI: bus: Bail out if acpi_kobj registration fails Greg Kroah-Hartman
` (131 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Gompa, Hector Martin,
James Calligeros, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit f529c91be8a34ac12e7599bf87c65b6f4a2c9f5c ]
The ISENSE/VSENSE blocks are only powered up when the amplifier
transitions from shutdown to active. This means that if those controls
are flipped on while the amplifier is already playing back audio, they
will have no effect.
Fix this by forcing a power cycle around transitions in those controls.
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-1-50a00ec850a3@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2770.c | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c
index e284a3a854591..8bd98e9817c97 100644
--- a/sound/soc/codecs/tas2770.c
+++ b/sound/soc/codecs/tas2770.c
@@ -158,11 +158,37 @@ static const struct snd_kcontrol_new isense_switch =
static const struct snd_kcontrol_new vsense_switch =
SOC_DAPM_SINGLE("Switch", TAS2770_PWR_CTRL, 2, 1, 1);
+static int sense_event(struct snd_soc_dapm_widget *w,
+ struct snd_kcontrol *kcontrol, int event)
+{
+ struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
+ struct tas2770_priv *tas2770 = snd_soc_component_get_drvdata(component);
+
+ /*
+ * Powering up ISENSE/VSENSE requires a trip through the shutdown state.
+ * Do that here to ensure that our changes are applied properly, otherwise
+ * we might end up with non-functional IVSENSE if playback started earlier,
+ * which would break software speaker protection.
+ */
+ switch (event) {
+ case SND_SOC_DAPM_PRE_REG:
+ return snd_soc_component_update_bits(component, TAS2770_PWR_CTRL,
+ TAS2770_PWR_CTRL_MASK,
+ TAS2770_PWR_CTRL_SHUTDOWN);
+ case SND_SOC_DAPM_POST_REG:
+ return tas2770_update_pwr_ctrl(tas2770);
+ default:
+ return 0;
+ }
+}
+
static const struct snd_soc_dapm_widget tas2770_dapm_widgets[] = {
SND_SOC_DAPM_AIF_IN("ASI1", "ASI1 Playback", 0, SND_SOC_NOPM, 0, 0),
SND_SOC_DAPM_MUX("ASI1 Sel", SND_SOC_NOPM, 0, 0, &tas2770_asi1_mux),
- SND_SOC_DAPM_SWITCH("ISENSE", TAS2770_PWR_CTRL, 3, 1, &isense_switch),
- SND_SOC_DAPM_SWITCH("VSENSE", TAS2770_PWR_CTRL, 2, 1, &vsense_switch),
+ SND_SOC_DAPM_SWITCH_E("ISENSE", TAS2770_PWR_CTRL, 3, 1, &isense_switch,
+ sense_event, SND_SOC_DAPM_PRE_REG | SND_SOC_DAPM_POST_REG),
+ SND_SOC_DAPM_SWITCH_E("VSENSE", TAS2770_PWR_CTRL, 2, 1, &vsense_switch,
+ sense_event, SND_SOC_DAPM_PRE_REG | SND_SOC_DAPM_POST_REG),
SND_SOC_DAPM_DAC_E("DAC", NULL, SND_SOC_NOPM, 0, 0, tas2770_dac_event,
SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
SND_SOC_DAPM_OUTPUT("OUT"),
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 380/508] ACPI: bus: Bail out if acpi_kobj registration fails
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 379/508] ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 381/508] ACPICA: fix acpi parse and parseext cache leaks Greg Kroah-Hartman
` (130 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 94a370fc8def6038dbc02199db9584b0b3690f1a ]
The ACPI sysfs code will fail to initialize if acpi_kobj is NULL,
together with some ACPI drivers.
Follow the other firmware subsystems and bail out if the kobject
cannot be registered.
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20250518185111.3560-2-W_Armin@gmx.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/bus.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
index a16b7de73d164..fafa15507b141 100644
--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -1389,8 +1389,10 @@ static int __init acpi_init(void)
}
acpi_kobj = kobject_create_and_add("acpi", firmware_kobj);
- if (!acpi_kobj)
- pr_debug("%s: kset create error\n", __func__);
+ if (!acpi_kobj) {
+ pr_err("Failed to register kobject\n");
+ return -ENOMEM;
+ }
init_prmt();
acpi_init_pcc();
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 381/508] ACPICA: fix acpi parse and parseext cache leaks
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 380/508] ACPI: bus: Bail out if acpi_kobj registration fails Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 382/508] power: supply: bq27xxx: Retrieve again when busy Greg Kroah-Hartman
` (129 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seunghun Han, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seunghun Han <kkamagui@gmail.com>
[ Upstream commit bed18f0bdcd6737a938264a59d67923688696fc4 ]
ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5
I'm Seunghun Han, and I work for National Security Research Institute of
South Korea.
I have been doing a research on ACPI and found an ACPI cache leak in ACPI
early abort cases.
Boot log of ACPI cache leak is as follows:
[ 0.352414] ACPI: Added _OSI(Module Device)
[ 0.353182] ACPI: Added _OSI(Processor Device)
[ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 0.353182] ACPI: Added _OSI(Processor Aggregator Device)
[ 0.356028] ACPI: Unable to start the ACPI Interpreter
[ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
[ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W
4.12.0-rc4-next-20170608+ #10
[ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS
virtual_box 12/01/2006
[ 0.361873] Call Trace:
[ 0.362243] ? dump_stack+0x5c/0x81
[ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0
[ 0.362944] ? acpi_sleep_proc_init+0x27/0x27
[ 0.363296] ? acpi_os_delete_cache+0xa/0x10
[ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b
[ 0.364000] ? acpi_terminate+0xa/0x14
[ 0.364000] ? acpi_init+0x2af/0x34f
[ 0.364000] ? __class_create+0x4c/0x80
[ 0.364000] ? video_setup+0x7f/0x7f
[ 0.364000] ? acpi_sleep_proc_init+0x27/0x27
[ 0.364000] ? do_one_initcall+0x4e/0x1a0
[ 0.364000] ? kernel_init_freeable+0x189/0x20a
[ 0.364000] ? rest_init+0xc0/0xc0
[ 0.364000] ? kernel_init+0xa/0x100
[ 0.364000] ? ret_from_fork+0x25/0x30
I analyzed this memory leak in detail. I found that “Acpi-State” cache and
“Acpi-Parse” cache were merged because the size of cache objects was same
slab cache size.
I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked
using SLAB_NEVER_MERGE flag in kmem_cache_create() function.
Real ACPI cache leak point is as follows:
[ 0.360101] ACPI: Added _OSI(Module Device)
[ 0.360101] ACPI: Added _OSI(Processor Device)
[ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 0.361043] ACPI: Added _OSI(Processor Aggregator Device)
[ 0.364016] ACPI: Unable to start the ACPI Interpreter
[ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
[ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W
4.12.0-rc4-next-20170608+ #8
[ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS
virtual_box 12/01/2006
[ 0.372000] Call Trace:
[ 0.372000] ? dump_stack+0x5c/0x81
[ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0
[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27
[ 0.372000] ? acpi_os_delete_cache+0xa/0x10
[ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b
[ 0.372000] ? acpi_terminate+0xa/0x14
[ 0.372000] ? acpi_init+0x2af/0x34f
[ 0.372000] ? __class_create+0x4c/0x80
[ 0.372000] ? video_setup+0x7f/0x7f
[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27
[ 0.372000] ? do_one_initcall+0x4e/0x1a0
[ 0.372000] ? kernel_init_freeable+0x189/0x20a
[ 0.372000] ? rest_init+0xc0/0xc0
[ 0.372000] ? kernel_init+0xa/0x100
[ 0.372000] ? ret_from_fork+0x25/0x30
[ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects
[ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W
4.12.0-rc4-next-20170608+ #8
[ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS
virtual_box 12/01/2006
[ 0.392000] Call Trace:
[ 0.392000] ? dump_stack+0x5c/0x81
[ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0
[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27
[ 0.392000] ? acpi_os_delete_cache+0xa/0x10
[ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b
[ 0.392000] ? acpi_terminate+0xa/0x14
[ 0.392000] ? acpi_init+0x2af/0x34f
[ 0.392000] ? __class_create+0x4c/0x80
[ 0.392000] ? video_setup+0x7f/0x7f
[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27
[ 0.392000] ? do_one_initcall+0x4e/0x1a0
[ 0.392000] ? kernel_init_freeable+0x189/0x20a
[ 0.392000] ? rest_init+0xc0/0xc0
[ 0.392000] ? kernel_init+0xa/0x100
[ 0.392000] ? ret_from_fork+0x25/0x30
When early abort is occurred due to invalid ACPI information, Linux kernel
terminates ACPI by calling acpi_terminate() function. The function calls
acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_
cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache).
But the deletion codes in acpi_ut_delete_caches() function only delete
slab caches using kmem_cache_destroy() function, therefore the cache
objects should be flushed before acpi_ut_delete_caches() function.
"Acpi-Parse" cache and "Acpi-ParseExt" cache are used in an AML parse
function, acpi_ps_parse_loop(). The function should complete all ops
using acpi_ps_complete_final_op() when an error occurs due to invalid
AML codes.
However, the current implementation of acpi_ps_complete_final_op() does not
complete all ops when it meets some errors and this cause cache leak.
This cache leak has a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.
To fix ACPI cache leak for enhancing security, I made a patch to complete all
ops unconditionally for acpi_ps_complete_final_op() function.
I hope that this patch improves the security of Linux kernel.
Thank you.
Link: https://github.com/acpica/acpica/commit/8829e70e
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2363774.ElGaqSPkdT@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/psobject.c | 52 ++++++++++------------------------
1 file changed, 15 insertions(+), 37 deletions(-)
diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c
index bca249e67c6b5..3c887515bad41 100644
--- a/drivers/acpi/acpica/psobject.c
+++ b/drivers/acpi/acpica/psobject.c
@@ -636,7 +636,8 @@ acpi_status
acpi_ps_complete_final_op(struct acpi_walk_state *walk_state,
union acpi_parse_object *op, acpi_status status)
{
- acpi_status status2;
+ acpi_status return_status = status;
+ u8 ascending = TRUE;
ACPI_FUNCTION_TRACE_PTR(ps_complete_final_op, walk_state);
@@ -650,7 +651,7 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state,
op));
do {
if (op) {
- if (walk_state->ascending_callback != NULL) {
+ if (ascending && walk_state->ascending_callback != NULL) {
walk_state->op = op;
walk_state->op_info =
acpi_ps_get_opcode_info(op->common.
@@ -672,49 +673,26 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state,
}
if (status == AE_CTRL_TERMINATE) {
- status = AE_OK;
-
- /* Clean up */
- do {
- if (op) {
- status2 =
- acpi_ps_complete_this_op
- (walk_state, op);
- if (ACPI_FAILURE
- (status2)) {
- return_ACPI_STATUS
- (status2);
- }
- }
-
- acpi_ps_pop_scope(&
- (walk_state->
- parser_state),
- &op,
- &walk_state->
- arg_types,
- &walk_state->
- arg_count);
-
- } while (op);
-
- return_ACPI_STATUS(status);
+ ascending = FALSE;
+ return_status = AE_CTRL_TERMINATE;
}
else if (ACPI_FAILURE(status)) {
/* First error is most important */
- (void)
- acpi_ps_complete_this_op(walk_state,
- op);
- return_ACPI_STATUS(status);
+ ascending = FALSE;
+ return_status = status;
}
}
- status2 = acpi_ps_complete_this_op(walk_state, op);
- if (ACPI_FAILURE(status2)) {
- return_ACPI_STATUS(status2);
+ status = acpi_ps_complete_this_op(walk_state, op);
+ if (ACPI_FAILURE(status)) {
+ ascending = FALSE;
+ if (ACPI_SUCCESS(return_status) ||
+ return_status == AE_CTRL_TERMINATE) {
+ return_status = status;
+ }
}
}
@@ -724,5 +702,5 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state,
} while (op);
- return_ACPI_STATUS(status);
+ return_ACPI_STATUS(return_status);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 382/508] power: supply: bq27xxx: Retrieve again when busy
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 381/508] ACPICA: fix acpi parse and parseext cache leaks Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 383/508] ACPICA: utilities: Fix overflow check in vsnprintf() Greg Kroah-Hartman
` (128 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Jerry Lv,
Sebastian Reichel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerry Lv <Jerry.Lv@axis.com>
[ Upstream commit f16d9fb6cf03fdbdefa41a8b32ba1e57afb7ae3d ]
Multiple applications may access the battery gauge at the same time, so
the gauge may be busy and EBUSY will be returned. The driver will set a
flag to record the EBUSY state, and this flag will be kept until the next
periodic update. When this flag is set, bq27xxx_battery_get_property()
will just return ENODEV until the flag is updated.
Even if the gauge was busy during the last accessing attempt, returning
ENODEV is not ideal, and can cause confusion in the applications layer.
Instead, retry accessing the I2C to update the flag is as expected, for
the gauge typically recovers from busy state within a few milliseconds.
If still failed to access the gauge, the real error code would be returned
instead of ENODEV (as suggested by Pali Rohár).
Reviewed-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Jerry Lv <Jerry.Lv@axis.com>
Link: https://lore.kernel.org/r/20250415-foo-fix-v2-1-5b45a395e4cc@axis.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/bq27xxx_battery.c | 2 +-
drivers/power/supply/bq27xxx_battery_i2c.c | 13 ++++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c
index 2868dcf3f96dc..b3dd64ab8d32c 100644
--- a/drivers/power/supply/bq27xxx_battery.c
+++ b/drivers/power/supply/bq27xxx_battery.c
@@ -2044,7 +2044,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy,
mutex_unlock(&di->lock);
if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0)
- return -ENODEV;
+ return di->cache.flags;
switch (psp) {
case POWER_SUPPLY_PROP_STATUS:
diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c
index 17b37354e32c0..b05d2693fde04 100644
--- a/drivers/power/supply/bq27xxx_battery_i2c.c
+++ b/drivers/power/supply/bq27xxx_battery_i2c.c
@@ -6,6 +6,7 @@
* Andrew F. Davis <afd@ti.com>
*/
+#include <linux/delay.h>
#include <linux/i2c.h>
#include <linux/interrupt.h>
#include <linux/module.h>
@@ -32,6 +33,7 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg,
struct i2c_msg msg[2];
u8 data[2];
int ret;
+ int retry = 0;
if (!client->adapter)
return -ENODEV;
@@ -48,7 +50,16 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg,
else
msg[1].len = 2;
- ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg));
+ do {
+ ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg));
+ if (ret == -EBUSY && ++retry < 3) {
+ /* sleep 10 milliseconds when busy */
+ usleep_range(10000, 11000);
+ continue;
+ }
+ break;
+ } while (1);
+
if (ret < 0)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 383/508] ACPICA: utilities: Fix overflow check in vsnprintf()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 382/508] power: supply: bq27xxx: Retrieve again when busy Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 384/508] ASoC: tegra210_ahub: Add check to of_device_get_match_data() Greg Kroah-Hartman
` (127 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, gldrk,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: gldrk <me@rarity.fan>
[ Upstream commit 12b660251007e00a3e4d47ec62dbe3a7ace7023e ]
ACPICA commit d9d59b7918514ae55063b93f3ec041b1a569bf49
The old version breaks sprintf on 64-bit systems for buffers
outside [0..UINT32_MAX].
Link: https://github.com/acpica/acpica/commit/d9d59b79
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/4994935.GXAFRqVoOG@rjwysocki.net
Signed-off-by: gldrk <me@rarity.fan>
[ rjw: Added the tag from gldrk ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/utprint.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/acpi/acpica/utprint.c b/drivers/acpi/acpica/utprint.c
index d5aa2109847f3..67104bfc184de 100644
--- a/drivers/acpi/acpica/utprint.c
+++ b/drivers/acpi/acpica/utprint.c
@@ -333,11 +333,8 @@ int vsnprintf(char *string, acpi_size size, const char *format, va_list args)
pos = string;
- if (size != ACPI_UINT32_MAX) {
- end = string + size;
- } else {
- end = ACPI_CAST_PTR(char, ACPI_UINT32_MAX);
- }
+ size = ACPI_MIN(size, ACPI_PTR_DIFF(ACPI_MAX_PTR, string));
+ end = string + size;
for (; *format; ++format) {
if (*format != '%') {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 384/508] ASoC: tegra210_ahub: Add check to of_device_get_match_data()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 383/508] ACPICA: utilities: Fix overflow check in vsnprintf() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 385/508] PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Greg Kroah-Hartman
` (126 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuanjun Gong, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanjun Gong <ruc_gongyuanjun@163.com>
[ Upstream commit 04cb269c204398763a620d426cbee43064854000 ]
In tegra_ahub_probe(), check the result of function
of_device_get_match_data(), return an error code in case it fails.
Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
Link: https://patch.msgid.link/20250513123744.3041724-1-ruc_gongyuanjun@163.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/tegra/tegra210_ahub.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/tegra/tegra210_ahub.c b/sound/soc/tegra/tegra210_ahub.c
index dfdcb4580cd75..4be5683504154 100644
--- a/sound/soc/tegra/tegra210_ahub.c
+++ b/sound/soc/tegra/tegra210_ahub.c
@@ -1369,6 +1369,8 @@ static int tegra_ahub_probe(struct platform_device *pdev)
return -ENOMEM;
ahub->soc_data = of_device_get_match_data(&pdev->dev);
+ if (!ahub->soc_data)
+ return -ENODEV;
platform_set_drvdata(pdev, ahub);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 385/508] PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 384/508] ASoC: tegra210_ahub: Add check to of_device_get_match_data() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 386/508] ACPI: battery: negate current when discharging Greg Kroah-Hartman
` (125 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrick Daly, Charan Teja Kalla,
Rafael J. Wysocki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charan Teja Kalla <quic_charante@quicinc.com>
[ Upstream commit 40d3b40dce375d6f1c1dbf08d79eed3aed6c691d ]
pm_runtime_put_autosuspend() schedules a hrtimer to expire
at "dev->power.timer_expires". If the hrtimer's callback,
pm_suspend_timer_fn(), observes that the current time equals
"dev->power.timer_expires", it unexpectedly bails out instead of
proceeding with runtime suspend.
pm_suspend_timer_fn():
if (expires > 0 && expires < ktime_get_mono_fast_ns()) {
dev->power.timer_expires = 0;
rpm_suspend(..)
}
Additionally, as ->timer_expires is not cleared, all the future auto
suspend requests will not schedule hrtimer to perform auto suspend.
rpm_suspend():
if ((rpmflags & RPM_AUTO) &&...) {
if (!(dev->power.timer_expires && ...) { <-- this will fail.
hrtimer_start_range_ns(&dev->power.suspend_timer,...);
}
}
Fix this by as well checking if current time reaches the set expiration.
Co-developed-by: Patrick Daly <quic_pdaly@quicinc.com>
Signed-off-by: Patrick Daly <quic_pdaly@quicinc.com>
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Link: https://patch.msgid.link/20250515064125.1211561-1-quic_charante@quicinc.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/runtime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index bb68cba4d85a9..313ccb7e77646 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1001,7 +1001,7 @@ static enum hrtimer_restart pm_suspend_timer_fn(struct hrtimer *timer)
* If 'expires' is after the current time, we've been called
* too early.
*/
- if (expires > 0 && expires < ktime_get_mono_fast_ns()) {
+ if (expires > 0 && expires <= ktime_get_mono_fast_ns()) {
dev->power.timer_expires = 0;
rpm_suspend(dev, dev->power.timer_autosuspends ?
(RPM_ASYNC | RPM_AUTO) : RPM_ASYNC);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 386/508] ACPI: battery: negate current when discharging
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 385/508] PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 387/508] net: macb: Check return value of dma_set_mask_and_coherent() Greg Kroah-Hartman
` (124 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Marheine, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Marheine <pmarheine@chromium.org>
[ Upstream commit 234f71555019d308c6bc6f98c78c5551cb8cd56a ]
The ACPI specification requires that battery rate is always positive,
but the kernel ABI for POWER_SUPPLY_PROP_CURRENT_NOW
(Documentation/ABI/testing/sysfs-class-power) specifies that it should
be negative when a battery is discharging. When reporting CURRENT_NOW,
massage the value to match the documented ABI.
This only changes the sign of `current_now` and not `power_now` because
documentation doesn't describe any particular meaning for `power_now` so
leaving `power_now` unchanged is less likely to confuse userspace
unnecessarily, whereas becoming consistent with the documented ABI is
worth potentially confusing clients that read `current_now`.
Signed-off-by: Peter Marheine <pmarheine@chromium.org>
Link: https://patch.msgid.link/20250508024146.1436129-1-pmarheine@chromium.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/battery.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 5a4e022662417..2f188a734a0c5 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -241,10 +241,23 @@ static int acpi_battery_get_property(struct power_supply *psy,
break;
case POWER_SUPPLY_PROP_CURRENT_NOW:
case POWER_SUPPLY_PROP_POWER_NOW:
- if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN)
+ if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) {
ret = -ENODEV;
- else
- val->intval = battery->rate_now * 1000;
+ break;
+ }
+
+ val->intval = battery->rate_now * 1000;
+ /*
+ * When discharging, the current should be reported as a
+ * negative number as per the power supply class interface
+ * definition.
+ */
+ if (psp == POWER_SUPPLY_PROP_CURRENT_NOW &&
+ (battery->state & ACPI_BATTERY_STATE_DISCHARGING) &&
+ acpi_battery_handle_discharging(battery)
+ == POWER_SUPPLY_STATUS_DISCHARGING)
+ val->intval = -val->intval;
+
break;
case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN:
case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN:
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 387/508] net: macb: Check return value of dma_set_mask_and_coherent()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 386/508] ACPI: battery: negate current when discharging Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 388/508] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Greg Kroah-Hartman
` (123 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergio Perez Gonzalez,
Claudiu Beznea, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Perez Gonzalez <sperezglz@gmail.com>
[ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ]
Issue flagged by coverity. Add a safety check for the return value
of dma_set_mask_and_coherent, go to a safe exit if it returns error.
Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=1643754
Signed-off-by: Sergio Perez Gonzalez <sperezglz@gmail.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cadence/macb_main.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
index d2f4709dee0de..495a1cb0bc183 100644
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -4956,7 +4956,11 @@ static int macb_probe(struct platform_device *pdev)
#ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) {
- dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44));
+ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44));
+ if (err) {
+ dev_err(&pdev->dev, "failed to set DMA mask\n");
+ goto err_out_free_netdev;
+ }
bp->hw_dma_cap |= HW_DMA_CAP_64B;
}
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 388/508] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 387/508] net: macb: Check return value of dma_set_mask_and_coherent() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 389/508] tipc: use kfree_sensitive() for aead cleanup Greg Kroah-Hartman
` (122 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rengarajan S, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rengarajan S <rengarajan.s@microchip.com>
[ Upstream commit 3b9935586a9b54d2da27901b830d3cf46ad66a1e ]
Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb
and 64 Kb respectively. Adjust max size definitions and return correct
EEPROM length based on device. Also prevent out-of-bound read/write.
Signed-off-by: Rengarajan S <rengarajan.s@microchip.com>
Link: https://patch.msgid.link/20250523173326.18509-1-rengarajan.s@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/microchip/lan743x_ethtool.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan743x_ethtool.c b/drivers/net/ethernet/microchip/lan743x_ethtool.c
index e47a579410fbb..bd00ee2ca69fd 100644
--- a/drivers/net/ethernet/microchip/lan743x_ethtool.c
+++ b/drivers/net/ethernet/microchip/lan743x_ethtool.c
@@ -18,6 +18,8 @@
#define EEPROM_MAC_OFFSET (0x01)
#define MAX_EEPROM_SIZE (512)
#define MAX_OTP_SIZE (1024)
+#define MAX_HS_OTP_SIZE (8 * 1024)
+#define MAX_HS_EEPROM_SIZE (64 * 1024)
#define OTP_INDICATOR_1 (0xF3)
#define OTP_INDICATOR_2 (0xF7)
@@ -272,6 +274,9 @@ static int lan743x_hs_otp_read(struct lan743x_adapter *adapter, u32 offset,
int ret;
int i;
+ if (offset + length > MAX_HS_OTP_SIZE)
+ return -EINVAL;
+
ret = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT);
if (ret < 0)
return ret;
@@ -320,6 +325,9 @@ static int lan743x_hs_otp_write(struct lan743x_adapter *adapter, u32 offset,
int ret;
int i;
+ if (offset + length > MAX_HS_OTP_SIZE)
+ return -EINVAL;
+
ret = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT);
if (ret < 0)
return ret;
@@ -497,6 +505,9 @@ static int lan743x_hs_eeprom_read(struct lan743x_adapter *adapter,
u32 val;
int i;
+ if (offset + length > MAX_HS_EEPROM_SIZE)
+ return -EINVAL;
+
retval = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT);
if (retval < 0)
return retval;
@@ -539,6 +550,9 @@ static int lan743x_hs_eeprom_write(struct lan743x_adapter *adapter,
u32 val;
int i;
+ if (offset + length > MAX_HS_EEPROM_SIZE)
+ return -EINVAL;
+
retval = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT);
if (retval < 0)
return retval;
@@ -604,9 +618,9 @@ static int lan743x_ethtool_get_eeprom_len(struct net_device *netdev)
struct lan743x_adapter *adapter = netdev_priv(netdev);
if (adapter->flags & LAN743X_ADAPTER_FLAG_OTP)
- return MAX_OTP_SIZE;
+ return adapter->is_pci11x1x ? MAX_HS_OTP_SIZE : MAX_OTP_SIZE;
- return MAX_EEPROM_SIZE;
+ return adapter->is_pci11x1x ? MAX_HS_EEPROM_SIZE : MAX_EEPROM_SIZE;
}
static int lan743x_ethtool_get_eeprom(struct net_device *netdev,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 389/508] tipc: use kfree_sensitive() for aead cleanup
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 388/508] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 390/508] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Greg Kroah-Hartman
` (121 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Tung Nguyen,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit c8ef20fe7274c5766a317f9193b70bed717b6b3d ]
The tipc_aead_free() function currently uses kfree() to release the aead
structure. However, this structure contains sensitive information, such
as key's SALT value, which should be securely erased from memory to
prevent potential leakage.
To enhance security, replace kfree() with kfree_sensitive() when freeing
the aead structure. This change ensures that sensitive data is explicitly
cleared before memory deallocation, aligning with the approach used in
tipc_aead_init() and adhering to best practices for handling confidential
information.
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250523114717.4021518-1-zilin@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 17e2b09002853..d52829c6aa472 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -425,7 +425,7 @@ static void tipc_aead_free(struct rcu_head *rp)
}
free_percpu(aead->tfm_entry);
kfree_sensitive(aead->key);
- kfree(aead);
+ kfree_sensitive(aead);
}
static int tipc_aead_users(struct tipc_aead __rcu *aead)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 390/508] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 389/508] tipc: use kfree_sensitive() for aead cleanup Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 391/508] i2c: designware: Invoke runtime suspend on quick slave re-registration Greg Kroah-Hartman
` (120 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+dce5aae19ae4d6399986, Hou Tao,
Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
[ Upstream commit d4965578267e2e81f67c86e2608481e77e9c8569 ]
bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf
program. When BPF JIT is disabled or under 32-bit host,
bpf_map_lookup_percpu_elem() will not be inlined. Using it in a
sleepable bpf program will trigger the warning in
bpf_map_lookup_percpu_elem(), because the bpf program only holds
rcu_read_lock_trace lock. Therefore, add the missed check.
Reported-by: syzbot+dce5aae19ae4d6399986@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/bpf/000000000000176a130617420310@google.com/
Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20250526062534.1105938-1-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/helpers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 4fef0a0155255..94e85d311641b 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -125,7 +125,8 @@ const struct bpf_func_proto bpf_map_peek_elem_proto = {
BPF_CALL_3(bpf_map_lookup_percpu_elem, struct bpf_map *, map, void *, key, u32, cpu)
{
- WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
+ WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held() &&
+ !rcu_read_lock_bh_held());
return (unsigned long) map->ops->map_lookup_percpu_elem(map, key, cpu);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 391/508] i2c: designware: Invoke runtime suspend on quick slave re-registration
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 390/508] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 392/508] emulex/benet: correct command version selection in be_cmd_get_stats() Greg Kroah-Hartman
` (119 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tan En De, Jarkko Nikula, Andi Shyti,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tan En De <ende.tan@starfivetech.com>
[ Upstream commit 2fe2b969d911a09abcd6a47401a3c66c38a310e6 ]
Replaced pm_runtime_put() with pm_runtime_put_sync_suspend() to ensure
the runtime suspend is invoked immediately when unregistering a slave.
This prevents a race condition where suspend was skipped when
unregistering and registering slave in quick succession.
For example, consider the rapid sequence of
`delete_device -> new_device -> delete_device -> new_device`.
In this sequence, it is observed that the dw_i2c_plat_runtime_suspend()
might not be invoked after `delete_device` operation.
This is because after `delete_device` operation, when the
pm_runtime_put() is about to trigger suspend, the following `new_device`
operation might race and cancel the suspend.
If that happens, during the `new_device` operation,
dw_i2c_plat_runtime_resume() is skipped (since there was no suspend), which
means `i_dev->init()`, i.e. i2c_dw_init_slave(), is skipped.
Since i2c_dw_init_slave() is skipped, i2c_dw_configure_fifo_slave() is
skipped too, which leaves `DW_IC_INTR_MASK` unconfigured. If we inspect
the interrupt mask register using devmem, it will show as zero.
Example shell script to reproduce the issue:
```
#!/bin/sh
SLAVE_LADDR=0x1010
SLAVE_BUS=13
NEW_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/new_device
DELETE_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/delete_device
# Create initial device
echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE
sleep 2
# Rapid sequence of
# delete_device -> new_device -> delete_device -> new_device
echo $SLAVE_LADDR > $DELETE_DEVICE
echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE
echo $SLAVE_LADDR > $DELETE_DEVICE
echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE
# Using devmem to inspect IC_INTR_MASK will show as zero
```
Signed-off-by: Tan En De <ende.tan@starfivetech.com>
Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20250412023303.378600-1-ende.tan@starfivetech.com
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-designware-slave.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c
index 5b54a9b9ed1a3..09b8ccc040c6e 100644
--- a/drivers/i2c/busses/i2c-designware-slave.c
+++ b/drivers/i2c/busses/i2c-designware-slave.c
@@ -97,7 +97,7 @@ static int i2c_dw_unreg_slave(struct i2c_client *slave)
dev->disable(dev);
synchronize_irq(dev->irq);
dev->slave = NULL;
- pm_runtime_put(dev->dev);
+ pm_runtime_put_sync_suspend(dev->dev);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 392/508] emulex/benet: correct command version selection in be_cmd_get_stats()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 391/508] i2c: designware: Invoke runtime suspend on quick slave re-registration Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 393/508] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Greg Kroah-Hartman
` (118 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit edb888d29748cee674006a52e544925dacc7728e ]
Logic here always sets hdr->version to 2 if it is not a BE3 or Lancer chip,
even if it is BE2. Use 'else if' to prevent multiple assignments, setting
version 0 for BE2, version 1 for BE3 and Lancer, and version 2 for others.
Fixes potential incorrect version setting when BE2_chip and
BE3_chip/lancer_chip checks could both be true.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250519141731.691136-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
index d00f4e29c9d88..17098cd89dfff 100644
--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -1608,7 +1608,7 @@ int be_cmd_get_stats(struct be_adapter *adapter, struct be_dma_mem *nonemb_cmd)
/* version 1 of the cmd is not supported only by BE2 */
if (BE2_chip(adapter))
hdr->version = 0;
- if (BE3_chip(adapter) || lancer_chip(adapter))
+ else if (BE3_chip(adapter) || lancer_chip(adapter))
hdr->version = 1;
else
hdr->version = 2;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 393/508] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 392/508] emulex/benet: correct command version selection in be_cmd_get_stats() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 394/508] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Greg Kroah-Hartman
` (117 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henk Vergonet, Lorenzo Bianconi,
Felix Fietkau, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henk Vergonet <henk.vergonet@gmail.com>
[ Upstream commit 3c0e4f606d8693795a2c965d6f4987b1bfc31097 ]
Adds support for:
- LiteOn WN4516R
- LiteOn WN4519R
Both use:
- A nonstandard USB connector
- Mediatek chipset MT7600U
- ASIC revision: 76320044
Disabled VHT support on ASIC revision 76320044:
This fixes the 5G connectibity issue on LiteOn WN4519R module
see https://github.com/openwrt/mt76/issues/971
And may also fix the 5G issues on the XBox One Wireless Adapter
see https://github.com/openwrt/mt76/issues/200
I have looked at the FCC info related to the MT7632U chip as mentioned in here:
https://github.com/openwrt/mt76/issues/459
These confirm the chipset does not support 'ac' mode and hence VHT should be turned of.
Signed-off-by: Henk Vergonet <henk.vergonet@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20250418143914.31384-1-henk.vergonet@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 ++
.../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
index d804309992196..229a365370ef5 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
@@ -17,6 +17,8 @@ static const struct usb_device_id mt76x2u_device_table[] = {
{ USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */
{ USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */
{ USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */
+ { USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */
+ { USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */
{ USB_DEVICE(0x2c4e, 0x0103) }, /* Mercury UD13 */
{ USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
{ USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c
index 33a14365ec9b9..3b55628115115 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c
@@ -191,6 +191,7 @@ int mt76x2u_register_device(struct mt76x02_dev *dev)
{
struct ieee80211_hw *hw = mt76_hw(dev);
struct mt76_usb *usb = &dev->mt76.usb;
+ bool vht;
int err;
INIT_DELAYED_WORK(&dev->cal_work, mt76x2u_phy_calibrate);
@@ -217,7 +218,17 @@ int mt76x2u_register_device(struct mt76x02_dev *dev)
/* check hw sg support in order to enable AMSDU */
hw->max_tx_fragments = dev->mt76.usb.sg_en ? MT_TX_SG_MAX_SIZE : 1;
- err = mt76_register_device(&dev->mt76, true, mt76x02_rates,
+ switch (dev->mt76.rev) {
+ case 0x76320044:
+ /* these ASIC revisions do not support VHT */
+ vht = false;
+ break;
+ default:
+ vht = true;
+ break;
+ }
+
+ err = mt76_register_device(&dev->mt76, vht, mt76x02_rates,
ARRAY_SIZE(mt76x02_rates));
if (err)
goto fail;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 394/508] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 393/508] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 395/508] sctp: Do not wake readers in __sctp_write_space() Greg Kroah-Hartman
` (116 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Williams, Felix Fietkau,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Williams <sam8641@gmail.com>
[ Upstream commit 7011faebe543f8f094fdb3281d0ec9e1eab81309 ]
This allows mt7922 in hostapd mode to transmit up to 1.4 Gbps.
Signed-off-by: Samuel Williams <sam8641@gmail.com>
Link: https://patch.msgid.link/20250511005316.1118961-1-sam8641@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 5070cc23917bd..7adda1718d6ac 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -104,6 +104,11 @@ mt7921_init_he_caps(struct mt7921_phy *phy, enum nl80211_band band,
he_cap_elem->phy_cap_info[9] |=
IEEE80211_HE_PHY_CAP9_TX_1024_QAM_LESS_THAN_242_TONE_RU |
IEEE80211_HE_PHY_CAP9_RX_1024_QAM_LESS_THAN_242_TONE_RU;
+
+ if (is_mt7922(phy->mt76->dev)) {
+ he_cap_elem->phy_cap_info[0] |=
+ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
+ }
break;
case NL80211_IFTYPE_STATION:
he_cap_elem->mac_cap_info[1] |=
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 395/508] sctp: Do not wake readers in __sctp_write_space()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 394/508] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 396/508] cpufreq: scmi: Skip SCMI devices that arent used by the CPUs Greg Kroah-Hartman
` (115 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Malat, Xin Long, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Malat <oss@malat.biz>
[ Upstream commit af295892a7abbf05a3c2ba7abc4d81bb448623d6 ]
Function __sctp_write_space() doesn't set poll key, which leads to
ep_poll_callback() waking up all waiters, not only these waiting
for the socket being writable. Set the key properly using
wake_up_interruptible_poll(), which is preferred over the sync
variant, as writers are not woken up before at least half of the
queue is available. Also, TCP does the same.
Signed-off-by: Petr Malat <oss@malat.biz>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20250516081727.1361451-1-oss@malat.biz
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 65162d67c3a3c..8a8a5cf8d8e65 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9089,7 +9089,8 @@ static void __sctp_write_space(struct sctp_association *asoc)
wq = rcu_dereference(sk->sk_wq);
if (wq) {
if (waitqueue_active(&wq->wait))
- wake_up_interruptible(&wq->wait);
+ wake_up_interruptible_poll(&wq->wait, EPOLLOUT |
+ EPOLLWRNORM | EPOLLWRBAND);
/* Note that we try to include the Async I/O support
* here by modeling from the current TCP/UDP code.
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 396/508] cpufreq: scmi: Skip SCMI devices that arent used by the CPUs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 395/508] sctp: Do not wake readers in __sctp_write_space() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 397/508] i2c: tegra: check msg length in SMBUS block read Greg Kroah-Hartman
` (114 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Tipton, Peng Fan,
Cristian Marussi, Sudeep Holla, Viresh Kumar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Tipton <quic_mdtipton@quicinc.com>
[ Upstream commit 6c9bb86922728c7a4cceb99f131e00dd87514f20 ]
Currently, all SCMI devices with performance domains attempt to register
a cpufreq driver, even if their performance domains aren't used to
control the CPUs. The cpufreq framework only supports registering a
single driver, so only the first device will succeed. And if that device
isn't used for the CPUs, then cpufreq will scale the wrong domains.
To avoid this, return early from scmi_cpufreq_probe() if the probing
SCMI device isn't referenced by the CPU device phandles.
This keeps the existing assumption that all CPUs are controlled by a
single SCMI device.
Signed-off-by: Mike Tipton <quic_mdtipton@quicinc.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Tested-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/scmi-cpufreq.c | 36 +++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
index e4989764efe2a..6ff77003a96ea 100644
--- a/drivers/cpufreq/scmi-cpufreq.c
+++ b/drivers/cpufreq/scmi-cpufreq.c
@@ -299,6 +299,40 @@ static struct cpufreq_driver scmi_cpufreq_driver = {
.register_em = scmi_cpufreq_register_em,
};
+static bool scmi_dev_used_by_cpus(struct device *scmi_dev)
+{
+ struct device_node *scmi_np = dev_of_node(scmi_dev);
+ struct device_node *cpu_np, *np;
+ struct device *cpu_dev;
+ int cpu, idx;
+
+ if (!scmi_np)
+ return false;
+
+ for_each_possible_cpu(cpu) {
+ cpu_dev = get_cpu_device(cpu);
+ if (!cpu_dev)
+ continue;
+
+ cpu_np = dev_of_node(cpu_dev);
+
+ np = of_parse_phandle(cpu_np, "clocks", 0);
+ of_node_put(np);
+
+ if (np == scmi_np)
+ return true;
+
+ idx = of_property_match_string(cpu_np, "power-domain-names", "perf");
+ np = of_parse_phandle(cpu_np, "power-domains", idx);
+ of_node_put(np);
+
+ if (np == scmi_np)
+ return true;
+ }
+
+ return false;
+}
+
static int scmi_cpufreq_probe(struct scmi_device *sdev)
{
int ret;
@@ -307,7 +341,7 @@ static int scmi_cpufreq_probe(struct scmi_device *sdev)
handle = sdev->handle;
- if (!handle)
+ if (!handle || !scmi_dev_used_by_cpus(dev))
return -ENODEV;
perf_ops = handle->devm_protocol_get(sdev, SCMI_PROTOCOL_PERF, &ph);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 397/508] i2c: tegra: check msg length in SMBUS block read
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 396/508] cpufreq: scmi: Skip SCMI devices that arent used by the CPUs Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 398/508] i2c: npcm: Add clock toggle recovery Greg Kroah-Hartman
` (113 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil R, Thierry Reding, Andi Shyti,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil R <akhilrajeev@nvidia.com>
[ Upstream commit a6e04f05ce0b070ab39d5775580e65c7d943da0b ]
For SMBUS block read, do not continue to read if the message length
passed from the device is '0' or greater than the maximum allowed bytes.
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250424053320.19211-1-akhilrajeev@nvidia.com
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-tegra.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
index f7b4977d66496..b8726167cf739 100644
--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1425,6 +1425,11 @@ static int tegra_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
ret = tegra_i2c_xfer_msg(i2c_dev, &msgs[i], MSG_END_CONTINUE);
if (ret)
break;
+
+ /* Validate message length before proceeding */
+ if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX)
+ break;
+
/* Set the msg length from first byte */
msgs[i].len += msgs[i].buf[0];
dev_dbg(i2c_dev->dev, "reading %d bytes\n", msgs[i].len);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 398/508] i2c: npcm: Add clock toggle recovery
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 397/508] i2c: tegra: check msg length in SMBUS block read Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 399/508] net: dlink: add synchronization for stats update Greg Kroah-Hartman
` (112 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tali Perry, Mohammed Elbadry,
Mukesh Kumar Savaliya, Andi Shyti, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tali Perry <tali.perry1@gmail.com>
[ Upstream commit 38010591a0fc3203f1cee45b01ab358b72dd9ab2 ]
During init of the bus, the module checks that the bus is idle.
If one of the lines are stuck try to recover them first before failing.
Sometimes SDA and SCL are low if improper reset occurs (e.g., reboot).
Signed-off-by: Tali Perry <tali.perry1@gmail.com>
Signed-off-by: Mohammed Elbadry <mohammed.0.elbadry@gmail.com>
Reviewed-by: Mukesh Kumar Savaliya <quic_msavaliy@quicinc.com>
Link: https://lore.kernel.org/r/20250328193252.1570811-1-mohammed.0.elbadry@gmail.com
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-npcm7xx.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/i2c/busses/i2c-npcm7xx.c b/drivers/i2c/busses/i2c-npcm7xx.c
index 0947e3d155c56..828234d1ee477 100644
--- a/drivers/i2c/busses/i2c-npcm7xx.c
+++ b/drivers/i2c/busses/i2c-npcm7xx.c
@@ -1973,10 +1973,14 @@ static int npcm_i2c_init_module(struct npcm_i2c *bus, enum i2c_mode mode,
/* Check HW is OK: SDA and SCL should be high at this point. */
if ((npcm_i2c_get_SDA(&bus->adap) == 0) || (npcm_i2c_get_SCL(&bus->adap) == 0)) {
- dev_err(bus->dev, "I2C%d init fail: lines are low\n", bus->num);
- dev_err(bus->dev, "SDA=%d SCL=%d\n", npcm_i2c_get_SDA(&bus->adap),
- npcm_i2c_get_SCL(&bus->adap));
- return -ENXIO;
+ dev_warn(bus->dev, " I2C%d SDA=%d SCL=%d, attempting to recover\n", bus->num,
+ npcm_i2c_get_SDA(&bus->adap), npcm_i2c_get_SCL(&bus->adap));
+ if (npcm_i2c_recovery_tgclk(&bus->adap)) {
+ dev_err(bus->dev, "I2C%d init fail: SDA=%d SCL=%d\n",
+ bus->num, npcm_i2c_get_SDA(&bus->adap),
+ npcm_i2c_get_SCL(&bus->adap));
+ return -ENXIO;
+ }
}
npcm_i2c_int_enable(bus, true);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 399/508] net: dlink: add synchronization for stats update
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 398/508] i2c: npcm: Add clock toggle recovery Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 400/508] wifi: ath11k: Fix QMI memory reuse logic Greg Kroah-Hartman
` (111 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moon Yeounsu, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moon Yeounsu <yyyynoom@gmail.com>
[ Upstream commit 12889ce926e9a9baf6b83d809ba316af539b89e2 ]
This patch synchronizes code that accesses from both user-space
and IRQ contexts. The `get_stats()` function can be called from both
context.
`dev->stats.tx_errors` and `dev->stats.collisions` are also updated
in the `tx_errors()` function. Therefore, these fields must also be
protected by synchronized.
There is no code that accessses `dev->stats.tx_errors` between the
previous and updated lines, so the updating point can be moved.
Signed-off-by: Moon Yeounsu <yyyynoom@gmail.com>
Link: https://patch.msgid.link/20250515075333.48290-1-yyyynoom@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/dlink/dl2k.c | 14 +++++++++++++-
drivers/net/ethernet/dlink/dl2k.h | 2 ++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
index 71cb7fe63de3c..dfc23cc173097 100644
--- a/drivers/net/ethernet/dlink/dl2k.c
+++ b/drivers/net/ethernet/dlink/dl2k.c
@@ -146,6 +146,8 @@ rio_probe1 (struct pci_dev *pdev, const struct pci_device_id *ent)
np->ioaddr = ioaddr;
np->chip_id = chip_idx;
np->pdev = pdev;
+
+ spin_lock_init(&np->stats_lock);
spin_lock_init (&np->tx_lock);
spin_lock_init (&np->rx_lock);
@@ -868,7 +870,6 @@ tx_error (struct net_device *dev, int tx_status)
frame_id = (tx_status & 0xffff0000);
printk (KERN_ERR "%s: Transmit error, TxStatus %4.4x, FrameId %d.\n",
dev->name, tx_status, frame_id);
- dev->stats.tx_errors++;
/* Ttransmit Underrun */
if (tx_status & 0x10) {
dev->stats.tx_fifo_errors++;
@@ -905,9 +906,15 @@ tx_error (struct net_device *dev, int tx_status)
rio_set_led_mode(dev);
/* Let TxStartThresh stay default value */
}
+
+ spin_lock(&np->stats_lock);
/* Maximum Collisions */
if (tx_status & 0x08)
dev->stats.collisions++;
+
+ dev->stats.tx_errors++;
+ spin_unlock(&np->stats_lock);
+
/* Restart the Tx */
dw32(MACCtrl, dr16(MACCtrl) | TxEnable);
}
@@ -1076,7 +1083,9 @@ get_stats (struct net_device *dev)
int i;
#endif
unsigned int stat_reg;
+ unsigned long flags;
+ spin_lock_irqsave(&np->stats_lock, flags);
/* All statistics registers need to be acknowledged,
else statistic overflow could cause problems */
@@ -1126,6 +1135,9 @@ get_stats (struct net_device *dev)
dr16(TCPCheckSumErrors);
dr16(UDPCheckSumErrors);
dr16(IPCheckSumErrors);
+
+ spin_unlock_irqrestore(&np->stats_lock, flags);
+
return &dev->stats;
}
diff --git a/drivers/net/ethernet/dlink/dl2k.h b/drivers/net/ethernet/dlink/dl2k.h
index 0e33e2eaae960..56aff2f0bdbfa 100644
--- a/drivers/net/ethernet/dlink/dl2k.h
+++ b/drivers/net/ethernet/dlink/dl2k.h
@@ -372,6 +372,8 @@ struct netdev_private {
struct pci_dev *pdev;
void __iomem *ioaddr;
void __iomem *eeprom_addr;
+ // To ensure synchronization when stats are updated.
+ spinlock_t stats_lock;
spinlock_t tx_lock;
spinlock_t rx_lock;
unsigned int rx_buf_sz; /* Based on MTU+slack. */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 400/508] wifi: ath11k: Fix QMI memory reuse logic
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 399/508] net: dlink: add synchronization for stats update Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 401/508] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Greg Kroah-Hartman
` (110 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum, Baochen Qiang,
Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
[ Upstream commit cd2e7bae92bd7e65063ab8d04721d2b711ba4cbe ]
Firmware requests 2 segments at first. The first segment is of 6799360
whose allocation fails due to dma remapping not available. The success
is returned to firmware. Then firmware asks for 22 smaller segments
instead of 2 big ones. Those get allocated successfully. At suspend/
hibernation time, these segments aren't freed as they will be reused
by firmware after resuming.
After resuming, the firmware asks for the 2 segments again with the
first segment of 6799360 size. Since chunk->vaddr is not NULL, the
type and size are compared with the previous type and size to know if
it can be reused or not. Unfortunately, it is detected that it cannot
be reused and this first smaller segment is freed. Then we continue to
allocate 6799360 size memory which fails and ath11k_qmi_free_target_mem_chunk()
is called which frees the second smaller segment as well. Later success
is returned to firmware which asks for 22 smaller segments again. But
as we had freed 2 segments already, we'll allocate the first 2 new
smaller segments again and reuse the remaining 20. Hence 20 small
segments are being reused instead of 22.
Add skip logic when vaddr is set, but size/type don't match. Use the
same skip and success logic as used when dma_alloc_coherent() fails.
By skipping, the possibility of resume failure due to kernel failing to
allocate memory for QMI can be avoided.
kernel: ath11k_pci 0000:03:00.0: failed to allocate dma memory for qmi (524288 B type 1)
ath11k_pci 0000:03:00.0: failed to allocate qmi target memory: -22
Tested-on: WCN6855 WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250428080242.466901-1-usama.anjum@collabora.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/qmi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c
index 764cd320c6c18..f790759c86115 100644
--- a/drivers/net/wireless/ath/ath11k/qmi.c
+++ b/drivers/net/wireless/ath/ath11k/qmi.c
@@ -1989,6 +1989,15 @@ static int ath11k_qmi_alloc_target_mem_chunk(struct ath11k_base *ab)
chunk->prev_size == chunk->size)
continue;
+ if (ab->qmi.mem_seg_count <= ATH11K_QMI_FW_MEM_REQ_SEGMENT_CNT) {
+ ath11k_dbg(ab, ATH11K_DBG_QMI,
+ "size/type mismatch (current %d %u) (prev %d %u), try later with small size\n",
+ chunk->size, chunk->type,
+ chunk->prev_size, chunk->prev_type);
+ ab->qmi.target_mem_delayed = true;
+ return 0;
+ }
+
/* cannot reuse the existing chunk */
dma_free_coherent(ab->dev, chunk->prev_size,
chunk->vaddr, chunk->paddr);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 401/508] tcp: always seek for minimal rtt in tcp_rcv_rtt_update()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 400/508] wifi: ath11k: Fix QMI memory reuse logic Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 402/508] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Greg Kroah-Hartman
` (109 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b879dcb1aeeca278eacaac0b1e2425b1c7599f9f ]
tcp_rcv_rtt_update() goal is to maintain an estimation of the RTT
in tp->rcv_rtt_est.rtt_us, used by tcp_rcv_space_adjust()
When TCP TS are enabled, tcp_rcv_rtt_update() is using
EWMA to smooth the samples.
Change this to immediately latch the incoming value if it
is lower than tp->rcv_rtt_est.rtt_us, so that tcp_rcv_space_adjust()
does not overshoot tp->rcvq_space.space and sk->sk_rcvbuf.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250513193919.1089692-8-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index db1a99df29d55..1044e9bce2d88 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -649,10 +649,12 @@ EXPORT_SYMBOL(tcp_initialize_rcv_mss);
*/
static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
{
- u32 new_sample = tp->rcv_rtt_est.rtt_us;
- long m = sample;
+ u32 new_sample, old_sample = tp->rcv_rtt_est.rtt_us;
+ long m = sample << 3;
- if (new_sample != 0) {
+ if (old_sample == 0 || m < old_sample) {
+ new_sample = m;
+ } else {
/* If we sample in larger samples in the non-timestamp
* case, we could grossly overestimate the RTT especially
* with chatty applications or bulk transfer apps which
@@ -663,17 +665,9 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
* else with timestamps disabled convergence takes too
* long.
*/
- if (!win_dep) {
- m -= (new_sample >> 3);
- new_sample += m;
- } else {
- m <<= 3;
- if (m < new_sample)
- new_sample = m;
- }
- } else {
- /* No previous measure. */
- new_sample = m << 3;
+ if (win_dep)
+ return;
+ new_sample = old_sample - (old_sample >> 3) + sample;
}
tp->rcv_rtt_est.rtt_us = new_sample;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 402/508] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 401/508] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 403/508] x86/sgx: Prevent attempts to reclaim poisoned pages Greg Kroah-Hartman
` (108 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Wei Wang,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit cd171461b90a2d2cf230943df60d580174633718 ]
tcp_rcv_state_process() must tweak tp->advmss for TS enabled flows
before the call to tcp_init_transfer() / tcp_init_buffer_space().
Otherwise tp->rcvq_space.space is off by 120 bytes
(TCP_INIT_CWND * TCPOLEN_TSTAMP_ALIGNED).
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Wei Wang <weiwan@google.com>
Link: https://patch.msgid.link/20250513193919.1089692-7-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 1044e9bce2d88..2888aaae0d76f 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6633,6 +6633,9 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
if (!tp->srtt_us)
tcp_synack_rtt_meas(sk, req);
+ if (tp->rx_opt.tstamp_ok)
+ tp->advmss -= TCPOLEN_TSTAMP_ALIGNED;
+
if (req) {
tcp_rcv_synrecv_state_fastopen(sk);
} else {
@@ -6657,9 +6660,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
tp->snd_wnd = ntohs(th->window) << tp->rx_opt.snd_wscale;
tcp_init_wl(tp, TCP_SKB_CB(skb)->seq);
- if (tp->rx_opt.tstamp_ok)
- tp->advmss -= TCPOLEN_TSTAMP_ALIGNED;
-
if (!inet_csk(sk)->icsk_ca_ops->cong_control)
tcp_update_pacing_rate(sk);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 403/508] x86/sgx: Prevent attempts to reclaim poisoned pages
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 402/508] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 404/508] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Greg Kroah-Hartman
` (107 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Zaborowski, Ingo Molnar,
Dave Hansen, H. Peter Anvin, Linus Torvalds, Tony Luck, balrogg,
linux-sgx, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Zaborowski <andrew.zaborowski@intel.com>
[ Upstream commit ed16618c380c32c68c06186d0ccbb0d5e0586e59 ]
TL;DR: SGX page reclaim touches the page to copy its contents to
secondary storage. SGX instructions do not gracefully handle machine
checks. Despite this, the existing SGX code will try to reclaim pages
that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages.
The longer story:
Pages used by an enclave only get epc_page->poison set in
arch_memory_failure() but they currently stay on sgx_active_page_list until
sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched.
epc_page->poison is not checked in the reclaimer logic meaning that, if other
conditions are met, an attempt will be made to reclaim an EPC page that was
poisoned. This is bad because 1. we don't want that page to end up added
to another enclave and 2. it is likely to cause one core to shut down
and the kernel to panic.
Specifically, reclaiming uses microcode operations including "EWB" which
accesses the EPC page contents to encrypt and write them out to non-SGX
memory. Those operations cannot handle MCEs in their accesses other than
by putting the executing core into a special shutdown state (affecting
both threads with HT.) The kernel will subsequently panic on the
remaining cores seeing the core didn't enter MCE handler(s) in time.
Call sgx_unmark_page_reclaimable() to remove the affected EPC page from
sgx_active_page_list on memory error to stop it being considered for
reclaiming.
Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume
it's better to add code in the less likely paths.
The affected EPC page is not added to &node->sgx_poison_page_list until
later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd.
Membership on other lists doesn't change to avoid changing any of the
lists' semantics except for sgx_active_page_list. There's a "TBD" comment
in arch_memory_failure() about pre-emptive actions, the goal here is not
to address everything that it may imply.
This also doesn't completely close the time window when a memory error
notification will be fatal (for a not previously poisoned EPC page) --
the MCE can happen after sgx_reclaim_pages() has selected its candidates
or even *inside* a microcode operation (actually easy to trigger due to
the amount of time spent in them.)
The spinlock in sgx_unmark_page_reclaimable() is safe because
memory_failure() runs in process context and no spinlocks are held,
explicitly noted in a mm/memory-failure.c comment.
Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: balrogg@gmail.com
Cc: linux-sgx@vger.kernel.org
Link: https://lore.kernel.org/r/20250508230429.456271-1-andrew.zaborowski@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/sgx/main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index c4960b8e5195f..b86eb601827bf 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -718,6 +718,8 @@ int arch_memory_failure(unsigned long pfn, int flags)
goto out;
}
+ sgx_unmark_page_reclaimable(page);
+
/*
* TBD: Add additional plumbing to enable pre-emptive
* action for asynchronous poison notification. Until
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 404/508] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 403/508] x86/sgx: Prevent attempts to reclaim poisoned pages Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 405/508] net: atlantic: generate software timestamp just before the doorbell Greg Kroah-Hartman
` (106 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Ahern,
Sebastian Andrzej Siewior, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 1c0829788a6e6e165846b9bedd0b908ef16260b6 ]
The statistics are incremented with raw_cpu_inc() assuming it always
happens with bottom half disabled. Without per-CPU locking in
local_bh_disable() on PREEMPT_RT this is no longer true.
Use this_cpu_inc() on PREEMPT_RT for the increment to not worry about
preemption.
Cc: David Ahern <dsahern@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20250512092736.229935-4-bigeasy@linutronix.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/route.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 4574dcba9f193..8701081010173 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -192,7 +192,11 @@ const __u8 ip_tos2prio[16] = {
EXPORT_SYMBOL(ip_tos2prio);
static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat);
+#ifndef CONFIG_PREEMPT_RT
#define RT_CACHE_STAT_INC(field) raw_cpu_inc(rt_cache_stat.field)
+#else
+#define RT_CACHE_STAT_INC(field) this_cpu_inc(rt_cache_stat.field)
+#endif
#ifdef CONFIG_PROC_FS
static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 405/508] net: atlantic: generate software timestamp just before the doorbell
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 404/508] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 406/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Greg Kroah-Hartman
` (105 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Xing, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kernelxing@tencent.com>
[ Upstream commit 285ad7477559b6b5ceed10ba7ecfed9d17c0e7c6 ]
Make sure the call of skb_tx_timestamp is as close as possible to the
doorbell.
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Link: https://patch.msgid.link/20250510134812.48199-2-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 -
drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
index 77609dc0a08d6..9d877f436e335 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
@@ -122,7 +122,6 @@ static netdev_tx_t aq_ndev_start_xmit(struct sk_buff *skb, struct net_device *nd
}
#endif
- skb_tx_timestamp(skb);
return aq_nic_xmit(aq_nic, skb);
}
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index a467c8f91020b..3bfd9027cccac 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -893,6 +893,8 @@ int aq_nic_xmit(struct aq_nic_s *self, struct sk_buff *skb)
frags = aq_nic_map_skb(self, skb, ring);
+ skb_tx_timestamp(skb);
+
if (likely(frags)) {
err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw,
ring, frags);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 406/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 405/508] net: atlantic: generate software timestamp just before the doorbell Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 407/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Greg Kroah-Hartman
` (104 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 4229c28323db141eda69cb99427be75d3edba071 ]
The regmap_update_bits() function can fail, so propagate its error
up to the stack instead of silently ignoring that.
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-7-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
index eb6043d6c499c..7483ffa2a409c 100644
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -360,9 +360,7 @@ static int armada_37xx_pmx_set_by_name(struct pinctrl_dev *pctldev,
val = grp->val[func];
- regmap_update_bits(info->regmap, reg, mask, val);
-
- return 0;
+ return regmap_update_bits(info->regmap, reg, mask, val);
}
static int armada_37xx_pmx_set(struct pinctrl_dev *pctldev,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 407/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 406/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 408/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Greg Kroah-Hartman
` (103 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 6481c0a83367b0672951ccc876fbae7ee37b594b ]
The regmap_read() function can fail, so propagate its error up to
the stack instead of silently ignoring that.
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-6-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
index 7483ffa2a409c..e9032359a68a5 100644
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -402,10 +402,13 @@ static int armada_37xx_gpio_get_direction(struct gpio_chip *chip,
struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
unsigned int reg = OUTPUT_EN;
unsigned int val, mask;
+ int ret;
armada_37xx_update_reg(®, &offset);
mask = BIT(offset);
- regmap_read(info->regmap, reg, &val);
+ ret = regmap_read(info->regmap, reg, &val);
+ if (ret)
+ return ret;
if (val & mask)
return GPIO_LINE_DIRECTION_OUT;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 408/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 407/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 409/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Greg Kroah-Hartman
` (102 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit bfa0ff804ffa8b1246ade8be08de98c9eb19d16f ]
The armada_37xx_gpio_direction_{in,out}put() functions can fail, so
propagate their error values back to the stack instead of silently
ignoring those.
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-5-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
index e9032359a68a5..3ada8dcaa806b 100644
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -474,16 +474,17 @@ static int armada_37xx_pmx_gpio_set_direction(struct pinctrl_dev *pctldev,
{
struct armada_37xx_pinctrl *info = pinctrl_dev_get_drvdata(pctldev);
struct gpio_chip *chip = range->gc;
+ int ret;
dev_dbg(info->dev, "gpio_direction for pin %u as %s-%d to %s\n",
offset, range->name, offset, input ? "input" : "output");
if (input)
- armada_37xx_gpio_direction_input(chip, offset);
+ ret = armada_37xx_gpio_direction_input(chip, offset);
else
- armada_37xx_gpio_direction_output(chip, offset, 0);
+ ret = armada_37xx_gpio_direction_output(chip, offset, 0);
- return 0;
+ return ret;
}
static int armada_37xx_gpio_request_enable(struct pinctrl_dev *pctldev,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 409/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 408/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 410/508] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Greg Kroah-Hartman
` (101 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 57273ff8bb16f3842c2597b5bbcd49e7fa12edf7 ]
The regmap_read() function can fail, so propagate its error up to
the stack instead of silently ignoring that.
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-4-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
index 3ada8dcaa806b..f68caea15b03d 100644
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -445,11 +445,14 @@ static int armada_37xx_gpio_get(struct gpio_chip *chip, unsigned int offset)
struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
unsigned int reg = INPUT_VAL;
unsigned int val, mask;
+ int ret;
armada_37xx_update_reg(®, &offset);
mask = BIT(offset);
- regmap_read(info->regmap, reg, &val);
+ ret = regmap_read(info->regmap, reg, &val);
+ if (ret)
+ return ret;
return (val & mask) != 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 410/508] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 409/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 411/508] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Greg Kroah-Hartman
` (100 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Tariq Toukan,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kernelxing@tencent.com>
[ Upstream commit b86bcfee30576b752302c55693fff97242b35dfd ]
As mlx4 has implemented skb_tx_timestamp() in mlx4_en_xmit(), the
SOFTWARE flag is surely needed when users are trying to get timestamp
information.
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250510093442.79711-1-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
index 7d45f1d55f799..d1a319ad6af1a 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -1916,6 +1916,7 @@ static int mlx4_en_get_ts_info(struct net_device *dev,
if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS) {
info->so_timestamping |=
SOF_TIMESTAMPING_TX_HARDWARE |
+ SOF_TIMESTAMPING_TX_SOFTWARE |
SOF_TIMESTAMPING_RX_HARDWARE |
SOF_TIMESTAMPING_RAW_HARDWARE;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 411/508] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 410/508] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 412/508] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Greg Kroah-Hartman
` (99 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Wahren, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Wahren <wahrenst@gmx.net>
[ Upstream commit 4ecf56f4b66011b583644bf9a62188d05dfcd78c ]
The MSE102x doesn't provide any interrupt register, so the only way
to handle the level interrupt is to fetch the whole packet from
the MSE102x internal buffer via SPI. So in cases the interrupt
handler fails to do this, it should return IRQ_NONE. This allows
the core to disable the interrupt in case the issue persists
and prevent an interrupt storm.
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Link: https://patch.msgid.link/20250509120435.43646-6-wahrenst@gmx.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/vertexcom/mse102x.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c
index 060a566bc6aae..c902f8761d5d4 100644
--- a/drivers/net/ethernet/vertexcom/mse102x.c
+++ b/drivers/net/ethernet/vertexcom/mse102x.c
@@ -306,7 +306,7 @@ static void mse102x_dump_packet(const char *msg, int len, const char *data)
data, len, true);
}
-static void mse102x_rx_pkt_spi(struct mse102x_net *mse)
+static irqreturn_t mse102x_rx_pkt_spi(struct mse102x_net *mse)
{
struct sk_buff *skb;
unsigned int rxalign;
@@ -327,7 +327,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse)
mse102x_tx_cmd_spi(mse, CMD_CTR);
ret = mse102x_rx_cmd_spi(mse, (u8 *)&rx);
if (ret)
- return;
+ return IRQ_NONE;
cmd_resp = be16_to_cpu(rx);
if ((cmd_resp & CMD_MASK) != CMD_RTS) {
@@ -360,7 +360,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse)
rxalign = ALIGN(rxlen + DET_SOF_LEN + DET_DFT_LEN, 4);
skb = netdev_alloc_skb_ip_align(mse->ndev, rxalign);
if (!skb)
- return;
+ return IRQ_NONE;
/* 2 bytes Start of frame (before ethernet header)
* 2 bytes Data frame tail (after ethernet frame)
@@ -370,7 +370,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse)
if (mse102x_rx_frame_spi(mse, rxpkt, rxlen, drop)) {
mse->ndev->stats.rx_errors++;
dev_kfree_skb(skb);
- return;
+ return IRQ_HANDLED;
}
if (netif_msg_pktdata(mse))
@@ -381,6 +381,8 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse)
mse->ndev->stats.rx_packets++;
mse->ndev->stats.rx_bytes += rxlen;
+
+ return IRQ_HANDLED;
}
static int mse102x_tx_pkt_spi(struct mse102x_net *mse, struct sk_buff *txb,
@@ -512,12 +514,13 @@ static irqreturn_t mse102x_irq(int irq, void *_mse)
{
struct mse102x_net *mse = _mse;
struct mse102x_net_spi *mses = to_mse102x_spi(mse);
+ irqreturn_t ret;
mutex_lock(&mses->lock);
- mse102x_rx_pkt_spi(mse);
+ ret = mse102x_rx_pkt_spi(mse);
mutex_unlock(&mses->lock);
- return IRQ_HANDLED;
+ return ret;
}
static int mse102x_net_open(struct net_device *ndev)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 412/508] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 411/508] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 413/508] wifi: mac80211: do not offer a mesh path if forwarding is disabled Greg Kroah-Hartman
` (98 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salah Triki <salah.triki@gmail.com>
[ Upstream commit 63a9a727d373fa5b8ce509eef50dbc45e0f745b9 ]
Add usb_free_urb() in the error path to prevent memory leak.
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Link: https://patch.msgid.link/aA3_maPlEJzO7wrL@pc
[fix subject]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/purelifi/plfxlc/usb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c
index 311676c1ece0a..8151bc5e00ccc 100644
--- a/drivers/net/wireless/purelifi/plfxlc/usb.c
+++ b/drivers/net/wireless/purelifi/plfxlc/usb.c
@@ -503,8 +503,10 @@ int plfxlc_usb_wreq_async(struct plfxlc_usb *usb, const u8 *buffer,
(void *)buffer, buffer_len, complete_fn, context);
r = usb_submit_urb(urb, GFP_ATOMIC);
- if (r)
+ if (r) {
+ usb_free_urb(urb);
dev_err(&udev->dev, "Async write submit failed (%d)\n", r);
+ }
return r;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 413/508] wifi: mac80211: do not offer a mesh path if forwarding is disabled
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 412/508] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 414/508] bpftool: Fix cgroup command to only show cgroup bpf programs Greg Kroah-Hartman
` (97 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Rouven Czerwinski,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin@sipsolutions.net>
[ Upstream commit cf1b684a06170d253b47d6a5287821de976435bd ]
When processing a PREQ the code would always check whether we have a
mesh path locally and reply accordingly. However, when forwarding is
disabled then we should not reply with this information as we will not
forward data packets down that path.
Move the check for dot11MeshForwarding up in the function and skip the
mesh path lookup in that case. In the else block, set forward to false
so that the rest of the function becomes a no-op and the
dot11MeshForwarding check does not need to be duplicated.
This explains an effect observed in the Freifunk community where mesh
forwarding is disabled. In that case a mesh with three STAs and only bad
links in between them, individual STAs would occionally have indirect
mpath entries. This should not have happened.
Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
Reviewed-by: Rouven Czerwinski <rouven@czerwinskis.de>
Link: https://patch.msgid.link/20250430191042.3287004-1-benjamin@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/mesh_hwmp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 47eb67dc11cfe..da9e152a7aaba 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -625,7 +625,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
mesh_path_add_gate(mpath);
}
rcu_read_unlock();
- } else {
+ } else if (ifmsh->mshcfg.dot11MeshForwarding) {
rcu_read_lock();
mpath = mesh_path_lookup(sdata, target_addr);
if (mpath) {
@@ -643,6 +643,8 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
}
}
rcu_read_unlock();
+ } else {
+ forward = false;
}
if (reply) {
@@ -660,7 +662,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
}
}
- if (forward && ifmsh->mshcfg.dot11MeshForwarding) {
+ if (forward) {
u32 preq_id;
u8 hopcount;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 414/508] bpftool: Fix cgroup command to only show cgroup bpf programs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 413/508] wifi: mac80211: do not offer a mesh path if forwarding is disabled Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 415/508] clk: rockchip: rk3036: mark ddrphy as critical Greg Kroah-Hartman
` (96 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Monnet, Takshak Chahande,
Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin KaFai Lau <martin.lau@kernel.org>
[ Upstream commit b69d4413aa1961930fbf9ffad8376d577378daf9 ]
The netkit program is not a cgroup bpf program and should not be shown
in the output of the "bpftool cgroup show" command.
However, if the netkit device happens to have ifindex 3,
the "bpftool cgroup show" command will output the netkit
bpf program as well:
> ip -d link show dev nk1
3: nk1@if2: ...
link/ether ...
netkit mode ...
> bpftool net show
tc:
nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447
> bpftool cgroup show /sys/fs/cgroup/...
ID AttachType AttachFlags Name
... ... ...
469447 netkit_peer tw_ns_nk2phy
The reason is that the target_fd (which is the cgroup_fd here) and
the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool
iterates all values in "enum bpf_attach_type" which includes
non cgroup attach types like netkit. The cgroup_fd is usually 3 here,
so the bug is triggered when the netkit ifindex just happens
to be 3 as well.
The bpftool's cgroup.c already has a list of cgroup-only attach type
defined in "cgroup_attach_types[]". This patch fixes it by iterating
over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE".
Cc: Quentin Monnet <qmo@kernel.org>
Reported-by: Takshak Chahande <ctakshak@meta.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Quentin Monnet <qmo@kernel.org>
Link: https://lore.kernel.org/r/20250507203232.1420762-1-martin.lau@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/bpf/bpftool/cgroup.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
index b46a998d8f8df..d157f58ec7d5a 100644
--- a/tools/bpf/bpftool/cgroup.c
+++ b/tools/bpf/bpftool/cgroup.c
@@ -284,11 +284,11 @@ static int show_bpf_progs(int cgroup_fd, enum bpf_attach_type type,
static int do_show(int argc, char **argv)
{
- enum bpf_attach_type type;
int has_attached_progs;
const char *path;
int cgroup_fd;
int ret = -1;
+ unsigned int i;
query_flags = 0;
@@ -336,14 +336,14 @@ static int do_show(int argc, char **argv)
"AttachFlags", "Name");
btf_vmlinux = libbpf_find_kernel_btf();
- for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
+ for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) {
/*
* Not all attach types may be supported, so it's expected,
* that some requests will fail.
* If we were able to get the show for at least one
* attach type, let's return 0.
*/
- if (show_bpf_progs(cgroup_fd, type, 0) == 0)
+ if (show_bpf_progs(cgroup_fd, cgroup_attach_types[i], 0) == 0)
ret = 0;
}
@@ -366,9 +366,9 @@ static int do_show(int argc, char **argv)
static int do_show_tree_fn(const char *fpath, const struct stat *sb,
int typeflag, struct FTW *ftw)
{
- enum bpf_attach_type type;
int has_attached_progs;
int cgroup_fd;
+ unsigned int i;
if (typeflag != FTW_D)
return 0;
@@ -400,8 +400,8 @@ static int do_show_tree_fn(const char *fpath, const struct stat *sb,
}
btf_vmlinux = libbpf_find_kernel_btf();
- for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++)
- show_bpf_progs(cgroup_fd, type, ftw->level);
+ for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++)
+ show_bpf_progs(cgroup_fd, cgroup_attach_types[i], ftw->level);
if (errno == EINVAL)
/* Last attach type does not support query.
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 415/508] clk: rockchip: rk3036: mark ddrphy as critical
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 414/508] bpftool: Fix cgroup command to only show cgroup bpf programs Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 416/508] libbpf: Add identical pointer detection to btf_dedup_is_equiv() Greg Kroah-Hartman
` (95 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Stuebner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Stuebner <heiko@sntech.de>
[ Upstream commit 596a977b34a722c00245801a5774aa79cec4e81d ]
The ddrphy is supplied by the dpll, but due to the limited number of PLLs
on the rk3036, the dpll also is used for other periperhals, like the GPU.
So it happened, when the Lima driver turned off the gpu clock, this in
turn also disabled the dpll and thus the ram.
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://lore.kernel.org/r/20250503202532.992033-4-heiko@sntech.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/rockchip/clk-rk3036.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/rockchip/clk-rk3036.c b/drivers/clk/rockchip/clk-rk3036.c
index d644bc155ec6e..f5f27535087a3 100644
--- a/drivers/clk/rockchip/clk-rk3036.c
+++ b/drivers/clk/rockchip/clk-rk3036.c
@@ -431,6 +431,7 @@ static const char *const rk3036_critical_clocks[] __initconst = {
"hclk_peri",
"pclk_peri",
"pclk_ddrupctl",
+ "ddrphy",
};
static void __init rk3036_clk_init(struct device_node *np)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 416/508] libbpf: Add identical pointer detection to btf_dedup_is_equiv()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 415/508] clk: rockchip: rk3036: mark ddrphy as critical Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 417/508] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Greg Kroah-Hartman
` (94 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Starovoitov, Alan Maguire,
Andrii Nakryiko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Maguire <alan.maguire@oracle.com>
[ Upstream commit 8e64c387c942229c551d0f23de4d9993d3a2acb6 ]
Recently as a side-effect of
commit ac053946f5c4 ("compiler.h: introduce TYPEOF_UNQUAL() macro")
issues were observed in deduplication between modules and kernel BTF
such that a large number of kernel types were not deduplicated so
were found in module BTF (task_struct, bpf_prog etc). The root cause
appeared to be a failure to dedup struct types, specifically those
with members that were pointers with __percpu annotations.
The issue in dedup is at the point that we are deduplicating structures,
we have not yet deduplicated reference types like pointers. If multiple
copies of a pointer point at the same (deduplicated) integer as in this
case, we do not see them as identical. Special handling already exists
to deal with structures and arrays, so add pointer handling here too.
Reported-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250429161042.2069678-1-alan.maguire@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/btf.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
index 8224a797c2da5..f7e3209d6c641 100644
--- a/tools/lib/bpf/btf.c
+++ b/tools/lib/bpf/btf.c
@@ -3939,6 +3939,19 @@ static bool btf_dedup_identical_structs(struct btf_dedup *d, __u32 id1, __u32 id
return true;
}
+static bool btf_dedup_identical_ptrs(struct btf_dedup *d, __u32 id1, __u32 id2)
+{
+ struct btf_type *t1, *t2;
+
+ t1 = btf_type_by_id(d->btf, id1);
+ t2 = btf_type_by_id(d->btf, id2);
+
+ if (!btf_is_ptr(t1) || !btf_is_ptr(t2))
+ return false;
+
+ return t1->type == t2->type;
+}
+
/*
* Check equivalence of BTF type graph formed by candidate struct/union (we'll
* call it "candidate graph" in this description for brevity) to a type graph
@@ -4071,6 +4084,9 @@ static int btf_dedup_is_equiv(struct btf_dedup *d, __u32 cand_id,
*/
if (btf_dedup_identical_structs(d, hypot_type_id, cand_id))
return 1;
+ /* A similar case is again observed for PTRs. */
+ if (btf_dedup_identical_ptrs(d, hypot_type_id, cand_id))
+ return 1;
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 417/508] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 416/508] libbpf: Add identical pointer detection to btf_dedup_is_equiv() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 418/508] iommu/amd: Ensure GA log notifier callbacks finish running before module unload Greg Kroah-Hartman
` (93 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit 05ae6c9c7315d844fbc15afe393f5ba5e5771126 ]
In lpfc_check_sli_ndlp(), the get_job_els_rsp64_did remote_id assignment
does not apply for GEN_REQUEST64 commands as it only has meaning for a
ELS_REQUEST64 command. So, if (iocb->ndlp == ndlp) is false, we could
erroneously return the wrong value. Fix by replacing the fallthrough
statement with a break statement before the remote_id check.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20250425194806.3585-2-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index b04112c77fcd1..3a55e410235c0 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -5074,7 +5074,7 @@ lpfc_check_sli_ndlp(struct lpfc_hba *phba,
case CMD_GEN_REQUEST64_CR:
if (iocb->ndlp == ndlp)
return 1;
- fallthrough;
+ break;
case CMD_ELS_REQUEST64_CR:
if (remote_id == ndlp->nlp_DID)
return 1;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 418/508] iommu/amd: Ensure GA log notifier callbacks finish running before module unload
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 417/508] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 419/508] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled Greg Kroah-Hartman
` (92 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Joerg Roedel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 94c721ea03c7078163f41dbaa101ac721ddac329 ]
Synchronize RCU when unregistering KVM's GA log notifier to ensure all
in-flight interrupt handlers complete before KVM-the module is unloaded.
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20250315031048.2374109-1-seanjc@google.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/iommu.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 4421b464947b8..b778023388715 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -770,6 +770,14 @@ int amd_iommu_register_ga_log_notifier(int (*notifier)(u32))
{
iommu_ga_log_notifier = notifier;
+ /*
+ * Ensure all in-flight IRQ handlers run to completion before returning
+ * to the caller, e.g. to ensure module code isn't unloaded while it's
+ * being executed in the IRQ handler.
+ */
+ if (!notifier)
+ synchronize_rcu();
+
return 0;
}
EXPORT_SYMBOL(amd_iommu_register_ga_log_notifier);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 419/508] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 418/508] iommu/amd: Ensure GA log notifier callbacks finish running before module unload Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 421/508] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Greg Kroah-Hartman
` (91 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+064815c6cd721082a52a,
Edward Adam Davis, Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit c575f5374be7a5c4be4acb9fe6be3a4669d94674 ]
Setting tsf is meaningless if beacon is disabled, so check that beacon
is enabled before setting tsf.
Reported-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=064815c6cd721082a52a
Tested-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Link: https://patch.msgid.link/tencent_3609AC2EFAAED68CA5A7E3C6D212D1C67806@qq.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mac80211_hwsim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index abcd165a62cfe..80a2a668cfb9e 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1091,6 +1091,11 @@ static void mac80211_hwsim_set_tsf(struct ieee80211_hw *hw,
/* MLD not supported here */
u32 bcn_int = data->link_data[0].beacon_int;
u64 delta = abs(tsf - now);
+ struct ieee80211_bss_conf *conf;
+
+ conf = link_conf_dereference_protected(vif, data->link_data[0].link_id);
+ if (conf && !conf->enable_beacon)
+ return;
/* adjust after beaconing with new timestamp at old TBTT */
if (tsf > now) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 421/508] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 419/508] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 422/508] vxlan: Do not treat dst cache initialization errors as fatal Greg Kroah-Hartman
` (90 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wang, Andy Roulin, Ido Schimmel,
Petr Machata, Nikolay Aleksandrov, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yong Wang <yongwang@nvidia.com>
[ Upstream commit 4b30ae9adb047dd0a7982975ec3933c529537026 ]
When a bridge port STP state is changed from BLOCKING/DISABLED to
FORWARDING, the port's igmp query timer will NOT re-arm itself if the
bridge has been configured as per-VLAN multicast snooping.
Solve this by choosing the correct multicast context(s) to enable/disable
port multicast based on whether per-VLAN multicast snooping is enabled or
not, i.e. using per-{port, VLAN} context in case of per-VLAN multicast
snooping by re-implementing br_multicast_enable_port() and
br_multicast_disable_port() functions.
Before the patch, the IGMP query does not happen in the last step of the
following test sequence, i.e. no growth for tx counter:
# ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1
# bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0
# ip link add name swp1 up master br1 type dummy
# bridge link set dev swp1 state 0
# ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
# sleep 1
# ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
# bridge link set dev swp1 state 3
# sleep 2
# ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
After the patch, the IGMP query happens in the last step of the test:
# ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1
# bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0
# ip link add name swp1 up master br1 type dummy
# bridge link set dev swp1 state 0
# ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
# sleep 1
# ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
# bridge link set dev swp1 state 3
# sleep 2
# ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
3
Signed-off-by: Yong Wang <yongwang@nvidia.com>
Reviewed-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 77 +++++++++++++++++++++++++++++++++++----
1 file changed, 69 insertions(+), 8 deletions(-)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 5972821ce1950..e28c9db0c4db2 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1931,12 +1931,17 @@ static void __br_multicast_enable_port_ctx(struct net_bridge_mcast_port *pmctx)
}
}
-void br_multicast_enable_port(struct net_bridge_port *port)
+static void br_multicast_enable_port_ctx(struct net_bridge_mcast_port *pmctx)
{
- struct net_bridge *br = port->br;
+ struct net_bridge *br = pmctx->port->br;
spin_lock_bh(&br->multicast_lock);
- __br_multicast_enable_port_ctx(&port->multicast_ctx);
+ if (br_multicast_port_ctx_is_vlan(pmctx) &&
+ !(pmctx->vlan->priv_flags & BR_VLFLAG_MCAST_ENABLED)) {
+ spin_unlock_bh(&br->multicast_lock);
+ return;
+ }
+ __br_multicast_enable_port_ctx(pmctx);
spin_unlock_bh(&br->multicast_lock);
}
@@ -1963,11 +1968,67 @@ static void __br_multicast_disable_port_ctx(struct net_bridge_mcast_port *pmctx)
br_multicast_rport_del_notify(pmctx, del);
}
+static void br_multicast_disable_port_ctx(struct net_bridge_mcast_port *pmctx)
+{
+ struct net_bridge *br = pmctx->port->br;
+
+ spin_lock_bh(&br->multicast_lock);
+ if (br_multicast_port_ctx_is_vlan(pmctx) &&
+ !(pmctx->vlan->priv_flags & BR_VLFLAG_MCAST_ENABLED)) {
+ spin_unlock_bh(&br->multicast_lock);
+ return;
+ }
+
+ __br_multicast_disable_port_ctx(pmctx);
+ spin_unlock_bh(&br->multicast_lock);
+}
+
+static void br_multicast_toggle_port(struct net_bridge_port *port, bool on)
+{
+#if IS_ENABLED(CONFIG_BRIDGE_VLAN_FILTERING)
+ if (br_opt_get(port->br, BROPT_MCAST_VLAN_SNOOPING_ENABLED)) {
+ struct net_bridge_vlan_group *vg;
+ struct net_bridge_vlan *vlan;
+
+ rcu_read_lock();
+ vg = nbp_vlan_group_rcu(port);
+ if (!vg) {
+ rcu_read_unlock();
+ return;
+ }
+
+ /* iterate each vlan, toggle vlan multicast context */
+ list_for_each_entry_rcu(vlan, &vg->vlan_list, vlist) {
+ struct net_bridge_mcast_port *pmctx =
+ &vlan->port_mcast_ctx;
+ u8 state = br_vlan_get_state(vlan);
+ /* enable vlan multicast context when state is
+ * LEARNING or FORWARDING
+ */
+ if (on && br_vlan_state_allowed(state, true))
+ br_multicast_enable_port_ctx(pmctx);
+ else
+ br_multicast_disable_port_ctx(pmctx);
+ }
+ rcu_read_unlock();
+ return;
+ }
+#endif
+ /* toggle port multicast context when vlan snooping is disabled */
+ if (on)
+ br_multicast_enable_port_ctx(&port->multicast_ctx);
+ else
+ br_multicast_disable_port_ctx(&port->multicast_ctx);
+}
+
+void br_multicast_enable_port(struct net_bridge_port *port)
+{
+ br_multicast_toggle_port(port, true);
+}
+
void br_multicast_disable_port(struct net_bridge_port *port)
{
- spin_lock_bh(&port->br->multicast_lock);
- __br_multicast_disable_port_ctx(&port->multicast_ctx);
- spin_unlock_bh(&port->br->multicast_lock);
+ br_multicast_toggle_port(port, false);
}
static int __grp_src_delete_marked(struct net_bridge_port_group *pg)
@@ -4156,9 +4217,9 @@ int br_multicast_toggle_vlan_snooping(struct net_bridge *br, bool on,
__br_multicast_open(&br->multicast_ctx);
list_for_each_entry(p, &br->port_list, list) {
if (on)
- br_multicast_disable_port(p);
+ br_multicast_disable_port_ctx(&p->multicast_ctx);
else
- br_multicast_enable_port(p);
+ br_multicast_enable_port_ctx(&p->multicast_ctx);
}
list_for_each_entry(vlan, &vg->vlan_list, vlist)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 422/508] vxlan: Do not treat dst cache initialization errors as fatal
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 421/508] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 423/508] software node: Correct a OOB check in software_node_get_reference_args() Greg Kroah-Hartman
` (89 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
Nikolay Aleksandrov, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 20c76dadc783759fd3819d289c72be590660cc8b ]
FDB entries are allocated in an atomic context as they can be added from
the data path when learning is enabled.
After converting the FDB hash table to rhashtable, the insertion rate
will be much higher (*) which will entail a much higher rate of per-CPU
allocations via dst_cache_init().
When adding a large number of entries (e.g., 256k) in a batch, a small
percentage (< 0.02%) of these per-CPU allocations will fail [1]. This
does not happen with the current code since the insertion rate is low
enough to give the per-CPU allocator a chance to asynchronously create
new chunks of per-CPU memory.
Given that:
a. Only a small percentage of these per-CPU allocations fail.
b. The scenario where this happens might not be the most realistic one.
c. The driver can work correctly without dst caches. The dst_cache_*()
APIs first check that the dst cache was properly initialized.
d. The dst caches are not always used (e.g., 'tos inherit').
It seems reasonable to not treat these allocation failures as fatal.
Therefore, do not bail when dst_cache_init() fails and suppress warnings
by specifying '__GFP_NOWARN'.
[1] percpu: allocation failed, size=40 align=8 atomic=1, atomic alloc failed, no space left
(*) 97% reduction in average latency of vxlan_fdb_update() when adding
256k entries in a batch.
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20250415121143.345227-14-idosch@nvidia.com
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vxlan/vxlan_core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index ef61eab81707c..747ce00dd321d 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -653,10 +653,10 @@ static int vxlan_fdb_append(struct vxlan_fdb *f,
if (rd == NULL)
return -ENOMEM;
- if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) {
- kfree(rd);
- return -ENOMEM;
- }
+ /* The driver can work correctly without a dst cache, so do not treat
+ * dst cache initialization errors as fatal.
+ */
+ dst_cache_init(&rd->dst_cache, GFP_ATOMIC | __GFP_NOWARN);
rd->remote_ip = *ip;
rd->remote_port = port;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 423/508] software node: Correct a OOB check in software_node_get_reference_args()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 422/508] vxlan: Do not treat dst cache initialization errors as fatal Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 424/508] pinctrl: mcp23s08: Reset all pins to input at probe Greg Kroah-Hartman
` (88 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Zijun Hu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 31e4e12e0e9609850cefd4b2e1adf782f56337d6 ]
software_node_get_reference_args() wants to get @index-th element, so
the property value requires at least '(index + 1) * sizeof(*ref)' bytes
but that can not be guaranteed by current OOB check, and may cause OOB
for malformed property.
Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250414-fix_swnode-v2-1-9c9e6ae11eab@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/swnode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index 44153caa893ad..fdea6b93eb30e 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -518,7 +518,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
if (prop->is_inline)
return -EINVAL;
- if (index * sizeof(*ref) >= prop->length)
+ if ((index + 1) * sizeof(*ref) > prop->length)
return -ENOENT;
ref_array = prop->pointer;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 424/508] pinctrl: mcp23s08: Reset all pins to input at probe
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 423/508] software node: Correct a OOB check in software_node_get_reference_args() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 425/508] scsi: lpfc: Use memcpy() for BIOS version Greg Kroah-Hartman
` (87 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Looijmans, Linus Walleij,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Looijmans <mike.looijmans@topic.nl>
[ Upstream commit 3ede3f8b4b4b399b0ca41e44959f80d5cf84fc98 ]
At startup, the driver just assumes that all registers have their
default values. But after a soft reset, the chip will just be in the
state it was, and some pins may have been configured as outputs. Any
modification of the output register will cause these pins to be driven
low, which leads to unexpected/unwanted effects. To prevent this from
happening, set the chip's IO configuration register to a known safe
mode (all inputs) before toggling any other bits.
Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Link: https://lore.kernel.org/20250314151803.28903-1-mike.looijmans@topic.nl
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-mcp23s08.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
index 2e8bbef8ca344..ca001fa63ed39 100644
--- a/drivers/pinctrl/pinctrl-mcp23s08.c
+++ b/drivers/pinctrl/pinctrl-mcp23s08.c
@@ -563,6 +563,14 @@ int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev,
mcp->reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_LOW);
+ /*
+ * Reset the chip - we don't really know what state it's in, so reset
+ * all pins to input first to prevent surprises.
+ */
+ ret = mcp_write(mcp, MCP_IODIR, mcp->chip.ngpio == 16 ? 0xFFFF : 0xFF);
+ if (ret < 0)
+ return ret;
+
/* verify MCP_IOCON.SEQOP = 0, so sequential reads work,
* and MCP_IOCON.HAEN = 1, so we work with all chips.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 425/508] scsi: lpfc: Use memcpy() for BIOS version
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 424/508] pinctrl: mcp23s08: Reset all pins to input at probe Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 426/508] sock: Correct error checking condition for (assign|release)_proto_idx() Greg Kroah-Hartman
` (86 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Justin Tee,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit ae82eaf4aeea060bb736c3e20c0568b67c701d7d ]
The strlcat() with FORTIFY support is triggering a panic because it
thinks the target buffer will overflow although the correct target
buffer size is passed in.
Anyway, instead of memset() with 0 followed by a strlcat(), just use
memcpy() and ensure that the resulting buffer is NULL terminated.
BIOSVersion is only used for the lpfc_printf_log() which expects a
properly terminated string.
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Link: https://lore.kernel.org/r/20250409-fix-lpfc-bios-str-v1-1-05dac9e51e13@kernel.org
Reviewed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_sli.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 1e04b6fc127af..d5e21e74888a7 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -6031,9 +6031,9 @@ lpfc_sli4_get_ctl_attr(struct lpfc_hba *phba)
phba->sli4_hba.flash_id = bf_get(lpfc_cntl_attr_flash_id, cntl_attr);
phba->sli4_hba.asic_rev = bf_get(lpfc_cntl_attr_asic_rev, cntl_attr);
- memset(phba->BIOSVersion, 0, sizeof(phba->BIOSVersion));
- strlcat(phba->BIOSVersion, (char *)cntl_attr->bios_ver_str,
+ memcpy(phba->BIOSVersion, cntl_attr->bios_ver_str,
sizeof(phba->BIOSVersion));
+ phba->BIOSVersion[sizeof(phba->BIOSVersion) - 1] = '\0';
lpfc_printf_log(phba, KERN_INFO, LOG_SLI,
"3086 lnk_type:%d, lnk_numb:%d, bios_ver:%s, "
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 426/508] sock: Correct error checking condition for (assign|release)_proto_idx()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 425/508] scsi: lpfc: Use memcpy() for BIOS version Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 427/508] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Greg Kroah-Hartman
` (85 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit faeefc173be40512341b102cf1568aa0b6571acd ]
(assign|release)_proto_idx() wrongly check find_first_zero_bit() failure
by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.
Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250410-fix_net-v2-1-d69e7c5739a4@quicinc.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index 168e7f42c0542..d8c0650322ea6 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3797,7 +3797,7 @@ static int assign_proto_idx(struct proto *prot)
{
prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR);
- if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) {
+ if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) {
pr_err("PROTO_INUSE_NR exhausted\n");
return -ENOSPC;
}
@@ -3808,7 +3808,7 @@ static int assign_proto_idx(struct proto *prot)
static void release_proto_idx(struct proto *prot)
{
- if (prot->inuse_idx != PROTO_INUSE_NR - 1)
+ if (prot->inuse_idx != PROTO_INUSE_NR)
clear_bit(prot->inuse_idx, proto_inuse_idx);
}
#else
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 427/508] i40e: fix MMIO write access to an invalid page in i40e_clear_hw
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 426/508] sock: Correct error checking condition for (assign|release)_proto_idx() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 428/508] ice: fix check for existing switch rule Greg Kroah-Hartman
` (84 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyungwook Boo, Przemek Kitszel,
Simon Horman, Aleksandr Loktionov, Tony Nguyen, Sasha Levin,
Rinitha S
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyungwook Boo <bookyungwook@gmail.com>
[ Upstream commit 015bac5daca978448f2671478c553ce1f300c21e ]
When the device sends a specific input, an integer underflow can occur, leading
to MMIO write access to an invalid page.
Prevent the integer underflow by changing the type of related variables.
Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com>
Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c
index 6266756b47b9d..a707974e42794 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
@@ -1063,10 +1063,11 @@ int i40e_pf_reset(struct i40e_hw *hw)
void i40e_clear_hw(struct i40e_hw *hw)
{
u32 num_queues, base_queue;
- u32 num_pf_int;
- u32 num_vf_int;
+ s32 num_pf_int;
+ s32 num_vf_int;
u32 num_vfs;
- u32 i, j;
+ s32 i;
+ u32 j;
u32 val;
u32 eol = 0x7ff;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 428/508] ice: fix check for existing switch rule
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 427/508] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 429/508] bpf, sockmap: Fix data lost during EAGAIN retries Greg Kroah-Hartman
` (83 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Pacuszka, Przemek Kitszel,
Michal Swiatkowski, Larysa Zaremba, Simon Horman,
Rafal Romanowski, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
[ Upstream commit a808691df39b52cd9db861b118e88e18b63e2299 ]
In case the rule already exists and another VSI wants to subscribe to it
new VSI list is being created and both VSIs are moved to it.
Currently, the check for already existing VSI with the same rule is done
based on fdw_id.hw_vsi_id, which applies only to LOOKUP_RX flag.
Change it to vsi_handle. This is software VSI ID, but it can be applied
here, because vsi_map itself is also based on it.
Additionally change return status in case the VSI already exists in the
VSI map to "Already exists". Such case should be handled by the caller.
Signed-off-by: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_switch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c
index 3a29ae46fb397..11dda98e70e5a 100644
--- a/drivers/net/ethernet/intel/ice/ice_switch.c
+++ b/drivers/net/ethernet/intel/ice/ice_switch.c
@@ -3013,7 +3013,7 @@ ice_add_update_vsi_list(struct ice_hw *hw,
u16 vsi_handle_arr[2];
/* A rule already exists with the new VSI being added */
- if (cur_fltr->fwd_id.hw_vsi_id == new_fltr->fwd_id.hw_vsi_id)
+ if (cur_fltr->vsi_handle == new_fltr->vsi_handle)
return -EEXIST;
vsi_handle_arr[0] = cur_fltr->vsi_handle;
@@ -6014,7 +6014,7 @@ ice_adv_add_update_vsi_list(struct ice_hw *hw,
/* A rule already exists with the new VSI being added */
if (test_bit(vsi_handle, m_entry->vsi_list_info->vsi_map))
- return 0;
+ return -EEXIST;
/* Update the previously created VSI list set with
* the new VSI ID passed in
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 429/508] bpf, sockmap: Fix data lost during EAGAIN retries
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 428/508] ice: fix check for existing switch rule Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 430/508] net: ethernet: cortina: Use TOE/TSO on all TCP Greg Kroah-Hartman
` (82 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 7683167196bd727ad5f3c3fc6a9ca70f54520a81 ]
We call skb_bpf_redirect_clear() to clean _sk_redir before handling skb in
backlog, but when sk_psock_handle_skb() return EAGAIN due to sk_rcvbuf
limit, the redirect info in _sk_redir is not recovered.
Fix skb redir loss during EAGAIN retries by restoring _sk_redir
information using skb_bpf_set_redir().
Before this patch:
'''
./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress
Setting up benchmark 'sockmap'...
create socket fd c1:13 p1:14 c2:15 p2:16
Benchmark 'sockmap' started.
Send Speed 1343.172 MB/s, BPF Speed 1343.238 MB/s, Rcv Speed 65.271 MB/s
Send Speed 1352.022 MB/s, BPF Speed 1352.088 MB/s, Rcv Speed 0 MB/s
Send Speed 1354.105 MB/s, BPF Speed 1354.105 MB/s, Rcv Speed 0 MB/s
Send Speed 1355.018 MB/s, BPF Speed 1354.887 MB/s, Rcv Speed 0 MB/s
'''
Due to the high send rate, the RX processing path may frequently hit the
sk_rcvbuf limit. Once triggered, incorrect _sk_redir will cause the flow
to mistakenly enter the "!ingress" path, leading to send failures.
(The Rcv speed depends on tcp_rmem).
After this patch:
'''
./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress
Setting up benchmark 'sockmap'...
create socket fd c1:13 p1:14 c2:15 p2:16
Benchmark 'sockmap' started.
Send Speed 1347.236 MB/s, BPF Speed 1347.367 MB/s, Rcv Speed 65.402 MB/s
Send Speed 1353.320 MB/s, BPF Speed 1353.320 MB/s, Rcv Speed 65.536 MB/s
Send Speed 1353.186 MB/s, BPF Speed 1353.121 MB/s, Rcv Speed 65.536 MB/s
'''
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20250407142234.47591-2-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index e5ba57a5db126..2aa6262f19e84 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -688,7 +688,8 @@ static void sk_psock_backlog(struct work_struct *work)
if (ret <= 0) {
if (ret == -EAGAIN) {
sk_psock_skb_state(psock, state, len, off);
-
+ /* Restore redir info we cleared before */
+ skb_bpf_set_redir(skb, psock->sk, ingress);
/* Delay slightly to prioritize any
* other work that might be here.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 430/508] net: ethernet: cortina: Use TOE/TSO on all TCP
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 429/508] bpf, sockmap: Fix data lost during EAGAIN retries Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 431/508] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Greg Kroah-Hartman
` (81 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
[ Upstream commit 6a07e3af4973402fa199a80036c10060b922c92c ]
It is desireable to push the hardware accelerator to also
process non-segmented TCP frames: we pass the skb->len
to the "TOE/TSO" offloader and it will handle them.
Without this quirk the driver becomes unstable and lock
up and and crash.
I do not know exactly why, but it is probably due to the
TOE (TCP offload engine) feature that is coupled with the
segmentation feature - it is not possible to turn one
part off and not the other, either both TOE and TSO are
active, or neither of them.
Not having the TOE part active seems detrimental, as if
that hardware feature is not really supposed to be turned
off.
The datasheet says:
"Based on packet parsing and TCP connection/NAT table
lookup results, the NetEngine puts the packets
belonging to the same TCP connection to the same queue
for the software to process. The NetEngine puts
incoming packets to the buffer or series of buffers
for a jumbo packet. With this hardware acceleration,
IP/TCP header parsing, checksum validation and
connection lookup are offloaded from the software
processing."
After numerous tests with the hardware locking up after
something between minutes and hours depending on load
using iperf3 I have concluded this is necessary to stabilize
the hardware.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://patch.msgid.link/20250408-gemini-ethernet-tso-always-v1-1-e669f932359c@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 37 +++++++++++++++++++++------
1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index 7cc0ea3737b2d..729a69007ec47 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -1148,6 +1148,7 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
struct gmac_txdesc *txd;
skb_frag_t *skb_frag;
dma_addr_t mapping;
+ bool tcp = false;
void *buffer;
u16 mss;
int ret;
@@ -1155,6 +1156,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
word1 = skb->len;
word3 = SOF_BIT;
+ /* Determine if we are doing TCP */
+ if (skb->protocol == htons(ETH_P_IP))
+ tcp = (ip_hdr(skb)->protocol == IPPROTO_TCP);
+ else
+ /* IPv6 */
+ tcp = (ipv6_hdr(skb)->nexthdr == IPPROTO_TCP);
+
mss = skb_shinfo(skb)->gso_size;
if (mss) {
/* This means we are dealing with TCP and skb->len is the
@@ -1167,8 +1175,26 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
mss, skb->len);
word1 |= TSS_MTU_ENABLE_BIT;
word3 |= mss;
+ } else if (tcp) {
+ /* Even if we are not using TSO, use the hardware offloader
+ * for transferring the TCP frame: this hardware has partial
+ * TCP awareness (called TOE - TCP Offload Engine) and will
+ * according to the datasheet put packets belonging to the
+ * same TCP connection in the same queue for the TOE/TSO
+ * engine to process. The engine will deal with chopping
+ * up frames that exceed ETH_DATA_LEN which the
+ * checksumming engine cannot handle (see below) into
+ * manageable chunks. It flawlessly deals with quite big
+ * frames and frames containing custom DSA EtherTypes.
+ */
+ mss = netdev->mtu + skb_tcp_all_headers(skb);
+ mss = min(mss, skb->len);
+ netdev_dbg(netdev, "TOE/TSO len %04x mtu %04x mss %04x\n",
+ skb->len, netdev->mtu, mss);
+ word1 |= TSS_MTU_ENABLE_BIT;
+ word3 |= mss;
} else if (skb->len >= ETH_FRAME_LEN) {
- /* Hardware offloaded checksumming isn't working on frames
+ /* Hardware offloaded checksumming isn't working on non-TCP frames
* bigger than 1514 bytes. A hypothesis about this is that the
* checksum buffer is only 1518 bytes, so when the frames get
* bigger they get truncated, or the last few bytes get
@@ -1185,21 +1211,16 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
}
if (skb->ip_summed == CHECKSUM_PARTIAL) {
- int tcp = 0;
-
/* We do not switch off the checksumming on non TCP/UDP
* frames: as is shown from tests, the checksumming engine
* is smart enough to see that a frame is not actually TCP
* or UDP and then just pass it through without any changes
* to the frame.
*/
- if (skb->protocol == htons(ETH_P_IP)) {
+ if (skb->protocol == htons(ETH_P_IP))
word1 |= TSS_IP_CHKSUM_BIT;
- tcp = ip_hdr(skb)->protocol == IPPROTO_TCP;
- } else { /* IPv6 */
+ else
word1 |= TSS_IPV6_ENABLE_BIT;
- tcp = ipv6_hdr(skb)->nexthdr == IPPROTO_TCP;
- }
word1 |= tcp ? TSS_TCP_CHKSUM_BIT : TSS_UDP_CHKSUM_BIT;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 431/508] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 430/508] net: ethernet: cortina: Use TOE/TSO on all TCP Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 432/508] fbcon: Make sure modelist not set on unregistered console Greg Kroah-Hartman
` (80 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 9c056ec6dd1654b1420dafbbe2a69718850e6ff2 ]
The cn10k_free_matchall_ipolicer() calls the cn10k_map_unmap_rq_policer()
for each queue in a for loop without checking for any errors.
Check the return value of the cn10k_map_unmap_rq_policer() function during
each loop, and report a warning if the function fails.
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250408032602.2909-1-vulab@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c
index 7417087b6db59..a2807a1e4f4a6 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c
@@ -352,9 +352,12 @@ int cn10k_free_matchall_ipolicer(struct otx2_nic *pfvf)
mutex_lock(&pfvf->mbox.lock);
/* Remove RQ's policer mapping */
- for (qidx = 0; qidx < hw->rx_queues; qidx++)
- cn10k_map_unmap_rq_policer(pfvf, qidx,
- hw->matchall_ipolicer, false);
+ for (qidx = 0; qidx < hw->rx_queues; qidx++) {
+ rc = cn10k_map_unmap_rq_policer(pfvf, qidx, hw->matchall_ipolicer, false);
+ if (rc)
+ dev_warn(pfvf->dev, "Failed to unmap RQ %d's policer (error %d).",
+ qidx, rc);
+ }
rc = cn10k_free_leaf_profile(pfvf, hw->matchall_ipolicer);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 432/508] fbcon: Make sure modelist not set on unregistered console
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 431/508] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 433/508] watchdog: da9052_wdt: respect TWDMIN Greg Kroah-Hartman
` (79 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a7d4444e7b6e743572f7,
Kees Cook, Helge Deller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit cedc1b63394a866bf8663a3e40f4546f1d28c8d8 ]
It looks like attempting to write to the "store_modes" sysfs node will
run afoul of unregistered consoles:
UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28
index -1 is out of range for type 'fb_info *[32]'
...
fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122
fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048
fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673
store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113
dev_attr_store+0x55/0x80 drivers/base/core.c:2439
static struct fb_info *fbcon_registered_fb[FB_MAX];
...
static signed char con2fb_map[MAX_NR_CONSOLES];
...
static struct fb_info *fbcon_info_from_console(int console)
...
return fbcon_registered_fb[con2fb_map[console]];
If con2fb_map contains a -1 things go wrong here. Instead, return NULL,
as callers of fbcon_info_from_console() are trying to compare against
existing "info" pointers, so error handling should kick in correctly.
Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbcon.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 538e932055ca5..3f9d2178d3871 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -115,9 +115,14 @@ static signed char con2fb_map_boot[MAX_NR_CONSOLES];
static struct fb_info *fbcon_info_from_console(int console)
{
+ signed char fb;
WARN_CONSOLE_UNLOCKED();
- return fbcon_registered_fb[con2fb_map[console]];
+ fb = con2fb_map[console];
+ if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb))
+ return NULL;
+
+ return fbcon_registered_fb[fb];
}
static int logo_lines;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 433/508] watchdog: da9052_wdt: respect TWDMIN
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 432/508] fbcon: Make sure modelist not set on unregistered console Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 434/508] bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Greg Kroah-Hartman
` (78 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcus Folkesson, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcus Folkesson <marcus.folkesson@gmail.com>
[ Upstream commit 325f510fcd9cda5a44bcb662b74ba4e3dabaca10 ]
We have to wait at least the minimium time for the watchdog window
(TWDMIN) before writings to the wdt register after the
watchdog is activated.
Otherwise the chip will assert TWD_ERROR and power down to reset mode.
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250326-da9052-fixes-v3-4-a38a560fef0e@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/da9052_wdt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/watchdog/da9052_wdt.c b/drivers/watchdog/da9052_wdt.c
index d708c091bf1b1..180526220d8c4 100644
--- a/drivers/watchdog/da9052_wdt.c
+++ b/drivers/watchdog/da9052_wdt.c
@@ -164,6 +164,7 @@ static int da9052_wdt_probe(struct platform_device *pdev)
da9052_wdt = &driver_data->wdt;
da9052_wdt->timeout = DA9052_DEF_TIMEOUT;
+ da9052_wdt->min_hw_heartbeat_ms = DA9052_TWDMIN;
da9052_wdt->info = &da9052_wdt_info;
da9052_wdt->ops = &da9052_wdt_ops;
da9052_wdt->parent = dev;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 434/508] bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 433/508] watchdog: da9052_wdt: respect TWDMIN Greg Kroah-Hartman
@ 2025-06-23 13:07 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 435/508] ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Greg Kroah-Hartman
` (77 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurentiu Tudor, Ioana Ciornei,
Christophe Leroy, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
[ Upstream commit 23d060136841c58c2f9ee8c08ad945d1879ead4b ]
In case the MC firmware runs in debug mode with extensive prints pushed
to the console, the current timeout of 500ms is not enough.
Increase the timeout value so that we don't have any chance of wrongly
assuming that the firmware is not responding when it's just taking more
time.
Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20250408105814.2837951-7-ioana.ciornei@nxp.com
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/fsl-mc/mc-sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bus/fsl-mc/mc-sys.c b/drivers/bus/fsl-mc/mc-sys.c
index f2052cd0a0517..b22c59d57c8f0 100644
--- a/drivers/bus/fsl-mc/mc-sys.c
+++ b/drivers/bus/fsl-mc/mc-sys.c
@@ -19,7 +19,7 @@
/*
* Timeout in milliseconds to wait for the completion of an MC command
*/
-#define MC_CMD_COMPLETION_TIMEOUT_MS 500
+#define MC_CMD_COMPLETION_TIMEOUT_MS 15000
/*
* usleep_range() min and max values used to throttle down polling
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 435/508] ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2025-06-23 13:07 ` [PATCH 6.1 434/508] bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 436/508] tee: Prevent size calculation wraparound on 32-bit kernels Greg Kroah-Hartman
` (76 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sukrut Bellary, Judith Mendez,
Kevin Hilman, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sukrut Bellary <sbellary@baylibre.com>
[ Upstream commit 47fe74098f3dadba2f9cc1e507d813a4aa93f5f3 ]
Don't put the l4ls clk domain to sleep in case of standby.
Since CM3 PM FW[1](ti-v4.1.y) doesn't wake-up/enable the l4ls clk domain
upon wake-up, CM3 PM FW fails to wake-up the MPU.
[1] https://git.ti.com/cgit/processor-firmware/ti-amx3-cm3-pm-firmware/
Signed-off-by: Sukrut Bellary <sbellary@baylibre.com>
Tested-by: Judith Mendez <jm@ti.com>
Link: https://lore.kernel.org/r/20250318230042.3138542-2-sbellary@baylibre.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-omap2/clockdomain.h | 1 +
arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +-
arch/arm/mach-omap2/cm33xx.c | 14 +++++++++++++-
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-omap2/clockdomain.h b/arch/arm/mach-omap2/clockdomain.h
index 68550b23c938d..eb6ca2ea80679 100644
--- a/arch/arm/mach-omap2/clockdomain.h
+++ b/arch/arm/mach-omap2/clockdomain.h
@@ -48,6 +48,7 @@
#define CLKDM_NO_AUTODEPS (1 << 4)
#define CLKDM_ACTIVE_WITH_MPU (1 << 5)
#define CLKDM_MISSING_IDLE_REPORTING (1 << 6)
+#define CLKDM_STANDBY_FORCE_WAKEUP BIT(7)
#define CLKDM_CAN_HWSUP (CLKDM_CAN_ENABLE_AUTO | CLKDM_CAN_DISABLE_AUTO)
#define CLKDM_CAN_SWSUP (CLKDM_CAN_FORCE_SLEEP | CLKDM_CAN_FORCE_WAKEUP)
diff --git a/arch/arm/mach-omap2/clockdomains33xx_data.c b/arch/arm/mach-omap2/clockdomains33xx_data.c
index 87f4e927eb183..c05a3c07d4486 100644
--- a/arch/arm/mach-omap2/clockdomains33xx_data.c
+++ b/arch/arm/mach-omap2/clockdomains33xx_data.c
@@ -19,7 +19,7 @@ static struct clockdomain l4ls_am33xx_clkdm = {
.pwrdm = { .name = "per_pwrdm" },
.cm_inst = AM33XX_CM_PER_MOD,
.clkdm_offs = AM33XX_CM_PER_L4LS_CLKSTCTRL_OFFSET,
- .flags = CLKDM_CAN_SWSUP,
+ .flags = CLKDM_CAN_SWSUP | CLKDM_STANDBY_FORCE_WAKEUP,
};
static struct clockdomain l3s_am33xx_clkdm = {
diff --git a/arch/arm/mach-omap2/cm33xx.c b/arch/arm/mach-omap2/cm33xx.c
index d61fa06117b42..5c833dec6352f 100644
--- a/arch/arm/mach-omap2/cm33xx.c
+++ b/arch/arm/mach-omap2/cm33xx.c
@@ -20,6 +20,9 @@
#include "cm-regbits-34xx.h"
#include "cm-regbits-33xx.h"
#include "prm33xx.h"
+#if IS_ENABLED(CONFIG_SUSPEND)
+#include <linux/suspend.h>
+#endif
/*
* CLKCTRL_IDLEST_*: possible values for the CM_*_CLKCTRL.IDLEST bitfield:
@@ -328,8 +331,17 @@ static int am33xx_clkdm_clk_disable(struct clockdomain *clkdm)
{
bool hwsup = false;
+#if IS_ENABLED(CONFIG_SUSPEND)
+ /*
+ * In case of standby, Don't put the l4ls clk domain to sleep.
+ * Since CM3 PM FW doesn't wake-up/enable the l4ls clk domain
+ * upon wake-up, CM3 PM FW fails to wake-up th MPU.
+ */
+ if (pm_suspend_target_state == PM_SUSPEND_STANDBY &&
+ (clkdm->flags & CLKDM_STANDBY_FORCE_WAKEUP))
+ return 0;
+#endif
hwsup = am33xx_cm_is_clkdm_in_hwsup(clkdm->cm_inst, clkdm->clkdm_offs);
-
if (!hwsup && (clkdm->flags & CLKDM_CAN_FORCE_SLEEP))
am33xx_clkdm_sleep(clkdm);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 436/508] tee: Prevent size calculation wraparound on 32-bit kernels
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 435/508] ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 437/508] Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Greg Kroah-Hartman
` (75 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Jens Wiklander,
Rouven Czerwinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 39bb67edcc582b3b386a9ec983da67fa8a10ec03 ]
The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on
32-bit kernels: Multiplying a user-provided 32-bit value with the
size of a structure can wrap around on such platforms.
Fix it by using saturating arithmetic for the size calculation.
This has no security consequences because, in all users of
TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks
for wrapping.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tee/tee_core.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index 98da206cd7615..a9a893bc19fa4 100644
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -10,6 +10,7 @@
#include <linux/fs.h>
#include <linux/idr.h>
#include <linux/module.h>
+#include <linux/overflow.h>
#include <linux/slab.h>
#include <linux/tee_drv.h>
#include <linux/uaccess.h>
@@ -19,7 +20,7 @@
#define TEE_NUM_DEVICES 32
-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
+#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x)))
#define TEE_UUID_NS_NAME_SIZE 128
@@ -487,7 +488,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
if (copy_from_user(&arg, uarg, sizeof(arg)))
return -EFAULT;
- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
return -EINVAL;
if (arg.num_params) {
@@ -565,7 +566,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx,
if (copy_from_user(&arg, uarg, sizeof(arg)))
return -EFAULT;
- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
return -EINVAL;
if (arg.num_params) {
@@ -699,7 +700,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx,
if (get_user(num_params, &uarg->num_params))
return -EFAULT;
- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
+ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len)
return -EINVAL;
params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
@@ -798,7 +799,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx,
get_user(num_params, &uarg->num_params))
return -EFAULT;
- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
+ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len)
return -EINVAL;
params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 437/508] Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first"
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 436/508] tee: Prevent size calculation wraparound on 32-bit kernels Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 438/508] platform/x86: dell_rbu: Fix list usage Greg Kroah-Hartman
` (74 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Lindgren, Alexander Sverdlin,
Kevin Hilman, Sasha Levin, Andreas Kemnade
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
[ Upstream commit 36305857b1ead8f6ca033a913162ebc09bee0b43 ]
This reverts commit 4700a00755fb5a4bb5109128297d6fd2d1272ee6.
It breaks target-module@2b300050 ("ti,sysc-omap2") probe on AM62x in a case
when minimally-configured system tries to network-boot:
[ 6.888776] probe of 2b300050.target-module returned 517 after 258 usecs
[ 17.129637] probe of 2b300050.target-module returned 517 after 708 usecs
[ 17.137397] platform 2b300050.target-module: deferred probe pending: (reason unknown)
[ 26.878471] Waiting up to 100 more seconds for network.
There are minimal configurations possible when the deferred device is not
being probed any more (because everything else has been successfully
probed) and deferral lists are not processed any more.
Stable mmc enumeration can be achieved by filling /aliases node properly
(4700a00755fb commit's rationale).
After revert:
[ 9.006816] IP-Config: Complete:
[ 9.010058] device=lan0, ...
Tested-by: Andreas Kemnade <andreas@kemnade.info> # GTA04, Panda, BT200
Reviewed-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://lore.kernel.org/r/20250401090643.2776793-1-alexander.sverdlin@siemens.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/ti-sysc.c | 49 -------------------------------------------
1 file changed, 49 deletions(-)
diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
index 15c6b85b125d4..172b17fe87c42 100644
--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -689,51 +689,6 @@ static int sysc_parse_and_check_child_range(struct sysc *ddata)
return 0;
}
-/* Interconnect instances to probe before l4_per instances */
-static struct resource early_bus_ranges[] = {
- /* am3/4 l4_wkup */
- { .start = 0x44c00000, .end = 0x44c00000 + 0x300000, },
- /* omap4/5 and dra7 l4_cfg */
- { .start = 0x4a000000, .end = 0x4a000000 + 0x300000, },
- /* omap4 l4_wkup */
- { .start = 0x4a300000, .end = 0x4a300000 + 0x30000, },
- /* omap5 and dra7 l4_wkup without dra7 dcan segment */
- { .start = 0x4ae00000, .end = 0x4ae00000 + 0x30000, },
-};
-
-static atomic_t sysc_defer = ATOMIC_INIT(10);
-
-/**
- * sysc_defer_non_critical - defer non_critical interconnect probing
- * @ddata: device driver data
- *
- * We want to probe l4_cfg and l4_wkup interconnect instances before any
- * l4_per instances as l4_per instances depend on resources on l4_cfg and
- * l4_wkup interconnects.
- */
-static int sysc_defer_non_critical(struct sysc *ddata)
-{
- struct resource *res;
- int i;
-
- if (!atomic_read(&sysc_defer))
- return 0;
-
- for (i = 0; i < ARRAY_SIZE(early_bus_ranges); i++) {
- res = &early_bus_ranges[i];
- if (ddata->module_pa >= res->start &&
- ddata->module_pa <= res->end) {
- atomic_set(&sysc_defer, 0);
-
- return 0;
- }
- }
-
- atomic_dec_if_positive(&sysc_defer);
-
- return -EPROBE_DEFER;
-}
-
static struct device_node *stdout_path;
static void sysc_init_stdout_path(struct sysc *ddata)
@@ -959,10 +914,6 @@ static int sysc_map_and_check_registers(struct sysc *ddata)
if (error)
return error;
- error = sysc_defer_non_critical(ddata);
- if (error)
- return error;
-
sysc_check_children(ddata);
if (!of_get_property(np, "reg", NULL))
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 438/508] platform/x86: dell_rbu: Fix list usage
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 437/508] Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 439/508] platform/x86: dell_rbu: Stop overwriting data buffer Greg Kroah-Hartman
` (73 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stuart Hayes, Ilpo Järvinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stuart Hayes <stuart.w.hayes@gmail.com>
[ Upstream commit 61ce04601e0d8265ec6d2ffa6df5a7e1bce64854 ]
Pass the correct list head to list_for_each_entry*() when looping through
the packet list.
Without this patch, reading the packet data via sysfs will show the data
incorrectly (because it starts at the wrong packet), and clearing the
packet list will result in a NULL pointer dereference.
Fixes: d19f359fbdc6 ("platform/x86: dell_rbu: don't open code list_for_each_entry*()")
Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
Link: https://lore.kernel.org/r/20250609184659.7210-3-stuart.w.hayes@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell_rbu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c
index 9f51e0fcab04e..4d2b5f6dd513f 100644
--- a/drivers/platform/x86/dell/dell_rbu.c
+++ b/drivers/platform/x86/dell/dell_rbu.c
@@ -292,7 +292,7 @@ static int packet_read_list(char *data, size_t * pread_length)
remaining_bytes = *pread_length;
bytes_read = rbu_data.packet_read_count;
- list_for_each_entry(newpacket, (&packet_data_head.list)->next, list) {
+ list_for_each_entry(newpacket, &packet_data_head.list, list) {
bytes_copied = do_packet_read(pdest, newpacket,
remaining_bytes, bytes_read, &temp_count);
remaining_bytes -= bytes_copied;
@@ -315,7 +315,7 @@ static void packet_empty_list(void)
{
struct packet_data *newpacket, *tmp;
- list_for_each_entry_safe(newpacket, tmp, (&packet_data_head.list)->next, list) {
+ list_for_each_entry_safe(newpacket, tmp, &packet_data_head.list, list) {
list_del(&newpacket->list);
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 439/508] platform/x86: dell_rbu: Stop overwriting data buffer
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 438/508] platform/x86: dell_rbu: Fix list usage Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 440/508] powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Greg Kroah-Hartman
` (72 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stuart Hayes, Ilpo Järvinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stuart Hayes <stuart.w.hayes@gmail.com>
[ Upstream commit f4b0fa38d5fefe9aed6ed831f3bd3538c168ee19 ]
The dell_rbu driver will use memset() to clear the data held by each
packet when it is no longer needed (when the driver is unloaded, the
packet size is changed, etc).
The amount of memory that is cleared (before this patch) is the normal
packet size. However, the last packet in the list may be smaller.
Fix this to only clear the memory actually used by each packet, to prevent
it from writing past the end of data buffer.
Because the packet data buffers are allocated with __get_free_pages() (in
page-sized increments), this bug could only result in a buffer being
overwritten when a packet size larger than one page is used. The only user
of the dell_rbu module should be the Dell BIOS update program, which uses
a packet size of 4096, so no issues should be seen without the patch, it
just blocks the possiblity.
Fixes: 6c54c28e69f2 ("[PATCH] dell_rbu: new Dell BIOS update driver")
Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
Link: https://lore.kernel.org/r/20250609184659.7210-5-stuart.w.hayes@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell_rbu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c
index 4d2b5f6dd513f..fee20866b41e4 100644
--- a/drivers/platform/x86/dell/dell_rbu.c
+++ b/drivers/platform/x86/dell/dell_rbu.c
@@ -322,7 +322,7 @@ static void packet_empty_list(void)
* zero out the RBU packet memory before freeing
* to make sure there are no stale RBU packets left in memory
*/
- memset(newpacket->data, 0, rbu_data.packetsize);
+ memset(newpacket->data, 0, newpacket->length);
set_memory_wb((unsigned long)newpacket->data,
1 << newpacket->ordernum);
free_pages((unsigned long) newpacket->data,
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 440/508] powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 439/508] platform/x86: dell_rbu: Stop overwriting data buffer Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 441/508] Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Greg Kroah-Hartman
` (71 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Narayana Murty N, Vaibhav Jain,
Ganesh Goudar, Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Narayana Murty N <nnmlinux@linux.ibm.com>
[ Upstream commit 33bc69cf6655cf60829a803a45275f11a74899e5 ]
VFIO EEH recovery for PCI passthrough devices fails on PowerNV and pseries
platforms due to missing host-side PE bridge reconfiguration. In the
current implementation, eeh_pe_configure() only performs RTAS or OPAL-based
bridge reconfiguration for native host devices, but skips it entirely for
PEs managed through VFIO in guest passthrough scenarios.
This leads to incomplete EEH recovery when a PCI error affects a
passthrough device assigned to a QEMU/KVM guest. Although VFIO triggers the
EEH recovery flow through VFIO_EEH_PE_ENABLE ioctl, the platform-specific
bridge reconfiguration step is silently bypassed. As a result, the PE's
config space is not fully restored, causing subsequent config space access
failures or EEH freeze-on-access errors inside the guest.
This patch fixes the issue by ensuring that eeh_pe_configure() always
invokes the platform's configure_bridge() callback (e.g.,
pseries_eeh_phb_configure_bridge) even for VFIO-managed PEs. This ensures
that RTAS or OPAL calls to reconfigure the PE bridge are correctly issued
on the host side, restoring the PE's configuration space after an EEH
event.
This fix is essential for reliable EEH recovery in QEMU/KVM guests using
VFIO PCI passthrough on PowerNV and pseries systems.
Tested with:
- QEMU/KVM guest using VFIO passthrough (IBM Power9,(lpar)Power11 host)
- Injected EEH errors with pseries EEH errinjct tool on host, recovery
verified on qemu guest.
- Verified successful config space access and CAP_EXP DevCtl restoration
after recovery
Fixes: 212d16cdca2d ("powerpc/eeh: EEH support for VFIO PCI device")
Signed-off-by: Narayana Murty N <nnmlinux@linux.ibm.com>
Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Reviewed-by: Ganesh Goudar <ganeshgr@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250508062928.146043-1-nnmlinux@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/eeh.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index ab316e155ea9f..2e286bba2f645 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1516,6 +1516,8 @@ int eeh_pe_configure(struct eeh_pe *pe)
/* Invalid PE ? */
if (!pe)
return -ENODEV;
+ else
+ ret = eeh_ops->configure_bridge(pe);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 441/508] Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 440/508] powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 442/508] drivers/rapidio/rio_cm.c: prevent possible heap overwrite Greg Kroah-Hartman
` (70 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David.Kaplan, peterz,
pawan.kumar.gupta, mingo, brad.spengler, Salvatore Bonaccorso,
Breno Leitao
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
This reverts commit 594dbf0a19d607f106ed552332b9b8fecd2b64a3 which is
commit 98fdaeb296f51ef08e727a7cc72e5b5c864c4f4d upstream.
commit 7adb96687ce8 ("x86/bugs: Make spectre user default depend on
MITIGATION_SPECTRE_V2") depends on commit 72c70f480a70 ("x86/bugs: Add
a separate config for Spectre V2"), which introduced
MITIGATION_SPECTRE_V2.
commit 72c70f480a70 ("x86/bugs: Add a separate config for Spectre V2")
never landed in stable tree, thus, stable tree doesn't have
MITIGATION_SPECTRE_V2, that said, commit 7adb96687ce8 ("x86/bugs: Make
spectre user default depend on MITIGATION_SPECTRE_V2") has no value if
the dependecy was not applied.
Revert commit 7adb96687ce8 ("x86/bugs: Make spectre user default
depend on MITIGATION_SPECTRE_V2") in stable kernel which landed in in
5.4.294, 5.10.238, 5.15.185, 6.1.141 and 6.6.93 stable versions.
Cc: David.Kaplan@amd.com
Cc: peterz@infradead.org
Cc: pawan.kumar.gupta@linux.intel.com
Cc: mingo@kernel.org
Cc: brad.spengler@opensrcsec.com
Cc: stable@vger.kernel.org # 6.6 6.1 5.15 5.10 5.4
Reported-by: Brad Spengler <brad.spengler@opensrcsec.com>
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/kernel-parameters.txt | 2 --
arch/x86/kernel/cpu/bugs.c | 10 +++-------
2 files changed, 3 insertions(+), 9 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5780,8 +5780,6 @@
Selecting 'on' will also enable the mitigation
against user space to user space task attacks.
- Selecting specific mitigation does not force enable
- user mitigations.
Selecting 'off' will disable both the kernel and
the user space protections.
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1382,13 +1382,9 @@ static __ro_after_init enum spectre_v2_m
static enum spectre_v2_user_cmd __init
spectre_v2_parse_user_cmdline(void)
{
- enum spectre_v2_user_cmd mode;
char arg[20];
int ret, i;
- mode = IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ?
- SPECTRE_V2_USER_CMD_AUTO : SPECTRE_V2_USER_CMD_NONE;
-
switch (spectre_v2_cmd) {
case SPECTRE_V2_CMD_NONE:
return SPECTRE_V2_USER_CMD_NONE;
@@ -1401,7 +1397,7 @@ spectre_v2_parse_user_cmdline(void)
ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
arg, sizeof(arg));
if (ret < 0)
- return mode;
+ return SPECTRE_V2_USER_CMD_AUTO;
for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
if (match_option(arg, ret, v2_user_options[i].option)) {
@@ -1411,8 +1407,8 @@ spectre_v2_parse_user_cmdline(void)
}
}
- pr_err("Unknown user space protection option (%s). Switching to default\n", arg);
- return mode;
+ pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
+ return SPECTRE_V2_USER_CMD_AUTO;
}
static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 442/508] drivers/rapidio/rio_cm.c: prevent possible heap overwrite
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 441/508] Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 443/508] platform/loongarch: laptop: Get brightness setting from EC on probe Greg Kroah-Hartman
` (69 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, maher azz, Matt Porter,
Alexandre Bounine, Linus Torvalds, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Morton <akpm@linux-foundation.org>
commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3 upstream.
In
riocm_cdev_ioctl(RIO_CM_CHAN_SEND)
-> cm_chan_msg_send()
-> riocm_ch_send()
cm_chan_msg_send() checks that userspace didn't send too much data but
riocm_ch_send() failed to check that userspace sent sufficient data. The
result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr
which were outside the bounds of the space which cm_chan_msg_send()
allocated.
Address this by teaching riocm_ch_send() to check that the entire
rio_ch_chan_hdr was copied in from userspace.
Reported-by: maher azz <maherazz04@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rapidio/rio_cm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -787,6 +787,9 @@ static int riocm_ch_send(u16 ch_id, void
if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE)
return -EINVAL;
+ if (len < sizeof(struct rio_ch_chan_hdr))
+ return -EINVAL; /* insufficient data from user */
+
ch = riocm_get_channel(ch_id);
if (!ch) {
riocm_error("%s(%d) ch_%d not found", current->comm,
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 443/508] platform/loongarch: laptop: Get brightness setting from EC on probe
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 442/508] drivers/rapidio/rio_cm.c: prevent possible heap overwrite Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 444/508] platform/loongarch: laptop: Unregister generic_sub_drivers on exit Greg Kroah-Hartman
` (68 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yao Zi, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yao Zi <ziyao@disroot.org>
commit 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf upstream.
Previously during driver probe, 1 is unconditionally taken as current
brightness value and set to props.brightness, which will be considered
as the brightness before suspend and restored to EC on resume. Since a
brightness value of 1 almost never matches EC's state on coldboot (my
laptop's EC defaults to 80), this causes surprising changes of screen
brightness on the first time of resume after coldboot.
Let's get brightness from EC and take it as the current brightness on
probe of the laptop driver to avoid the surprising behavior. Tested on
TongFang L860-T2 Loongson-3A5000 laptop.
Cc: stable@vger.kernel.org
Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver")
Signed-off-by: Yao Zi <ziyao@disroot.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/loongarch/loongson-laptop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/loongarch/loongson-laptop.c
+++ b/drivers/platform/loongarch/loongson-laptop.c
@@ -392,8 +392,8 @@ static int laptop_backlight_register(voi
if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d"))
return -EIO;
- props.brightness = 1;
props.max_brightness = status;
+ props.brightness = ec_get_brightness();
props.type = BACKLIGHT_PLATFORM;
backlight_device_register("loongson_laptop",
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 444/508] platform/loongarch: laptop: Unregister generic_sub_drivers on exit
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 443/508] platform/loongarch: laptop: Get brightness setting from EC on probe Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 445/508] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg Greg Kroah-Hartman
` (67 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yao Zi, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yao Zi <ziyao@disroot.org>
commit f78fb2576f22b0ba5297412a9aa7691920666c41 upstream.
Without correct unregisteration, ACPI notify handlers and the platform
drivers installed by generic_subdriver_init() will become dangling
references after removing the loongson_laptop module, triggering various
kernel faults when a hotkey is sent or at kernel shutdown.
Cc: stable@vger.kernel.org
Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver")
Signed-off-by: Yao Zi <ziyao@disroot.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/loongarch/loongson-laptop.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/platform/loongarch/loongson-laptop.c
+++ b/drivers/platform/loongarch/loongson-laptop.c
@@ -611,11 +611,17 @@ static int __init generic_acpi_laptop_in
static void __exit generic_acpi_laptop_exit(void)
{
+ int i;
+
if (generic_inputdev) {
- if (input_device_registered)
- input_unregister_device(generic_inputdev);
- else
+ if (!input_device_registered) {
input_free_device(generic_inputdev);
+ } else {
+ input_unregister_device(generic_inputdev);
+
+ for (i = 0; i < ARRAY_SIZE(generic_sub_drivers); i++)
+ generic_subdriver_exit(&generic_sub_drivers[i]);
+ }
}
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 445/508] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 444/508] platform/loongarch: laptop: Unregister generic_sub_drivers on exit Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 446/508] jffs2: check that raw node were preallocated before writing summary Greg Kroah-Hartman
` (66 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yanteng Si, WANG Rui, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 52c22661c79a7b6af7fad9f77200738fc6c51878 upstream.
When building kernel with LLVM there are occasionally such errors:
In file included from ./include/linux/spinlock.h:59:
In file included from ./include/linux/irqflags.h:17:
arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1
38 | "csrxchg %[val], %[mask], %[reg]\n\t"
| ^
<inline asm>:1:16: note: instantiated into assembly here
1 | csrxchg $a1, $ra, 0
| ^
To prevent the compiler from allocating $r0 or $r1 for the "mask" of the
csrxchg instruction, the 'q' constraint must be used but Clang < 21 does
not support it. So force to use $t0 in the inline asm, in order to avoid
using $r0/$r1 while keeping the backward compatibility.
Cc: stable@vger.kernel.org
Link: https://github.com/llvm/llvm-project/pull/141037
Reviewed-by: Yanteng Si <si.yanteng@linux.dev>
Suggested-by: WANG Rui <wangrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/arch/loongarch/include/asm/irqflags.h
+++ b/arch/loongarch/include/asm/irqflags.h
@@ -14,40 +14,48 @@
static inline void arch_local_irq_enable(void)
{
u32 flags = CSR_CRMD_IE;
+ register u32 mask asm("t0") = CSR_CRMD_IE;
+
__asm__ __volatile__(
"csrxchg %[val], %[mask], %[reg]\n\t"
: [val] "+r" (flags)
- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
: "memory");
}
static inline void arch_local_irq_disable(void)
{
u32 flags = 0;
+ register u32 mask asm("t0") = CSR_CRMD_IE;
+
__asm__ __volatile__(
"csrxchg %[val], %[mask], %[reg]\n\t"
: [val] "+r" (flags)
- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
: "memory");
}
static inline unsigned long arch_local_irq_save(void)
{
u32 flags = 0;
+ register u32 mask asm("t0") = CSR_CRMD_IE;
+
__asm__ __volatile__(
"csrxchg %[val], %[mask], %[reg]\n\t"
: [val] "+r" (flags)
- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
: "memory");
return flags;
}
static inline void arch_local_irq_restore(unsigned long flags)
{
+ register u32 mask asm("t0") = CSR_CRMD_IE;
+
__asm__ __volatile__(
"csrxchg %[val], %[mask], %[reg]\n\t"
: [val] "+r" (flags)
- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
: "memory");
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 446/508] jffs2: check that raw node were preallocated before writing summary
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 445/508] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 447/508] jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Greg Kroah-Hartman
` (65 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem Sadovnikov, Zhihao Cheng,
Richard Weinberger
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
commit ec9e6f22bce433b260ea226de127ec68042849b0 upstream.
Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault
injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't
check return value of jffs2_prealloc_raw_node_refs and simply lets any
error propagate into jffs2_sum_write_data, which eventually calls
jffs2_link_node_ref in order to link the summary to an expectedly allocated
node.
kernel BUG at fs/jffs2/nodelist.c:592!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592
Call Trace:
<TASK>
jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]
jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874
jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388
jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197
jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362
jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301
generic_perform_write+0x314/0x5d0 mm/filemap.c:3856
__generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973
generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005
call_write_iter include/linux/fs.h:2265 [inline]
do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735
do_iter_write+0x186/0x710 fs/read_write.c:861
vfs_iter_write+0x70/0xa0 fs/read_write.c:902
iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
do_splice_from fs/splice.c:763 [inline]
direct_splice_actor+0x10c/0x170 fs/splice.c:950
splice_direct_to_actor+0x337/0xa10 fs/splice.c:896
do_splice_direct+0x1a9/0x280 fs/splice.c:1002
do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fix this issue by checking return value of jffs2_prealloc_raw_node_refs
before calling jffs2_sum_write_data.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Cc: stable@vger.kernel.org
Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.")
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jffs2/summary.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -858,7 +858,10 @@ int jffs2_sum_write_sumnode(struct jffs2
spin_unlock(&c->erase_completion_lock);
jeb = c->nextblock;
- jffs2_prealloc_raw_node_refs(c, jeb, 1);
+ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1);
+
+ if (ret)
+ goto out;
if (!c->summary->sum_num || !c->summary->sum_list_head) {
JFFS2_WARNING("Empty summary info!!!\n");
@@ -872,6 +875,8 @@ int jffs2_sum_write_sumnode(struct jffs2
datasize += padsize;
ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize);
+
+out:
spin_lock(&c->erase_completion_lock);
return ret;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 447/508] jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 446/508] jffs2: check that raw node were preallocated before writing summary Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 448/508] smb: improve directory cache reuse for readdir operations Greg Kroah-Hartman
` (64 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Zhihao Cheng,
Richard Weinberger
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit 2b6d96503255a3ed676cd70f8368870c6d6a25c6 upstream.
Fuzzing hit another invalid pointer dereference due to the lack of
checking whether jffs2_prealloc_raw_node_refs() completed successfully.
Subsequent logic implies that the node refs have been allocated.
Handle that. The code is ready for propagating the error upwards.
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600
Call Trace:
jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline]
jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118
jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253
jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167
jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362
jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302
generic_perform_write+0x2c2/0x500 mm/filemap.c:3347
__generic_file_write_iter+0x252/0x610 mm/filemap.c:3465
generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497
call_write_iter include/linux/fs.h:2039 [inline]
do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740
do_iter_write+0x18c/0x710 fs/read_write.c:866
vfs_writev+0x1db/0x6a0 fs/read_write.c:939
do_pwritev fs/read_write.c:1036 [inline]
__do_sys_pwritev fs/read_write.c:1083 [inline]
__se_sys_pwritev fs/read_write.c:1078 [inline]
__x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.")
Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jffs2/erase.c | 4 +++-
fs/jffs2/scan.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
--- a/fs/jffs2/erase.c
+++ b/fs/jffs2/erase.c
@@ -425,7 +425,9 @@ static void jffs2_mark_erased_block(stru
.totlen = cpu_to_je32(c->cleanmarker_size)
};
- jffs2_prealloc_raw_node_refs(c, jeb, 1);
+ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1);
+ if (ret)
+ goto filebad;
marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4));
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_in
jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n",
__func__, skip);
- jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
+ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
+ if (ret)
+ goto out;
jffs2_scan_dirty_space(c, c->nextblock, skip);
}
#endif
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 448/508] smb: improve directory cache reuse for readdir operations
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 447/508] jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 449/508] scsi: storvsc: Increase the timeouts to storvsc_timeout Greg Kroah-Hartman
` (63 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharath SM <bharathsm.hsk@gmail.com>
commit 72dd7961a4bb4fa1fc456169a61dd12e68e50645 upstream.
Currently, cached directory contents were not reused across subsequent
'ls' operations because the cache validity check relied on comparing
the ctx pointer, which changes with each readdir invocation. As a
result, the cached dir entries was not marked as valid and the cache was
not utilized for subsequent 'ls' operations.
This change uses the file pointer, which remains consistent across all
readdir calls for a given directory instance, to associate and validate
the cache. As a result, cached directory contents can now be
correctly reused, improving performance for repeated directory listings.
Performance gains with local windows SMB server:
Without the patch and default actimeo=1:
1000 directory enumeration operations on dir with 10k files took 135.0s
With this patch and actimeo=0:
1000 directory enumeration operations on dir with 10k files took just 5.1s
Signed-off-by: Bharath SM <bharathsm@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cached_dir.h | 8 ++++----
fs/smb/client/readdir.c | 28 +++++++++++++++-------------
2 files changed, 19 insertions(+), 17 deletions(-)
--- a/fs/smb/client/cached_dir.h
+++ b/fs/smb/client/cached_dir.h
@@ -21,10 +21,10 @@ struct cached_dirent {
struct cached_dirents {
bool is_valid:1;
bool is_failed:1;
- struct dir_context *ctx; /*
- * Only used to make sure we only take entries
- * from a single context. Never dereferenced.
- */
+ struct file *file; /*
+ * Used to associate the cache with a single
+ * open file instance.
+ */
struct mutex de_mutex;
int pos; /* Expected ctx->pos */
struct list_head entries;
--- a/fs/smb/client/readdir.c
+++ b/fs/smb/client/readdir.c
@@ -882,9 +882,9 @@ static bool emit_cached_dirents(struct c
}
static void update_cached_dirents_count(struct cached_dirents *cde,
- struct dir_context *ctx)
+ struct file *file)
{
- if (cde->ctx != ctx)
+ if (cde->file != file)
return;
if (cde->is_valid || cde->is_failed)
return;
@@ -893,9 +893,9 @@ static void update_cached_dirents_count(
}
static void finished_cached_dirents_count(struct cached_dirents *cde,
- struct dir_context *ctx)
+ struct dir_context *ctx, struct file *file)
{
- if (cde->ctx != ctx)
+ if (cde->file != file)
return;
if (cde->is_valid || cde->is_failed)
return;
@@ -908,11 +908,12 @@ static void finished_cached_dirents_coun
static void add_cached_dirent(struct cached_dirents *cde,
struct dir_context *ctx,
const char *name, int namelen,
- struct cifs_fattr *fattr)
+ struct cifs_fattr *fattr,
+ struct file *file)
{
struct cached_dirent *de;
- if (cde->ctx != ctx)
+ if (cde->file != file)
return;
if (cde->is_valid || cde->is_failed)
return;
@@ -942,7 +943,8 @@ static void add_cached_dirent(struct cac
static bool cifs_dir_emit(struct dir_context *ctx,
const char *name, int namelen,
struct cifs_fattr *fattr,
- struct cached_fid *cfid)
+ struct cached_fid *cfid,
+ struct file *file)
{
bool rc;
ino_t ino = cifs_uniqueid_to_ino_t(fattr->cf_uniqueid);
@@ -954,7 +956,7 @@ static bool cifs_dir_emit(struct dir_con
if (cfid) {
mutex_lock(&cfid->dirents.de_mutex);
add_cached_dirent(&cfid->dirents, ctx, name, namelen,
- fattr);
+ fattr, file);
mutex_unlock(&cfid->dirents.de_mutex);
}
@@ -1054,7 +1056,7 @@ static int cifs_filldir(char *find_entry
cifs_prime_dcache(file_dentry(file), &name, &fattr);
return !cifs_dir_emit(ctx, name.name, name.len,
- &fattr, cfid);
+ &fattr, cfid, file);
}
@@ -1105,8 +1107,8 @@ int cifs_readdir(struct file *file, stru
* we need to initialize scanning and storing the
* directory content.
*/
- if (ctx->pos == 0 && cfid->dirents.ctx == NULL) {
- cfid->dirents.ctx = ctx;
+ if (ctx->pos == 0 && cfid->dirents.file == NULL) {
+ cfid->dirents.file = file;
cfid->dirents.pos = 2;
}
/*
@@ -1174,7 +1176,7 @@ int cifs_readdir(struct file *file, stru
} else {
if (cfid) {
mutex_lock(&cfid->dirents.de_mutex);
- finished_cached_dirents_count(&cfid->dirents, ctx);
+ finished_cached_dirents_count(&cfid->dirents, ctx, file);
mutex_unlock(&cfid->dirents.de_mutex);
}
cifs_dbg(FYI, "Could not find entry\n");
@@ -1215,7 +1217,7 @@ int cifs_readdir(struct file *file, stru
ctx->pos++;
if (cfid) {
mutex_lock(&cfid->dirents.de_mutex);
- update_cached_dirents_count(&cfid->dirents, ctx);
+ update_cached_dirents_count(&cfid->dirents, file);
mutex_unlock(&cfid->dirents.de_mutex);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 449/508] scsi: storvsc: Increase the timeouts to storvsc_timeout
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 448/508] smb: improve directory cache reuse for readdir operations Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 450/508] scsi: s390: zfcp: Ensure synchronous unit_add Greg Kroah-Hartman
` (62 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Dexuan Cui, Long Li,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dexuan Cui <decui@microsoft.com>
commit b2f966568faaad326de97481096d0f3dc0971c43 upstream.
Currently storvsc_timeout is only used in storvsc_sdev_configure(), and
5s and 10s are used elsewhere. It turns out that rarely the 5s is not
enough on Azure, so let's use storvsc_timeout everywhere.
In case a timeout happens and storvsc_channel_init() returns an error,
close the VMBus channel so that any host-to-guest messages in the
channel's ringbuffer, which might come late, can be safely ignored.
Add a "const" to storvsc_timeout.
Cc: stable@kernel.org
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Link: https://lore.kernel.org/r/1749243459-10419-1-git-send-email-decui@microsoft.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/storvsc_drv.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -358,7 +358,7 @@ MODULE_PARM_DESC(ring_avail_percent_lowa
/*
* Timeout in seconds for all devices managed by this driver.
*/
-static int storvsc_timeout = 180;
+static const int storvsc_timeout = 180;
#if IS_ENABLED(CONFIG_SCSI_FC_ATTRS)
static struct scsi_transport_template *fc_transport_template;
@@ -764,7 +764,7 @@ static void handle_multichannel_storage
return;
}
- t = wait_for_completion_timeout(&request->wait_event, 10*HZ);
+ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ);
if (t == 0) {
dev_err(dev, "Failed to create sub-channel: timed out\n");
return;
@@ -829,7 +829,7 @@ static int storvsc_execute_vstor_op(stru
if (ret != 0)
return ret;
- t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
+ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ);
if (t == 0)
return -ETIMEDOUT;
@@ -1342,6 +1342,8 @@ static int storvsc_connect_to_vsp(struct
return ret;
ret = storvsc_channel_init(device, is_fc);
+ if (ret)
+ vmbus_close(device->channel);
return ret;
}
@@ -1659,7 +1661,7 @@ static int storvsc_host_reset_handler(st
if (ret != 0)
return FAILED;
- t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
+ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ);
if (t == 0)
return TIMEOUT_ERROR;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 450/508] scsi: s390: zfcp: Ensure synchronous unit_add
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 449/508] scsi: storvsc: Increase the timeouts to storvsc_timeout Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 451/508] net_sched: sch_sfq: reject invalid perturb period Greg Kroah-Hartman
` (61 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, M Nikhil, Nihar Panda,
Peter Oberparleiter, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
commit 9697ca0d53e3db357be26d2414276143c4a2cd49 upstream.
Improve the usability of the unit_add sysfs attribute by ensuring that
the associated FCP LUN scan processing is completed synchronously. This
enables configuration tooling to consistently determine the end of the
scan process to allow for serialization of follow-on actions.
While the scan process associated with unit_add typically completes
synchronously, it is deferred to an asynchronous background process if
unit_add is used before initial remote port scanning has completed. This
occurs when unit_add is used immediately after setting the associated FCP
device online.
To ensure synchronous unit_add processing, wait for remote port scanning
to complete before initiating the FCP LUN scan.
Cc: stable@vger.kernel.org
Reviewed-by: M Nikhil <nikh1092@linux.ibm.com>
Reviewed-by: Nihar Panda <niharp@linux.ibm.com>
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Nihar Panda <niharp@linux.ibm.com>
Link: https://lore.kernel.org/r/20250603182252.2287285-2-niharp@linux.ibm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/scsi/zfcp_sysfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -450,6 +450,8 @@ static ssize_t zfcp_sysfs_unit_add_store
if (kstrtoull(buf, 0, (unsigned long long *) &fcp_lun))
return -EINVAL;
+ flush_work(&port->rport_work);
+
retval = zfcp_unit_add(port, fcp_lun);
if (retval)
return retval;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 451/508] net_sched: sch_sfq: reject invalid perturb period
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 450/508] scsi: s390: zfcp: Ensure synchronous unit_add Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 452/508] udmabuf: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
` (60 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 7ca52541c05c832d32b112274f81a985101f9ba8 upstream.
Gerrard Tai reported that SFQ perturb_period has no range check yet,
and this can be used to trigger a race condition fixed in a separate patch.
We want to make sure ctl->perturb_period * HZ will not overflow
and is positive.
Tested:
tc qd add dev lo root sfq perturb -10 # negative value : error
Error: sch_sfq: invalid perturb period.
tc qd add dev lo root sfq perturb 1000000000 # too big : error
Error: sch_sfq: invalid perturb period.
tc qd add dev lo root sfq perturb 2000000 # acceptable value
tc -s -d qd sh dev lo
qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250611083501.1810459-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_sfq.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch,
NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
return -EINVAL;
}
+
+ if (ctl->perturb_period < 0 ||
+ ctl->perturb_period > INT_MAX / HZ) {
+ NL_SET_ERR_MSG_MOD(extack, "invalid perturb period");
+ return -EINVAL;
+ }
+ perturb_period = ctl->perturb_period * HZ;
+
if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
ctl_v1->Wlog, ctl_v1->Scell_log, NULL))
return -EINVAL;
@@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch,
headdrop = q->headdrop;
maxdepth = q->maxdepth;
maxflows = q->maxflows;
- perturb_period = q->perturb_period;
quantum = q->quantum;
flags = q->flags;
/* update and validate configuration */
if (ctl->quantum)
quantum = ctl->quantum;
- perturb_period = ctl->perturb_period * HZ;
if (ctl->flows)
maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
if (ctl->divisor) {
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 452/508] udmabuf: use sgtable-based scatterlist wrappers
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 451/508] net_sched: sch_sfq: reject invalid perturb period Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 453/508] selftests/x86: Add a test to detect infinite SIGTRAP handler loop Greg Kroah-Hartman
` (59 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Vivek Kasireddy,
Christian König
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit afe382843717d44b24ef5014d57dcbaab75a4052 upstream.
Use common wrappers operating directly on the struct sg_table objects to
fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
functions have to be called with the number of elements originally passed
to dma_map_sg_*() function, not the one returned in sgtable's nents.
Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access")
CC: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20250507160913.2084079-3-m.szyprowski@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma-buf/udmabuf.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -133,8 +133,7 @@ static int begin_cpu_udmabuf(struct dma_
ubuf->sg = NULL;
}
} else {
- dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents,
- direction);
+ dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction);
}
return ret;
@@ -149,7 +148,7 @@ static int end_cpu_udmabuf(struct dma_bu
if (!ubuf->sg)
return -EINVAL;
- dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction);
+ dma_sync_sgtable_for_device(dev, ubuf->sg, direction);
return 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 453/508] selftests/x86: Add a test to detect infinite SIGTRAP handler loop
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 452/508] udmabuf: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 454/508] ksmbd: fix null pointer dereference in destroy_previous_session Greg Kroah-Hartman
` (58 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Li (Intel), Dave Hansen,
Sohil Mehta
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Li (Intel) <xin@zytor.com>
commit f287822688eeb44ae1cf6ac45701d965efc33218 upstream.
When FRED is enabled, if the Trap Flag (TF) is set without an external
debugger attached, it can lead to an infinite loop in the SIGTRAP
handler. To avoid this, the software event flag in the augmented SS
must be cleared, ensuring that no single-step trap remains pending when
ERETU completes.
This test checks for that specific scenario—verifying whether the kernel
correctly prevents an infinite SIGTRAP loop in this edge case when FRED
is enabled.
The test should _always_ pass with IDT event delivery, thus no need to
disable the test even when FRED is not enabled.
Signed-off-by: Xin Li (Intel) <xin@zytor.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Tested-by: Sohil Mehta <sohil.mehta@intel.com>
Cc:stable@vger.kernel.org
Link: https://lore.kernel.org/all/20250609084054.2083189-3-xin%40zytor.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/x86/Makefile | 2
tools/testing/selftests/x86/sigtrap_loop.c | 101 +++++++++++++++++++++++++++++
2 files changed, 102 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/x86/sigtrap_loop.c
--- a/tools/testing/selftests/x86/Makefile
+++ b/tools/testing/selftests/x86/Makefile
@@ -12,7 +12,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_
TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \
check_initial_reg_state sigreturn iopl ioperm \
- test_vsyscall mov_ss_trap \
+ test_vsyscall mov_ss_trap sigtrap_loop \
syscall_arg_fault fsgsbase_restore sigaltstack
TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \
test_FCMOV test_FCOMI test_FISTTP \
--- /dev/null
+++ b/tools/testing/selftests/x86/sigtrap_loop.c
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2025 Intel Corporation
+ */
+#define _GNU_SOURCE
+
+#include <err.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ucontext.h>
+
+#ifdef __x86_64__
+# define REG_IP REG_RIP
+#else
+# define REG_IP REG_EIP
+#endif
+
+static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), int flags)
+{
+ struct sigaction sa;
+
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_sigaction = handler;
+ sa.sa_flags = SA_SIGINFO | flags;
+ sigemptyset(&sa.sa_mask);
+
+ if (sigaction(sig, &sa, 0))
+ err(1, "sigaction");
+
+ return;
+}
+
+static void sigtrap(int sig, siginfo_t *info, void *ctx_void)
+{
+ ucontext_t *ctx = (ucontext_t *)ctx_void;
+ static unsigned int loop_count_on_same_ip;
+ static unsigned long last_trap_ip;
+
+ if (last_trap_ip == ctx->uc_mcontext.gregs[REG_IP]) {
+ printf("\tTrapped at %016lx\n", last_trap_ip);
+
+ /*
+ * If the same IP is hit more than 10 times in a row, it is
+ * _considered_ an infinite loop.
+ */
+ if (++loop_count_on_same_ip > 10) {
+ printf("[FAIL]\tDetected SIGTRAP infinite loop\n");
+ exit(1);
+ }
+
+ return;
+ }
+
+ loop_count_on_same_ip = 0;
+ last_trap_ip = ctx->uc_mcontext.gregs[REG_IP];
+ printf("\tTrapped at %016lx\n", last_trap_ip);
+}
+
+int main(int argc, char *argv[])
+{
+ sethandler(SIGTRAP, sigtrap, 0);
+
+ /*
+ * Set the Trap Flag (TF) to single-step the test code, therefore to
+ * trigger a SIGTRAP signal after each instruction until the TF is
+ * cleared.
+ *
+ * Because the arithmetic flags are not significant here, the TF is
+ * set by pushing 0x302 onto the stack and then popping it into the
+ * flags register.
+ *
+ * Four instructions in the following asm code are executed with the
+ * TF set, thus the SIGTRAP handler is expected to run four times.
+ */
+ printf("[RUN]\tSIGTRAP infinite loop detection\n");
+ asm volatile(
+#ifdef __x86_64__
+ /*
+ * Avoid clobbering the redzone
+ *
+ * Equivalent to "sub $128, %rsp", however -128 can be encoded
+ * in a single byte immediate while 128 uses 4 bytes.
+ */
+ "add $-128, %rsp\n\t"
+#endif
+ "push $0x302\n\t"
+ "popf\n\t"
+ "nop\n\t"
+ "nop\n\t"
+ "push $0x202\n\t"
+ "popf\n\t"
+#ifdef __x86_64__
+ "sub $-128, %rsp\n\t"
+#endif
+ );
+
+ printf("[OK]\tNo SIGTRAP infinite loop detected\n");
+ return 0;
+}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 454/508] ksmbd: fix null pointer dereference in destroy_previous_session
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 453/508] selftests/x86: Add a test to detect infinite SIGTRAP handler loop Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 455/508] selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Greg Kroah-Hartman
` (57 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
zdi-disclosures
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e upstream.
If client set ->PreviousSessionId on kerberos session setup stage,
NULL pointer dereference error will happen. Since sess->user is not
set yet, It can pass the user argument as NULL to destroy_previous_session.
sess->user will be set in ksmbd_krb5_authenticate(). So this patch move
calling destroy_previous_session() after ksmbd_krb5_authenticate().
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1610,17 +1610,18 @@ static int krb5_authenticate(struct ksmb
out_len = work->response_sz -
(le16_to_cpu(rsp->SecurityBufferOffset) + 4);
- /* Check previous session */
- prev_sess_id = le64_to_cpu(req->PreviousSessionId);
- if (prev_sess_id && prev_sess_id != sess->id)
- destroy_previous_session(conn, sess->user, prev_sess_id);
-
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
out_blob, &out_len);
if (retval) {
ksmbd_debug(SMB, "krb5 authentication failed\n");
return -EINVAL;
}
+
+ /* Check previous session */
+ prev_sess_id = le64_to_cpu(req->PreviousSessionId);
+ if (prev_sess_id && prev_sess_id != sess->id)
+ destroy_previous_session(conn, sess->user, prev_sess_id);
+
rsp->SecurityBufferLength = cpu_to_le16(out_len);
if ((conn->sign || server_conf.enforced_signing) ||
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 455/508] selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 454/508] ksmbd: fix null pointer dereference in destroy_previous_session Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 456/508] atm: Revert atm_account_tx() if copy_from_iter_full() fails Greg Kroah-Hartman
` (56 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Göttsche,
Stephen Smalley, Paul Moore
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Smalley <stephen.smalley.work@gmail.com>
commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream.
We should count the terminating NUL byte as part of the ctx_len.
Otherwise, UBSAN logs a warning:
UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14
index 60 is out of range for type 'char [*]'
The allocation itself is correct so there is no actual out of bounds
indexing, just a warning.
Cc: stable@vger.kernel.org
Suggested-by: Christian Göttsche <cgzones@googlemail.com>
Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/xfrm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struc
ctx->ctx_doi = XFRM_SC_DOI_LSM;
ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
- ctx->ctx_len = str_len;
+ ctx->ctx_len = str_len + 1;
memcpy(ctx->ctx_str, &uctx[1], str_len);
ctx->ctx_str[str_len] = '\0';
rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 456/508] atm: Revert atm_account_tx() if copy_from_iter_full() fails.
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 455/508] selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 457/508] Input: sparcspkr - avoid unannotated fall-through Greg Kroah-Hartman
` (55 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Kuniyuki Iwashima,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
commit 7851263998d4269125fd6cb3fdbfc7c6db853859 upstream.
In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by
atm_account_tx().
It is expected to be reverted by atm_pop_raw() later called by
vcc->dev->ops->send(vcc, skb).
However, vcc_sendmsg() misses the same revert when copy_from_iter_full()
fails, and then we will leak a socket.
Let's factorise the revert part as atm_return_tx() and call it in
the failure path.
Note that the corresponding sk_wmem_alloc operation can be found in
alloc_tx() as of the blamed commit.
$ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/atmdev.h | 6 ++++++
net/atm/common.c | 1 +
net/atm/raw.c | 2 +-
3 files changed, 8 insertions(+), 1 deletion(-)
--- a/include/linux/atmdev.h
+++ b/include/linux/atmdev.h
@@ -249,6 +249,12 @@ static inline void atm_account_tx(struct
ATM_SKB(skb)->atm_options = vcc->atm_options;
}
+static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb)
+{
+ WARN_ON_ONCE(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize,
+ &sk_atm(vcc)->sk_wmem_alloc));
+}
+
static inline void atm_force_charge(struct atm_vcc *vcc,int truesize)
{
atomic_add(truesize, &sk_atm(vcc)->sk_rmem_alloc);
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -635,6 +635,7 @@ int vcc_sendmsg(struct socket *sock, str
skb->dev = NULL; /* for paths shared with net_device interfaces */
if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) {
+ atm_return_tx(vcc, skb);
kfree_skb(skb);
error = -EFAULT;
goto out;
--- a/net/atm/raw.c
+++ b/net/atm/raw.c
@@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc *
pr_debug("(%d) %d -= %d\n",
vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize);
- WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc));
+ atm_return_tx(vcc, skb);
dev_kfree_skb_any(skb);
sk->sk_write_space(sk);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 457/508] Input: sparcspkr - avoid unannotated fall-through
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 456/508] atm: Revert atm_account_tx() if copy_from_iter_full() fails Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 458/508] wifi: cfg80211: init wiphy_work before allocating rfkill fails Greg Kroah-Hartman
` (54 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WangYuli, Dmitry Torokhov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
commit 8b1d858cbd4e1800e9336404ba7892b5a721230d upstream.
Fix follow warnings with clang-21i (and reformat for clarity):
drivers/input/misc/sparcspkr.c:78:3: warning: unannotated fall-through between switch labels [-Wimplicit-fallthrough]
78 | case SND_TONE: break;
| ^
drivers/input/misc/sparcspkr.c:78:3: note: insert 'break;' to avoid fall-through
78 | case SND_TONE: break;
| ^
| break;
drivers/input/misc/sparcspkr.c:113:3: warning: unannotated fall-through between switch labels [-Wimplicit-fallthrough]
113 | case SND_TONE: break;
| ^
drivers/input/misc/sparcspkr.c:113:3: note: insert 'break;' to avoid fall-through
113 | case SND_TONE: break;
| ^
| break;
2 warnings generated.
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Link: https://lore.kernel.org/r/6730E40353C76908+20250415052439.155051-1-wangyuli@uniontech.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/misc/sparcspkr.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
--- a/drivers/input/misc/sparcspkr.c
+++ b/drivers/input/misc/sparcspkr.c
@@ -74,9 +74,14 @@ static int bbc_spkr_event(struct input_d
return -1;
switch (code) {
- case SND_BELL: if (value) value = 1000;
- case SND_TONE: break;
- default: return -1;
+ case SND_BELL:
+ if (value)
+ value = 1000;
+ break;
+ case SND_TONE:
+ break;
+ default:
+ return -1;
}
if (value > 20 && value < 32767)
@@ -112,9 +117,14 @@ static int grover_spkr_event(struct inpu
return -1;
switch (code) {
- case SND_BELL: if (value) value = 1000;
- case SND_TONE: break;
- default: return -1;
+ case SND_BELL:
+ if (value)
+ value = 1000;
+ break;
+ case SND_TONE:
+ break;
+ default:
+ return -1;
}
if (value > 20 && value < 32767)
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 458/508] wifi: cfg80211: init wiphy_work before allocating rfkill fails
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 457/508] Input: sparcspkr - avoid unannotated fall-through Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 459/508] ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card Greg Kroah-Hartman
` (53 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+aaf0488c83d1d5f4f029,
Edward Adam Davis, Johannes Berg, WangYuli
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit fc88dee89d7b63eeb17699393eb659aadf9d9b7c upstream.
syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1]
After rfkill allocation fails, the wiphy release process will be performed,
which will cause cfg80211_dev_free to access the uninitialized wiphy_work
related data.
Move the initialization of wiphy_work to before rfkill initialization to
avoid this issue.
[1]
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
assign_lock_key kernel/locking/lockdep.c:983 [inline]
register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297
__lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196
device_release+0xa1/0x240 drivers/base/core.c:2568
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e4/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3774
wiphy_free net/wireless/core.c:1224 [inline]
wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562
ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835
mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185
hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242
genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:733 [inline]
____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573
___sys_sendmsg+0x135/0x1e0 net/socket.c:2627
__sys_sendmsg+0x16e/0x220 net/socket.c:2659
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
Fixes: 72d520476a2f ("wifi: cfg80211: cancel wiphy_work before freeing wiphy")
Reported-by: syzbot+aaf0488c83d1d5f4f029@syzkaller.appspotmail.com
Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029
Tested-by: syzbot+aaf0488c83d1d5f4f029@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Link: https://patch.msgid.link/tencent_258DD9121DDDB9DD9A1939CFAA0D8625B107@qq.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -546,6 +546,9 @@ use_default_name:
INIT_WORK(&rdev->mgmt_registrations_update_wk,
cfg80211_mgmt_registrations_update_wk);
spin_lock_init(&rdev->mgmt_registrations_lock);
+ INIT_WORK(&rdev->wiphy_work, cfg80211_wiphy_work);
+ INIT_LIST_HEAD(&rdev->wiphy_work_list);
+ spin_lock_init(&rdev->wiphy_work_lock);
#ifdef CONFIG_CFG80211_DEFAULT_PS
rdev->wiphy.flags |= WIPHY_FLAG_PS_ON_BY_DEFAULT;
@@ -563,9 +566,6 @@ use_default_name:
return NULL;
}
- INIT_WORK(&rdev->wiphy_work, cfg80211_wiphy_work);
- INIT_LIST_HEAD(&rdev->wiphy_work_list);
- spin_lock_init(&rdev->wiphy_work_lock);
INIT_WORK(&rdev->rfkill_block, cfg80211_rfkill_block_work);
INIT_WORK(&rdev->conn_work, cfg80211_conn_work);
INIT_WORK(&rdev->event_work, cfg80211_event_work);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 459/508] ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 458/508] wifi: cfg80211: init wiphy_work before allocating rfkill fails Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 460/508] ALSA: hda/intel: Add Thinkpad E15 to PM deny list Greg Kroah-Hartman
` (52 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
commit 93adf20ff4d6e865e0b974110d3cf2f07c057177 upstream.
PCM1 not in Pulseaudio's control list; standardize control to
"Speaker" and "Headphone".
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250613063636.239683-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_maps.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/sound/usb/mixer_maps.c
+++ b/sound/usb/mixer_maps.c
@@ -383,6 +383,13 @@ static const struct usbmix_name_map ms_u
{ 0 } /* terminator */
};
+/* KTMicro USB */
+static struct usbmix_name_map s31b2_0022_map[] = {
+ { 23, "Speaker Playback" },
+ { 18, "Headphone Playback" },
+ { 0 }
+};
+
/* ASUS ROG Zenith II with Realtek ALC1220-VB */
static const struct usbmix_name_map asus_zenith_ii_map[] = {
{ 19, NULL, 12 }, /* FU, Input Gain Pad - broken response, disabled */
@@ -692,6 +699,11 @@ static const struct usbmix_ctl_map usbmi
.id = USB_ID(0x045e, 0x083c),
.map = ms_usb_link_map,
},
+ {
+ /* KTMicro USB */
+ .id = USB_ID(0X31b2, 0x0022),
+ .map = s31b2_0022_map,
+ },
{ 0 } /* terminator */
};
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 460/508] ALSA: hda/intel: Add Thinkpad E15 to PM deny list
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 459/508] ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 461/508] ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Greg Kroah-Hartman
` (51 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit c987a390f1b3b8bdac11031d7004e3410fe259bd upstream.
Lenovo Thinkpad E15 with Conexant CX8070 codec seems causing ugly
noises after runtime-PM suspend. Disable the codec runtime PM as a
workaround.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220210
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250608091415.21170-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/hda_intel.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2261,6 +2261,8 @@ static const struct snd_pci_quirk power_
SND_PCI_QUIRK(0x1734, 0x1232, "KONTRON SinglePC", 0),
/* Dell ALC3271 */
SND_PCI_QUIRK(0x1028, 0x0962, "Dell ALC3271", 0),
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=220210 */
+ SND_PCI_QUIRK(0x17aa, 0x5079, "Lenovo Thinkpad E15", 0),
{}
};
#endif /* CONFIG_PM */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 461/508] ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 460/508] ALSA: hda/intel: Add Thinkpad E15 to PM deny list Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 462/508] iio: accel: fxls8962af: Fix temperature calculation Greg Kroah-Hartman
` (50 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jonathan Lane, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Lane <jon@borg.moe>
commit efa6bdf1bc75e26cafaa5f1d775e8bb7c5b0c431 upstream.
Like many Dell laptops, the 3.5mm port by default can not detect a
combined headphones+mic headset or even a pure microphone. This
change enables the port's functionality.
Signed-off-by: Jonathan Lane <jon@borg.moe>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250611193124.26141-2-jon@borg.moe
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9809,6 +9809,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1028, 0x0871, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
+ SND_PCI_QUIRK(0x1028, 0x0879, "Dell Latitude 5420 Rugged", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 462/508] iio: accel: fxls8962af: Fix temperature calculation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 461/508] ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 463/508] mm/hugetlb: unshare page tables during VMA split, not before Greg Kroah-Hartman
` (49 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Schmitt, Sean Nyekjaer,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit 16038474e3a0263572f36326ef85057aaf341814 upstream.
According to spec temperature should be returned in milli degrees Celsius.
Add in_temp_scale to calculate from Celsius to milli Celsius.
Fixes: a3e0b51884ee ("iio: accel: add support for FXLS8962AF/FXLS8964AF accelerometers")
Cc: stable@vger.kernel.org
Reviewed-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250505-fxls-v4-1-a38652e21738@geanix.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/fxls8962af-core.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/iio/accel/fxls8962af-core.c
+++ b/drivers/iio/accel/fxls8962af-core.c
@@ -20,6 +20,7 @@
#include <linux/pm_runtime.h>
#include <linux/regulator/consumer.h>
#include <linux/regmap.h>
+#include <linux/units.h>
#include <linux/iio/buffer.h>
#include <linux/iio/events.h>
@@ -435,8 +436,16 @@ static int fxls8962af_read_raw(struct ii
*val = FXLS8962AF_TEMP_CENTER_VAL;
return IIO_VAL_INT;
case IIO_CHAN_INFO_SCALE:
- *val = 0;
- return fxls8962af_read_full_scale(data, val2);
+ switch (chan->type) {
+ case IIO_TEMP:
+ *val = MILLIDEGREE_PER_DEGREE;
+ return IIO_VAL_INT;
+ case IIO_ACCEL:
+ *val = 0;
+ return fxls8962af_read_full_scale(data, val2);
+ default:
+ return -EINVAL;
+ }
case IIO_CHAN_INFO_SAMP_FREQ:
return fxls8962af_read_samp_freq(data, val, val2);
default:
@@ -735,6 +744,7 @@ static const struct iio_event_spec fxls8
.type = IIO_TEMP, \
.address = FXLS8962AF_TEMP_OUT, \
.info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | \
+ BIT(IIO_CHAN_INFO_SCALE) | \
BIT(IIO_CHAN_INFO_OFFSET),\
.scan_index = -1, \
.scan_type = { \
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 463/508] mm/hugetlb: unshare page tables during VMA split, not before
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 462/508] iio: accel: fxls8962af: Fix temperature calculation Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 464/508] mm: hugetlb: independent PMD page table shared count Greg Kroah-Hartman
` (48 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Liam Howlett,
Lorenzo Stoakes, Oscar Salvador, Vlastimil Babka, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 upstream.
Currently, __split_vma() triggers hugetlb page table unsharing through
vm_ops->may_split(). This happens before the VMA lock and rmap locks are
taken - which is too early, it allows racing VMA-locked page faults in our
process and racing rmap walks from other processes to cause page tables to
be shared again before we actually perform the split.
Fix it by explicitly calling into the hugetlb unshare logic from
__split_vma() in the same place where THP splitting also happens. At that
point, both the VMA and the rmap(s) are write-locked.
An annoying detail is that we can now call into the helper
hugetlb_unshare_pmds() from two different locking contexts:
1. from hugetlb_split(), holding:
- mmap lock (exclusively)
- VMA lock
- file rmap lock (exclusively)
2. hugetlb_unshare_all_pmds(), which I think is designed to be able to
call us with only the mmap lock held (in shared mode), but currently
only runs while holding mmap lock (exclusively) and VMA lock
Backporting note:
This commit fixes a racy protection that was introduced in commit
b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that
commit claimed to fix an issue introduced in 5.13, but it should actually
also go all the way back.
[jannh@google.com: v2]
Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-1-1329349bad1a@google.com
Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-0-1329349bad1a@google.com
Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-1-f4136f5ec58a@google.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Jann Horn <jannh@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org> [b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs]
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[stable backport: code got moved around, VMA splitting is in __vma_adjust]
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hugetlb.h | 3 ++
mm/hugetlb.c | 60 +++++++++++++++++++++++++++++++++++-------------
mm/mmap.c | 8 ++++++
3 files changed, 55 insertions(+), 16 deletions(-)
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -239,6 +239,7 @@ unsigned long hugetlb_change_protection(
bool is_hugetlb_entry_migration(pte_t pte);
void hugetlb_unshare_all_pmds(struct vm_area_struct *vma);
+void hugetlb_split(struct vm_area_struct *vma, unsigned long addr);
#else /* !CONFIG_HUGETLB_PAGE */
@@ -472,6 +473,8 @@ static inline vm_fault_t hugetlb_fault(s
static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { }
+static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {}
+
#endif /* !CONFIG_HUGETLB_PAGE */
/*
* hugepages at page global directory. If arch support
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -95,7 +95,7 @@ static void hugetlb_vma_lock_free(struct
static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma);
static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma);
static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
- unsigned long start, unsigned long end);
+ unsigned long start, unsigned long end, bool take_locks);
static struct resv_map *vma_resv_map(struct vm_area_struct *vma);
static inline bool subpool_is_free(struct hugepage_subpool *spool)
@@ -4900,26 +4900,40 @@ static int hugetlb_vm_op_split(struct vm
{
if (addr & ~(huge_page_mask(hstate_vma(vma))))
return -EINVAL;
+ return 0;
+}
+void hugetlb_split(struct vm_area_struct *vma, unsigned long addr)
+{
/*
* PMD sharing is only possible for PUD_SIZE-aligned address ranges
* in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this
* split, unshare PMDs in the PUD_SIZE interval surrounding addr now.
+ * This function is called in the middle of a VMA split operation, with
+ * MM, VMA and rmap all write-locked to prevent concurrent page table
+ * walks (except hardware and gup_fast()).
*/
+ mmap_assert_write_locked(vma->vm_mm);
+ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+
if (addr & ~PUD_MASK) {
- /*
- * hugetlb_vm_op_split is called right before we attempt to
- * split the VMA. We will need to unshare PMDs in the old and
- * new VMAs, so let's unshare before we split.
- */
unsigned long floor = addr & PUD_MASK;
unsigned long ceil = floor + PUD_SIZE;
- if (floor >= vma->vm_start && ceil <= vma->vm_end)
- hugetlb_unshare_pmds(vma, floor, ceil);
+ if (floor >= vma->vm_start && ceil <= vma->vm_end) {
+ /*
+ * Locking:
+ * Use take_locks=false here.
+ * The file rmap lock is already held.
+ * The hugetlb VMA lock can't be taken when we already
+ * hold the file rmap lock, and we don't need it because
+ * its purpose is to synchronize against concurrent page
+ * table walks, which are not possible thanks to the
+ * locks held by our caller.
+ */
+ hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false);
+ }
}
-
- return 0;
}
static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma)
@@ -7495,9 +7509,16 @@ void move_hugetlb_state(struct page *old
}
}
+/*
+ * If @take_locks is false, the caller must ensure that no concurrent page table
+ * access can happen (except for gup_fast() and hardware page walks).
+ * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like
+ * concurrent page fault handling) and the file rmap lock.
+ */
static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
unsigned long start,
- unsigned long end)
+ unsigned long end,
+ bool take_locks)
{
struct hstate *h = hstate_vma(vma);
unsigned long sz = huge_page_size(h);
@@ -7521,8 +7542,12 @@ static void hugetlb_unshare_pmds(struct
mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, mm,
start, end);
mmu_notifier_invalidate_range_start(&range);
- hugetlb_vma_lock_write(vma);
- i_mmap_lock_write(vma->vm_file->f_mapping);
+ if (take_locks) {
+ hugetlb_vma_lock_write(vma);
+ i_mmap_lock_write(vma->vm_file->f_mapping);
+ } else {
+ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+ }
for (address = start; address < end; address += PUD_SIZE) {
ptep = huge_pte_offset(mm, address, sz);
if (!ptep)
@@ -7532,8 +7557,10 @@ static void hugetlb_unshare_pmds(struct
spin_unlock(ptl);
}
flush_hugetlb_tlb_range(vma, start, end);
- i_mmap_unlock_write(vma->vm_file->f_mapping);
- hugetlb_vma_unlock_write(vma);
+ if (take_locks) {
+ i_mmap_unlock_write(vma->vm_file->f_mapping);
+ hugetlb_vma_unlock_write(vma);
+ }
/*
* No need to call mmu_notifier_invalidate_range(), see
* Documentation/mm/mmu_notifier.rst.
@@ -7548,7 +7575,8 @@ static void hugetlb_unshare_pmds(struct
void hugetlb_unshare_all_pmds(struct vm_area_struct *vma)
{
hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE),
- ALIGN_DOWN(vma->vm_end, PUD_SIZE));
+ ALIGN_DOWN(vma->vm_end, PUD_SIZE),
+ /* take_locks = */ true);
}
#ifdef CONFIG_CMA
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -727,7 +727,15 @@ int __vma_adjust(struct vm_area_struct *
return -ENOMEM;
}
+ /*
+ * Get rid of huge pages and shared page tables straddling the split
+ * boundary.
+ */
vma_adjust_trans_huge(orig_vma, start, end, adjust_next);
+ if (is_vm_hugetlb_page(orig_vma)) {
+ hugetlb_split(orig_vma, start);
+ hugetlb_split(orig_vma, end);
+ }
if (file) {
mapping = file->f_mapping;
root = &mapping->i_mmap;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 464/508] mm: hugetlb: independent PMD page table shared count
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 463/508] mm/hugetlb: unshare page tables during VMA split, not before Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 465/508] mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race Greg Kroah-Hartman
` (47 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liu Shixin, Kefeng Wang, Ken Chen,
Muchun Song, Nanyong Sun, Jane Chu, Andrew Morton, Jann Horn
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Shixin <liushixin2@huawei.com>
commit 59d9094df3d79443937add8700b2ef1a866b1081 upstream.
The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
to check whether a pmd page table is shared. The check is incorrect if
the refcount is increased by the above caller, and this can cause the page
table leaked:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
dump_stack+0x18/0x28
bad_page+0x8c/0x130
free_page_is_bad_report+0xa4/0xb0
free_unref_page+0x3cc/0x620
__folio_put+0xf4/0x158
split_huge_pages_all+0x1e0/0x3e8
split_huge_pages_write+0x25c/0x2d8
full_proxy_write+0x64/0xd8
vfs_write+0xcc/0x280
ksys_write+0x70/0x110
__arm64_sys_write+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0x128
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x190/0x198
The issue may be triggered by damon, offline_page, page_idle, etc, which
will increase the refcount of page table.
1. The page table itself will be discarded after reporting the
"nonzero mapcount".
2. The HugeTLB page mapped by the page table miss freeing since we
treat the page table as shared and a shared page table will not be
unmapped.
Fix it by introducing independent PMD page table shared count. As
described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
pmds, so we can reuse the field as pt_share_count.
Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Ken Chen <kenneth.w.chen@intel.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Nanyong Sun <sunnanyong@huawei.com>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[backport note: struct ptdesc did not exist yet, stuff it equivalently
into struct page instead]
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 3 +++
include/linux/mm_types.h | 3 +++
mm/hugetlb.c | 16 +++++++---------
3 files changed, 13 insertions(+), 9 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2537,6 +2537,9 @@ static inline bool pgtable_pmd_page_ctor
if (!pmd_ptlock_init(page))
return false;
__SetPageTable(page);
+#ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
+ atomic_set(&page->pt_share_count, 0);
+#endif
inc_lruvec_page_state(page, NR_PAGETABLE);
return true;
}
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -160,6 +160,9 @@ struct page {
union {
struct mm_struct *pt_mm; /* x86 pgds only */
atomic_t pt_frag_refcount; /* powerpc */
+#ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
+ atomic_t pt_share_count;
+#endif
};
#if ALLOC_SPLIT_PTLOCKS
spinlock_t *ptl;
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7114,7 +7114,7 @@ pte_t *huge_pmd_share(struct mm_struct *
spte = huge_pte_offset(svma->vm_mm, saddr,
vma_mmu_pagesize(svma));
if (spte) {
- get_page(virt_to_page(spte));
+ atomic_inc(&virt_to_page(spte)->pt_share_count);
break;
}
}
@@ -7129,7 +7129,7 @@ pte_t *huge_pmd_share(struct mm_struct *
(pmd_t *)((unsigned long)spte & PAGE_MASK));
mm_inc_nr_pmds(mm);
} else {
- put_page(virt_to_page(spte));
+ atomic_dec(&virt_to_page(spte)->pt_share_count);
}
spin_unlock(ptl);
out:
@@ -7141,10 +7141,6 @@ out:
/*
* unmap huge page backed by shared pte.
*
- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
* Called with page table lock held.
*
* returns: 1 successfully unmapped a shared pte page
@@ -7153,18 +7149,20 @@ out:
int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep)
{
+ unsigned long sz = huge_page_size(hstate_vma(vma));
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
i_mmap_assert_write_locked(vma->vm_file->f_mapping);
hugetlb_vma_assert_locked(vma);
- BUG_ON(page_count(virt_to_page(ptep)) == 0);
- if (page_count(virt_to_page(ptep)) == 1)
+ if (sz != PMD_SIZE)
+ return 0;
+ if (!atomic_read(&virt_to_page(ptep)->pt_share_count))
return 0;
pud_clear(pud);
- put_page(virt_to_page(ptep));
+ atomic_dec(&virt_to_page(ptep)->pt_share_count);
mm_dec_nr_pmds(mm);
return 1;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 465/508] mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 464/508] mm: hugetlb: independent PMD page table shared count Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 466/508] mm/huge_memory: fix dereferencing invalid pmd migration entry Greg Kroah-Hartman
` (46 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Lorenzo Stoakes,
Liam Howlett, Muchun Song, Oscar Salvador, Vlastimil Babka,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 1013af4f585fccc4d3e5c5824d174de2257f7d6d upstream.
huge_pmd_unshare() drops a reference on a page table that may have
previously been shared across processes, potentially turning it into a
normal page table used in another process in which unrelated VMAs can
afterwards be installed.
If this happens in the middle of a concurrent gup_fast(), gup_fast() could
end up walking the page tables of another process. While I don't see any
way in which that immediately leads to kernel memory corruption, it is
really weird and unexpected.
Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),
just like we do in khugepaged when removing page tables for a THP
collapse.
Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-2-1329349bad1a@google.com
Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-2-f4136f5ec58a@google.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7162,6 +7162,13 @@ int huge_pmd_unshare(struct mm_struct *m
return 0;
pud_clear(pud);
+ /*
+ * Once our caller drops the rmap lock, some other process might be
+ * using this page table as a normal, non-hugetlb page table.
+ * Wait for pending gup_fast() in other threads to finish before letting
+ * that happen.
+ */
+ tlb_remove_table_sync_one();
atomic_dec(&virt_to_page(ptep)->pt_share_count);
mm_dec_nr_pmds(mm);
return 1;
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 466/508] mm/huge_memory: fix dereferencing invalid pmd migration entry
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 465/508] mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 467/508] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
` (45 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gavin Guo, David Hildenbrand,
Hugh Dickins, Zi Yan, Gavin Shan, Florent Revest,
Matthew Wilcox (Oracle), Miaohe Lin, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavin Guo <gavinguo@igalia.com>
commit be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 upstream.
When migrating a THP, concurrent access to the PMD migration entry during
a deferred split scan can lead to an invalid address access, as
illustrated below. To prevent this invalid access, it is necessary to
check the PMD migration entry and return early. In this context, there is
no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the
equality of the target folio. Since the PMD migration entry is locked, it
cannot be served as the target.
Mailing list discussion and explanation from Hugh Dickins: "An anon_vma
lookup points to a location which may contain the folio of interest, but
might instead contain another folio: and weeding out those other folios is
precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of
replacing the wrong folio" comment a few lines above it) is for."
BUG: unable to handle page fault for address: ffffea60001db008
CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
Call Trace:
<TASK>
try_to_migrate_one+0x28c/0x3730
rmap_walk_anon+0x4f6/0x770
unmap_folio+0x196/0x1f0
split_huge_page_to_list_to_order+0x9f6/0x1560
deferred_split_scan+0xac5/0x12a0
shrinker_debugfs_scan_write+0x376/0x470
full_proxy_write+0x15c/0x220
vfs_write+0x2fc/0xcb0
ksys_write+0x146/0x250
do_syscall_64+0x6a/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug is found by syzkaller on an internal kernel, then confirmed on
upstream.
Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com
Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/
Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/
Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
Signed-off-by: Gavin Guo <gavinguo@igalia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Cc: Florent Revest <revest@google.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[gavin: backport the migration checking logic to __split_huge_pmd]
Signed-off-by: Gavin Guo <gavinguo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2282,12 +2282,14 @@ void __split_huge_pmd(struct vm_area_str
{
spinlock_t *ptl;
struct mmu_notifier_range range;
+ bool pmd_migration;
mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,
address & HPAGE_PMD_MASK,
(address & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE);
mmu_notifier_invalidate_range_start(&range);
ptl = pmd_lock(vma->vm_mm, pmd);
+ pmd_migration = is_pmd_migration_entry(*pmd);
/*
* If caller asks to setup a migration entry, we need a folio to check
@@ -2296,13 +2298,12 @@ void __split_huge_pmd(struct vm_area_str
VM_BUG_ON(freeze && !folio);
VM_WARN_ON_ONCE(folio && !folio_test_locked(folio));
- if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) ||
- is_pmd_migration_entry(*pmd)) {
+ if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) {
/*
- * It's safe to call pmd_page when folio is set because it's
- * guaranteed that pmd is present.
+ * Do not apply pmd_folio() to a migration entry; and folio lock
+ * guarantees that it must be of the wrong folio anyway.
*/
- if (folio && folio != page_folio(pmd_page(*pmd)))
+ if (folio && (pmd_migration || folio != page_folio(pmd_page(*pmd))))
goto out;
__split_huge_pmd_locked(vma, pmd, range.start, freeze);
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 467/508] net: Fix checksum update for ILA adj-transport
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 466/508] mm/huge_memory: fix dereferencing invalid pmd migration entry Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 468/508] bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE Greg Kroah-Hartman
` (44 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Chaignon, Daniel Borkmann,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
commit 6043b794c7668c19dabc4a93c75b924a19474d59 upstream.
During ILA address translations, the L4 checksums can be handled in
different ways. One of them, adj-transport, consist in parsing the
transport layer and updating any found checksum. This logic relies on
inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when
in state CHECKSUM_COMPLETE.
This bug can be reproduced with a simple ILA to SIR mapping, assuming
packets are received with CHECKSUM_COMPLETE:
$ ip a show dev eth0
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 3333:0:0:1::c078/64 scope global
valid_lft forever preferred_lft forever
inet6 fd00:10:244:1::c078/128 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
$ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \
csum-mode adj-transport ident-type luid dev eth0
Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on
[3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with
SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed
skb->csum. The translation and drop are visible on pwru [1] traces:
IFACE TUPLE FUNC
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM)
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem
This is happening because inet_proto_csum_replace_by_diff is updating
skb->csum when it shouldn't. The L4 checksum is updated such that it
"cancels" the IPv6 address change in terms of checksum computation, so
the impact on skb->csum is null.
Note this would be different for an IPv4 packet since three fields
would be updated: the IPv4 address, the IP checksum, and the L4
checksum. Two would cancel each other and skb->csum would still need
to be updated to take the L4 checksum change into account.
This patch fixes it by passing an ipv6 flag to
inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're
in the IPv6 case. Note the behavior of the only other user of
inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in
this patch and fixed in the subsequent patch.
With the fix, using the reproduction from above, I can confirm
skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP
SYN proceeds to the application after the ILA translation.
Link: https://github.com/cilium/pwru [1]
Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/checksum.h | 2 +-
net/core/filter.c | 2 +-
net/core/utils.c | 4 ++--
net/ipv6/ila/ila_common.c | 6 +++---
4 files changed, 7 insertions(+), 7 deletions(-)
--- a/include/net/checksum.h
+++ b/include/net/checksum.h
@@ -156,7 +156,7 @@ void inet_proto_csum_replace16(__sum16 *
const __be32 *from, const __be32 *to,
bool pseudohdr);
void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
- __wsum diff, bool pseudohdr);
+ __wsum diff, bool pseudohdr, bool ipv6);
static __always_inline
void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1977,7 +1977,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct s
if (unlikely(from != 0))
return -EINVAL;
- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo);
+ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false);
break;
case 2:
inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *
EXPORT_SYMBOL(inet_proto_csum_replace16);
void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
- __wsum diff, bool pseudohdr)
+ __wsum diff, bool pseudohdr, bool ipv6)
{
if (skb->ip_summed != CHECKSUM_PARTIAL) {
csum_replace_by_diff(sum, diff);
- if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
+ if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6)
skb->csum = ~csum_sub(diff, skb->csum);
} else if (pseudohdr) {
*sum = ~csum_fold(csum_add(diff, csum_unfold(*sum)));
--- a/net/ipv6/ila/ila_common.c
+++ b/net/ipv6/ila/ila_common.c
@@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(st
diff = get_csum_diff(ip6h, p);
inet_proto_csum_replace_by_diff(&th->check, skb,
- diff, true);
+ diff, true, true);
}
break;
case NEXTHDR_UDP:
@@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(st
if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) {
diff = get_csum_diff(ip6h, p);
inet_proto_csum_replace_by_diff(&uh->check, skb,
- diff, true);
+ diff, true, true);
if (!uh->check)
uh->check = CSUM_MANGLED_0;
}
@@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(st
diff = get_csum_diff(ip6h, p);
inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb,
- diff, true);
+ diff, true, true);
}
break;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 468/508] bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 467/508] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 469/508] erofs: remove unused trace event erofs_destroy_inode Greg Kroah-Hartman
` (43 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Chaignon, Daniel Borkmann,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
commit ead7f9b8de65632ef8060b84b0c55049a33cfea1 upstream.
In Cilium, we use bpf_csum_diff + bpf_l4_csum_replace to, among other
things, update the L4 checksum after reverse SNATing IPv6 packets. That
use case is however not currently supported and leads to invalid
skb->csum values in some cases. This patch adds support for IPv6 address
changes in bpf_l4_csum_update via a new flag.
When calling bpf_l4_csum_replace in Cilium, it ends up calling
inet_proto_csum_replace_by_diff:
1: void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
2: __wsum diff, bool pseudohdr)
3: {
4: if (skb->ip_summed != CHECKSUM_PARTIAL) {
5: csum_replace_by_diff(sum, diff);
6: if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
7: skb->csum = ~csum_sub(diff, skb->csum);
8: } else if (pseudohdr) {
9: *sum = ~csum_fold(csum_add(diff, csum_unfold(*sum)));
10: }
11: }
The bug happens when we're in the CHECKSUM_COMPLETE state. We've just
updated one of the IPv6 addresses. The helper now updates the L4 header
checksum on line 5. Next, it updates skb->csum on line 7. It shouldn't.
For an IPv6 packet, the updates of the IPv6 address and of the L4
checksum will cancel each other. The checksums are set such that
computing a checksum over the packet including its checksum will result
in a sum of 0. So the same is true here when we update the L4 checksum
on line 5. We'll update it as to cancel the previous IPv6 address
update. Hence skb->csum should remain untouched in this case.
The same bug doesn't affect IPv4 packets because, in that case, three
fields are updated: the IPv4 address, the IP checksum, and the L4
checksum. The change to the IPv4 address and one of the checksums still
cancel each other in skb->csum, but we're left with one checksum update
and should therefore update skb->csum accordingly. That's exactly what
inet_proto_csum_replace_by_diff does.
This special case for IPv6 L4 checksums is also described atop
inet_proto_csum_replace16, the function we should be using in this case.
This patch introduces a new bpf_l4_csum_replace flag, BPF_F_IPV6,
to indicate that we're updating the L4 checksum of an IPv6 packet. When
the flag is set, inet_proto_csum_replace_by_diff will skip the
skb->csum update.
Fixes: 7d672345ed295 ("bpf: add generic bpf_csum_diff helper")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/96a6bc3a443e6f0b21ff7b7834000e17fb549e05.1748509484.git.paul.chaignon@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/bpf.h | 2 ++
net/core/filter.c | 5 +++--
tools/include/uapi/linux/bpf.h | 2 ++
3 files changed, 7 insertions(+), 2 deletions(-)
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1787,6 +1787,7 @@ union bpf_attr {
* for updates resulting in a null checksum the value is set to
* **CSUM_MANGLED_0** instead. Flag **BPF_F_PSEUDO_HDR** indicates
* the checksum is to be computed against a pseudo-header.
+ * Flag **BPF_F_IPV6** should be set for IPv6 packets.
*
* This helper works in combination with **bpf_csum_diff**\ (),
* which does not update the checksum in-place, but offers more
@@ -5715,6 +5716,7 @@ enum {
BPF_F_PSEUDO_HDR = (1ULL << 4),
BPF_F_MARK_MANGLED_0 = (1ULL << 5),
BPF_F_MARK_ENFORCE = (1ULL << 6),
+ BPF_F_IPV6 = (1ULL << 7),
};
/* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1958,10 +1958,11 @@ BPF_CALL_5(bpf_l4_csum_replace, struct s
bool is_pseudo = flags & BPF_F_PSEUDO_HDR;
bool is_mmzero = flags & BPF_F_MARK_MANGLED_0;
bool do_mforce = flags & BPF_F_MARK_ENFORCE;
+ bool is_ipv6 = flags & BPF_F_IPV6;
__sum16 *ptr;
if (unlikely(flags & ~(BPF_F_MARK_MANGLED_0 | BPF_F_MARK_ENFORCE |
- BPF_F_PSEUDO_HDR | BPF_F_HDR_FIELD_MASK)))
+ BPF_F_PSEUDO_HDR | BPF_F_HDR_FIELD_MASK | BPF_F_IPV6)))
return -EINVAL;
if (unlikely(offset > 0xffff || offset & 1))
return -EFAULT;
@@ -1977,7 +1978,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct s
if (unlikely(from != 0))
return -EINVAL;
- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false);
+ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, is_ipv6);
break;
case 2:
inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1787,6 +1787,7 @@ union bpf_attr {
* for updates resulting in a null checksum the value is set to
* **CSUM_MANGLED_0** instead. Flag **BPF_F_PSEUDO_HDR** indicates
* the checksum is to be computed against a pseudo-header.
+ * Flag **BPF_F_IPV6** should be set for IPv6 packets.
*
* This helper works in combination with **bpf_csum_diff**\ (),
* which does not update the checksum in-place, but offers more
@@ -5715,6 +5716,7 @@ enum {
BPF_F_PSEUDO_HDR = (1ULL << 4),
BPF_F_MARK_MANGLED_0 = (1ULL << 5),
BPF_F_MARK_ENFORCE = (1ULL << 6),
+ BPF_F_IPV6 = (1ULL << 7),
};
/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 469/508] erofs: remove unused trace event erofs_destroy_inode
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 468/508] bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 470/508] drm/msm/disp: Correct porch timing for SDM845 Greg Kroah-Hartman
` (42 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steven Rostedt, Hongbo Li, Gao Xiang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
commit 30b58444807c93bffeaba7d776110f2a909d2f9a upstream.
The trace event `erofs_destroy_inode` was added but remains unused. This
unused event contributes approximately 5KB to the kernel module size.
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Closes: https://lore.kernel.org/r/20250612224906.15000244@batman.local.home
Fixes: 13f06f48f7bf ("staging: erofs: support tracepoint")
Cc: stable@vger.kernel.org
Reviewed-by: Hongbo Li <lihongbo22@huawei.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250617054056.3232365-1-hsiangkao@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/erofs.h | 18 ------------------
1 file changed, 18 deletions(-)
--- a/include/trace/events/erofs.h
+++ b/include/trace/events/erofs.h
@@ -232,24 +232,6 @@ DEFINE_EVENT(erofs__map_blocks_exit, z_e
TP_ARGS(inode, map, flags, ret)
);
-TRACE_EVENT(erofs_destroy_inode,
- TP_PROTO(struct inode *inode),
-
- TP_ARGS(inode),
-
- TP_STRUCT__entry(
- __field( dev_t, dev )
- __field( erofs_nid_t, nid )
- ),
-
- TP_fast_assign(
- __entry->dev = inode->i_sb->s_dev;
- __entry->nid = EROFS_I(inode)->nid;
- ),
-
- TP_printk("dev = (%d,%d), nid = %llu", show_dev_nid(__entry))
-);
-
#endif /* _TRACE_EROFS_H */
/* This part must be outside protection */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 470/508] drm/msm/disp: Correct porch timing for SDM845
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 469/508] erofs: remove unused trace event erofs_destroy_inode Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 471/508] drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate Greg Kroah-Hartman
` (41 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James A. MacInnes, Dmitry Baryshkov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: James A. MacInnes <james.a.macinnes@gmail.com>
[ Upstream commit 146e87f3e11de0dfa091ff87e34b4bc6eec761a4 ]
Type-C DisplayPort inoperable due to incorrect porch settings.
- Re-used wide_bus_en as flag to prevent porch shifting
Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
Signed-off-by: James A. MacInnes <james.a.macinnes@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/636945/
Link: https://lore.kernel.org/r/20250212-sdm845_dp-v2-2-4954e51458f4@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
index aba2488c32fa1..4b7952c4e639f 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
@@ -91,17 +91,21 @@ static void drm_mode_to_intf_timing_params(
timing->vsync_polarity = 0;
}
- /* for DP/EDP, Shift timings to align it to bottom right */
- if (phys_enc->hw_intf->cap->type == INTF_DP) {
+ timing->wide_bus_en = dpu_encoder_is_widebus_enabled(phys_enc->parent);
+ timing->compression_en = dpu_encoder_is_dsc_enabled(phys_enc->parent);
+
+ /*
+ * For DP/EDP, Shift timings to align it to bottom right.
+ * wide_bus_en is set for everything excluding SDM845 &
+ * porch changes cause DisplayPort failure and HDMI tearing.
+ */
+ if (phys_enc->hw_intf->cap->type == INTF_DP && timing->wide_bus_en) {
timing->h_back_porch += timing->h_front_porch;
timing->h_front_porch = 0;
timing->v_back_porch += timing->v_front_porch;
timing->v_front_porch = 0;
}
- timing->wide_bus_en = dpu_encoder_is_widebus_enabled(phys_enc->parent);
- timing->compression_en = dpu_encoder_is_dsc_enabled(phys_enc->parent);
-
/*
* for DP, divide the horizonal parameters by 2 when
* widebus is enabled
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 471/508] drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 470/508] drm/msm/disp: Correct porch timing for SDM845 Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 472/508] ionic: Prevent driver/fw getting out of sync on devcmd(s) Greg Kroah-Hartman
` (40 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov,
Krzysztof Kozlowski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 8a48e35becb214743214f5504e726c3ec131cd6d ]
Driver unconditionally saves current state on first init in
dsi_pll_10nm_init(), but does not save the VCO rate, only some of the
divider registers. The state is then restored during probe/enable via
msm_dsi_phy_enable() -> msm_dsi_phy_pll_restore_state() ->
dsi_10nm_pll_restore_state().
Restoring calls dsi_pll_10nm_vco_set_rate() with
pll_10nm->vco_current_rate=0, which basically overwrites existing rate of
VCO and messes with clock hierarchy, by setting frequency to 0 to clock
tree. This makes anyway little sense - VCO rate was not saved, so
should not be restored.
If PLL was not configured configure it to minimum rate to avoid glitches
and configuring entire in clock hierarchy to 0 Hz.
Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/sz4kbwy5nwsebgf64ia7uq4ee7wbsa5uy3xmlqwcstsbntzcov@ew3dcyjdzmi2/
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Fixes: a4ccc37693a2 ("drm/msm/dsi_pll_10nm: restore VCO rate during
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/654796/
Link: https://lore.kernel.org/r/20250520111325.92352-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c
index 27b592c776a30..1c111969342a7 100644
--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c
+++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c
@@ -716,6 +716,13 @@ static int dsi_pll_10nm_init(struct msm_dsi_phy *phy)
/* TODO: Remove this when we have proper display handover support */
msm_dsi_phy_pll_save_state(phy);
+ /*
+ * Store also proper vco_current_rate, because its value will be used in
+ * dsi_10nm_pll_restore_state().
+ */
+ if (!dsi_pll_10nm_vco_recalc_rate(&pll_10nm->clk_hw, VCO_REF_CLK_RATE))
+ pll_10nm->vco_current_rate = pll_10nm->phy->cfg->min_pll_rate;
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 472/508] ionic: Prevent driver/fw getting out of sync on devcmd(s)
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 471/508] drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 473/508] drm/nouveau/bl: increase buffer size to avoid truncate warning Greg Kroah-Hartman
` (39 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brett Creeley, Shannon Nelson,
Simon Horman, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brett Creeley <brett.creeley@amd.com>
[ Upstream commit 5466491c9e3309ed5c7adbb8fad6e93fcc9a8fe9 ]
Some stress/negative firmware testing around devcmd(s) returning
EAGAIN found that the done bit could get out of sync in the
firmware when it wasn't cleared in a retry case.
While here, change the type of the local done variable to a bool
to match the return type from ionic_dev_cmd_done().
Fixes: ec8ee714736e ("ionic: stretch heartbeat detection")
Signed-off-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250609212827.53842-1-shannon.nelson@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c
index d2038ff316ca5..16f96ed73909c 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c
@@ -461,9 +461,9 @@ static int __ionic_dev_cmd_wait(struct ionic *ionic, unsigned long max_seconds,
unsigned long start_time;
unsigned long max_wait;
unsigned long duration;
- int done = 0;
bool fw_up;
int opcode;
+ bool done;
int err;
/* Wait for dev cmd to complete, retrying if we get EAGAIN,
@@ -471,6 +471,7 @@ static int __ionic_dev_cmd_wait(struct ionic *ionic, unsigned long max_seconds,
*/
max_wait = jiffies + (max_seconds * HZ);
try_again:
+ done = false;
opcode = idev->opcode;
start_time = jiffies;
for (fw_up = ionic_is_fw_running(idev);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 473/508] drm/nouveau/bl: increase buffer size to avoid truncate warning
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 472/508] ionic: Prevent driver/fw getting out of sync on devcmd(s) Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 474/508] hwmon: (occ) Rework attribute registration for stack usage Greg Kroah-Hartman
` (38 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Timur Tabi,
Jacob Keller, Danilo Krummrich, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Keller <jacob.e.keller@intel.com>
[ Upstream commit 61b2b3737499f1fb361a54a16828db24a8345e85 ]
The nouveau_get_backlight_name() function generates a unique name for the
backlight interface, appending an id from 1 to 99 for all backlight devices
after the first.
GCC 15 (and likely other compilers) produce the following
-Wformat-truncation warning:
nouveau_backlight.c: In function ‘nouveau_backlight_init’:
nouveau_backlight.c:56:69: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 3 [-Werror=format-truncation=]
56 | snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb);
| ^~
In function ‘nouveau_get_backlight_name’,
inlined from ‘nouveau_backlight_init’ at nouveau_backlight.c:351:7:
nouveau_backlight.c:56:56: note: directive argument in the range [1, 2147483647]
56 | snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb);
| ^~~~~~~~~~~~~~~~
nouveau_backlight.c:56:17: note: ‘snprintf’ output between 14 and 23 bytes into a destination of size 15
56 | snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The warning started appearing after commit ab244be47a8f ("drm/nouveau:
Fix a potential theorical leak in nouveau_get_backlight_name()") This fix
for the ida usage removed the explicit value check for ids larger than 99.
The compiler is unable to intuit that the ida_alloc_max() limits the
returned value range between 0 and 99.
Because the compiler can no longer infer that the number ranges from 0 to
99, it thinks that it could use as many as 11 digits (10 + the potential -
sign for negative numbers).
The warning has gone unfixed for some time, with at least one kernel test
robot report. The code breaks W=1 builds, which is especially frustrating
with the introduction of CONFIG_WERROR.
The string is stored temporarily on the stack and then copied into the
device name. Its not a big deal to use 11 more bytes of stack rounding out
to an even 24 bytes. Increase BL_NAME_SIZE to 24 to avoid the truncation
warning. This fixes the W=1 builds that include this driver.
Compile tested only.
Fixes: ab244be47a8f ("drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name()")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202312050324.0kv4PnfZ-lkp@intel.com/
Suggested-by: Timur Tabi <ttabi@nvidia.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://lore.kernel.org/r/20250610-jk-nouveua-drm-bl-snprintf-fix-v2-1-7fdd4b84b48e@intel.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_backlight.c b/drivers/gpu/drm/nouveau/nouveau_backlight.c
index a614582779cae..6469820e46151 100644
--- a/drivers/gpu/drm/nouveau/nouveau_backlight.c
+++ b/drivers/gpu/drm/nouveau/nouveau_backlight.c
@@ -41,7 +41,7 @@
#include "nouveau_acpi.h"
static struct ida bl_ida;
-#define BL_NAME_SIZE 15 // 12 for name + 2 for digits + 1 for '\0'
+#define BL_NAME_SIZE 24 // 12 for name + 11 for digits + 1 for '\0'
static bool
nouveau_get_backlight_name(char backlight_name[BL_NAME_SIZE],
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 474/508] hwmon: (occ) Rework attribute registration for stack usage
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 473/508] drm/nouveau/bl: increase buffer size to avoid truncate warning Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 475/508] hwmon: (occ) fix unaligned accesses Greg Kroah-Hartman
` (37 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Guenter Roeck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 744c2fe950e936c4d62430de899d6253424200ed ]
clang produces an output with excessive stack usage when building the
occ_setup_sensor_attrs() function, apparently the result of having
a lot of struct literals and building with the -fno-strict-overflow
option that leads clang to skip some optimization in case the 'attr'
pointer overruns:
drivers/hwmon/occ/common.c:775:12: error: stack frame size (1392) exceeds limit (1280) in 'occ_setup_sensor_attrs' [-Werror,-Wframe-larger-than]
Replace the custom macros for initializing the attributes with a
simpler function call that does not run into this corner case.
Link: https://godbolt.org/z/Wf1Yx76a5
Fixes: 54076cb3b5ff ("hwmon (occ): Add sensor attributes and register hwmon device")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20250610092315.2640039-1-arnd@kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/occ/common.c | 212 +++++++++++++++----------------------
1 file changed, 85 insertions(+), 127 deletions(-)
diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c
index dd690f700d499..256cda99fdc95 100644
--- a/drivers/hwmon/occ/common.c
+++ b/drivers/hwmon/occ/common.c
@@ -747,29 +747,30 @@ static ssize_t occ_show_extended(struct device *dev,
}
/*
- * Some helper macros to make it easier to define an occ_attribute. Since these
- * are dynamically allocated, we shouldn't use the existing kernel macros which
+ * A helper to make it easier to define an occ_attribute. Since these
+ * are dynamically allocated, we cannot use the existing kernel macros which
* stringify the name argument.
*/
-#define ATTR_OCC(_name, _mode, _show, _store) { \
- .attr = { \
- .name = _name, \
- .mode = VERIFY_OCTAL_PERMISSIONS(_mode), \
- }, \
- .show = _show, \
- .store = _store, \
-}
-
-#define SENSOR_ATTR_OCC(_name, _mode, _show, _store, _nr, _index) { \
- .dev_attr = ATTR_OCC(_name, _mode, _show, _store), \
- .index = _index, \
- .nr = _nr, \
+static void occ_init_attribute(struct occ_attribute *attr, int mode,
+ ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf),
+ ssize_t (*store)(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count),
+ int nr, int index, const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ vsnprintf(attr->name, sizeof(attr->name), fmt, args);
+ va_end(args);
+
+ attr->sensor.dev_attr.attr.name = attr->name;
+ attr->sensor.dev_attr.attr.mode = mode;
+ attr->sensor.dev_attr.show = show;
+ attr->sensor.dev_attr.store = store;
+ attr->sensor.index = index;
+ attr->sensor.nr = nr;
}
-#define OCC_INIT_ATTR(_name, _mode, _show, _store, _nr, _index) \
- ((struct sensor_device_attribute_2) \
- SENSOR_ATTR_OCC(_name, _mode, _show, _store, _nr, _index))
-
/*
* Allocate and instatiate sensor_device_attribute_2s. It's most efficient to
* use our own instead of the built-in hwmon attribute types.
@@ -855,14 +856,15 @@ static int occ_setup_sensor_attrs(struct occ *occ)
sensors->extended.num_sensors = 0;
}
- occ->attrs = devm_kzalloc(dev, sizeof(*occ->attrs) * num_attrs,
+ occ->attrs = devm_kcalloc(dev, num_attrs, sizeof(*occ->attrs),
GFP_KERNEL);
if (!occ->attrs)
return -ENOMEM;
/* null-terminated list */
- occ->group.attrs = devm_kzalloc(dev, sizeof(*occ->group.attrs) *
- num_attrs + 1, GFP_KERNEL);
+ occ->group.attrs = devm_kcalloc(dev, num_attrs + 1,
+ sizeof(*occ->group.attrs),
+ GFP_KERNEL);
if (!occ->group.attrs)
return -ENOMEM;
@@ -872,43 +874,33 @@ static int occ_setup_sensor_attrs(struct occ *occ)
s = i + 1;
temp = ((struct temp_sensor_2 *)sensors->temp.data) + i;
- snprintf(attr->name, sizeof(attr->name), "temp%d_label", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_temp, NULL,
- 0, i);
+ occ_init_attribute(attr, 0444, show_temp, NULL,
+ 0, i, "temp%d_label", s);
attr++;
if (sensors->temp.version == 2 &&
temp->fru_type == OCC_FRU_TYPE_VRM) {
- snprintf(attr->name, sizeof(attr->name),
- "temp%d_alarm", s);
+ occ_init_attribute(attr, 0444, show_temp, NULL,
+ 1, i, "temp%d_alarm", s);
} else {
- snprintf(attr->name, sizeof(attr->name),
- "temp%d_input", s);
+ occ_init_attribute(attr, 0444, show_temp, NULL,
+ 1, i, "temp%d_input", s);
}
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_temp, NULL,
- 1, i);
attr++;
if (sensors->temp.version > 1) {
- snprintf(attr->name, sizeof(attr->name),
- "temp%d_fru_type", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_temp, NULL, 2, i);
+ occ_init_attribute(attr, 0444, show_temp, NULL,
+ 2, i, "temp%d_fru_type", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "temp%d_fault", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_temp, NULL, 3, i);
+ occ_init_attribute(attr, 0444, show_temp, NULL,
+ 3, i, "temp%d_fault", s);
attr++;
if (sensors->temp.version == 0x10) {
- snprintf(attr->name, sizeof(attr->name),
- "temp%d_max", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_temp, NULL,
- 4, i);
+ occ_init_attribute(attr, 0444, show_temp, NULL,
+ 4, i, "temp%d_max", s);
attr++;
}
}
@@ -917,14 +909,12 @@ static int occ_setup_sensor_attrs(struct occ *occ)
for (i = 0; i < sensors->freq.num_sensors; ++i) {
s = i + 1;
- snprintf(attr->name, sizeof(attr->name), "freq%d_label", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_freq, NULL,
- 0, i);
+ occ_init_attribute(attr, 0444, show_freq, NULL,
+ 0, i, "freq%d_label", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "freq%d_input", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_freq, NULL,
- 1, i);
+ occ_init_attribute(attr, 0444, show_freq, NULL,
+ 1, i, "freq%d_input", s);
attr++;
}
@@ -940,32 +930,24 @@ static int occ_setup_sensor_attrs(struct occ *occ)
s = (i * 4) + 1;
for (j = 0; j < 4; ++j) {
- snprintf(attr->name, sizeof(attr->name),
- "power%d_label", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL,
- nr++, i);
+ occ_init_attribute(attr, 0444, show_power,
+ NULL, nr++, i,
+ "power%d_label", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_average", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL,
- nr++, i);
+ occ_init_attribute(attr, 0444, show_power,
+ NULL, nr++, i,
+ "power%d_average", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_average_interval", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL,
- nr++, i);
+ occ_init_attribute(attr, 0444, show_power,
+ NULL, nr++, i,
+ "power%d_average_interval", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_input", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL,
- nr++, i);
+ occ_init_attribute(attr, 0444, show_power,
+ NULL, nr++, i,
+ "power%d_input", s);
attr++;
s++;
@@ -977,28 +959,20 @@ static int occ_setup_sensor_attrs(struct occ *occ)
for (i = 0; i < sensors->power.num_sensors; ++i) {
s = i + 1;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_label", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL, 0, i);
+ occ_init_attribute(attr, 0444, show_power, NULL,
+ 0, i, "power%d_label", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_average", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL, 1, i);
+ occ_init_attribute(attr, 0444, show_power, NULL,
+ 1, i, "power%d_average", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_average_interval", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL, 2, i);
+ occ_init_attribute(attr, 0444, show_power, NULL,
+ 2, i, "power%d_average_interval", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_input", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_power, NULL, 3, i);
+ occ_init_attribute(attr, 0444, show_power, NULL,
+ 3, i, "power%d_input", s);
attr++;
}
@@ -1006,56 +980,43 @@ static int occ_setup_sensor_attrs(struct occ *occ)
}
if (sensors->caps.num_sensors >= 1) {
- snprintf(attr->name, sizeof(attr->name), "power%d_label", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_caps, NULL,
- 0, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 0, 0, "power%d_label", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "power%d_cap", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_caps, NULL,
- 1, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 1, 0, "power%d_cap", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "power%d_input", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_caps, NULL,
- 2, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 2, 0, "power%d_input", s);
attr++;
- snprintf(attr->name, sizeof(attr->name),
- "power%d_cap_not_redundant", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_caps, NULL,
- 3, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 3, 0, "power%d_cap_not_redundant", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "power%d_cap_max", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_caps, NULL,
- 4, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 4, 0, "power%d_cap_max", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "power%d_cap_min", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444, show_caps, NULL,
- 5, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 5, 0, "power%d_cap_min", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "power%d_cap_user",
- s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0644, show_caps,
- occ_store_caps_user, 6, 0);
+ occ_init_attribute(attr, 0644, show_caps, occ_store_caps_user,
+ 6, 0, "power%d_cap_user", s);
attr++;
if (sensors->caps.version > 1) {
- snprintf(attr->name, sizeof(attr->name),
- "power%d_cap_user_source", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_caps, NULL, 7, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 7, 0, "power%d_cap_user_source", s);
attr++;
if (sensors->caps.version > 2) {
- snprintf(attr->name, sizeof(attr->name),
- "power%d_cap_min_soft", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- show_caps, NULL,
- 8, 0);
+ occ_init_attribute(attr, 0444, show_caps, NULL,
+ 8, 0,
+ "power%d_cap_min_soft", s);
attr++;
}
}
@@ -1064,19 +1025,16 @@ static int occ_setup_sensor_attrs(struct occ *occ)
for (i = 0; i < sensors->extended.num_sensors; ++i) {
s = i + 1;
- snprintf(attr->name, sizeof(attr->name), "extn%d_label", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- occ_show_extended, NULL, 0, i);
+ occ_init_attribute(attr, 0444, occ_show_extended, NULL,
+ 0, i, "extn%d_label", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "extn%d_flags", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- occ_show_extended, NULL, 1, i);
+ occ_init_attribute(attr, 0444, occ_show_extended, NULL,
+ 1, i, "extn%d_flags", s);
attr++;
- snprintf(attr->name, sizeof(attr->name), "extn%d_input", s);
- attr->sensor = OCC_INIT_ATTR(attr->name, 0444,
- occ_show_extended, NULL, 2, i);
+ occ_init_attribute(attr, 0444, occ_show_extended, NULL,
+ 2, i, "extn%d_input", s);
attr++;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 475/508] hwmon: (occ) fix unaligned accesses
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 474/508] hwmon: (occ) Rework attribute registration for stack usage Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 476/508] pldmfw: Select CRC32 when PLDMFW is selected Greg Kroah-Hartman
` (36 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Guenter Roeck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 2c021b45c154958566aad0cae9f74ab26a2d5732 ]
Passing a pointer to an unaligned integer as a function argument is
undefined behavior:
drivers/hwmon/occ/common.c:492:27: warning: taking address of packed member 'accumulator' of class or structure 'power_sensor_2' may result in an unaligned pointer value [-Waddress-of-packed-member]
492 | val = occ_get_powr_avg(&power->accumulator,
| ^~~~~~~~~~~~~~~~~~
drivers/hwmon/occ/common.c:493:13: warning: taking address of packed member 'update_tag' of class or structure 'power_sensor_2' may result in an unaligned pointer value [-Waddress-of-packed-member]
493 | &power->update_tag);
| ^~~~~~~~~~~~~~~~~
Move the get_unaligned() calls out of the function and pass these
through argument registers instead.
Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20250610092553.2641094-1-arnd@kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/occ/common.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c
index 256cda99fdc95..483f79b394298 100644
--- a/drivers/hwmon/occ/common.c
+++ b/drivers/hwmon/occ/common.c
@@ -459,12 +459,10 @@ static ssize_t occ_show_power_1(struct device *dev,
return sysfs_emit(buf, "%llu\n", val);
}
-static u64 occ_get_powr_avg(u64 *accum, u32 *samples)
+static u64 occ_get_powr_avg(u64 accum, u32 samples)
{
- u64 divisor = get_unaligned_be32(samples);
-
- return (divisor == 0) ? 0 :
- div64_u64(get_unaligned_be64(accum) * 1000000ULL, divisor);
+ return (samples == 0) ? 0 :
+ mul_u64_u32_div(accum, 1000000UL, samples);
}
static ssize_t occ_show_power_2(struct device *dev,
@@ -489,8 +487,8 @@ static ssize_t occ_show_power_2(struct device *dev,
get_unaligned_be32(&power->sensor_id),
power->function_id, power->apss_channel);
case 1:
- val = occ_get_powr_avg(&power->accumulator,
- &power->update_tag);
+ val = occ_get_powr_avg(get_unaligned_be64(&power->accumulator),
+ get_unaligned_be32(&power->update_tag));
break;
case 2:
val = (u64)get_unaligned_be32(&power->update_tag) *
@@ -527,8 +525,8 @@ static ssize_t occ_show_power_a0(struct device *dev,
return sysfs_emit(buf, "%u_system\n",
get_unaligned_be32(&power->sensor_id));
case 1:
- val = occ_get_powr_avg(&power->system.accumulator,
- &power->system.update_tag);
+ val = occ_get_powr_avg(get_unaligned_be64(&power->system.accumulator),
+ get_unaligned_be32(&power->system.update_tag));
break;
case 2:
val = (u64)get_unaligned_be32(&power->system.update_tag) *
@@ -541,8 +539,8 @@ static ssize_t occ_show_power_a0(struct device *dev,
return sysfs_emit(buf, "%u_proc\n",
get_unaligned_be32(&power->sensor_id));
case 5:
- val = occ_get_powr_avg(&power->proc.accumulator,
- &power->proc.update_tag);
+ val = occ_get_powr_avg(get_unaligned_be64(&power->proc.accumulator),
+ get_unaligned_be32(&power->proc.update_tag));
break;
case 6:
val = (u64)get_unaligned_be32(&power->proc.update_tag) *
@@ -555,8 +553,8 @@ static ssize_t occ_show_power_a0(struct device *dev,
return sysfs_emit(buf, "%u_vdd\n",
get_unaligned_be32(&power->sensor_id));
case 9:
- val = occ_get_powr_avg(&power->vdd.accumulator,
- &power->vdd.update_tag);
+ val = occ_get_powr_avg(get_unaligned_be64(&power->vdd.accumulator),
+ get_unaligned_be32(&power->vdd.update_tag));
break;
case 10:
val = (u64)get_unaligned_be32(&power->vdd.update_tag) *
@@ -569,8 +567,8 @@ static ssize_t occ_show_power_a0(struct device *dev,
return sysfs_emit(buf, "%u_vdn\n",
get_unaligned_be32(&power->sensor_id));
case 13:
- val = occ_get_powr_avg(&power->vdn.accumulator,
- &power->vdn.update_tag);
+ val = occ_get_powr_avg(get_unaligned_be64(&power->vdn.accumulator),
+ get_unaligned_be32(&power->vdn.update_tag));
break;
case 14:
val = (u64)get_unaligned_be32(&power->vdn.update_tag) *
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 476/508] pldmfw: Select CRC32 when PLDMFW is selected
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 475/508] hwmon: (occ) fix unaligned accesses Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 477/508] aoe: clean device rq_list in aoedev_downdev() Greg Kroah-Hartman
` (35 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit 1224b218a4b9203656ecc932152f4c81a97b4fcc ]
pldmfw calls crc32 code and depends on it being enabled, else
there is a link error as follows. So PLDMFW should select CRC32.
lib/pldmfw/pldmfw.o: In function `pldmfw_flash_image':
pldmfw.c:(.text+0x70f): undefined reference to `crc32_le_base'
This problem was introduced by commit b8265621f488 ("Add pldmfw library
for PLDM firmware update").
It manifests as of commit d69ea414c9b4 ("ice: implement device flash
update via devlink").
And is more likely to occur as of commit 9ad19171b6d6 ("lib/crc: remove
unnecessary prompt for CONFIG_CRC32 and drop 'default y'").
Found by chance while exercising builds based on tinyconfig.
Fixes: b8265621f488 ("Add pldmfw library for PLDM firmware update")
Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20250613-pldmfw-crc32-v1-1-f3fad109eee6@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/Kconfig b/lib/Kconfig
index 9bbf8a4b2108e..0610fad65a366 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -744,6 +744,7 @@ config GENERIC_LIB_DEVMEM_IS_ALLOWED
config PLDMFW
bool
+ select CRC32
default n
config ASN1_ENCODER
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 477/508] aoe: clean device rq_list in aoedev_downdev()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 476/508] pldmfw: Select CRC32 when PLDMFW is selected Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 478/508] net: ice: Perform accurate aRFS flow match Greg Kroah-Hartman
` (34 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Sanders, Valentin Kleibel,
Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Sanders <jsanders.devel@gmail.com>
[ Upstream commit 7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca ]
An aoe device's rq_list contains accepted block requests that are
waiting to be transmitted to the aoe target. This queue was added as
part of the conversion to blk_mq. However, the queue was not cleaned out
when an aoe device is downed which caused blk_mq_freeze_queue() to sleep
indefinitely waiting for those requests to complete, causing a hang. This
fix cleans out the queue before calling blk_mq_freeze_queue().
Link: https://bugzilla.kernel.org/show_bug.cgi?id=212665
Fixes: 3582dd291788 ("aoe: convert aoeblk to blk-mq")
Signed-off-by: Justin Sanders <jsanders.devel@gmail.com>
Link: https://lore.kernel.org/r/20250610170600.869-1-jsanders.devel@gmail.com
Tested-By: Valentin Kleibel <valentin@vrvis.at>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/aoe/aoedev.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/block/aoe/aoedev.c b/drivers/block/aoe/aoedev.c
index 3523dd82d7a00..280679bde3a50 100644
--- a/drivers/block/aoe/aoedev.c
+++ b/drivers/block/aoe/aoedev.c
@@ -198,6 +198,7 @@ aoedev_downdev(struct aoedev *d)
{
struct aoetgt *t, **tt, **te;
struct list_head *head, *pos, *nx;
+ struct request *rq, *rqnext;
int i;
d->flags &= ~DEVFL_UP;
@@ -223,6 +224,13 @@ aoedev_downdev(struct aoedev *d)
/* clean out the in-process request (if any) */
aoe_failip(d);
+ /* clean out any queued block requests */
+ list_for_each_entry_safe(rq, rqnext, &d->rq_list, queuelist) {
+ list_del_init(&rq->queuelist);
+ blk_mq_start_request(rq);
+ blk_mq_end_request(rq, BLK_STS_IOERR);
+ }
+
/* fast fail all pending I/O */
if (d->blkq) {
/* UP is cleared, freeze+quiesce to insure all are errored */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 478/508] net: ice: Perform accurate aRFS flow match
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 477/508] aoe: clean device rq_list in aoedev_downdev() Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 479/508] ptp: fix breakage after ptp_vclock_in_use() rework Greg Kroah-Hartman
` (33 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna Kumar, Simon Horman,
Tony Nguyen, Sasha Levin, Rinitha S
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Kumar <krikku@gmail.com>
[ Upstream commit 5d3bc9e5e725aa36cca9b794e340057feb6880b4 ]
This patch fixes an issue seen in a large-scale deployment under heavy
incoming pkts where the aRFS flow wrongly matches a flow and reprograms the
NIC with wrong settings. That mis-steering causes RX-path latency spikes
and noisy neighbor effects when many connections collide on the same
hash (some of our production servers have 20-30K connections).
set_rps_cpu() calls ndo_rx_flow_steer() with flow_id that is calculated by
hashing the skb sized by the per rx-queue table size. This results in
multiple connections (even across different rx-queues) getting the same
hash value. The driver steer function modifies the wrong flow to use this
rx-queue, e.g.: Flow#1 is first added:
Flow#1: <ip1, port1, ip2, port2>, Hash 'h', q#10
Later when a new flow needs to be added:
Flow#2: <ip3, port3, ip4, port4>, Hash 'h', q#20
The driver finds the hash 'h' from Flow#1 and updates it to use q#20. This
results in both flows getting un-optimized - packets for Flow#1 goes to
q#20, and then reprogrammed back to q#10 later and so on; and Flow #2
programming is never done as Flow#1 is matched first for all misses. Many
flows may wrongly share the same hash and reprogram rules of the original
flow each with their own q#.
Tested on two 144-core servers with 16K netperf sessions for 180s. Netperf
clients are pinned to cores 0-71 sequentially (so that wrong packets on q#s
72-143 can be measured). IRQs are set 1:1 for queues -> CPUs, enable XPS,
enable aRFS (global value is 144 * rps_flow_cnt).
Test notes about results from ice_rx_flow_steer():
---------------------------------------------------
1. "Skip:" counter increments here:
if (fltr_info->q_index == rxq_idx ||
arfs_entry->fltr_state != ICE_ARFS_ACTIVE)
goto out;
2. "Add:" counter increments here:
ret = arfs_entry->fltr_info.fltr_id;
INIT_HLIST_NODE(&arfs_entry->list_entry);
3. "Update:" counter increments here:
/* update the queue to forward to on an already existing flow */
Runtime comparison: original code vs with the patch for different
rps_flow_cnt values.
+-------------------------------+--------------+--------------+
| rps_flow_cnt | 512 | 2048 |
+-------------------------------+--------------+--------------+
| Ratio of Pkts on Good:Bad q's | 214 vs 822K | 1.1M vs 980K |
| Avoid wrong aRFS programming | 0 vs 310K | 0 vs 30K |
| CPU User | 216 vs 183 | 216 vs 206 |
| CPU System | 1441 vs 1171 | 1447 vs 1320 |
| CPU Softirq | 1245 vs 920 | 1238 vs 961 |
| CPU Total | 29 vs 22.7 | 29 vs 24.9 |
| aRFS Update | 533K vs 59 | 521K vs 32 |
| aRFS Skip | 82M vs 77M | 7.2M vs 4.5M |
+-------------------------------+--------------+--------------+
A separate TCP_STREAM and TCP_RR with 1,4,8,16,64,128,256,512 connections
showed no performance degradation.
Some points on the patch/aRFS behavior:
1. Enabling full tuple matching ensures flows are always correctly matched,
even with smaller hash sizes.
2. 5-6% drop in CPU utilization as the packets arrive at the correct CPUs
and fewer calls to driver for programming on misses.
3. Larger hash tables reduces mis-steering due to more unique flow hashes,
but still has clashes. However, with larger per-device rps_flow_cnt, old
flows take more time to expire and new aRFS flows cannot be added if h/w
limits are reached (rps_may_expire_flow() succeeds when 10*rps_flow_cnt
pkts have been processed by this cpu that are not part of the flow).
Fixes: 28bf26724fdb0 ("ice: Implement aRFS")
Signed-off-by: Krishna Kumar <krikku@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_arfs.c | 48 +++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_arfs.c b/drivers/net/ethernet/intel/ice/ice_arfs.c
index 79074f041e39b..e3114c12e1293 100644
--- a/drivers/net/ethernet/intel/ice/ice_arfs.c
+++ b/drivers/net/ethernet/intel/ice/ice_arfs.c
@@ -376,6 +376,50 @@ ice_arfs_is_perfect_flow_set(struct ice_hw *hw, __be16 l3_proto, u8 l4_proto)
return false;
}
+/**
+ * ice_arfs_cmp - Check if aRFS filter matches this flow.
+ * @fltr_info: filter info of the saved ARFS entry.
+ * @fk: flow dissector keys.
+ * @n_proto: One of htons(ETH_P_IP) or htons(ETH_P_IPV6).
+ * @ip_proto: One of IPPROTO_TCP or IPPROTO_UDP.
+ *
+ * Since this function assumes limited values for n_proto and ip_proto, it
+ * is meant to be called only from ice_rx_flow_steer().
+ *
+ * Return:
+ * * true - fltr_info refers to the same flow as fk.
+ * * false - fltr_info and fk refer to different flows.
+ */
+static bool
+ice_arfs_cmp(const struct ice_fdir_fltr *fltr_info, const struct flow_keys *fk,
+ __be16 n_proto, u8 ip_proto)
+{
+ /* Determine if the filter is for IPv4 or IPv6 based on flow_type,
+ * which is one of ICE_FLTR_PTYPE_NONF_IPV{4,6}_{TCP,UDP}.
+ */
+ bool is_v4 = fltr_info->flow_type == ICE_FLTR_PTYPE_NONF_IPV4_TCP ||
+ fltr_info->flow_type == ICE_FLTR_PTYPE_NONF_IPV4_UDP;
+
+ /* Following checks are arranged in the quickest and most discriminative
+ * fields first for early failure.
+ */
+ if (is_v4)
+ return n_proto == htons(ETH_P_IP) &&
+ fltr_info->ip.v4.src_port == fk->ports.src &&
+ fltr_info->ip.v4.dst_port == fk->ports.dst &&
+ fltr_info->ip.v4.src_ip == fk->addrs.v4addrs.src &&
+ fltr_info->ip.v4.dst_ip == fk->addrs.v4addrs.dst &&
+ fltr_info->ip.v4.proto == ip_proto;
+
+ return fltr_info->ip.v6.src_port == fk->ports.src &&
+ fltr_info->ip.v6.dst_port == fk->ports.dst &&
+ fltr_info->ip.v6.proto == ip_proto &&
+ !memcmp(&fltr_info->ip.v6.src_ip, &fk->addrs.v6addrs.src,
+ sizeof(struct in6_addr)) &&
+ !memcmp(&fltr_info->ip.v6.dst_ip, &fk->addrs.v6addrs.dst,
+ sizeof(struct in6_addr));
+}
+
/**
* ice_rx_flow_steer - steer the Rx flow to where application is being run
* @netdev: ptr to the netdev being adjusted
@@ -447,6 +491,10 @@ ice_rx_flow_steer(struct net_device *netdev, const struct sk_buff *skb,
continue;
fltr_info = &arfs_entry->fltr_info;
+
+ if (!ice_arfs_cmp(fltr_info, &fk, n_proto, ip_proto))
+ continue;
+
ret = fltr_info->fltr_id;
if (fltr_info->q_index == rxq_idx ||
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 479/508] ptp: fix breakage after ptp_vclock_in_use() rework
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 478/508] net: ice: Perform accurate aRFS flow match Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 480/508] ptp: allow reading of currently dialed frequency to succeed on free-running clocks Greg Kroah-Hartman
` (32 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 5ab73b010cad294851e558f1d4714a85c6f206c7 ]
What is broken
--------------
ptp4l, and any other application which calls clock_adjtime() on a
physical clock, is greeted with error -EBUSY after commit 87f7ce260a3c
("ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()").
Explanation for the breakage
----------------------------
The blamed commit was based on the false assumption that
ptp_vclock_in_use() callers already test for n_vclocks prior to calling
this function.
This is notably incorrect for the code path below, in which there is, in
fact, no n_vclocks test:
ptp_clock_adjtime()
-> ptp_clock_freerun()
-> ptp_vclock_in_use()
The result is that any clock adjustment on any physical clock is now
impossible. This is _despite_ there not being any vclock over this
physical clock.
$ ptp4l -i eno0 -2 -P -m
ptp4l[58.425]: selected /dev/ptp0 as PTP clock
[ 58.429749] ptp: physical clock is free running
ptp4l[58.431]: Failed to open /dev/ptp0: Device or resource busy
failed to create a clock
$ cat /sys/class/ptp/ptp0/n_vclocks
0
The patch makes the ptp_vclock_in_use() function say "if it's not a
virtual clock, then this physical clock does have virtual clocks on
top".
Then ptp_clock_freerun() uses this information to say "this physical
clock has virtual clocks on top, so it must stay free-running".
Then ptp_clock_adjtime() uses this information to say "well, if this
physical clock has to be free-running, I can't do it, return -EBUSY".
Simply put, ptp_vclock_in_use() cannot be simplified so as to remove the
test whether vclocks are in use.
What did the blamed commit intend to fix
----------------------------------------
The blamed commit presents a lockdep warning stating "possible recursive
locking detected", with the n_vclocks_store() and ptp_clock_unregister()
functions involved.
The recursive locking seems this:
n_vclocks_store()
-> mutex_lock_interruptible(&ptp->n_vclocks_mux) // 1
-> device_for_each_child_reverse(..., unregister_vclock)
-> unregister_vclock()
-> ptp_vclock_unregister()
-> ptp_clock_unregister()
-> ptp_vclock_in_use()
-> mutex_lock_interruptible(&ptp->n_vclocks_mux) // 2
The issue can be triggered by creating and then deleting vclocks:
$ echo 2 > /sys/class/ptp/ptp0/n_vclocks
$ echo 0 > /sys/class/ptp/ptp0/n_vclocks
But note that in the original stack trace, the address of the first lock
is different from the address of the second lock. This is because at
step 1 marked above, &ptp->n_vclocks_mux is the lock of the parent
(physical) PTP clock, and at step 2, the lock is of the child (virtual)
PTP clock. They are different locks of different devices.
In this situation there is no real deadlock, the lockdep warning is
caused by the fact that the mutexes have the same lock class on both the
parent and the child. Functionally it is fine.
Proposed alternative solution
-----------------------------
We must reintroduce the body of ptp_vclock_in_use() mostly as it was
structured prior to the blamed commit, but avoid the lockdep warning.
Based on the fact that vclocks cannot be nested on top of one another
(ptp_is_attribute_visible() hides n_vclocks for virtual clocks), we
already know that ptp->n_vclocks is zero for a virtual clock. And
ptp->is_virtual_clock is a runtime invariant, established at
ptp_clock_register() time and never changed. There is no need to
serialize on any mutex in order to read ptp->is_virtual_clock, and we
take advantage of that by moving it outside the lock.
Thus, virtual clocks do not need to acquire &ptp->n_vclocks_mux at
all, and step 2 in the code walkthrough above can simply go away.
We can simply return false to the question "ptp_vclock_in_use(a virtual
clock)".
Other notes
-----------
Releasing &ptp->n_vclocks_mux before ptp_vclock_in_use() returns
execution seems racy, because the returned value can become stale as
soon as the function returns and before the return value is used (i.e.
n_vclocks_store() can run any time). The locking requirement should
somehow be transferred to the caller, to ensure a longer life time for
the returned value, but this seems out of scope for this severe bug fix.
Because we are also fixing up the logic from the original commit, there
is another Fixes: tag for that.
Fixes: 87f7ce260a3c ("ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()")
Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250613174749.406826-2-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_private.h | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index d0eb4555720eb..a54124269c2f4 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -89,7 +89,27 @@ static inline int queue_cnt(const struct timestamp_event_queue *q)
/* Check if ptp virtual clock is in use */
static inline bool ptp_vclock_in_use(struct ptp_clock *ptp)
{
- return !ptp->is_virtual_clock;
+ bool in_use = false;
+
+ /* Virtual clocks can't be stacked on top of virtual clocks.
+ * Avoid acquiring the n_vclocks_mux on virtual clocks, to allow this
+ * function to be called from code paths where the n_vclocks_mux of the
+ * parent physical clock is already held. Functionally that's not an
+ * issue, but lockdep would complain, because they have the same lock
+ * class.
+ */
+ if (ptp->is_virtual_clock)
+ return false;
+
+ if (mutex_lock_interruptible(&ptp->n_vclocks_mux))
+ return true;
+
+ if (ptp->n_vclocks)
+ in_use = true;
+
+ mutex_unlock(&ptp->n_vclocks_mux);
+
+ return in_use;
}
/* Check if ptp clock shall be free running */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 480/508] ptp: allow reading of currently dialed frequency to succeed on free-running clocks
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 479/508] ptp: fix breakage after ptp_vclock_in_use() rework Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 481/508] wifi: carl9170: do not ping device which has failed to load firmware Greg Kroah-Hartman
` (31 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit aa112cbc5f0ac6f3b44d829005bf34005d9fe9bb ]
There is a bug in ptp_clock_adjtime() which makes it refuse the
operation even if we just want to read the current clock dialed
frequency, not modify anything (tx->modes == 0). That should be possible
even if the clock is free-running. For context, the kernel UAPI is the
same for getting and setting the frequency of a POSIX clock.
For example, ptp4l errors out at clock_create() -> clockadj_get_freq()
-> clock_adjtime() time, when it should logically only have failed on
actual adjustments to the clock, aka if the clock was configured as
slave. But in master mode it should work.
This was discovered when examining the issue described in the previous
commit, where ptp_clock_freerun() returned true despite n_vclocks being
zero.
Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250613174749.406826-3-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_clock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index af66ed48dc006..642c939d4523c 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -104,7 +104,8 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx)
struct ptp_clock_info *ops;
int err = -EOPNOTSUPP;
- if (ptp_clock_freerun(ptp)) {
+ if (tx->modes & (ADJ_SETOFFSET | ADJ_FREQUENCY | ADJ_OFFSET) &&
+ ptp_clock_freerun(ptp)) {
pr_err("ptp: physical clock is free running\n");
return -EBUSY;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 481/508] wifi: carl9170: do not ping device which has failed to load firmware
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 480/508] ptp: allow reading of currently dialed frequency to succeed on free-running clocks Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 482/508] mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu() Greg Kroah-Hartman
` (30 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov, Christian Lamparter,
Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 15d25307692312cec4b57052da73387f91a2e870 ]
Syzkaller reports [1, 2] crashes caused by an attempts to ping
the device which has failed to load firmware. Since such a device
doesn't pass 'ieee80211_register_hw()', an internal workqueue
managed by 'ieee80211_queue_work()' is not yet created and an
attempt to queue work on it causes null-ptr-deref.
[1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff
[2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217
Fixes: e4a668c59080 ("carl9170: fix spurious restart due to high latency")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Link: https://patch.msgid.link/20250616181205.38883-1-dmantipov@yandex.ru
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/carl9170/usb.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c
index a5265997b5767..debac4699687e 100644
--- a/drivers/net/wireless/ath/carl9170/usb.c
+++ b/drivers/net/wireless/ath/carl9170/usb.c
@@ -438,14 +438,21 @@ static void carl9170_usb_rx_complete(struct urb *urb)
if (atomic_read(&ar->rx_anch_urbs) == 0) {
/*
- * The system is too slow to cope with
- * the enormous workload. We have simply
- * run out of active rx urbs and this
- * unfortunately leads to an unpredictable
- * device.
+ * At this point, either the system is too slow to
+ * cope with the enormous workload (so we have simply
+ * run out of active rx urbs and this unfortunately
+ * leads to an unpredictable device), or the device
+ * is not fully functional after an unsuccessful
+ * firmware loading attempts (so it doesn't pass
+ * ieee80211_register_hw() and there is no internal
+ * workqueue at all).
*/
- ieee80211_queue_work(ar->hw, &ar->ping_work);
+ if (ar->registered)
+ ieee80211_queue_work(ar->hw, &ar->ping_work);
+ else
+ pr_warn_once("device %s is not registered\n",
+ dev_name(&ar->udev->dev));
}
} else {
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 482/508] mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 481/508] wifi: carl9170: do not ping device which has failed to load firmware Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 483/508] atm: atmtcp: Free invalid length skb in atmtcp_c_send() Greg Kroah-Hartman
` (29 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8a583bdd1a5cc0b0e068,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 6dbb0d97c5096072c78a6abffe393584e57ae945 ]
As syzbot reported [0], mpls_route_input_rcu() can be called
from mpls_getroute(), where is under RTNL.
net->mpls.platform_label is only updated under RTNL.
Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to
silence the splat.
[0]:
WARNING: suspicious RCU usage
6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted
----------------------------
net/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz.2.4451/17730:
#0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961
stack backtrace:
CPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865
mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84
mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381
rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964
netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmmsg+0x200/0x420 net/socket.c:2709
__do_sys_sendmmsg net/socket.c:2736 [inline]
__se_sys_sendmmsg net/socket.c:2733 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a2818e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969
RDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003
RBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268
</TASK>
Fixes: 0189197f4416 ("mpls: Basic routing support")
Reported-by: syzbot+8a583bdd1a5cc0b0e068@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68507981.a70a0220.395abc.01ef.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250616201532.1036568-1-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mpls/af_mpls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index f1f43894efb8e..2d29d230f5698 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -80,8 +80,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)
if (index < net->mpls.platform_labels) {
struct mpls_route __rcu **platform_label =
- rcu_dereference(net->mpls.platform_label);
- rt = rcu_dereference(platform_label[index]);
+ rcu_dereference_rtnl(net->mpls.platform_label);
+ rt = rcu_dereference_rtnl(platform_label[index]);
}
return rt;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 483/508] atm: atmtcp: Free invalid length skb in atmtcp_c_send().
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 482/508] mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu() Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 484/508] tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Greg Kroah-Hartman
` (28 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1d3c235276f62963e93a,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 2f370ae1fb6317985f3497b1bb80d457508ca2f7 ]
syzbot reported the splat below. [0]
vcc_sendmsg() copies data passed from userspace to skb and passes
it to vcc->dev->ops->send().
atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after
checking if skb->len is 0, but it's not enough.
Also, when skb->len == 0, skb and sk (vcc) were leaked because
dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing
to revert atm_account_tx() in vcc_sendmsg(), which is expected
to be done in atm_pop_raw().
Let's properly free skb with an invalid length in atmtcp_c_send().
[0]:
BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1336 [inline]
vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+1d3c235276f62963e93a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1d3c235276f62963e93a
Tested-by: syzbot+1d3c235276f62963e93a@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250616182147.963333-2-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/atm/atmtcp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
index 96bea1ab1eccf..ff558908897f3 100644
--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -288,7 +288,9 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
struct sk_buff *new_skb;
int result = 0;
- if (!skb->len) return 0;
+ if (skb->len < sizeof(struct atmtcp_hdr))
+ goto done;
+
dev = vcc->dev_data;
hdr = (struct atmtcp_hdr *) skb->data;
if (hdr->length == ATMTCP_HDR_MAGIC) {
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 484/508] tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 483/508] atm: atmtcp: Free invalid length skb in atmtcp_c_send() Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 485/508] tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Greg Kroah-Hartman
` (27 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Wheeler, Neal Cardwell,
Yuchung Cheng, Eric Dumazet, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neal Cardwell <ncardwell@google.com>
[ Upstream commit d0fa59897e049e84432600e86df82aab3dce7aa5 ]
After the following commit from 2024:
commit e37ab7373696 ("tcp: fix to allow timestamp undo if no retransmits were sent")
...there was buggy behavior where TCP connections without SACK support
could easily see erroneous undo events at the end of fast recovery or
RTO recovery episodes. The erroneous undo events could cause those
connections to suffer repeated loss recovery episodes and high
retransmit rates.
The problem was an interaction between the non-SACK behavior on these
connections and the undo logic. The problem is that, for non-SACK
connections at the end of a loss recovery episode, if snd_una ==
high_seq, then tcp_is_non_sack_preventing_reopen() holds steady in
CA_Recovery or CA_Loss, but clears tp->retrans_stamp to 0. Then upon
the next ACK the "tcp: fix to allow timestamp undo if no retransmits
were sent" logic saw the tp->retrans_stamp at 0 and erroneously
concluded that no data was retransmitted, and erroneously performed an
undo of the cwnd reduction, restoring cwnd immediately to the value it
had before loss recovery. This caused an immediate burst of traffic
and build-up of queues and likely another immediate loss recovery
episode.
This commit fixes tcp_packet_delayed() to ignore zero retrans_stamp
values for non-SACK connections when snd_una is at or above high_seq,
because tcp_is_non_sack_preventing_reopen() clears retrans_stamp in
this case, so it's not a valid signal that we can undo.
Note that the commit named in the Fixes footer restored long-present
behavior from roughly 2005-2019, so apparently this bug was present
for a while during that era, and this was simply not caught.
Fixes: e37ab7373696 ("tcp: fix to allow timestamp undo if no retransmits were sent")
Reported-by: Eric Wheeler <netdev@lists.ewheeler.net>
Closes: https://lore.kernel.org/netdev/64ea9333-e7f9-0df-b0f2-8d566143acab@ewheeler.net/
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Co-developed-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 37 +++++++++++++++++++++++++------------
1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 2888aaae0d76f..222b829f33f42 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2441,20 +2441,33 @@ static inline bool tcp_packet_delayed(const struct tcp_sock *tp)
{
const struct sock *sk = (const struct sock *)tp;
- if (tp->retrans_stamp &&
- tcp_tsopt_ecr_before(tp, tp->retrans_stamp))
- return true; /* got echoed TS before first retransmission */
-
- /* Check if nothing was retransmitted (retrans_stamp==0), which may
- * happen in fast recovery due to TSQ. But we ignore zero retrans_stamp
- * in TCP_SYN_SENT, since when we set FLAG_SYN_ACKED we also clear
- * retrans_stamp even if we had retransmitted the SYN.
+ /* Received an echoed timestamp before the first retransmission? */
+ if (tp->retrans_stamp)
+ return tcp_tsopt_ecr_before(tp, tp->retrans_stamp);
+
+ /* We set tp->retrans_stamp upon the first retransmission of a loss
+ * recovery episode, so normally if tp->retrans_stamp is 0 then no
+ * retransmission has happened yet (likely due to TSQ, which can cause
+ * fast retransmits to be delayed). So if snd_una advanced while
+ * (tp->retrans_stamp is 0 then apparently a packet was merely delayed,
+ * not lost. But there are exceptions where we retransmit but then
+ * clear tp->retrans_stamp, so we check for those exceptions.
*/
- if (!tp->retrans_stamp && /* no record of a retransmit/SYN? */
- sk->sk_state != TCP_SYN_SENT) /* not the FLAG_SYN_ACKED case? */
- return true; /* nothing was retransmitted */
- return false;
+ /* (1) For non-SACK connections, tcp_is_non_sack_preventing_reopen()
+ * clears tp->retrans_stamp when snd_una == high_seq.
+ */
+ if (!tcp_is_sack(tp) && !before(tp->snd_una, tp->high_seq))
+ return false;
+
+ /* (2) In TCP_SYN_SENT tcp_clean_rtx_queue() clears tp->retrans_stamp
+ * when setting FLAG_SYN_ACKED is set, even if the SYN was
+ * retransmitted.
+ */
+ if (sk->sk_state == TCP_SYN_SENT)
+ return false;
+
+ return true; /* tp->retrans_stamp is zero; no retransmit yet */
}
/* Undo procedures. */
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 485/508] tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 484/508] tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 486/508] tcp: fix passive TFO socket having invalid NAPI ID Greg Kroah-Hartman
` (26 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haixia Qu, Tung Nguyen,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haixia Qu <hxqu@hillstonenet.com>
[ Upstream commit f82727adcf2992822e12198792af450a76ebd5ef ]
The reproduction steps:
1. create a tun interface
2. enable l2 bearer
3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun
tipc: Started in network mode
tipc: Node identity 8af312d38a21, cluster identity 4711
tipc: Enabled bearer <eth:syz_tun>, priority 1
Oops: general protection fault
KASAN: null-ptr-deref in range
CPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT
Hardware name: QEMU Ubuntu 24.04 PC
RIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0
the ub was in fact a struct dev.
when bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or
other media when other thread changes it.
fix this by checking media_id.
Fixes: 832629ca5c313 ("tipc: add UDP remoteip dump to netlink API")
Signed-off-by: Haixia Qu <hxqu@hillstonenet.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250617055624.2680-1-hxqu@hillstonenet.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/udp_media.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index f5bd75d931c1b..e1305d159834b 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -489,7 +489,7 @@ int tipc_udp_nl_dump_remoteip(struct sk_buff *skb, struct netlink_callback *cb)
rtnl_lock();
b = tipc_bearer_find(net, bname);
- if (!b) {
+ if (!b || b->bcast_addr.media_id != TIPC_MEDIA_TYPE_UDP) {
rtnl_unlock();
return -EINVAL;
}
@@ -500,7 +500,7 @@ int tipc_udp_nl_dump_remoteip(struct sk_buff *skb, struct netlink_callback *cb)
rtnl_lock();
b = rtnl_dereference(tn->bearer_list[bid]);
- if (!b) {
+ if (!b || b->bcast_addr.media_id != TIPC_MEDIA_TYPE_UDP) {
rtnl_unlock();
return -EINVAL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 486/508] tcp: fix passive TFO socket having invalid NAPI ID
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 485/508] tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 487/508] net: microchip: lan743x: Reduce PTP timeout on HW failure Greg Kroah-Hartman
` (25 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Wei, Kuniyuki Iwashima,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Wei <dw@davidwei.uk>
[ Upstream commit dbe0ca8da1f62b6252e7be6337209f4d86d4a914 ]
There is a bug with passive TFO sockets returning an invalid NAPI ID 0
from SO_INCOMING_NAPI_ID. Normally this is not an issue, but zero copy
receive relies on a correct NAPI ID to process sockets on the right
queue.
Fix by adding a sk_mark_napi_id_set().
Fixes: e5907459ce7e ("tcp: Record Rx hash and NAPI ID in tcp_child_process")
Signed-off-by: David Wei <dw@davidwei.uk>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250617212102.175711-5-dw@davidwei.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_fastopen.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index cb01c770d8cf5..cbce1306bb08c 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -3,6 +3,7 @@
#include <linux/tcp.h>
#include <linux/rcupdate.h>
#include <net/tcp.h>
+#include <net/busy_poll.h>
void tcp_fastopen_init_key_once(struct net *net)
{
@@ -279,6 +280,8 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
refcount_set(&req->rsk_refcnt, 2);
+ sk_mark_napi_id_set(child, skb);
+
/* Now finish processing the fastopen child socket. */
tcp_init_transfer(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 487/508] net: microchip: lan743x: Reduce PTP timeout on HW failure
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 486/508] tcp: fix passive TFO socket having invalid NAPI ID Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 488/508] net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Greg Kroah-Hartman
` (24 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rengarajan S, Simon Horman,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rengarajan S <rengarajan.s@microchip.com>
[ Upstream commit b1de3c0df7abc41dc41862c0b08386411f2799d7 ]
The PTP_CMD_CTL is a self clearing register which controls the PTP clock
values. In the current implementation driver waits for a duration of 20
sec in case of HW failure to clear the PTP_CMD_CTL register bit. This
timeout of 20 sec is very long to recognize a HW failure, as it is
typically cleared in one clock(<16ns). Hence reducing the timeout to 1 sec
would be sufficient to conclude if there is any HW failure observed. The
usleep_range will sleep somewhere between 1 msec to 20 msec for each
iteration. By setting the PTP_CMD_CTL_TIMEOUT_CNT to 50 the max timeout
is extended to 1 sec.
Signed-off-by: Rengarajan S <rengarajan.s@microchip.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240502050300.38689-1-rengarajan.s@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: e353b0854d3a ("net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan743x_ptp.c | 2 +-
drivers/net/ethernet/microchip/lan743x_ptp.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microchip/lan743x_ptp.c b/drivers/net/ethernet/microchip/lan743x_ptp.c
index da3ea905adbb8..7ace578551a09 100644
--- a/drivers/net/ethernet/microchip/lan743x_ptp.c
+++ b/drivers/net/ethernet/microchip/lan743x_ptp.c
@@ -58,7 +58,7 @@ int lan743x_gpio_init(struct lan743x_adapter *adapter)
static void lan743x_ptp_wait_till_cmd_done(struct lan743x_adapter *adapter,
u32 bit_mask)
{
- int timeout = 1000;
+ int timeout = PTP_CMD_CTL_TIMEOUT_CNT;
u32 data = 0;
while (timeout &&
diff --git a/drivers/net/ethernet/microchip/lan743x_ptp.h b/drivers/net/ethernet/microchip/lan743x_ptp.h
index e26d4eff71336..0d29914cd4606 100644
--- a/drivers/net/ethernet/microchip/lan743x_ptp.h
+++ b/drivers/net/ethernet/microchip/lan743x_ptp.h
@@ -21,6 +21,7 @@
#define LAN743X_PTP_N_EXTTS 4
#define LAN743X_PTP_N_PPS 0
#define PCI11X1X_PTP_IO_MAX_CHANNELS 8
+#define PTP_CMD_CTL_TIMEOUT_CNT 50
struct lan743x_adapter;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 488/508] net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 487/508] net: microchip: lan743x: Reduce PTP timeout on HW failure Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 489/508] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() Greg Kroah-Hartman
` (23 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Jacob Keller,
Rengarajan S, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit e353b0854d3a1a31cb061df8d022fbfea53a0f24 ]
Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value
is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8).
This seems correct and aligns with the PTP interrupt status register
(PTP_INT_STS) specifications.
However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with
only LAN743X_PTP_N_EXTTS(4) elements, using channel as an index:
lan743x_ptp_io_event_clock_get(..., u8 channel,...)
{
...
/* Update Local timestamp */
extts = &ptp->extts[channel];
extts->ts.tv_sec = sec;
...
}
To avoid an out-of-bounds write and utilize all the supported GPIO
inputs, set LAN743X_PTP_N_EXTTS to 8.
Detected using the static analysis tool - Svace.
Fixes: 60942c397af6 ("net: lan743x: Add support for PTP-IO Event Input External Timestamp (extts)")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Acked-by: Rengarajan S <rengarajan.s@microchip.com>
Link: https://patch.msgid.link/20250616113743.36284-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan743x_ptp.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan743x_ptp.h b/drivers/net/ethernet/microchip/lan743x_ptp.h
index 0d29914cd4606..225e8232474d7 100644
--- a/drivers/net/ethernet/microchip/lan743x_ptp.h
+++ b/drivers/net/ethernet/microchip/lan743x_ptp.h
@@ -18,9 +18,9 @@
*/
#define LAN743X_PTP_N_EVENT_CHAN 2
#define LAN743X_PTP_N_PEROUT LAN743X_PTP_N_EVENT_CHAN
-#define LAN743X_PTP_N_EXTTS 4
-#define LAN743X_PTP_N_PPS 0
#define PCI11X1X_PTP_IO_MAX_CHANNELS 8
+#define LAN743X_PTP_N_EXTTS PCI11X1X_PTP_IO_MAX_CHANNELS
+#define LAN743X_PTP_N_PPS 0
#define PTP_CMD_CTL_TIMEOUT_CNT 50
struct lan743x_adapter;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 489/508] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 488/508] net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 490/508] net: atm: add lec_mutex Greg Kroah-Hartman
` (22 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, John Cheung,
Kuniyuki Iwashima, Paul Moore, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 10876da918fa1aec0227fb4c67647513447f53a9 ]
syzkaller reported a null-ptr-deref in sock_omalloc() while allocating
a CALIPSO option. [0]
The NULL is of struct sock, which was fetched by sk_to_full_sk() in
calipso_req_setattr().
Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"),
reqsk->rsk_listener could be NULL when SYN Cookie is returned to its
client, as hinted by the leading SYN Cookie log.
Here are 3 options to fix the bug:
1) Return 0 in calipso_req_setattr()
2) Return an error in calipso_req_setattr()
3) Alaways set rsk_listener
1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie
for CALIPSO. 3) is also no go as there have been many efforts to reduce
atomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35
("tcp/dccp: do not touch listener sk_refcnt under synflood").
As of the blamed commit, SYN Cookie already did not need refcounting,
and no one has stumbled on the bug for 9 years, so no CALIPSO user will
care about SYN Cookie.
Let's return an error in calipso_req_setattr() and calipso_req_delattr()
in the SYN Cookie case.
This can be reproduced by [1] on Fedora and now connect() of nc times out.
[0]:
TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806
Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff88811af89038 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400
RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030
RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e
R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000
R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050
FS: 00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
<IRQ>
ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288
calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204
calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597
netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249
selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342
selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551
security_inet_conn_request+0x50/0xa0 security/security.c:4945
tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825
tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275
tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328
tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781
tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667
tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904
ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436
ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491
dst_input include/net/dst.h:469 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ipv6_rcv+0xf9/0x490 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1f0 net/core/dev.c:5896
__netif_receive_skb+0x1d/0x170 net/core/dev.c:6009
process_backlog+0x41e/0x13b0 net/core/dev.c:6357
__napi_poll+0xbd/0x710 net/core/dev.c:7191
napi_poll net/core/dev.c:7260 [inline]
net_rx_action+0x9de/0xde0 net/core/dev.c:7382
handle_softirqs+0x19a/0x770 kernel/softirq.c:561
do_softirq.part.0+0x36/0x70 kernel/softirq.c:462
</IRQ>
<TASK>
do_softirq arch/x86/include/asm/preempt.h:26 [inline]
__local_bh_enable_ip+0xf1/0x110 kernel/softirq.c:389
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
__dev_queue_xmit+0xc2a/0x3c40 net/core/dev.c:4679
dev_queue_xmit include/linux/netdevice.h:3313 [inline]
neigh_hh_output include/net/neighbour.h:523 [inline]
neigh_output include/net/neighbour.h:537 [inline]
ip6_finish_output2+0xd69/0x1f80 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0x5dc/0xd60 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x24b/0x8d0 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:459 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip6_xmit+0xbbc/0x20d0 net/ipv6/ip6_output.c:366
inet6_csk_xmit+0x39a/0x720 net/ipv6/inet6_connection_sock.c:135
__tcp_transmit_skb+0x1a7b/0x3b40 net/ipv4/tcp_output.c:1471
tcp_transmit_skb net/ipv4/tcp_output.c:1489 [inline]
tcp_send_syn_data net/ipv4/tcp_output.c:4059 [inline]
tcp_connect+0x1c0c/0x4510 net/ipv4/tcp_output.c:4148
tcp_v6_connect+0x156c/0x2080 net/ipv6/tcp_ipv6.c:333
__inet_stream_connect+0x3a7/0xed0 net/ipv4/af_inet.c:677
tcp_sendmsg_fastopen+0x3e2/0x710 net/ipv4/tcp.c:1039
tcp_sendmsg_locked+0x1e82/0x3570 net/ipv4/tcp.c:1091
tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1358
inet6_sendmsg+0xb9/0x150 net/ipv6/af_inet6.c:659
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0xf4/0x2a0 net/socket.c:733
__sys_sendto+0x29a/0x390 net/socket.c:2187
__do_sys_sendto net/socket.c:2194 [inline]
__se_sys_sendto net/socket.c:2190 [inline]
__x64_sys_sendto+0xe1/0x1c0 net/socket.c:2190
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f06553c47ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0653a06fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f0655605fa0 RCX: 00007f06553c47ed
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000b
RBP: 00007f065545db38 R08: 0000200000000140 R09: 000000000000001c
R10: f7384d4ea84b01bd R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0655605fac R14: 00007f0655606038 R15: 00007f06539e7000
</TASK>
Modules linked in:
[1]:
dnf install -y selinux-policy-targeted policycoreutils netlabel_tools procps-ng nmap-ncat
mount -t selinuxfs none /sys/fs/selinux
load_policy
netlabelctl calipso add pass doi:1
netlabelctl map del default
netlabelctl map add default address:::1 protocol:calipso,1
sysctl net.ipv4.tcp_syncookies=2
nc -l ::1 80 &
nc ::1 80
Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: John Cheung <john.cs.hey@gmail.com>
Closes: https://lore.kernel.org/netdev/CAP=Rh=MvfhrGADy+-WJiftV2_WzMH4VEhEFmeT28qY+4yxNu4w@mail.gmail.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20250617224125.17299-1-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/calipso.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index c07e3da08d2a8..24666291c54a8 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1210,6 +1210,10 @@ static int calipso_req_setattr(struct request_sock *req,
struct ipv6_opt_hdr *old, *new;
struct sock *sk = sk_to_full_sk(req_to_sk(req));
+ /* sk is NULL for SYN+ACK w/ SYN Cookie */
+ if (!sk)
+ return -ENOMEM;
+
if (req_inet->ipv6_opt && req_inet->ipv6_opt->hopopt)
old = req_inet->ipv6_opt->hopopt;
else
@@ -1250,6 +1254,10 @@ static void calipso_req_delattr(struct request_sock *req)
struct ipv6_txoptions *txopts;
struct sock *sk = sk_to_full_sk(req_to_sk(req));
+ /* sk is NULL for SYN+ACK w/ SYN Cookie */
+ if (!sk)
+ return;
+
if (!req_inet->ipv6_opt || !req_inet->ipv6_opt->hopopt)
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 490/508] net: atm: add lec_mutex
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 489/508] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 491/508] net: atm: fix /proc/net/atm/lec handling Greg Kroah-Hartman
` (21 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8b64dec3affaed7b3af5,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d13a3824bfd2b4774b671a75cf766a16637a0e67 ]
syzbot found its way in net/atm/lec.c, and found an error path
in lecd_attach() could leave a dangling pointer in dev_lec[].
Add a mutex to protect dev_lecp[] uses from lecd_attach(),
lec_vcc_attach() and lec_mcast_attach().
Following patch will use this mutex for /proc/net/atm/lec.
BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline]
BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008
Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142
CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xcd/0x680 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
lecd_attach net/atm/lec.c:751 [inline]
lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
sock_do_ioctl+0x118/0x280 net/socket.c:1190
sock_ioctl+0x227/0x6b0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 6132:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015
alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711
lecd_attach net/atm/lec.c:737 [inline]
lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
sock_do_ioctl+0x118/0x280 net/socket.c:1190
sock_ioctl+0x227/0x6b0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6132:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4842
free_netdev+0x6c5/0x910 net/core/dev.c:11892
lecd_attach net/atm/lec.c:744 [inline]
lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
sock_do_ioctl+0x118/0x280 net/socket.c:1190
sock_ioctl+0x227/0x6b0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+8b64dec3affaed7b3af5@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6852c6f6.050a0220.216029.0018.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250618140844.1686882-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index ac3cfc1ae5102..d4ac1488eca6f 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -124,6 +124,7 @@ static unsigned char bus_mac[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
/* Device structures */
static struct net_device *dev_lec[MAX_LEC_ITF];
+static DEFINE_MUTEX(lec_mutex);
#if IS_ENABLED(CONFIG_BRIDGE)
static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
@@ -685,6 +686,7 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
int bytes_left;
struct atmlec_ioc ioc_data;
+ lockdep_assert_held(&lec_mutex);
/* Lecd must be up in this case */
bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc));
if (bytes_left != 0)
@@ -710,6 +712,7 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
{
+ lockdep_assert_held(&lec_mutex);
if (arg < 0 || arg >= MAX_LEC_ITF)
return -EINVAL;
arg = array_index_nospec(arg, MAX_LEC_ITF);
@@ -725,6 +728,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg)
int i;
struct lec_priv *priv;
+ lockdep_assert_held(&lec_mutex);
if (arg < 0)
arg = 0;
if (arg >= MAX_LEC_ITF)
@@ -742,6 +746,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg)
snprintf(dev_lec[i]->name, IFNAMSIZ, "lec%d", i);
if (register_netdev(dev_lec[i])) {
free_netdev(dev_lec[i]);
+ dev_lec[i] = NULL;
return -EINVAL;
}
@@ -1003,6 +1008,7 @@ static int lane_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
return -ENOIOCTLCMD;
}
+ mutex_lock(&lec_mutex);
switch (cmd) {
case ATMLEC_CTRL:
err = lecd_attach(vcc, (int)arg);
@@ -1017,6 +1023,7 @@ static int lane_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
break;
}
+ mutex_unlock(&lec_mutex);
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 491/508] net: atm: fix /proc/net/atm/lec handling
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 490/508] net: atm: add lec_mutex Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 492/508] dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties Greg Kroah-Hartman
` (20 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin, Francois Romieu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d03b79f459c7935cff830d98373474f440bd03ae ]
/proc/net/atm/lec must ensure safety against dev_lec[] changes.
It appears it had dev_put() calls without prior dev_hold(),
leading to imbalance and UAF.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com> # Minor atm contributor
Link: https://patch.msgid.link/20250618140844.1686882-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index d4ac1488eca6f..b7fa48a9b7205 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -909,7 +909,6 @@ static void *lec_itf_walk(struct lec_state *state, loff_t *l)
v = (dev && netdev_priv(dev)) ?
lec_priv_walk(state, l, netdev_priv(dev)) : NULL;
if (!v && dev) {
- dev_put(dev);
/* Partial state reset for the next time we get called */
dev = NULL;
}
@@ -933,6 +932,7 @@ static void *lec_seq_start(struct seq_file *seq, loff_t *pos)
{
struct lec_state *state = seq->private;
+ mutex_lock(&lec_mutex);
state->itf = 0;
state->dev = NULL;
state->locked = NULL;
@@ -950,8 +950,9 @@ static void lec_seq_stop(struct seq_file *seq, void *v)
if (state->dev) {
spin_unlock_irqrestore(&state->locked->lec_arp_lock,
state->flags);
- dev_put(state->dev);
+ state->dev = NULL;
}
+ mutex_unlock(&lec_mutex);
}
static void *lec_seq_next(struct seq_file *seq, void *v, loff_t *pos)
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 492/508] dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 491/508] net: atm: fix /proc/net/atm/lec handling Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 493/508] platform/x86: ideapad-laptop: add missing Ideapad Pro 5 fn keys Greg Kroah-Hartman
` (19 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil R, Krzysztof Kozlowski,
Andi Shyti
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil R <akhilrajeev@nvidia.com>
commit 903cc7096db22f889d48e2cee8840709ce04fdac upstream.
Specify the properties which are essential and which are not for the
Tegra I2C driver to function correctly. This was not added correctly when
the TXT binding was converted to yaml. All the existing DT nodes have
these properties already and hence this does not break the ABI.
dmas and dma-names which were specified as a must in the TXT binding
is now made optional since the driver can work in PIO mode if dmas are
missing.
Fixes: f10a9b722f80 ("dt-bindings: i2c: tegra: Convert to json-schema”)
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Cc: <stable@vger.kernel.org> # v5.17+
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Andi Shyti <andi@smida.it>
Link: https://lore.kernel.org/r/20250603153022.39434-1-akhilrajeev@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/i2c/nvidia,tegra20-i2c.yaml | 24 +++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/i2c/nvidia,tegra20-i2c.yaml
+++ b/Documentation/devicetree/bindings/i2c/nvidia,tegra20-i2c.yaml
@@ -103,7 +103,10 @@ properties:
resets:
items:
- - description: module reset
+ - description:
+ Module reset. This property is optional for controllers in Tegra194,
+ Tegra234 etc where an internal software reset is available as an
+ alternative.
reset-names:
items:
@@ -119,6 +122,13 @@ properties:
- const: rx
- const: tx
+required:
+ - compatible
+ - reg
+ - interrupts
+ - clocks
+ - clock-names
+
allOf:
- $ref: /schemas/i2c/i2c-controller.yaml
- if:
@@ -172,6 +182,18 @@ allOf:
items:
- description: phandle to the VENC power domain
+ - if:
+ not:
+ properties:
+ compatible:
+ contains:
+ enum:
+ - nvidia,tegra194-i2c
+ then:
+ required:
+ - resets
+ - reset-names
+
unevaluatedProperties: false
examples:
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 493/508] platform/x86: ideapad-laptop: add missing Ideapad Pro 5 fn keys
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 492/508] dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 494/508] ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Greg Kroah-Hartman
` (18 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Renato Caldas, Hans de Goede,
WangYuli
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Renato Caldas <renato@calgera.com>
commit 36e66be874a7ea9d28fb9757629899a8449b8748 upstream.
The scancodes for the Mic Mute and Airplane keys on the Ideapad Pro 5
(14AHP9 at least, probably the other variants too) are different and
were not being picked up by the driver. This adds them to the keymap.
Apart from what is already supported, the remaining fn keys are
unfortunately producing windows-specific key-combos.
Signed-off-by: Renato Caldas <renato@calgera.com>
Link: https://lore.kernel.org/r/20241102183116.30142-1-renato@calgera.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/ideapad-laptop.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -1191,6 +1191,9 @@ static const struct key_entry ideapad_ke
{ KE_KEY, 0x27 | IDEAPAD_WMI_KEY, { KEY_HELP } },
/* Refresh Rate Toggle */
{ KE_KEY, 0x0a | IDEAPAD_WMI_KEY, { KEY_DISPLAYTOGGLE } },
+ /* Specific to some newer models */
+ { KE_KEY, 0x3e | IDEAPAD_WMI_KEY, { KEY_MICMUTE } },
+ { KE_KEY, 0x3f | IDEAPAD_WMI_KEY, { KEY_RFKILL } },
{ KE_END },
};
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 494/508] ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 493/508] platform/x86: ideapad-laptop: add missing Ideapad Pro 5 fn keys Greg Kroah-Hartman
@ 2025-06-23 13:08 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 495/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Greg Kroah-Hartman
` (17 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Nelson, Shengyu Qu,
Tony Lindgren, Nobuhiro Iwamatsu (CIP)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengyu Qu <wiagn233@outlook.com>
commit 623cef652768860bd5f205fb7b741be278585fba upstream.
This patch adds ethernet PHY reset GPIO config for Beaglebone Black
series boards with revision C3. This fixes a random phy startup failure
bug discussed at [1]. The GPIO pin used for reset is not used on older
revisions, so it is ok to apply to all board revisions. The reset timing
was discussed and tested at [2].
[1] https://forum.digikey.com/t/ethernet-device-is-not-detecting-on-ubuntu-20-04-lts-on-bbg/19948
[2] https://forum.beagleboard.org/t/recognizing-a-beaglebone-black-rev-c3-board/31249/
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
Signed-off-by: Shengyu Qu <wiagn233@outlook.com>
Message-ID: <TY3P286MB26113797A3B2EC7E0348BBB2980FA@TY3P286MB2611.JPNP286.PROD.OUTLOOK.COM>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/am335x-bone-common.dtsi | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -145,6 +145,8 @@
/* MDIO */
AM33XX_PADCONF(AM335X_PIN_MDIO, PIN_INPUT_PULLUP | SLEWCTRL_FAST, MUX_MODE0)
AM33XX_PADCONF(AM335X_PIN_MDC, PIN_OUTPUT_PULLUP, MUX_MODE0)
+ /* Added to support GPIO controlled PHY reset */
+ AM33XX_PADCONF(AM335X_PIN_UART0_CTSN, PIN_OUTPUT_PULLUP, MUX_MODE7)
>;
};
@@ -153,6 +155,8 @@
/* MDIO reset value */
AM33XX_PADCONF(AM335X_PIN_MDIO, PIN_INPUT_PULLDOWN, MUX_MODE7)
AM33XX_PADCONF(AM335X_PIN_MDC, PIN_INPUT_PULLDOWN, MUX_MODE7)
+ /* Added to support GPIO controlled PHY reset */
+ AM33XX_PADCONF(AM335X_PIN_UART0_CTSN, PIN_INPUT_PULLDOWN, MUX_MODE7)
>;
};
@@ -377,6 +381,10 @@
ethphy0: ethernet-phy@0 {
reg = <0>;
+ /* Support GPIO reset on revision C3 boards */
+ reset-gpios = <&gpio1 8 GPIO_ACTIVE_LOW>;
+ reset-assert-us = <300>;
+ reset-deassert-us = <6500>;
};
};
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 495/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert time
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2025-06-23 13:08 ` [PATCH 6.1 494/508] ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 496/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Greg Kroah-Hartman
` (16 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Colin Foster, Kevin Hilman,
Nobuhiro Iwamatsu (CIP)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Foster <colin.foster@in-advantage.com>
commit b9bf5612610aa7e38d58fee16f489814db251c01 upstream.
Prior to commit df16c1c51d81 ("net: phy: mdio_device: Reset device only
when necessary") MDIO reset deasserts were performed twice during boot.
Now that the second deassert is no longer performed, device probe
failures happen due to the change in timing with the following error
message:
SMSC LAN8710/LAN8720: probe of 4a101000.mdio:00 failed with error -5
Restore the original effective timing, which resolves the probe
failures.
Signed-off-by: Colin Foster <colin.foster@in-advantage.com>
Link: https://lore.kernel.org/r/20240531183817.2698445-1-colin.foster@in-advantage.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/am335x-bone-common.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -384,7 +384,7 @@
/* Support GPIO reset on revision C3 boards */
reset-gpios = <&gpio1 8 GPIO_ACTIVE_LOW>;
reset-assert-us = <300>;
- reset-deassert-us = <6500>;
+ reset-deassert-us = <13000>;
};
};
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 496/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 495/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 497/508] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Greg Kroah-Hartman
` (15 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Roger Quadros,
Kevin Hilman, Nobuhiro Iwamatsu (CIP)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit 929d8490f8790164f5f63671c1c58d6c50411cb2 upstream.
Commit b9bf5612610aa7e3 ("ARM: dts: am335x-bone-common: Increase MDIO
reset deassert time") already increased the MDIO reset deassert delay
from 6.5 to 13 ms, but this may still cause Ethernet PHY probe failures:
SMSC LAN8710/LAN8720 4a101000.mdio:00: probe with driver SMSC LAN8710/LAN8720 failed with error -5
On BeagleBone Black Rev. C3, ETH_RESETn is controlled by an open-drain
AND gate. It is pulled high by a 10K resistor, and has a 4.7µF
capacitor to ground, giving an RC time constant of 47ms. As it takes
0.7RC to charge the capacitor above the threshold voltage of a CMOS
input (VDD/2), the delay should be at least 33ms. Considering the
typical tolerance of 20% on capacitors, 40ms would be safer. Add an
additional safety margin and settle for 50ms.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Roger Quadros <rogerq@kernel.org>
Link: https://lore.kernel.org/r/9002a58daa1b2983f39815b748ee9d2f8dcc4829.1730366936.git.geert+renesas@glider.be
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/am335x-bone-common.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -384,7 +384,7 @@
/* Support GPIO reset on revision C3 boards */
reset-gpios = <&gpio1 8 GPIO_ACTIVE_LOW>;
reset-assert-us = <300>;
- reset-deassert-us = <13000>;
+ reset-deassert-us = <50000>;
};
};
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 497/508] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 496/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 498/508] arm64: dts: imx8mm: Drop sd-vsel-gpios from i.MX8M Mini Verdin SoM Greg Kroah-Hartman
` (14 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yemike Abhilash Chandra, Udit Kumar,
Nishanth Menon
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
commit 97b67cc102dc2cc8aa39a569c22a196e21af5a21 upstream.
Add device tree nodes for two power regulators on the J721E SK board.
vsys_5v0: A fixed regulator representing the 5V supply output from the
LM61460 and vdd_sd_dv: A GPIO-controlled TLV71033 regulator.
J721E-SK schematics: https://www.ti.com/lit/zip/sprr438
Fixes: 1bfda92a3a36 ("arm64: dts: ti: Add support for J721E SK")
Cc: stable@vger.kernel.org
Signed-off-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
Reviewed-by: Udit Kumar <u-kumar1@ti.com>
Link: https://lore.kernel.org/r/20250415111328.3847502-2-y-abhilashchandra@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
@@ -175,6 +175,17 @@
regulator-boot-on;
};
+ vsys_5v0: fixedregulator-vsys5v0 {
+ /* Output of LM61460 */
+ compatible = "regulator-fixed";
+ regulator-name = "vsys_5v0";
+ regulator-min-microvolt = <5000000>;
+ regulator-max-microvolt = <5000000>;
+ vin-supply = <&vusb_main>;
+ regulator-always-on;
+ regulator-boot-on;
+ };
+
vdd_mmc1: fixedregulator-sd {
compatible = "regulator-fixed";
pinctrl-names = "default";
@@ -202,6 +213,20 @@
<3300000 0x1>;
};
+ vdd_sd_dv: gpio-regulator-TLV71033 {
+ compatible = "regulator-gpio";
+ pinctrl-names = "default";
+ pinctrl-0 = <&vdd_sd_dv_pins_default>;
+ regulator-name = "tlv71033";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <3300000>;
+ regulator-boot-on;
+ vin-supply = <&vsys_5v0>;
+ gpios = <&main_gpio0 118 GPIO_ACTIVE_HIGH>;
+ states = <1800000 0x0>,
+ <3300000 0x1>;
+ };
+
dp_pwr_3v3: fixedregulator-dp-prw {
compatible = "regulator-fixed";
regulator-name = "dp-pwr";
@@ -455,6 +480,12 @@
>;
};
+ vdd_sd_dv_pins_default: vdd-sd-dv-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */
+ >;
+ };
+
wkup_i2c0_pins_default: wkup-i2c0-pins-default {
pinctrl-single,pins = <
J721E_WKUP_IOPAD(0xf8, PIN_INPUT_PULLUP, 0) /* (J25) WKUP_I2C0_SCL */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 498/508] arm64: dts: imx8mm: Drop sd-vsel-gpios from i.MX8M Mini Verdin SoM
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 497/508] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 499/508] serial: sh-sci: Increment the runtime usage counter for the earlycon device Greg Kroah-Hartman
` (13 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Frieder Schrempf,
Shawn Guo, Francesco Dolcini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@denx.de>
commit 8bad8c923f217d238ba4f1a6d19d761e53bfbd26 upstream.
The VSELECT pin is configured as MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT
and not as a GPIO, drop the bogus sd-vsel-gpios property as the eSDHC
block handles the VSELECT pin on its own.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 -
1 file changed, 1 deletion(-)
--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
@@ -372,7 +372,6 @@
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_pmic>;
reg = <0x25>;
- sd-vsel-gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
/*
* The bootloader is expected to switch on the I2C level shifter for the TLA2024 ADC
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 499/508] serial: sh-sci: Increment the runtime usage counter for the earlycon device
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 498/508] arm64: dts: imx8mm: Drop sd-vsel-gpios from i.MX8M Mini Verdin SoM Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 500/508] Revert "cpufreq: tegra186: Share policy per cluster" Greg Kroah-Hartman
` (12 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudiu Beznea
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 651dee03696e1dfde6d9a7e8664bbdcd9a10ea7f upstream.
In the sh-sci driver, serial ports are mapped to the sci_ports[] array,
with earlycon mapped at index zero.
The uart_add_one_port() function eventually calls __device_attach(),
which, in turn, calls pm_request_idle(). The identified code path is as
follows:
uart_add_one_port() ->
serial_ctrl_register_port() ->
serial_core_register_port() ->
serial_core_port_device_add() ->
serial_base_port_add() ->
device_add() ->
bus_probe_device() ->
device_initial_probe() ->
__device_attach() ->
// ...
if (dev->p->dead) {
// ...
} else if (dev->driver) {
// ...
} else {
// ...
pm_request_idle(dev);
// ...
}
The earlycon device clocks are enabled by the bootloader. However, the
pm_request_idle() call in __device_attach() disables the SCI port clocks
while earlycon is still active.
The earlycon write function, serial_console_write(), calls
sci_poll_put_char() via serial_console_putchar(). If the SCI port clocks
are disabled, writing to earlycon may sometimes cause the SR.TDFE bit to
remain unset indefinitely, causing the while loop in sci_poll_put_char()
to never exit. On single-core SoCs, this can result in the system being
blocked during boot when this issue occurs.
To resolve this, increment the runtime PM usage counter for the earlycon
SCI device before registering the UART port.
Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250116182249.3828577-6-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/sh-sci.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -3352,6 +3352,22 @@ static int sci_probe_single(struct platf
if (sci_uart_earlycon && sci_ports[0].port.mapbase == sci_res->start) {
/*
+ * In case:
+ * - this is the earlycon port (mapped on index 0 in sci_ports[]) and
+ * - it now maps to an alias other than zero and
+ * - the earlycon is still alive (e.g., "earlycon keep_bootcon" is
+ * available in bootargs)
+ *
+ * we need to avoid disabling clocks and PM domains through the runtime
+ * PM APIs called in __device_attach(). For this, increment the runtime
+ * PM reference counter (the clocks and PM domains were already enabled
+ * by the bootloader). Otherwise the earlycon may access the HW when it
+ * has no clocks enabled leading to failures (infinite loop in
+ * sci_poll_put_char()).
+ */
+ pm_runtime_get_noresume(&dev->dev);
+
+ /*
* Skip cleanup the sci_port[0] in early_console_exit(), this
* port is the same as the earlycon one.
*/
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 500/508] Revert "cpufreq: tegra186: Share policy per cluster"
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 499/508] serial: sh-sci: Increment the runtime usage counter for the earlycon device Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 501/508] smb: client: fix first command failure during re-negotiation Greg Kroah-Hartman
` (11 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jon Hunter
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Hunter <jonathanh@nvidia.com>
This reverts commit 89172666228de1cefcacf5bc6f61c6281751d2ed which is
upstream commit be4ae8c19492cd6d5de61ccb34ffb3f5ede5eec8.
This commit is causing a suspend regression on Tegra186 Jetson TX2 with
Linux v6.12.y kernels. This is not seen with Linux v6.15 that includes
this change but indicates that there are there changes missing.
Therefore, revert this change.
Link: https://lore.kernel.org/linux-tegra/bf1dabf7-0337-40e9-8b8e-4e93a0ffd4cc@nvidia.com/
Fixes: 89172666228d ("cpufreq: tegra186: Share policy per cluster")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/tegra186-cpufreq.c | 7 -------
1 file changed, 7 deletions(-)
--- a/drivers/cpufreq/tegra186-cpufreq.c
+++ b/drivers/cpufreq/tegra186-cpufreq.c
@@ -73,18 +73,11 @@ static int tegra186_cpufreq_init(struct
{
struct tegra186_cpufreq_data *data = cpufreq_get_driver_data();
unsigned int cluster = data->cpus[policy->cpu].bpmp_cluster_id;
- u32 cpu;
policy->freq_table = data->clusters[cluster].table;
policy->cpuinfo.transition_latency = 300 * 1000;
policy->driver_data = NULL;
- /* set same policy for all cpus in a cluster */
- for (cpu = 0; cpu < ARRAY_SIZE(tegra186_cpus); cpu++) {
- if (data->cpus[cpu].bpmp_cluster_id == cluster)
- cpumask_set_cpu(cpu, policy->cpus);
- }
-
return 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 501/508] smb: client: fix first command failure during re-negotiation
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 500/508] Revert "cpufreq: tegra186: Share policy per cluster" Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 502/508] platform/loongarch: laptop: Add backlight power control support Greg Kroah-Hartman
` (10 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Meetakshi Setiya, zhangjian, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhangjian <zhangjian496@huawei.com>
commit 34331d7beed7576acfc98e991c39738b96162499 upstream.
after fabc4ed200f9, server_unresponsive add a condition to check whether client
need to reconnect depending on server->lstrp. When client failed to reconnect
for some time and abort connection, server->lstrp is updated for the last time.
In the following scene, server->lstrp is too old. This cause next command
failure in re-negotiation rather than waiting for re-negotiation done.
1. mount -t cifs -o username=Everyone,echo_internal=10 //$server_ip/export /mnt
2. ssh $server_ip "echo b > /proc/sysrq-trigger &"
3. ls /mnt
4. sleep 21s
5. ssh $server_ip "service firewalld stop"
6. ls # return EHOSTDOWN
If the interval between 5 and 6 is too small, 6 may trigger sending negotiation
request. Before backgrounding cifsd thread try to receive negotiation response
from server in cifs_readv_from_socket, server_unresponsive may trigger
cifs_reconnect which cause 6 to be failed:
ls thread
----------------
smb2_negotiate
server->tcpStatus = CifsInNegotiate
compound_send_recv
wait_for_compound_request
cifsd thread
----------------
cifs_readv_from_socket
server_unresponsive
server->tcpStatus == CifsInNegotiate && jiffies > server->lstrp + 20s
cifs_reconnect
cifs_abort_connection: mid_state = MID_RETRY_NEEDED
ls thread
----------------
cifs_sync_mid_result return EAGAIN
smb2_negotiate return EHOSTDOWN
Though server->lstrp means last server response time, it is updated in
cifs_abort_connection and cifs_get_tcp_session. We can also update server->lstrp
before switching into CifsInNegotiate state to avoid failure in 6.
Fixes: 7ccc1465465d ("smb: client: fix hang in wait_for_response() for negproto")
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Acked-by: Meetakshi Setiya <msetiya@microsoft.com>
Signed-off-by: zhangjian <zhangjian496@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -4217,6 +4217,7 @@ retry:
return 0;
}
+ server->lstrp = jiffies;
server->tcpStatus = CifsInNegotiate;
spin_unlock(&server->srv_lock);
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 502/508] platform/loongarch: laptop: Add backlight power control support
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 501/508] smb: client: fix first command failure during re-negotiation Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 503/508] s390/pci: Fix __pcilg_mio_inuser() inline assembly Greg Kroah-Hartman
` (9 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yao Zi, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yao Zi <ziyao@disroot.org>
commit 53c762b47f726e4079a1f06f684bce2fc0d56fba upstream.
loongson_laptop_turn_{on,off}_backlight() are designed for controlling
the power of the backlight, but they aren't really used in the driver
previously.
Unify these two functions since they only differ in arguments passed to
ACPI method, and wire up loongson_laptop_backlight_update() to update
the power state of the backlight as well. Tested on the TongFang L860-T2
Loongson-3A5000 laptop.
Cc: stable@vger.kernel.org
Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver")
Signed-off-by: Yao Zi <ziyao@disroot.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/loongarch/loongson-laptop.c | 73 +++++++++++++--------------
1 file changed, 37 insertions(+), 36 deletions(-)
--- a/drivers/platform/loongarch/loongson-laptop.c
+++ b/drivers/platform/loongarch/loongson-laptop.c
@@ -56,8 +56,7 @@ static struct input_dev *generic_inputde
static acpi_handle hotkey_handle;
static struct key_entry hotkey_keycode_map[GENERIC_HOTKEY_MAP_MAX];
-int loongson_laptop_turn_on_backlight(void);
-int loongson_laptop_turn_off_backlight(void);
+static bool bl_powered;
static int loongson_laptop_backlight_update(struct backlight_device *bd);
/* 2. ACPI Helpers and device model */
@@ -354,16 +353,42 @@ static int ec_backlight_level(u8 level)
return level;
}
+static int ec_backlight_set_power(bool state)
+{
+ int status;
+ union acpi_object arg0 = { ACPI_TYPE_INTEGER };
+ struct acpi_object_list args = { 1, &arg0 };
+
+ arg0.integer.value = state;
+ status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL);
+ if (ACPI_FAILURE(status)) {
+ pr_info("Loongson lvds error: 0x%x\n", status);
+ return -EIO;
+ }
+
+ return 0;
+}
+
static int loongson_laptop_backlight_update(struct backlight_device *bd)
{
- int lvl = ec_backlight_level(bd->props.brightness);
+ bool target_powered = !backlight_is_blank(bd);
+ int ret = 0, lvl = ec_backlight_level(bd->props.brightness);
if (lvl < 0)
return -EIO;
+
if (ec_set_brightness(lvl))
return -EIO;
- return 0;
+ if (target_powered != bl_powered) {
+ ret = ec_backlight_set_power(target_powered);
+ if (ret < 0)
+ return ret;
+
+ bl_powered = target_powered;
+ }
+
+ return ret;
}
static int loongson_laptop_get_brightness(struct backlight_device *bd)
@@ -384,7 +409,7 @@ static const struct backlight_ops backli
static int laptop_backlight_register(void)
{
- int status = 0;
+ int status = 0, ret;
struct backlight_properties props;
memset(&props, 0, sizeof(props));
@@ -392,44 +417,20 @@ static int laptop_backlight_register(voi
if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d"))
return -EIO;
+ ret = ec_backlight_set_power(true);
+ if (ret)
+ return ret;
+
+ bl_powered = true;
+
props.max_brightness = status;
props.brightness = ec_get_brightness();
+ props.power = FB_BLANK_UNBLANK;
props.type = BACKLIGHT_PLATFORM;
backlight_device_register("loongson_laptop",
NULL, NULL, &backlight_laptop_ops, &props);
- return 0;
-}
-
-int loongson_laptop_turn_on_backlight(void)
-{
- int status;
- union acpi_object arg0 = { ACPI_TYPE_INTEGER };
- struct acpi_object_list args = { 1, &arg0 };
-
- arg0.integer.value = 1;
- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL);
- if (ACPI_FAILURE(status)) {
- pr_info("Loongson lvds error: 0x%x\n", status);
- return -ENODEV;
- }
-
- return 0;
-}
-
-int loongson_laptop_turn_off_backlight(void)
-{
- int status;
- union acpi_object arg0 = { ACPI_TYPE_INTEGER };
- struct acpi_object_list args = { 1, &arg0 };
-
- arg0.integer.value = 0;
- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL);
- if (ACPI_FAILURE(status)) {
- pr_info("Loongson lvds error: 0x%x\n", status);
- return -ENODEV;
- }
return 0;
}
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 503/508] s390/pci: Fix __pcilg_mio_inuser() inline assembly
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 502/508] platform/loongarch: laptop: Add backlight power control support Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 504/508] perf: Fix sample vs do_exit() Greg Kroah-Hartman
` (8 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Heiko Carstens
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit c4abe6234246c75cdc43326415d9cff88b7cf06c upstream.
Use "a" constraint for the shift operand of the __pcilg_mio_inuser() inline
assembly. The used "d" constraint allows the compiler to use any general
purpose register for the shift operand, including register zero.
If register zero is used this my result in incorrect code generation:
8f6: a7 0a ff f8 ahi %r0,-8
8fa: eb 32 00 00 00 0c srlg %r3,%r2,0 <----
If register zero is selected to contain the shift value, the srlg
instruction ignores the contents of the register and always shifts zero
bits. Therefore use the "a" constraint which does not permit to select
register zero.
Fixes: f058599e22d5 ("s390/pci: Fix s390_mmio_read/write with MIO")
Cc: stable@vger.kernel.org
Reported-by: Niklas Schnelle <schnelle@linux.ibm.com>
Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/pci/pci_mmio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/pci/pci_mmio.c
+++ b/arch/s390/pci/pci_mmio.c
@@ -223,7 +223,7 @@ static inline int __pcilg_mio_inuser(
[ioaddr_len] "+&d" (ioaddr_len.pair),
[cc] "+d" (cc), [val] "=d" (val),
[dst] "+a" (dst), [cnt] "+d" (cnt), [tmp] "=d" (tmp),
- [shift] "+d" (shift)
+ [shift] "+a" (shift)
:: "cc", "memory");
/* did we write everything to the user space buffer? */
^ permalink raw reply [flat|nested] 510+ messages in thread
* [PATCH 6.1 504/508] perf: Fix sample vs do_exit()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 503/508] s390/pci: Fix __pcilg_mio_inuser() inline assembly Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 505/508] arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Greg Kroah-Hartman
` (7 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baisheng Gao, Mark Rutland,
Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 4f6fc782128355931527cefe3eb45338abd8ab39 ]
Baisheng Gao reported an ARM64 crash, which Mark decoded as being a
synchronous external abort -- most likely due to trying to access
MMIO in bad ways.
The crash further shows perf trying to do a user stack sample while in
exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address
space it is trying to access.
It turns out that we stop perf after we tear down the userspace mm; a
receipie for disaster, since perf likes to access userspace for
various reasons.
Flip this order by moving up where we stop perf in do_exit().
Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER
to abort when the current task does not have an mm (exit_mm() makes
sure to set current->mm = NULL; before commencing with the actual
teardown). Such that CPU wide events don't trip on this same problem.
Fixes: c5ebcedb566e ("perf: Add ability to attach user stack dump to sample")
Reported-by: Baisheng Gao <baisheng.gao@unisoc.com>
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250605110815.GQ39944@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 7 +++++++
kernel/exit.c | 17 +++++++++--------
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 25df8971a56ed..2761db0365ddc 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6800,6 +6800,10 @@ perf_sample_ustack_size(u16 stack_size, u16 header_size,
if (!regs)
return 0;
+ /* No mm, no stack, no dump. */
+ if (!current->mm)
+ return 0;
+
/*
* Check if we fit in with the requested stack size into the:
* - TASK_SIZE
@@ -7485,6 +7489,9 @@ perf_callchain(struct perf_event *event, struct pt_regs *regs)
const u32 max_stack = event->attr.sample_max_stack;
struct perf_callchain_entry *callchain;
+ if (!current->mm)
+ user = false;
+
if (!kernel && !user)
return &__empty_callchain;
diff --git a/kernel/exit.c b/kernel/exit.c
index 156283b3c1bf6..10af26a4ab010 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -855,6 +855,15 @@ void __noreturn do_exit(long code)
tsk->exit_code = code;
taskstats_exit(tsk, group_dead);
+ /*
+ * Since sampling can touch ->mm, make sure to stop everything before we
+ * tear it down.
+ *
+ * Also flushes inherited counters to the parent - before the parent
+ * gets woken up by child-exit notifications.
+ */
+ perf_event_exit_task(tsk);
+
exit_mm();
if (group_dead)
@@ -871,14 +880,6 @@ void __noreturn do_exit(long code)
exit_task_work(tsk);
exit_thread(tsk);
- /*
- * Flush inherited counters to the parent - before the parent
- * gets woken up by child-exit notifications.
- *
- * because of cgroup mode, must be called before cgroup_exit()
- */
- perf_event_exit_task(tsk);
-
sched_autogroup_exit_task(tsk);
cgroup_exit(tsk);
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 505/508] arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 504/508] perf: Fix sample vs do_exit() Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 506/508] scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() Greg Kroah-Hartman
` (6 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tengda Wu, Will Deacon, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tengda Wu <wutengda@huaweicloud.com>
[ Upstream commit 39dfc971e42d886e7df01371cd1bef505076d84c ]
KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().
Call Trace:
[ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8
[ 97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550
[ 97.285732]
[ 97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11
[ 97.287032] Hardware name: linux,dummy-virt (DT)
[ 97.287815] Call trace:
[ 97.288279] dump_backtrace+0xa0/0x128
[ 97.288946] show_stack+0x20/0x38
[ 97.289551] dump_stack_lvl+0x78/0xc8
[ 97.290203] print_address_description.constprop.0+0x84/0x3c8
[ 97.291159] print_report+0xb0/0x280
[ 97.291792] kasan_report+0x84/0xd0
[ 97.292421] __asan_load8+0x9c/0xc0
[ 97.293042] regs_get_kernel_stack_nth+0xa8/0xc8
[ 97.293835] process_fetch_insn+0x770/0xa30
[ 97.294562] kprobe_trace_func+0x254/0x3b0
[ 97.295271] kprobe_dispatcher+0x98/0xe0
[ 97.295955] kprobe_breakpoint_handler+0x1b0/0x210
[ 97.296774] call_break_hook+0xc4/0x100
[ 97.297451] brk_handler+0x24/0x78
[ 97.298073] do_debug_exception+0xac/0x178
[ 97.298785] el1_dbg+0x70/0x90
[ 97.299344] el1h_64_sync_handler+0xcc/0xe8
[ 97.300066] el1h_64_sync+0x78/0x80
[ 97.300699] kernel_clone+0x0/0x500
[ 97.301331] __arm64_sys_clone+0x70/0x90
[ 97.302084] invoke_syscall+0x68/0x198
[ 97.302746] el0_svc_common.constprop.0+0x11c/0x150
[ 97.303569] do_el0_svc+0x38/0x50
[ 97.304164] el0_svc+0x44/0x1d8
[ 97.304749] el0t_64_sync_handler+0x100/0x130
[ 97.305500] el0t_64_sync+0x188/0x190
[ 97.306151]
[ 97.306475] The buggy address belongs to stack of task 1.sh/2550
[ 97.307461] and is located at offset 0 in frame:
[ 97.308257] __se_sys_clone+0x0/0x138
[ 97.308910]
[ 97.309241] This frame has 1 object:
[ 97.309873] [48, 184) 'args'
[ 97.309876]
[ 97.310749] The buggy address belongs to the virtual mapping at
[ 97.310749] [ffff800089270000, ffff800089279000) created by:
[ 97.310749] dup_task_struct+0xc0/0x2e8
[ 97.313347]
[ 97.313674] The buggy address belongs to the physical page:
[ 97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a
[ 97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)
[ 97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000
[ 97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 97.319445] page dumped because: kasan: bad access detected
[ 97.320371]
[ 97.320694] Memory state around the buggy address:
[ 97.321511] ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 97.322681] ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00
[ 97.325023] ^
[ 97.325683] ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
[ 97.326856] ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
This issue seems to be related to the behavior of some gcc compilers and
was also fixed on the s390 architecture before:
commit d93a855c31b7 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()")
As described in that commit, regs_get_kernel_stack_nth() has confirmed that
`addr` is on the stack, so reading the value at `*addr` should be allowed.
Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.
Fixes: 0a8ea52c3eb1 ("arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature")
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Link: https://lore.kernel.org/r/20250604005533.1278992-1-wutengda@huaweicloud.com
[will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/ptrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 2f1f86d916129..3025d14c253de 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -139,7 +139,7 @@ unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, unsigned int n)
addr += n;
if (regs_within_kernel_stack(regs, (unsigned long)addr))
- return *addr;
+ return READ_ONCE_NOCHECK(*addr);
else
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 506/508] scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 505/508] arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 507/508] RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls Greg Kroah-Hartman
` (5 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaliy Shevtsov, Daniel Wagner,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
[ Upstream commit 2a8a5a5dd06eef580f9818567773fd75057cb875 ]
strsep() modifies the address of the pointer passed to it so that it no
longer points to the original address. This means kfree() gets the wrong
pointer.
Fix this by passing unmodified pointer returned from kstrdup() to
kfree().
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 4df84e846624 ("scsi: elx: efct: Driver initialization routines")
Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
Link: https://lore.kernel.org/r/20250612163616.24298-1-v.shevtsov@mt-integration.ru
Reviewed-by: Daniel Wagner <dwagner@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/elx/efct/efct_hw.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/elx/efct/efct_hw.c b/drivers/scsi/elx/efct/efct_hw.c
index 5a5525054d71c..5b079b8b7a082 100644
--- a/drivers/scsi/elx/efct/efct_hw.c
+++ b/drivers/scsi/elx/efct/efct_hw.c
@@ -1120,7 +1120,7 @@ int
efct_hw_parse_filter(struct efct_hw *hw, void *value)
{
int rc = 0;
- char *p = NULL;
+ char *p = NULL, *pp = NULL;
char *token;
u32 idx = 0;
@@ -1132,6 +1132,7 @@ efct_hw_parse_filter(struct efct_hw *hw, void *value)
efc_log_err(hw->os, "p is NULL\n");
return -ENOMEM;
}
+ pp = p;
idx = 0;
while ((token = strsep(&p, ",")) && *token) {
@@ -1144,7 +1145,7 @@ efct_hw_parse_filter(struct efct_hw *hw, void *value)
if (idx == ARRAY_SIZE(hw->config.filter_def))
break;
}
- kfree(p);
+ kfree(pp);
return rc;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 507/508] RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 506/508] scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 508/508] RISC-V: KVM: Dont treat SBI HFENCE calls as NOPs Greg Kroah-Hartman
` (4 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Atish Patra, Anup Patel, Anup Patel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anup Patel <apatel@ventanamicro.com>
[ Upstream commit 6aba0cb5bba6141158d5449f2cf53187b7f755f9 ]
As-per the SBI specification, an SBI remote fence operation applies
to the entire address space if either:
1) start_addr and size are both 0
2) size is equal to 2^XLEN-1
>From the above, only #1 is checked by SBI SFENCE calls so fix the
size parameter check in SBI SFENCE calls to cover #2 as well.
Fixes: 13acfec2dbcc ("RISC-V: KVM: Add remote HFENCE functions based on VCPU requests")
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Anup Patel <apatel@ventanamicro.com>
Link: https://lore.kernel.org/r/20250605061458.196003-2-apatel@ventanamicro.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kvm/vcpu_sbi_replace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/kvm/vcpu_sbi_replace.c b/arch/riscv/kvm/vcpu_sbi_replace.c
index 4c034d8a606a1..304d29383e6c0 100644
--- a/arch/riscv/kvm/vcpu_sbi_replace.c
+++ b/arch/riscv/kvm/vcpu_sbi_replace.c
@@ -91,14 +91,14 @@ static int kvm_sbi_ext_rfence_handler(struct kvm_vcpu *vcpu, struct kvm_run *run
kvm_riscv_fence_i(vcpu->kvm, hbase, hmask);
break;
case SBI_EXT_RFENCE_REMOTE_SFENCE_VMA:
- if (cp->a2 == 0 && cp->a3 == 0)
+ if ((cp->a2 == 0 && cp->a3 == 0) || cp->a3 == -1UL)
kvm_riscv_hfence_vvma_all(vcpu->kvm, hbase, hmask);
else
kvm_riscv_hfence_vvma_gva(vcpu->kvm, hbase, hmask,
cp->a2, cp->a3, PAGE_SHIFT);
break;
case SBI_EXT_RFENCE_REMOTE_SFENCE_VMA_ASID:
- if (cp->a2 == 0 && cp->a3 == 0)
+ if ((cp->a2 == 0 && cp->a3 == 0) || cp->a3 == -1UL)
kvm_riscv_hfence_vvma_asid_all(vcpu->kvm,
hbase, hmask, cp->a4);
else
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* [PATCH 6.1 508/508] RISC-V: KVM: Dont treat SBI HFENCE calls as NOPs
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 507/508] RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls Greg Kroah-Hartman
@ 2025-06-23 13:09 ` Greg Kroah-Hartman
2025-06-23 17:31 ` [PATCH 6.1 000/508] 6.1.142-rc1 review Peter Schneider
` (3 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-23 13:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Atish Patra, Anup Patel, Anup Patel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anup Patel <apatel@ventanamicro.com>
[ Upstream commit 2e7be162996640bbe3b6da694cc064c511b8a5d9 ]
The SBI specification clearly states that SBI HFENCE calls should
return SBI_ERR_NOT_SUPPORTED when one of the target hart doesn’t
support hypervisor extension (aka nested virtualization in-case
of KVM RISC-V).
Fixes: c7fa3c48de86 ("RISC-V: KVM: Treat SBI HFENCE calls as NOPs")
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Anup Patel <apatel@ventanamicro.com>
Link: https://lore.kernel.org/r/20250605061458.196003-3-apatel@ventanamicro.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kvm/vcpu_sbi_replace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/kvm/vcpu_sbi_replace.c b/arch/riscv/kvm/vcpu_sbi_replace.c
index 304d29383e6c0..1b8b3fa5f74ab 100644
--- a/arch/riscv/kvm/vcpu_sbi_replace.c
+++ b/arch/riscv/kvm/vcpu_sbi_replace.c
@@ -113,9 +113,9 @@ static int kvm_sbi_ext_rfence_handler(struct kvm_vcpu *vcpu, struct kvm_run *run
case SBI_EXT_RFENCE_REMOTE_HFENCE_VVMA_ASID:
/*
* Until nested virtualization is implemented, the
- * SBI HFENCE calls should be treated as NOPs
+ * SBI HFENCE calls should return not supported
+ * hence fallthrough.
*/
- break;
default:
ret = -EOPNOTSUPP;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 510+ messages in thread
* Re: [PATCH 6.1 000/508] 6.1.142-rc1 review
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2025-06-23 13:09 ` [PATCH 6.1 508/508] RISC-V: KVM: Dont treat SBI HFENCE calls as NOPs Greg Kroah-Hartman
@ 2025-06-23 17:31 ` Peter Schneider
2025-06-23 22:12 ` Florian Fainelli
` (2 subsequent siblings)
508 siblings, 0 replies; 510+ messages in thread
From: Peter Schneider @ 2025-06-23 17:31 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
Am 23.06.2025 um 15:00 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.1.142 release.
> There are 508 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg
oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 510+ messages in thread
* Re: [PATCH 6.1 000/508] 6.1.142-rc1 review
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2025-06-23 17:31 ` [PATCH 6.1 000/508] 6.1.142-rc1 review Peter Schneider
@ 2025-06-23 22:12 ` Florian Fainelli
2025-06-24 8:29 ` Ron Economos
2025-06-24 11:58 ` Mark Brown
508 siblings, 0 replies; 510+ messages in thread
From: Florian Fainelli @ 2025-06-23 22:12 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie
On 6/23/25 06:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.142 release.
> There are 508 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Jun 2025 13:05:52 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.142-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 510+ messages in thread
* Re: [PATCH 6.1 000/508] 6.1.142-rc1 review
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2025-06-23 22:12 ` Florian Fainelli
@ 2025-06-24 8:29 ` Ron Economos
2025-06-24 11:58 ` Mark Brown
508 siblings, 0 replies; 510+ messages in thread
From: Ron Economos @ 2025-06-24 8:29 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
On 6/23/25 06:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.142 release.
> There are 508 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Jun 2025 13:05:52 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.142-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 510+ messages in thread
* Re: [PATCH 6.1 000/508] 6.1.142-rc1 review
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2025-06-24 8:29 ` Ron Economos
@ 2025-06-24 11:58 ` Mark Brown
508 siblings, 0 replies; 510+ messages in thread
From: Mark Brown @ 2025-06-24 11:58 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Mon, Jun 23, 2025 at 03:00:45PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.142 release.
> There are 508 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 510+ messages in thread
end of thread, other threads:[~2025-06-24 11:58 UTC | newest]
Thread overview: 510+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-23 13:00 [PATCH 6.1 000/508] 6.1.142-rc1 review Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 001/508] mm/uffd: fix vma operation where start addr cuts part of vma Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 002/508] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 003/508] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 004/508] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 005/508] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 006/508] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 007/508] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 008/508] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 009/508] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 010/508] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 011/508] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 012/508] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 013/508] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
2025-06-23 13:00 ` [PATCH 6.1 014/508] gfs2: gfs2_create_inode error handling fix Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 015/508] perf/core: Fix broken throttling when max_samples_per_tick=1 Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 016/508] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 017/508] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 018/508] powerpc/crash: Fix non-smp kexec preparation Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 019/508] x86/cpu: Sanitize CPUID(0x80000000) output Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 020/508] crypto: marvell/cesa - Handle zero-length skcipher requests Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 021/508] crypto: marvell/cesa - Avoid empty transfer descriptor Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 022/508] crypto: lrw - Only add ecb if it is not already there Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 023/508] crypto: xts " Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 024/508] crypto: sun8i-ce - move fallback ahash_request to the end of the struct Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 025/508] ASoC: tas2764: Enable main IRQs Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 026/508] EDAC/skx_common: Fix general protection fault Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 027/508] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 028/508] spi: tegra210-quad: remove redundant error handling code Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 029/508] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 030/508] power: reset: at91-reset: Optimize at91_reset() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 031/508] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 032/508] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 033/508] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 034/508] spi: sh-msiof: Fix maximum DMA transfer size Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 035/508] ASoC: apple: mca: Constrain channels according to TDM mask Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 036/508] drm/vmwgfx: Add seqno waiter for sync_files Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 037/508] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 038/508] media: rkvdec: Fix frame size enumeration Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 039/508] arm64/fpsimd: Discard stale CPU state when handling SME traps Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 040/508] arm64/fpsimd: Fix merging of FPSIMD state during signal return Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 041/508] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 042/508] fs/ntfs3: handle hdr_first_de() return value Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 043/508] watchdog: exar: Shorten identity name to fit correctly Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 044/508] m68k: mac: Fix macintosh_config for Mac II Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 045/508] firmware: psci: Fix refcount leak in psci_dt_init Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 046/508] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 047/508] selftests/seccomp: fix syscall_restart test for arm compat Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 048/508] drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 049/508] drm/vkms: Adjust vkms_state->active_planes allocation type Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 050/508] drm/tegra: rgb: Fix the unbound reference count Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 051/508] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 052/508] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 053/508] wifi: ath11k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 054/508] IB/cm: use rwlock for MAD agent lock Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 055/508] bpf: fix ktls panic with sockmap Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 056/508] bpf, sockmap: fix duplicated data transmission Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 057/508] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 058/508] f2fs: fix to do sanity check on sbi->total_valid_block_count Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 059/508] net: ncsi: Fix GCPS 64-bit member variables Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 060/508] libbpf: Fix buffer overflow in bpf_object__init_prog Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 061/508] wifi: rtw88: do not ignore hardware read error during DPK Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 062/508] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 063/508] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 064/508] iommu: Protect against overflow in iommu_pgsize() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 065/508] f2fs: clean up w/ fscrypt_is_bounce_page() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 066/508] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 067/508] libbpf: Use proper errno value in linker Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 068/508] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 069/508] netfilter: nft_quota: match correctly when the quota just depleted Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 070/508] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 071/508] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 072/508] clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 073/508] clk: qcom: gcc-sm6350: " Greg Kroah-Hartman
2025-06-23 13:01 ` [PATCH 6.1 074/508] clk: qcom: gpucc-sm6350: " Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 075/508] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 076/508] efi/libstub: Describe missing out parameter in efi_load_initrd Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 077/508] tracing: Rename event_trigger_alloc() to trigger_data_alloc() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 078/508] tracing: Fix error handling in event_trigger_parse() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 079/508] ktls, sockmap: Fix missing uncharge operation Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 080/508] libbpf: Use proper errno value in nlattr Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 081/508] pinctrl: at91: Fix possible out-of-boundary access Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 082/508] bpf: Fix WARN() in get_bpf_raw_tp_regs Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 083/508] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 084/508] s390/bpf: Store backchain even for leaf progs Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 085/508] wifi: rtw88: fix the para buffer size to avoid reading out of bounds Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 086/508] iommu: remove duplicate selection of DMAR_TABLE Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 087/508] hisi_acc_vfio_pci: fix XQE dma address error Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 088/508] hisi_acc_vfio_pci: add eq and aeq interruption restore Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 089/508] wifi: ath9k_htc: Abort software beacon handling if disabled Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 090/508] kernfs: Relax constraint in draining guard Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 091/508] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 092/508] vfio/type1: Fix error unwind in migration dirty bitmap allocation Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 093/508] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 094/508] bpf, sockmap: Avoid using sk_socket after free when sending Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 095/508] netfilter: nft_tunnel: fix geneve_opt dump Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 096/508] net: usb: aqc111: fix error handling of usbnet read calls Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 097/508] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 098/508] bpf: Avoid __bpf_prog_ret0_warn when jit fails Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 099/508] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 100/508] net: phy: mscc: Fix memory leak when using one step timestamping Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 101/508] calipso: Dont call calipso functions for AF_INET sk Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 102/508] net: openvswitch: Fix the dead loop of MPLS parse Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 103/508] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 104/508] f2fs: use d_inode(dentry) cleanup dentry->d_inode Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 105/508] f2fs: fix to correct check conditions in f2fs_cross_rename Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 106/508] arm64: dts: qcom: sm8250: Fix CPU7 opp table Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 107/508] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 108/508] ARM: dts: at91: at91sam9263: fix NAND chip selects Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 109/508] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 110/508] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 111/508] arm64: dts: imx8mm-beacon: Fix RTC capacitive load Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 112/508] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 113/508] arm64: dts: mt6359: Add missing compatible property to regulators node Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 114/508] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 115/508] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 116/508] Squashfs: check return result of sb_min_blocksize Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 117/508] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 118/508] nilfs2: add pointer check for nilfs_direct_propagate() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 119/508] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 120/508] bus: fsl-mc: fix double-free on mc_dev Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 121/508] dt-bindings: vendor-prefixes: Add Liontron name Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 122/508] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 123/508] arm64: defconfig: mediatek: enable PHY drivers Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 124/508] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 125/508] arm64: dts: mt6359: Rename RTC node to match binding expectations Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 126/508] ARM: aspeed: Dont select SRAM Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 127/508] soc: aspeed: lpc: Fix impossible judgment condition Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 128/508] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 129/508] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 130/508] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 131/508] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 132/508] perf build: Warn when libdebuginfod devel files are not available Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 133/508] perf ui browser hists: Set actions->thread before calling do_zoom_thread() Greg Kroah-Hartman
2025-06-23 13:02 ` [PATCH 6.1 134/508] dm: dont change md if dm_table_set_restrictions() fails Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 135/508] dm: free table mempools if not used in __bind Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 136/508] backlight: pm8941: Add NULL check in wled_configure() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 137/508] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 138/508] hwmon: (asus-ec-sensors) check sensor index in read_string() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 139/508] perf intel-pt: Fix PEBS-via-PT data_src Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 140/508] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 141/508] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 142/508] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick} Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 143/508] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 144/508] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 145/508] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 146/508] perf tests switch-tracking: Fix timestamp comparison Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 147/508] perf record: Fix incorrect --user-regs comments Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 148/508] nfs: clear SB_RDONLY before getting superblock Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 149/508] nfs: ignore SB_RDONLY when remounting nfs Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 150/508] rtc: sh: assign correct interrupts with DT Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 151/508] PCI: cadence: Fix runtime atomic count underflow Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 152/508] PCI: apple: Use gpiod_set_value_cansleep in probe flow Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 153/508] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 154/508] dmaengine: ti: Add NULL check in udma_probe() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 155/508] PCI/DPC: Initialize aer_err_info before using it Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 156/508] usb: renesas_usbhs: Reorder clock handling and power management in probe Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 157/508] serial: Fix potential null-ptr-deref in mlb_usio_probe() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 158/508] iio: filter: admv8818: fix band 4, state 15 Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 159/508] iio: filter: admv8818: fix integer overflow Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 160/508] iio: filter: admv8818: fix range calculation Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 161/508] iio: filter: admv8818: Support frequencies >= 2^32 Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 162/508] iio: adc: ad7124: Fix 3dB filter frequency reading Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 163/508] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 164/508] counter: interrupt-cnt: Protect enable/disable OPs with mutex Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 165/508] coresight: prevent deactivate active config while enabling the config Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 166/508] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 167/508] net: stmmac: platform: guarantee uniqueness of bus_id Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 168/508] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 169/508] net: tipc: fix refcount warning in tipc_aead_encrypt Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 170/508] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 171/508] net/mlx4_en: Prevent potential integer overflow calculating Hz Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 172/508] net: lan966x: Make sure to insert the vlan tags also in host mode Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 173/508] spi: bcm63xx-spi: fix shared reset Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 174/508] spi: bcm63xx-hsspi: " Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 175/508] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 176/508] ice: create new Tx scheduler nodes for new queues only Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 177/508] ice: fix rebuilding the Tx scheduler tree for large queue counts Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 178/508] net: dsa: tag_brcm: legacy: fix pskb_may_pull length Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 179/508] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 180/508] net: fix udp gso skb_segment after pull from frag_list Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 181/508] vmxnet3: correctly report gso type for UDP tunnels Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 182/508] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 183/508] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 184/508] netfilter: nf_set_pipapo_avx2: fix initial map fill Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 185/508] wireguard: device: enable threaded NAPI Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 186/508] seg6: Fix validation of nexthop addresses Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 187/508] ASoC: codecs: hda: Fix RPM usage count underflow Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 188/508] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 189/508] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 190/508] do_change_type(): refuse to operate on unmounted/not ours mounts Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 191/508] xfs: fix interval filtering in multi-step fsmap queries Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 192/508] xfs: fix integer overflows in the fsmap rtbitmap and logdev backends Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 193/508] xfs: fix getfsmap reporting past the last rt extent Greg Kroah-Hartman
2025-06-23 13:03 ` [PATCH 6.1 194/508] xfs: clean up the rtbitmap fsmap backend Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 195/508] xfs: fix logdev fsmap query result filtering Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 196/508] xfs: validate fsmap offsets specified in the query keys Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 197/508] xfs: fix xfs_btree_query_range callers to initialize btree rec fully Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 198/508] xfs: fix an agbno overflow in __xfs_getfsmap_datadev Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 199/508] xfs: fix the contact address for the sysfs ABI documentation Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 200/508] xfs: verify buffer, inode, and dquot items every tx commit Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 201/508] xfs: use consistent uid/gid when grabbing dquots for inodes Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 202/508] xfs: declare xfs_file.c symbols in xfs_file.h Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 203/508] xfs: create a new helper to return a files allocation unit Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 204/508] xfs: Fix xfs_flush_unmap_range() range for RT Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 205/508] xfs: Fix xfs_prepare_shift() " Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 206/508] xfs: dont walk off the end of a directory data block Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 207/508] xfs: remove unused parameter in macro XFS_DQUOT_LOGRES Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 208/508] xfs: attr forks require attr, not attr2 Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 209/508] xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 210/508] xfs: Fix the owner setting issue for rmap query in xfs fsmap Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 211/508] xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 212/508] xfs: take m_growlock when running growfsrt Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 213/508] xfs: reset rootdir extent size hint after growfsrt Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 214/508] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 215/508] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 216/508] Input: synaptics-rmi - fix crash with unsupported versions of F34 Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 217/508] arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 218/508] arm64: dts: ti: k3-am65-main: Fix sdhci node properties Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 219/508] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 220/508] serial: sh-sci: Check if TX data was written to device in .tx_empty() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 221/508] serial: sh-sci: Move runtime PM enable to sci_probe_single() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 222/508] serial: sh-sci: Clean sci_ports[0] after at earlycon exit Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 223/508] scsi: core: ufs: Fix a hang in the error handler Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 224/508] Bluetooth: hci_core: fix list_for_each_entry_rcu usage Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 225/508] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 226/508] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 227/508] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 228/508] wifi: ath11k: remove unused function ath11k_tm_event_wmi() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 229/508] wifi: ath11k: fix soc_dp_stats debugfs file permission Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 230/508] wifi: ath11k: convert timeouts to secs_to_jiffies() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 231/508] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 232/508] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 233/508] wifi: ath11k: dont wait when there is no vdev started Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 234/508] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 235/508] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 236/508] pinctrl: qcom: pinctrl-qcm2290: Add missing pins Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 237/508] scsi: iscsi: Fix incorrect error path labels for flashnode operations Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 238/508] net_sched: sch_sfq: fix a potential crash on gso_skb handling Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 239/508] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 240/508] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 241/508] drm/meson: use unsigned long long / Hz for frequency types Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 242/508] drm/meson: fix debug log statement when setting the HDMI clocks Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 243/508] drm/meson: use vclk_freq instead of pixel_freq in debug print Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 244/508] drm/meson: fix more rounding issues with 59.94Hz modes Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 245/508] i40e: return false from i40e_reset_vf if reset is in progress Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 246/508] i40e: retry VFLR handling if there is ongoing VF reset Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 247/508] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 248/508] net: Fix TOCTOU issue in sk_is_readable() Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 249/508] macsec: MACsec SCI assignment for ES = 0 Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 250/508] net: mdio: C22 is now optional, EOPNOTSUPP if not provided Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 251/508] net/mdiobus: Fix potential out-of-bounds read/write access Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 252/508] Bluetooth: Fix NULL pointer deference on eir_get_service_data Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 253/508] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance Greg Kroah-Hartman
2025-06-23 13:04 ` [PATCH 6.1 254/508] Bluetooth: MGMT: Fix sparse errors Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 255/508] net/mlx5: Ensure fw pages are always allocated on same NUMA Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 256/508] net/mlx5: Fix return value when searching for existing flow group Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 257/508] net/mlx5e: Fix leak of Geneve TLV option object Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 258/508] net_sched: prio: fix a race in prio_tune() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 259/508] net_sched: red: fix a race in __red_change() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 260/508] net_sched: tbf: fix a race in tbf_change() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 261/508] net_sched: ets: fix a race in ets_qdisc_change() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 262/508] fs/filesystems: Fix potential unsigned integer underflow in fs_name() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 263/508] nvmet-fcloop: access fcpreq only when holding reqlock Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 264/508] perf: Ensure bpf_perf_link path is properly serialized Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 265/508] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 266/508] tools/resolve_btfids: Fix build when cross compiling kernel with clang Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 267/508] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 268/508] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 269/508] Revert "io_uring: ensure deferred completions are posted for multishot" Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 270/508] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 271/508] drm/amd/display: Do not add -mhard-float to dml_ccflags for clang Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 272/508] mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 273/508] kbuild: Add CLANG_FLAGS to as-instr Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 274/508] kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 275/508] kbuild: Add KBUILD_CPPFLAGS to as-option invocation Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 276/508] usb: usbtmc: Fix read_stb function and get_stb ioctl Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 277/508] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 278/508] usb: cdnsp: Fix issue with detecting command completion event Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 279/508] usb: cdnsp: Fix issue with detecting USB 3.2 speed Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 280/508] usb: Flush altsetting 0 endpoints before reinitializating them after reset Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 281/508] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 282/508] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 283/508] x86/iopl: Cure TIF_IO_BITMAP inconsistencies Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 284/508] calipso: unlock rcu before returning -EAFNOSUPPORT Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 285/508] net: usb: aqc111: debug info before sanitation Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 286/508] drm/meson: Use 1000ULL when operating with mode->clock Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 287/508] kbuild: userprogs: fix bitsize and target detection on clang Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 288/508] kbuild: hdrcheck: fix cross build with clang Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 289/508] configfs: Do not override creating attribute file failure in populate_attrs() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 290/508] crypto: marvell/cesa - Do not chain submitted requests Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 291/508] gfs2: move msleep to sleepable context Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 294/508] io_uring: account drain memory to cgroup Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 295/508] powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 296/508] regulator: max20086: Fix MAX200086 chip id Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 297/508] regulator: max20086: Change enable gpio to optional Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 298/508] net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 299/508] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 300/508] wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 301/508] wifi: ath11k: fix rx completion meta data corruption Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 302/508] wifi: ath11k: fix ring-buffer corruption Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 303/508] nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 304/508] nfsd: Initialize ssc before laundromat_work to prevent NULL dereference Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 305/508] jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 306/508] wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 307/508] media: ov8856: suppress probe deferral errors Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 308/508] media: ccs-pll: Start VT pre-PLL multiplier search from correct value Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 309/508] media: ccs-pll: Start OP " Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 310/508] media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 311/508] media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 312/508] media: cxusb: no longer judge rbuf when the write fails Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 313/508] media: davinci: vpif: Fix memory leak in probe error path Greg Kroah-Hartman
2025-06-23 13:05 ` [PATCH 6.1 314/508] media: gspca: Add error handling for stv06xx_read_sensor() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 315/508] media: omap3isp: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 316/508] media: v4l2-dev: fix error handling in __video_register_device() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 317/508] media: venus: Fix probe error handling Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 318/508] media: videobuf2: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 319/508] media: vidtv: Terminating the subsequent process of initialization failure Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 320/508] media: vivid: Change the siize of the composing Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 321/508] media: imx-jpeg: Drop the first error frames Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 322/508] media: uvcvideo: Return the number of processed controls Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 323/508] media: uvcvideo: Send control events for partial succeeds Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 324/508] media: uvcvideo: Fix deferred probing error Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 325/508] ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 326/508] ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 327/508] bus: mhi: host: Fix conflict between power_up and SYSERR Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 328/508] can: tcan4x5x: fix power regulator retrieval during probe Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 329/508] ceph: set superblock s_magic for IMA fsmagic matching Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 330/508] cgroup,freezer: fix incomplete freezing when attaching tasks Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 331/508] ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 332/508] bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 333/508] bus: fsl-mc: fix GET/SET_TAILDROP command ids Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 334/508] ext4: inline: fix len overflow in ext4_prepare_inline_data Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 335/508] ext4: fix calculation of credits for extent tree modification Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 336/508] ext4: factor out ext4_get_maxbytes() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 337/508] ext4: ensure i_size is smaller than maxbytes Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 338/508] Input: ims-pcu - check record size in ims_pcu_flash_firmware() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 339/508] Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 340/508] f2fs: prevent kernel warning due to negative i_nlink from corrupted image Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 341/508] f2fs: fix to do sanity check on sit_bitmap_size Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 342/508] NFC: nci: uart: Set tty->disc_data only in success path Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 343/508] net: ftgmac100: select FIXED_PHY Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 344/508] EDAC/altera: Use correct write width with the INTTEST register Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 345/508] fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 346/508] parisc/unaligned: Fix hex output to show 8 hex chars Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 347/508] vgacon: Add check for vc_origin address range in vgacon_scroll() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 348/508] parisc: fix building with gcc-15 Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 349/508] clk: meson-g12a: add missing fclk_div2 to spicc Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 350/508] ipc: fix to protect IPCS lookups using RCU Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 351/508] RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 352/508] mm: fix ratelimit_pages update error in dirty_ratio_handler() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 353/508] mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 354/508] mtd: nand: sunxi: Add randomizer configuration before randomizer enable Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 355/508] KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 356/508] dm-mirror: fix a tiny race condition Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 357/508] ftrace: Fix UAF when lookup kallsym after ftrace disabled Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 358/508] net: ch9200: fix uninitialised access during mii_nway_restart Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 359/508] KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 360/508] staging: iio: ad5933: Correct settling cycles encoding per datasheet Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 361/508] mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 362/508] regulator: max14577: Add error check for max14577_read_reg() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 363/508] remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 364/508] remoteproc: core: Release rproc->clean_table after rproc_attach() fails Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 365/508] cifs: reset connections for all channels when reconnect requested Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 366/508] uio_hv_generic: Use correct size for interrupt and monitor pages Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 367/508] PCI: cadence-ep: Correct PBA offset in .set_msix() callback Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 368/508] PCI: Add ACS quirk for Loongson PCIe Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 369/508] PCI: Fix lock symmetry in pci_slot_unlock() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 370/508] PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 371/508] iio: accel: fxls8962af: Fix temperature scan element sign Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 372/508] iio: imu: inv_icm42600: Fix temperature calculation Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 373/508] iio: adc: ad7606_spi: fix reg write value mask Greg Kroah-Hartman
2025-06-23 13:06 ` [PATCH 6.1 374/508] ACPICA: fix acpi operand cache leak in dswstate.c Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 375/508] ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 376/508] clocksource: Fix the CPUs choice in the watchdog per CPU verification Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 377/508] mmc: Add quirk to disable DDR50 tuning Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 378/508] ACPICA: Avoid sequence overread in call to strncmp() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 379/508] ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 380/508] ACPI: bus: Bail out if acpi_kobj registration fails Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 381/508] ACPICA: fix acpi parse and parseext cache leaks Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 382/508] power: supply: bq27xxx: Retrieve again when busy Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 383/508] ACPICA: utilities: Fix overflow check in vsnprintf() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 384/508] ASoC: tegra210_ahub: Add check to of_device_get_match_data() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 385/508] PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 386/508] ACPI: battery: negate current when discharging Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 387/508] net: macb: Check return value of dma_set_mask_and_coherent() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 388/508] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 389/508] tipc: use kfree_sensitive() for aead cleanup Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 390/508] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 391/508] i2c: designware: Invoke runtime suspend on quick slave re-registration Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 392/508] emulex/benet: correct command version selection in be_cmd_get_stats() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 393/508] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 394/508] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 395/508] sctp: Do not wake readers in __sctp_write_space() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 396/508] cpufreq: scmi: Skip SCMI devices that arent used by the CPUs Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 397/508] i2c: tegra: check msg length in SMBUS block read Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 398/508] i2c: npcm: Add clock toggle recovery Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 399/508] net: dlink: add synchronization for stats update Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 400/508] wifi: ath11k: Fix QMI memory reuse logic Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 401/508] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 402/508] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 403/508] x86/sgx: Prevent attempts to reclaim poisoned pages Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 404/508] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 405/508] net: atlantic: generate software timestamp just before the doorbell Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 406/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 407/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 408/508] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 409/508] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 410/508] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 411/508] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 412/508] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 413/508] wifi: mac80211: do not offer a mesh path if forwarding is disabled Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 414/508] bpftool: Fix cgroup command to only show cgroup bpf programs Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 415/508] clk: rockchip: rk3036: mark ddrphy as critical Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 416/508] libbpf: Add identical pointer detection to btf_dedup_is_equiv() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 417/508] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 418/508] iommu/amd: Ensure GA log notifier callbacks finish running before module unload Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 419/508] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 421/508] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 422/508] vxlan: Do not treat dst cache initialization errors as fatal Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 423/508] software node: Correct a OOB check in software_node_get_reference_args() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 424/508] pinctrl: mcp23s08: Reset all pins to input at probe Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 425/508] scsi: lpfc: Use memcpy() for BIOS version Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 426/508] sock: Correct error checking condition for (assign|release)_proto_idx() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 427/508] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 428/508] ice: fix check for existing switch rule Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 429/508] bpf, sockmap: Fix data lost during EAGAIN retries Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 430/508] net: ethernet: cortina: Use TOE/TSO on all TCP Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 431/508] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 432/508] fbcon: Make sure modelist not set on unregistered console Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 433/508] watchdog: da9052_wdt: respect TWDMIN Greg Kroah-Hartman
2025-06-23 13:07 ` [PATCH 6.1 434/508] bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 435/508] ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 436/508] tee: Prevent size calculation wraparound on 32-bit kernels Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 437/508] Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 438/508] platform/x86: dell_rbu: Fix list usage Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 439/508] platform/x86: dell_rbu: Stop overwriting data buffer Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 440/508] powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 441/508] Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 442/508] drivers/rapidio/rio_cm.c: prevent possible heap overwrite Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 443/508] platform/loongarch: laptop: Get brightness setting from EC on probe Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 444/508] platform/loongarch: laptop: Unregister generic_sub_drivers on exit Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 445/508] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 446/508] jffs2: check that raw node were preallocated before writing summary Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 447/508] jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 448/508] smb: improve directory cache reuse for readdir operations Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 449/508] scsi: storvsc: Increase the timeouts to storvsc_timeout Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 450/508] scsi: s390: zfcp: Ensure synchronous unit_add Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 451/508] net_sched: sch_sfq: reject invalid perturb period Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 452/508] udmabuf: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 453/508] selftests/x86: Add a test to detect infinite SIGTRAP handler loop Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 454/508] ksmbd: fix null pointer dereference in destroy_previous_session Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 455/508] selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 456/508] atm: Revert atm_account_tx() if copy_from_iter_full() fails Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 457/508] Input: sparcspkr - avoid unannotated fall-through Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 458/508] wifi: cfg80211: init wiphy_work before allocating rfkill fails Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 459/508] ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 460/508] ALSA: hda/intel: Add Thinkpad E15 to PM deny list Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 461/508] ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 462/508] iio: accel: fxls8962af: Fix temperature calculation Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 463/508] mm/hugetlb: unshare page tables during VMA split, not before Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 464/508] mm: hugetlb: independent PMD page table shared count Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 465/508] mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 466/508] mm/huge_memory: fix dereferencing invalid pmd migration entry Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 467/508] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 468/508] bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 469/508] erofs: remove unused trace event erofs_destroy_inode Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 470/508] drm/msm/disp: Correct porch timing for SDM845 Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 471/508] drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 472/508] ionic: Prevent driver/fw getting out of sync on devcmd(s) Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 473/508] drm/nouveau/bl: increase buffer size to avoid truncate warning Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 474/508] hwmon: (occ) Rework attribute registration for stack usage Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 475/508] hwmon: (occ) fix unaligned accesses Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 476/508] pldmfw: Select CRC32 when PLDMFW is selected Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 477/508] aoe: clean device rq_list in aoedev_downdev() Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 478/508] net: ice: Perform accurate aRFS flow match Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 479/508] ptp: fix breakage after ptp_vclock_in_use() rework Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 480/508] ptp: allow reading of currently dialed frequency to succeed on free-running clocks Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 481/508] wifi: carl9170: do not ping device which has failed to load firmware Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 482/508] mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu() Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 483/508] atm: atmtcp: Free invalid length skb in atmtcp_c_send() Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 484/508] tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 485/508] tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 486/508] tcp: fix passive TFO socket having invalid NAPI ID Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 487/508] net: microchip: lan743x: Reduce PTP timeout on HW failure Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 488/508] net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 489/508] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 490/508] net: atm: add lec_mutex Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 491/508] net: atm: fix /proc/net/atm/lec handling Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 492/508] dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 493/508] platform/x86: ideapad-laptop: add missing Ideapad Pro 5 fn keys Greg Kroah-Hartman
2025-06-23 13:08 ` [PATCH 6.1 494/508] ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 495/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 496/508] ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 497/508] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 498/508] arm64: dts: imx8mm: Drop sd-vsel-gpios from i.MX8M Mini Verdin SoM Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 499/508] serial: sh-sci: Increment the runtime usage counter for the earlycon device Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 500/508] Revert "cpufreq: tegra186: Share policy per cluster" Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 501/508] smb: client: fix first command failure during re-negotiation Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 502/508] platform/loongarch: laptop: Add backlight power control support Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 503/508] s390/pci: Fix __pcilg_mio_inuser() inline assembly Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 504/508] perf: Fix sample vs do_exit() Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 505/508] arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 506/508] scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 507/508] RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls Greg Kroah-Hartman
2025-06-23 13:09 ` [PATCH 6.1 508/508] RISC-V: KVM: Dont treat SBI HFENCE calls as NOPs Greg Kroah-Hartman
2025-06-23 17:31 ` [PATCH 6.1 000/508] 6.1.142-rc1 review Peter Schneider
2025-06-23 22:12 ` Florian Fainelli
2025-06-24 8:29 ` Ron Economos
2025-06-24 11:58 ` Mark Brown
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox