* [PATCH 6.17 000/371] 6.17.4-rc1 review
@ 2025-10-17 14:49 Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 001/371] fs: always return zero on success from replace_fd() Greg Kroah-Hartman
` (383 more replies)
0 siblings, 384 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
This is the start of the stable review cycle for the 6.17.4 release.
There are 371 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.17.4-rc1
Christian Brauner <brauner@kernel.org>
mount: handle NULL values in mnt_ns_release()
Christian Brauner <brauner@kernel.org>
pidfs: validate extensible ioctls
Darrick J. Wong <djwong@kernel.org>
iomap: error out on file IO when there is no inline_data buffer
Jan Kara <jack@suse.cz>
writeback: Avoid excessively long inode switching times
Jan Kara <jack@suse.cz>
writeback: Avoid softlockup when switching many inodes
Al Viro <viro@zeniv.linux.org.uk>
mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list
Christian Brauner <brauner@kernel.org>
nsfs: validate extensible ioctls
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
cramfs: Verify inode mode when loading from disk
Lichen Liu <lichliu@redhat.com>
fs: Add 'initramfs_options' to set initramfs mount options
Oleg Nesterov <oleg@redhat.com>
pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers
gaoxiang17 <gaoxiang17@xiaomi.com>
pid: Add a judgment for ns null in pid_nr_ns
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
minixfs: Verify inode mode when loading from disk
Miklos Szeredi <mszeredi@redhat.com>
copy_file_range: limit size if in compat mode
Lucas Zampieri <lzampier@redhat.com>
irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: property: Do not pass NULL handles to acpi_attach_data()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: property: Add code comments explaining what is going on
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: property: Disregard references in data-only subnode lists
Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
arm64: dts: qcom: qcs615: add missing dt property in QUP SEs
Edward Adam Davis <eadavis@qq.com>
media: mc: Clear minor number before put device
Donet Tom <donettom@linux.ibm.com>
mm/ksm: fix incorrect KSM counter handling in mm_struct during fork
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: reject negative file sizes in squashfs_read_inode()
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: add additional inode sanity checking
Guenter Roeck <linux@roeck-us.net>
ipmi: Fix handling of messages with provided receive message pointer
Jan Kara <jack@suse.cz>
ext4: free orphan info with kvfree
Huacai Chen <chenhuacai@kernel.org>
ACPICA: Allow to skip Global Lock initialization
Deepanshu Kartikey <kartikey406@gmail.com>
ext4: validate ea_ino and size in check_xattrs
Ahmet Eray Karadag <eraykrdg1@gmail.com>
ext4: guard against EA inode refcount underflow in xattr update
Zhang Yi <yi.zhang@huawei.com>
ext4: fix an off-by-one issue during moving extents
Theodore Ts'o <tytso@mit.edu>
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: correctly handle queries for metadata mappings
Yongjian Sun <sunyongjian1@huawei.com>
ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()
Jan Kara <jack@suse.cz>
ext4: verify orphan file size is not too big
Jan Kara <jack@suse.cz>
ext4: fail unaligned direct IO write with EINVAL
Baokun Li <libaokun1@huawei.com>
ext4: add ext4_sb_bread_nofail() helper function for ext4_free_branches()
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Allow stop on firmware only if start was issued.
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Fix format check for CAPTURE plane in try_fmt
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Fix missing LAST flag handling during drain
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Send dummy buffer address for all codecs during drain
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Update vbuf flags before v4l2_m2m_buf_done
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Simplify session stop logic by relying on vb2 checks
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Always destroy internal buffers on firmware release response
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Allow substate transition to load resources during output streaming
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Fix buffer count reporting in internal buffer check
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: Fix port streaming handling
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: iris: vpu3x: Add MNoC low power handshake during hardware power-off
Neil Armstrong <neil.armstrong@linaro.org>
media: iris: fix module removal if firmware download failed
Stephan Gerhold <stephan.gerhold@linaro.org>
media: iris: Fix firmware reference leak and unmap memory after load
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
media: iris: Call correct power off callback in cleanup path
Olga Kornievskaia <okorniev@redhat.com>
nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
Thorsten Blum <thorsten.blum@linux.dev>
NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
Scott Mayhew <smayhew@redhat.com>
nfsd: decouple the xprtsec policy check from check_nfsd_access()
SeongJae Park <sj@kernel.org>
mm/damon/lru_sort: use param_ctx for damon_attrs staging
SeongJae Park <sj@kernel.org>
mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
Li RongQing <lirongqing@baidu.com>
mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
Lance Yang <lance.yang@linux.dev>
mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage
Lance Yang <lance.yang@linux.dev>
mm/thp: fix MTE tag mismatch when replacing zero-filled subpages
Nick Morrow <morrownr@gmail.com>
wifi: mt76: mt7921u: Add VID/PID for Netgear A7500
Nick Morrow <morrownr@gmail.com>
wifi: mt76: mt7925u: Add VID/PID for Netgear A9000
Fedor Pchelkin <pchelkin@ispras.ru>
wifi: rtw89: avoid possible TX wait initialization race
Miaoqian Lin <linmq006@gmail.com>
wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs
Muhammad Usama Anjum <usama.anjum@collabora.com>
wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again
Suren Baghdasaryan <surenb@google.com>
slab: mark slab->obj_exts allocation failures unconditionally
Suren Baghdasaryan <surenb@google.com>
slab: prevent warnings when slab obj_exts vector allocation fails
Heiko Carstens <hca@linux.ibm.com>
s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR
Jaehoon Kim <jhkim@linux.ibm.com>
s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request
Jaehoon Kim <jhkim@linux.ibm.com>
s390/dasd: enforce dma_alignment to ensure proper buffer validation
Heiko Carstens <hca@linux.ibm.com>
s390/cio/ioasm: Fix __xsch() condition code handling
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: validate C-flag + def limit
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: reset blackhole on success with non-loopback ifaces
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: usable client side with C-flag
Sean Christopherson <seanjc@google.com>
x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)
Sean Christopherson <seanjc@google.com>
x86/umip: Check that the instruction opcode is at least two bytes
Xin Li (Intel) <xin@zytor.com>
x86/fred: Remove ENDBR64 from FRED entry points
Darrick J. Wong <djwong@kernel.org>
xfs: use deferred intent items for reaping crosslinked blocks
Santhosh Kumar K <s-k6@ti.com>
spi: cadence-quadspi: Fix cqspi_setup_flash()
Pratyush Yadav <pratyush@kernel.org>
spi: cadence-quadspi: Flush posted register writes before DAC access
Pratyush Yadav <pratyush@kernel.org>
spi: cadence-quadspi: Flush posted register writes before INDAC access
Johan Hovold <johan+linaro@kernel.org>
PCI/pwrctrl: Fix device leak at device stop
Johan Hovold <johan+linaro@kernel.org>
PCI/pwrctrl: Fix device and OF node leak at bus scan
Johan Hovold <johan+linaro@kernel.org>
PCI/pwrctrl: Fix device leak at registration
Niklas Cassel <cassel@kernel.org>
PCI: tegra194: Reset BARs when running in PCIe endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Handle errors in BPMP response
Niklas Cassel <cassel@kernel.org>
PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
Marek Vasut <marek.vasut+renesas@mailbox.org>
PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
Marek Vasut <marek.vasut+renesas@mailbox.org>
PCI: rcar-host: Drop PMSR spinlock
Marek Vasut <marek.vasut+renesas@mailbox.org>
PCI: rcar-gen4: Fix PHY initialization
Siddharth Vadapalli <s-vadapalli@ti.com>
PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit
Siddharth Vadapalli <s-vadapalli@ti.com>
PCI: j721e: Fix programming sequence of "strap" settings
Siddharth Vadapalli <s-vadapalli@ti.com>
PCI: j721e: Fix module autoloading
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Fix failure detection during resource resize
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Ensure relaxed tail alignment does not increase min_align
Lukas Wunner <lukas@wunner.de>
PCI/AER: Support errors introduced by PCIe r6.0
Niklas Schnelle <schnelle@linux.ibm.com>
PCI/AER: Fix missing uevent on recovery when a reset is requested
Lukas Wunner <lukas@wunner.de>
PCI/ERR: Fix uevent on failure to recover
Niklas Schnelle <schnelle@linux.ibm.com>
PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
Brian Norris <briannorris@google.com>
PCI/sysfs: Ensure devices are powered for config reads
Marek Vasut <marek.vasut+renesas@mailbox.org>
PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock
Jani Nurminen <jani.nurminen@windriver.com>
PCI: xilinx-nwl: Fix ECAM programming
Sean Christopherson <seanjc@google.com>
rseq/selftests: Use weak symbol reference, not definition, to link with glibc
Esben Haabendal <esben@geanix.com>
rtc: interface: Fix long-standing race when setting alarm
Esben Haabendal <esben@geanix.com>
rtc: interface: Ensure alarm irq is enabled when UIE is enabled
Patrice Chotard <patrice.chotard@foss.st.com>
memory: stm32_omm: Fix req2ack update test
Zhen Ni <zhen.ni@easystack.cn>
memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
Rex Chen <rex.chen_1@nxp.com>
mmc: mmc_spi: multiple block read remove read crc ack
Rex Chen <rex.chen_1@nxp.com>
mmc: core: SPI mode remove cmd7
Maarten Zanders <maarten@zanders.be>
mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N
Linus Walleij <linus.walleij@linaro.org>
mtd: rawnand: fsmc: Default to autodetect buswidth
Alexander Lobakin <aleksander.lobakin@intel.com>
xsk: Harden userspace-supplied xdp_desc validation
Miaoqian Lin <linmq006@gmail.com>
xtensa: simdisk: add input size check in proc_write_simdisk
Ma Ke <make24@iscas.ac.cn>
sparc: fix error handling in scan_one_device()
Anthony Yznaga <anthony.yznaga@oracle.com>
sparc64: fix hugetlb for sun4u
Bharath SM <bharathsm@microsoft.com>
smb client: fix bug with newly created file in cached dir
Eric Biggers <ebiggers@kernel.org>
sctp: Fix MAC comparison to be constant-time
Abinash Singh <abinashsinghlalotra@gmail.com>
scsi: sd: Fix build warning in sd_revalidate_disk()
Thorsten Blum <thorsten.blum@linux.dev>
scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
Harshit Agarwal <harshit@nutanix.com>
sched/deadline: Fix race in push_dl_task()
Alexandre Ghiti <alexghiti@rivosinc.com>
riscv: use an atomic xchg in pudp_huge_get_and_clear()
Corey Minyard <corey@minyard.net>
Revert "ipmi: fix msg stack when IPMI is disconnected"
Colin Ian King <colin.i.king@gmail.com>
pwm: Fix incorrect variable used in error message
Jisheng Zhang <jszhang@kernel.org>
pwm: berlin: Fix wrong register in suspend/resume
Nam Cao <namcao@linutronix.de>
powerpc/pseries/msi: Fix potential underflow and leak issue
Nam Cao <namcao@linutronix.de>
powerpc/powernv/pci: Fix underflow and leak issue
Dzmitry Sankouski <dsankouski@gmail.com>
power: supply: max77976_charger: fix constant current reporting
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: hibernate: Restrict GFP mask in power_down()
Mario Limonciello (AMD) <superm1@kernel.org>
PM: hibernate: Fix hybrid-sleep
Christian Loehle <christian.loehle@arm.com>
PM: EM: Fix late boot with holes in CPU topology
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
pinctrl: samsung: Drop unused S3C24xx driver data
Georg Gottleuber <ggo@tuxedocomputers.com>
nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
John David Anglin <dave.anglin@bell.net>
parisc: Remove spurious if statement from raw_copy_from_user()
Sam James <sam@gentoo.org>
parisc: don't reference obsolete termio struct for TC* constants
Xiao Liang <shaw.leon@gmail.com>
padata: Reset next CPU when reorder sequence wraps around
Askar Safin <safinaskar@zohomail.com>
openat2: don't trigger automounts with RESOLVE_NO_XDEV
Ma Ke <make24@iscas.ac.cn>
of: unittest: Fix device reference count leak in of_unittest_pci_node_verify
Yu Kuai <yukuai3@huawei.com>
md: fix mssing blktrace bio split events
Li Chen <me@linux.beauty>
loop: fix backing file reference leak on validation error
Johan Hovold <johan@kernel.org>
lib/genalloc: fix device leak in of_gen_pool_get()
Pratyush Yadav <pratyush@kernel.org>
kho: only fill kimage if KHO is finalized
Eric Biggers <ebiggers@kernel.org>
KEYS: trusted_tpm1: Compare HMAC values in constant time
Oleg Nesterov <oleg@redhat.com>
kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
Corey Minyard <corey@minyard.net>
ipmi:msghandler:Change seq_lock to a mutex
Corey Minyard <corey@minyard.net>
ipmi: Rework user message limit handling
Lu Baolu <baolu.lu@linux.intel.com>
iommu/vt-d: PRS isn't usable if PDS isn't supported
Sean Nyekjaer <sean@geanix.com>
iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended
Sean Nyekjaer <sean@geanix.com>
iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume
Sean Nyekjaer <sean@geanix.com>
iio: imu: inv_icm42600: Simplify pm_runtime setup
Huacai Chen <chenhuacai@kernel.org>
init: handle bootloader identifier in kernel parameters
Sean Anderson <sean.anderson@linux.dev>
iio: xilinx-ams: Unmask interrupts after updating alarms
Sean Anderson <sean.anderson@linux.dev>
iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK
Michael Hennerich <michael.hennerich@analog.com>
iio: frequency: adf4350: Fix prescaler usage.
Qianfeng Rong <rongqianfeng@vivo.com>
iio: dac: ad5421: use int type to store negative error codes
Qianfeng Rong <rongqianfeng@vivo.com>
iio: dac: ad5360: use int type to store negative error codes
Aleksandar Gerasimovski <aleksandar.gerasimovski@belden.com>
iio/adc/pac1934: fix channel disable configuration
Jarkko Nikula <jarkko.nikula@linux.intel.com>
i3c: Fix default I2C adapter timeout value
Conor Dooley <conor.dooley@microchip.com>
gpio: mpfs: fix setting gpio direction to output
Darrick J. Wong <djwong@kernel.org>
fuse: fix livelock in synchronous file put from fuseblk workers
Miklos Szeredi <mszeredi@redhat.com>
fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()
Ryan Roberts <ryan.roberts@arm.com>
fsnotify: pass correct offset to fsnotify_mmap_perm()
Shashank A P <shashank.ap@samsung.com>
fs: quota: create dedicated workqueue for quota_release_work
Haoxiang Li <haoxiang_li2024@163.com>
fs/ntfs3: Fix a resource leak bug in wnd_extend()
Finn Thain <fthain@linux-m68k.org>
fbdev: Fix logic error in "offb" name match
Nam Cao <namcao@linutronix.de>
eventpoll: Replace rwlock with spinlock
Thomas Fourier <fourier.thomas@gmail.com>
crypto: rockchip - Fix dma_unmap_sg() nents value
Thomas Fourier <fourier.thomas@gmail.com>
crypto: atmel - Fix dma_unmap_sg() direction
Thomas Fourier <fourier.thomas@gmail.com>
crypto: aspeed - Fix dma_unmap_sg() direction
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
Simon Schuster <schuster.simon@siemens-energy.com>
copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64)
Denzeel Oliva <wachiturroxd150@gmail.com>
clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks
Denzeel Oliva <wachiturroxd150@gmail.com>
clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths
Denzeel Oliva <wachiturroxd150@gmail.com>
clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes
Abel Vesa <abel.vesa@linaro.org>
clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk
Miaoqian Lin <linmq006@gmail.com>
cdx: Fix device node reference leak in cdx_msi_domain_init
Adam Xue <zxue@semtech.com>
bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
Sumit Kumar <sumit.kumar@oss.qualcomm.com>
bus: mhi: ep: Fix chained transfer handling in read path
Anderson Nascimento <anderson@allelesecurity.com>
btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
Yu Kuai <yukuai3@huawei.com>
blk-crypto: fix missing blktrace bio split events
Ard Biesheuvel <ardb@kernel.org>
drm/amd/display: Fix unsafe uses of kernel mode FPU
Fangzhi Zuo <Jerry.Zuo@amd.com>
drm/amd/display: Enable Dynamic DTBCLK Switch
Jesse Agate <jesse.agate@amd.com>
drm/amd/display: Incorrect Mirror Cositing
Matthew Auld <matthew.auld@intel.com>
drm/xe/uapi: loosen used tracking restriction
Shuhao Fu <sfual@cse.ust.hk>
drm/nouveau: fix bad ret code in nouveau_bo_move_prep
Marek Vasut <marek.vasut+renesas@mailbox.org>
drm/rcar-du: dsi: Fix 1/2/3 lane support
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Fix PDC sleep sequence
Jann Horn <jannh@google.com>
drm/panthor: Fix memory leak in panthor_ioctl_group_create()
Kaustabh Chakraborty <kauschluss@disroot.org>
drm/exynos: exynos7_drm_decon: remove ctx->suspended
Ma Ke <make24@iscas.ac.cn>
media: lirc: Fix error handling in lirc_register()
Jai Luthra <jai.luthra@ideasonboard.com>
media: ti: j721e-csi2rx: Fix source subdev link creation
Jai Luthra <jai.luthra@ideasonboard.com>
media: ti: j721e-csi2rx: Use devm_of_platform_populate
Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
media: vsp1: Export missing vsp1_isp_free_buffer symbol
Hans Verkuil <hverkuil+cisco@kernel.org>
media: vivid: fix disappearing <Vendor Command With ID> messages
Renjiang Han <quic_renjiang@quicinc.com>
media: venus: pm_helpers: add fallback for the opp-table
Stephan Gerhold <stephan.gerhold@linaro.org>
media: venus: firmware: Use correct reset sequence for IRIS2
Desnes Nunes <desnesn@redhat.com>
media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh
Bingbu Cao <bingbu.cao@intel.com>
media: staging/ipu7: fix isys device runtime PM usage in firmware closing
Arnd Bergmann <arnd@arndb.de>
media: s5p-mfc: remove an unused/uninitialized variable
Nícolas F. R. A. Prado <nfraprado@collabora.com>
media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids
David Lechner <dlechner@baylibre.com>
media: pci: mg4b: fix uninitialized iio scan data
Thomas Fourier <fourier.thomas@gmail.com>
media: pci: ivtv: Add missing check after DMA map
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: mc: Fix MUST_CONNECT handling for pads with no links
Qianfeng Rong <rongqianfeng@vivo.com>
media: i2c: mt9v111: fix incorrect type for ret
Hans Verkuil <hverkuil+cisco@kernel.org>
media: i2c: mt9p031: fix mbus code initialization
Thomas Fourier <fourier.thomas@gmail.com>
media: cx18: Add missing check after DMA map
Randy Dunlap <rdunlap@infradead.org>
media: cec: extron-da-hd-4k-plus: drop external-module make commands
Johan Hovold <johan@kernel.org>
firmware: meson_sm: fix device leak at probe
Tudor Ambarus <tudor.ambarus@linaro.org>
firmware: exynos-acpm: fix PMIC returned errno
Jason Andryuk <jason.andryuk@amd.com>
xen/events: Update virq_to_irq on migration
Jason Andryuk <jason.andryuk@amd.com>
xen/events: Return -EEXIST for bound VIRQs
Lukas Wunner <lukas@wunner.de>
xen/manage: Fix suspend error path
Jason Andryuk <jason.andryuk@amd.com>
xen/events: Cleanup find_virq() return codes
Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
xen: take system_transition_mutex on suspend
Michael Riesch <michael.riesch@collabora.com>
dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required
Tony Lindgren <tony.lindgren@linux.intel.com>
KVM: TDX: Fix uninitialized error code for __tdx_bringup()
Hou Wenlong <houwenlong.hwl@antgroup.com>
KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest
Sean Christopherson <seanjc@google.com>
x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP
Fuad Tabba <tabba@google.com>
KVM: arm64: Fix page leak in user_mem_abort()
Ben Horgan <ben.horgan@arm.com>
KVM: arm64: Fix debug checking for np-guests using huge mappings
Gautam Gala <ggala@linux.ibm.com>
KVM: s390: Fix to clear PTE when discarding a swapped page
Robin Murphy <robin.murphy@arm.com>
perf/arm-cmn: Fix CMN S3 DTM offset
Johan Hovold <johan@kernel.org>
firmware: arm_scmi: quirk: Prevent writes to string constants
Miaoqian Lin <linmq006@gmail.com>
ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init
Alexander Sverdlin <alexander.sverdlin@gmail.com>
ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on reset)
Catalin Marinas <catalin.marinas@arm.com>
arm64: mte: Do not flag the zero page as PG_mte_tagged
Yang Shi <yang@os.amperecomputing.com>
arm64: kprobes: call set_memory_rox() for kprobe page
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP
Vibhore Vardhan <vibhore@ti.com>
arm64: dts: ti: k3-am62a-main: Fix main padcfg length
Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default
Stephan Gerhold <stephan.gerhold@linaro.org>
arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees
Stephan Gerhold <stephan.gerhold@linaro.org>
arm64: dts: qcom: msm8939: Add missing MDSS reset
Stephan Gerhold <stephan.gerhold@linaro.org>
arm64: dts: qcom: msm8916: Add missing MDSS reset
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: battery: Add synchronization between interface updates
Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
ACPI: debug: fix signedness issues in read/write helpers
Ahmed Salem <x0rw3ll@gmail.com>
ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg
Daniel Tang <danielzgtg.opensource@gmail.com>
ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: property: Fix buffer properties extraction for subnodes
Ahmed Salem <x0rw3ll@gmail.com>
ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name
Nathan Chancellor <nathan@kernel.org>
s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections
Alexey Gladkov <legion@kernel.org>
s390: vmlinux.lds.S: Reorder sections
Nathan Chancellor <nathan@kernel.org>
kbuild: Add '.rel.*' strip pattern for vmlinux
Nathan Chancellor <nathan@kernel.org>
kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
Masahiro Yamada <masahiroy@kernel.org>
kbuild: keep .modinfo section in vmlinux.unstripped
Masahiro Yamada <masahiroy@kernel.org>
kbuild: always create intermediate vmlinux.unstripped
KaFai Wan <kafai.wan@linux.dev>
bpf: Avoid RCU context warning when unpinning htab with internal structs
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpio: wcd934x: mark the GPIO controller as sleeping
Gunnar Kudrjavets <gunnarku@amazon.com>
tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
Pali Rohár <pali@kernel.org>
cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points
Esben Haabendal <esben@geanix.com>
rtc: isl12022: Fix initial enable_irq/disable_irq balance
Paulo Alcantara <pc@manguebit.org>
smb: client: fix missing timestamp updates after utime(2)
Fushuai Wang <wangfushuai@baidu.com>
cifs: Fix copy_to_iter return value check
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Fix loopback mode configuration for GDM2 port
Herbert Xu <herbert@gondor.apana.org.au>
crypto: essiv - Check ssize for decryption and in-place encryption
Pavel Begunkov <asml.silence@gmail.com>
io_uring/zcrx: increment fallback loop src offset
Florian Westphal <fw@strlen.de>
selftests: netfilter: query conntrack state to check for port clash resolution
Florian Westphal <fw@strlen.de>
selftests: netfilter: nft_fib.sh: fix spurious test failures
Eric Woudstra <ericwouds@gmail.com>
bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nft_objref: validate objref and objrefmap expressions
T Pratham <t-pratham@ti.com>
crypto: skcipher - Fix reqsize handling
Thomas Wismer <thomas.wismer@scs.ch>
net: pse-pd: tps23881: Fix current measurement scaling
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Fix kfd process ref leaking when userptr unmapping
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Disable scaling on DCE6 for now
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Properly disable scaling on DCE6
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: Add additional DCE6 SCL registers
Jason-JH Lin <jason-jh.lin@mediatek.com>
mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()
Carolina Jubran <cjubran@nvidia.com>
net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed
Carolina Jubran <cjubran@nvidia.com>
net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables
Daniel Machon <daniel.machon@microchip.com>
net: sparx5/lan969x: fix flooding configuration on bridge join/leave
Maxime Chevallier <maxime.chevallier@bootlin.com>
net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Harini T <harini.t@amd.com>
mailbox: zynqmp-ipi: Fix SGI cleanup on unbind
Harini T <harini.t@amd.com>
mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
Harini T <harini.t@amd.com>
mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
Harini T <harini.t@amd.com>
mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call
Vincent Minet <v.minet@criteo.com>
perf tools: Fix arm64 libjvmti build by generating unistd_64.h
Eric Dumazet <edumazet@google.com>
tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()
Leo Yan <leo.yan@arm.com>
perf python: split Clang options when invoking Popen
Leo Yan <leo.yan@arm.com>
tools build: Align warning options with perf
Erick Karanja <karanja99erick@gmail.com>
net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe
Haotian Zhang <vulab@iscas.ac.cn>
ice: ice_adapter: release xa entry on adapter allocation failure
Sidharth Seela <sidharthseela@gmail.com>
selftest: net: ovpn: Fix uninit return values
Duoming Zhou <duoming@zju.edu.cn>
net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work
Kuniyuki Iwashima <kuniyu@google.com>
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
Alexandr Sapozhnikov <alsp705@gmail.com>
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Fix copy-paste typo in validation
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Fix Use-after-free in validation
Zack Rusin <zack.rusin@broadcom.com>
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Vineeth Vijayan <vneethv@linux.ibm.com>
s390/cio: Update purge function to unregister the unused subchannels
Raag Jadav <raag.jadav@intel.com>
drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/hw_engine_group: Fix double write lock release in error path
Dan Carpenter <dan.carpenter@linaro.org>
net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
Bhanu Seshu Kumar Valluri <bhanuseshukumar@gmail.com>
net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Init acpi_gbl_use_global_lock to false
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Fix build error for LTO with LLVM-18
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer size
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size
Ian Rogers <irogers@google.com>
perf bpf_counter: Fix handling of cpumap fixing hybrid
Sean Christopherson <seanjc@google.com>
mshv: Handle NEED_RESCHED_LAZY before transferring to guest
Daniel Lee <chullee@google.com>
scsi: ufs: sysfs: Make HID attributes visible
Ian Rogers <irogers@google.com>
perf bpf-filter: Fix opts declaration on older libbpfs
Duoming Zhou <duoming@zju.edu.cn>
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
Aaron Kling <webgeek1234@gmail.com>
cpufreq: tegra186: Set target frequency for all cpus in policy
Pin-yen Lin <treapking@chromium.org>
PM: sleep: Do not wait on SYNC_STATE_ONLY device links
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: core: Add two macros for walking device links
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: core: Annotate loops walking device links as _srcu
Feng Yang <yangfeng@kylinos.cn>
tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64
Jeff Layton <jlayton@kernel.org>
nfsd: fix timestamp updates in CB_GETATTR
Jeff Layton <jlayton@kernel.org>
nfsd: fix SETATTR updates for delegated timestamps
Jeff Layton <jlayton@kernel.org>
nfsd: track original timestamps in nfs4_delegation
Jeff Layton <jlayton@kernel.org>
nfsd: use ATTR_CTIME_SET for delegated ctime updates
Jeff Layton <jlayton@kernel.org>
vfs: add ATTR_CTIME_SET flag
Jeff Layton <jlayton@kernel.org>
nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()
Jeff Layton <jlayton@kernel.org>
nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update
Fedor Pchelkin <pchelkin@ispras.ru>
clk: tegra: do not overallocate memory for bpmp clocks
Alok Tiwari <alok.a.tiwari@oracle.com>
clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
Brian Masney <bmasney@redhat.com>
clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()
Chen-Yu Tsai <wenst@chromium.org>
clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags()
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m
Ian Rogers <irogers@google.com>
perf build-id: Ensure snprintf string is empty when size is 0
Ian Rogers <irogers@google.com>
perf evsel: Ensure the fallback message is always written to
Ian Rogers <irogers@google.com>
perf test: Avoid uncore_imc/clockticks in uniquification test
Ian Rogers <irogers@google.com>
perf evsel: Fix uniquification when PMU given without suffix
Ian Rogers <irogers@google.com>
perf test: Don't leak workload gopipe in PERF_RECORD_*
Leo Yan <leo.yan@arm.com>
perf session: Fix handling when buffer exceeds 2 GiB
Fushuai Wang <wangfushuai@baidu.com>
perf trace: Fix IS_ERR() vs NULL check bug
Ian Rogers <irogers@google.com>
perf test shell lbr: Avoid failures with perf event paranoia
Ian Rogers <irogers@google.com>
perf test: AMD IBS swfilt skip kernel tests if paranoia is >1
Ilkka Koskinen <ilkka@os.amperecomputing.com>
perf vendor events arm64 AmpereOneX: Fix typo - should be l1d_cache_access_prefetches
Leo Yan <leo.yan@arm.com>
perf arm_spe: Correct memory level for remote access
Leo Yan <leo.yan@arm.com>
perf arm_spe: Correct setting remote access
Clément Le Goffic <clement.legoffic@foss.st.com>
rtc: optee: fix memory leak on driver removal
Rob Herring (Arm) <robh@kernel.org>
rtc: x1205: Fix Xicor X1205 vendor prefix
Yunseong Kim <ysk@kzalloc.com>
perf util: Fix compression checks returning -1 as bool
GuoHan Zhao <zhaoguohan@kylinos.cn>
perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()
Christophe Leroy <christophe.leroy@csgroup.eu>
perf: Completely remove possibility to override MAX_NR_CPUS
Yuan CHen <chenyuan@kylinos.cn>
clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()
Brian Masney <bmasney@redhat.com>
clk: at91: peripheral: fix return value
Ian Rogers <irogers@google.com>
perf parse-events: Handle fake PMUs in CPU terms
Lukas Bulwahn <lukas.bulwahn@redhat.com>
clk: qcom: Select the intended config in QCS_DISPCC_615
Dan Carpenter <dan.carpenter@linaro.org>
clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()
Ian Rogers <irogers@google.com>
libperf event: Ensure tracing data is multiple of 8 sized
Ian Rogers <irogers@google.com>
perf evsel: Avoid container_of on a NULL leader
Ian Rogers <irogers@google.com>
perf test trace_btf_enum: Skip if permissions are insufficient
Ian Rogers <irogers@google.com>
perf disasm: Avoid undefined behavior in incrementing NULL
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
clk: renesas: r9a08g045: Add MSTOP for GPIO
Michal Wilczynski <m.wilczynski@samsung.com>
clk: thead: Correct parent for DPU pixel clocks
Icenowy Zheng <uwu@icenowy.me>
clk: thead: th1520-ap: fix parent of padctrl0 clock
Icenowy Zheng <uwu@icenowy.me>
clk: thead: th1520-ap: describe gate clocks with clk_gate
Arnd Bergmann <arnd@arndb.de>
clk: npcm: select CONFIG_AUXILIARY_BUS
Varad Gautam <varadgautam@google.com>
asm-generic/io.h: Skip trace helpers if rwmmio events are disabled
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
Michael Hennerich <michael.hennerich@analog.com>
iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE
Sean Christopherson <seanjc@google.com>
KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2
Hou Wenlong <houwenlong.hwl@antgroup.com>
KVM: x86: Add helper to retrieve current value of user return MSR
Olga Kornievskaia <okorniev@redhat.com>
nfsd: unregister with rpcbind when deleting a transport
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency
Petr Tesarik <ptesarik@suse.com>
dma-mapping: fix direction in dma_alloc direction traces
Brian Norris <briannorris@chromium.org>
PM: runtime: Update kerneldoc return codes
Toke Høiland-Jørgensen <toke@redhat.com>
page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches
Shakeel Butt <shakeel.butt@linux.dev>
memcg: skip cgroup_file_notify if spinning is not allowed
Zhen Ni <zhen.ni@easystack.cn>
clocksource/drivers/clps711x: Fix resource leaks in error paths
Christian Brauner <brauner@kernel.org>
listmount: don't call path_put() under namespace semaphore
Christian Brauner <brauner@kernel.org>
statmount: don't call path_put() under namespace semaphore
Thomas Gleixner <tglx@linutronix.de>
rseq: Protect event mask against membarrier IPI
Omar Sandoval <osandov@fb.com>
arm64: map [_text, _stext) virtual address range non-executable+read-only
Qu Wenruo <wqu@suse.com>
btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()
Aleksa Sarai <cyphar@cyphar.com>
fscontext: do not consume log entries when returning -EMSGSIZE
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
fs: always return zero on success from replace_fd()
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 3 +
.../bindings/phy/rockchip-inno-csi-dphy.yaml | 15 +-
Makefile | 4 +-
arch/arm/mach-omap2/am33xx-restart.c | 36 ++
arch/arm/mach-omap2/pm33xx-core.c | 6 +-
arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +
arch/arm64/boot/dts/qcom/msm8939.dtsi | 2 +
arch/arm64/boot/dts/qcom/qcs615.dtsi | 6 +
arch/arm64/boot/dts/qcom/sdm845.dtsi | 4 +-
arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi | 2 +
arch/arm64/boot/dts/ti/k3-am62a-main.dtsi | 2 +-
arch/arm64/boot/dts/ti/k3-am62p5.dtsi | 2 +-
arch/arm64/include/asm/ftrace.h | 1 +
arch/arm64/kernel/cpufeature.c | 10 +-
arch/arm64/kernel/mte.c | 2 +-
arch/arm64/kernel/pi/map_kernel.c | 6 +
arch/arm64/kernel/probes/kprobes.c | 12 +
arch/arm64/kernel/setup.c | 4 +-
arch/arm64/kvm/hyp/nvhe/mem_protect.c | 9 +-
arch/arm64/kvm/mmu.c | 9 +-
arch/arm64/mm/init.c | 2 +-
arch/arm64/mm/mmu.c | 14 +-
arch/loongarch/Makefile | 4 +-
arch/loongarch/kernel/setup.c | 1 +
arch/parisc/include/uapi/asm/ioctls.h | 8 +-
arch/parisc/lib/memcpy.c | 1 -
arch/powerpc/platforms/powernv/pci-ioda.c | 2 +-
arch/powerpc/platforms/pseries/msi.c | 2 +-
arch/riscv/include/asm/pgtable.h | 11 +
arch/s390/Makefile | 1 +
arch/s390/include/asm/pgtable.h | 22 +
arch/s390/kernel/vmlinux.lds.S | 54 +--
arch/s390/mm/gmap_helpers.c | 12 +-
arch/s390/mm/pgtable.c | 23 +-
arch/sparc/kernel/of_device_32.c | 1 +
arch/sparc/kernel/of_device_64.c | 1 +
arch/sparc/mm/hugetlbpage.c | 20 +
arch/x86/entry/entry_64_fred.S | 2 +-
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/include/asm/msr-index.h | 1 +
arch/x86/kernel/kvm.c | 21 +-
arch/x86/kernel/umip.c | 15 +-
arch/x86/kvm/pmu.c | 5 +
arch/x86/kvm/svm/pmu.c | 1 +
arch/x86/kvm/svm/sev.c | 10 +
arch/x86/kvm/svm/svm.c | 25 +-
arch/x86/kvm/svm/svm.h | 2 +
arch/x86/kvm/vmx/tdx.c | 10 +-
arch/x86/kvm/x86.c | 8 +
arch/xtensa/platforms/iss/simdisk.c | 6 +-
block/blk-crypto-fallback.c | 3 +
crypto/essiv.c | 14 +-
crypto/skcipher.c | 2 +
drivers/acpi/acpi_dbg.c | 26 +-
drivers/acpi/acpi_tad.c | 3 +
drivers/acpi/acpica/acdebug.h | 2 +-
drivers/acpi/acpica/evglock.c | 4 +
drivers/acpi/battery.c | 43 +-
drivers/acpi/property.c | 139 +++---
drivers/base/base.h | 9 +
drivers/base/core.c | 2 +-
drivers/base/power/main.c | 24 +-
drivers/base/power/runtime.c | 3 +-
drivers/block/loop.c | 8 +-
drivers/bus/mhi/ep/main.c | 37 +-
drivers/bus/mhi/host/init.c | 5 +-
drivers/cdx/cdx_msi.c | 1 +
drivers/char/ipmi/ipmi_kcs_sm.c | 16 +-
drivers/char/ipmi/ipmi_msghandler.c | 490 ++++++++++-----------
drivers/char/tpm/tpm_tis_core.c | 4 +-
drivers/clk/Kconfig | 1 +
drivers/clk/at91/clk-peripheral.c | 7 +-
drivers/clk/mediatek/clk-mt8195-infra_ao.c | 2 +-
drivers/clk/mediatek/clk-mux.c | 4 +-
drivers/clk/nxp/clk-lpc18xx-cgu.c | 20 +-
drivers/clk/qcom/Kconfig | 2 +-
drivers/clk/qcom/common.c | 4 +-
drivers/clk/qcom/tcsrcc-x1e80100.c | 4 +
drivers/clk/renesas/r9a08g045-cpg.c | 3 +-
drivers/clk/renesas/renesas-cpg-mssr.c | 7 +-
drivers/clk/samsung/clk-exynos990.c | 52 ++-
drivers/clk/tegra/clk-bpmp.c | 2 +-
drivers/clk/thead/clk-th1520-ap.c | 390 ++++++++--------
drivers/clocksource/clps711x-timer.c | 23 +-
drivers/cpufreq/cppc_cpufreq.c | 14 +-
drivers/cpufreq/cpufreq-dt.c | 2 +-
drivers/cpufreq/imx6q-cpufreq.c | 2 +-
drivers/cpufreq/intel_pstate.c | 8 +-
drivers/cpufreq/mediatek-cpufreq-hw.c | 2 +-
drivers/cpufreq/rcpufreq_dt.rs | 2 +-
drivers/cpufreq/scmi-cpufreq.c | 2 +-
drivers/cpufreq/scpi-cpufreq.c | 2 +-
drivers/cpufreq/spear-cpufreq.c | 2 +-
drivers/cpufreq/tegra186-cpufreq.c | 8 +-
drivers/crypto/aspeed/aspeed-hace-crypto.c | 2 +-
drivers/crypto/atmel-tdes.c | 2 +-
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 2 +-
drivers/firmware/arm_scmi/quirks.c | 15 +-
drivers/firmware/meson/meson_sm.c | 7 +-
drivers/firmware/samsung/exynos-acpm-pmic.c | 25 +-
drivers/gpio/gpio-mpfs.c | 2 +-
drivers/gpio/gpio-wcd934x.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 9 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 +
drivers/gpu/drm/amd/display/dc/dce/dce_transform.c | 21 +-
drivers/gpu/drm/amd/display/dc/dce/dce_transform.h | 4 +
.../gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c | 4 +
.../gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c | 6 +-
.../gpu/drm/amd/display/dc/dml/dcn351/dcn351_fpu.c | 4 +-
.../amd/display/dc/resource/dce60/dce60_resource.c | 4 +-
.../amd/display/dc/resource/dcn35/dcn35_resource.c | 16 +-
.../display/dc/resource/dcn351/dcn351_resource.c | 17 +-
.../amd/display/dc/resource/dcn36/dcn36_resource.c | 16 +-
drivers/gpu/drm/amd/display/dc/sspl/dc_spl.c | 10 +-
.../gpu/drm/amd/include/asic_reg/dce/dce_6_0_d.h | 7 +
.../drm/amd/include/asic_reg/dce/dce_6_0_sh_mask.h | 2 +
drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 --
drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 28 +-
drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 6 +
drivers/gpu/drm/nouveau/nouveau_bo.c | 2 +-
drivers/gpu/drm/panthor/panthor_drv.c | 11 +-
drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c | 5 +-
.../gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h | 8 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 +-
drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 6 +-
drivers/gpu/drm/xe/xe_hw_engine_group.c | 6 +-
drivers/gpu/drm/xe/xe_pm.c | 2 +-
drivers/gpu/drm/xe/xe_query.c | 15 +-
drivers/hv/mshv_common.c | 2 +-
drivers/hv/mshv_root_main.c | 3 +-
drivers/i3c/master.c | 2 +-
drivers/iio/adc/pac1934.c | 20 +-
drivers/iio/adc/xilinx-ams.c | 47 +-
drivers/iio/dac/ad5360.c | 2 +-
drivers/iio/dac/ad5421.c | 2 +-
drivers/iio/frequency/adf4350.c | 20 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 39 +-
drivers/iommu/intel/iommu.c | 2 +-
drivers/irqchip/irq-sifive-plic.c | 6 +-
drivers/mailbox/mtk-cmdq-mailbox.c | 12 +-
drivers/mailbox/zynqmp-ipi-mailbox.c | 24 +-
drivers/md/md-linear.c | 1 +
drivers/md/raid0.c | 4 +
drivers/md/raid1.c | 4 +
drivers/md/raid10.c | 8 +
drivers/md/raid5.c | 2 +
.../media/cec/usb/extron-da-hd-4k-plus/Makefile | 6 -
drivers/media/i2c/mt9p031.c | 4 +-
drivers/media/i2c/mt9v111.c | 2 +-
drivers/media/mc/mc-devnode.c | 6 +-
drivers/media/mc/mc-entity.c | 2 +-
drivers/media/pci/cx18/cx18-queue.c | 13 +-
drivers/media/pci/ivtv/ivtv-irq.c | 2 +-
drivers/media/pci/ivtv/ivtv-yuv.c | 8 +-
drivers/media/pci/mgb4/mgb4_trigger.c | 2 +-
.../media/platform/mediatek/mdp3/mtk-mdp3-comp.c | 3 +
drivers/media/platform/qcom/iris/iris_buffer.c | 31 +-
drivers/media/platform/qcom/iris/iris_buffer.h | 1 +
drivers/media/platform/qcom/iris/iris_core.c | 10 +-
drivers/media/platform/qcom/iris/iris_firmware.c | 15 +-
.../platform/qcom/iris/iris_hfi_gen1_command.c | 45 +-
.../platform/qcom/iris/iris_hfi_gen1_response.c | 4 +-
.../platform/qcom/iris/iris_hfi_gen2_response.c | 5 +-
drivers/media/platform/qcom/iris/iris_state.c | 5 +-
drivers/media/platform/qcom/iris/iris_state.h | 1 +
drivers/media/platform/qcom/iris/iris_vb2.c | 8 +-
drivers/media/platform/qcom/iris/iris_vdec.c | 2 +-
drivers/media/platform/qcom/iris/iris_vidc.c | 1 +
drivers/media/platform/qcom/iris/iris_vpu3x.c | 32 +-
drivers/media/platform/qcom/iris/iris_vpu_common.c | 2 +-
drivers/media/platform/qcom/venus/firmware.c | 8 +-
drivers/media/platform/qcom/venus/pm_helpers.c | 9 +-
drivers/media/platform/renesas/vsp1/vsp1_vspx.c | 1 +
.../platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c | 35 +-
.../media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 9 +-
drivers/media/rc/lirc_dev.c | 9 +-
drivers/media/test-drivers/vivid/vivid-cec.c | 12 +-
drivers/media/usb/uvc/uvc_ctrl.c | 3 +-
drivers/memory/samsung/exynos-srom.c | 10 +-
drivers/memory/stm32_omm.c | 2 +-
drivers/mmc/core/sdio.c | 6 +-
drivers/mmc/host/mmc_spi.c | 2 +-
drivers/mtd/nand/raw/fsmc_nand.c | 6 +-
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 14 +-
drivers/net/ethernet/airoha/airoha_eth.c | 4 +-
drivers/net/ethernet/airoha/airoha_regs.h | 3 +
drivers/net/ethernet/freescale/fsl_pq_mdio.c | 2 +
drivers/net/ethernet/intel/ice/ice_adapter.c | 10 +-
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2 +-
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 38 +-
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 2 +-
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 32 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 5 +-
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 18 +-
.../net/ethernet/microchip/sparx5/sparx5_main.c | 5 +
.../ethernet/microchip/sparx5/sparx5_switchdev.c | 12 +
.../net/ethernet/microchip/sparx5/sparx5_vlan.c | 10 -
drivers/net/ethernet/mscc/ocelot_stats.c | 2 +-
drivers/net/mdio/mdio-i2c.c | 39 +-
drivers/net/pse-pd/tps23881.c | 2 +-
drivers/net/usb/lan78xx.c | 11 +-
drivers/net/wireless/ath/ath11k/core.c | 6 +-
drivers/net/wireless/ath/ath11k/hal.c | 16 +
drivers/net/wireless/ath/ath11k/hal.h | 1 +
drivers/net/wireless/intel/iwlwifi/mld/debugfs.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +
drivers/net/wireless/mediatek/mt76/mt7925/usb.c | 3 +
drivers/net/wireless/realtek/rtw89/core.c | 39 +-
drivers/net/wireless/realtek/rtw89/core.h | 3 +-
drivers/net/wireless/realtek/rtw89/pci.c | 2 -
drivers/nvme/host/pci.c | 2 +
drivers/of/unittest.c | 1 +
drivers/pci/bus.c | 14 +-
drivers/pci/controller/cadence/pci-j721e.c | 26 ++
drivers/pci/controller/dwc/pci-keystone.c | 4 +-
drivers/pci/controller/dwc/pcie-rcar-gen4.c | 2 +-
drivers/pci/controller/dwc/pcie-tegra194.c | 32 +-
drivers/pci/controller/pci-tegra.c | 27 +-
drivers/pci/controller/pcie-rcar-host.c | 40 +-
drivers/pci/controller/pcie-xilinx-nwl.c | 7 +-
drivers/pci/iov.c | 5 +
drivers/pci/pci-driver.c | 1 +
drivers/pci/pci-sysfs.c | 20 +-
drivers/pci/pcie/aer.c | 12 +-
drivers/pci/pcie/err.c | 8 +-
drivers/pci/probe.c | 19 +-
drivers/pci/remove.c | 2 +
drivers/pci/setup-bus.c | 37 +-
drivers/perf/arm-cmn.c | 9 +-
drivers/pinctrl/samsung/pinctrl-samsung.h | 4 -
drivers/power/supply/max77976_charger.c | 12 +-
drivers/pwm/core.c | 2 +-
drivers/pwm/pwm-berlin.c | 4 +-
drivers/rtc/interface.c | 27 ++
drivers/rtc/rtc-isl12022.c | 1 +
drivers/rtc/rtc-optee.c | 1 +
drivers/rtc/rtc-x1205.c | 2 +-
drivers/s390/block/dasd.c | 17 +-
drivers/s390/cio/device.c | 37 +-
drivers/s390/cio/ioasm.c | 7 +-
drivers/scsi/hpsa.c | 21 +-
drivers/scsi/mvsas/mv_init.c | 2 +-
drivers/scsi/sd.c | 50 ++-
drivers/spi/spi-cadence-quadspi.c | 18 +-
drivers/staging/media/ipu7/ipu7-isys-video.c | 1 +
drivers/ufs/core/ufs-sysfs.c | 2 +-
drivers/ufs/core/ufs-sysfs.h | 1 +
drivers/ufs/core/ufshcd.c | 2 +
drivers/video/fbdev/core/fb_cmdline.c | 2 +-
drivers/xen/events/events_base.c | 37 +-
drivers/xen/manage.c | 14 +-
fs/attr.c | 44 +-
fs/btrfs/export.c | 8 +-
fs/btrfs/extent_io.c | 14 +-
fs/cramfs/inode.c | 11 +-
fs/eventpoll.c | 139 ++----
fs/ext4/ext4.h | 2 +
fs/ext4/fsmap.c | 14 +-
fs/ext4/indirect.c | 2 +-
fs/ext4/inode.c | 45 +-
fs/ext4/move_extent.c | 2 +-
fs/ext4/orphan.c | 17 +-
fs/ext4/super.c | 26 +-
fs/ext4/xattr.c | 19 +-
fs/file.c | 5 +-
fs/fs-writeback.c | 32 +-
fs/fsopen.c | 70 +--
fs/fuse/dev.c | 2 +-
fs/fuse/file.c | 8 +-
fs/iomap/buffered-io.c | 15 +-
fs/iomap/direct-io.c | 3 +
fs/minix/inode.c | 8 +-
fs/namei.c | 8 +
fs/namespace.c | 110 +++--
fs/nfsd/export.c | 82 ++--
fs/nfsd/export.h | 3 +
fs/nfsd/lockd.c | 15 +
fs/nfsd/nfs4proc.c | 33 +-
fs/nfsd/nfs4state.c | 44 +-
fs/nfsd/nfs4xdr.c | 5 +-
fs/nfsd/nfsfh.c | 24 +-
fs/nfsd/state.h | 8 +
fs/nfsd/vfs.c | 2 +-
fs/nsfs.c | 4 +-
fs/ntfs3/bitmap.c | 1 +
fs/pidfs.c | 2 +-
fs/quota/dquot.c | 10 +-
fs/read_write.c | 14 +-
fs/smb/client/dir.c | 1 +
fs/smb/client/smb1ops.c | 62 ++-
fs/smb/client/smb2inode.c | 22 +-
fs/smb/client/smb2ops.c | 10 +-
fs/squashfs/inode.c | 24 +-
fs/xfs/scrub/reap.c | 9 +-
include/acpi/acpixf.h | 6 +
include/asm-generic/io.h | 98 +++--
include/asm-generic/vmlinux.lds.h | 2 +-
include/linux/cpufreq.h | 3 +
include/linux/fs.h | 15 +
include/linux/iio/frequency/adf4350.h | 2 +-
include/linux/ksm.h | 8 +-
include/linux/memcontrol.h | 26 +-
include/linux/mm.h | 22 +-
include/linux/pm_runtime.h | 56 +--
include/linux/rseq.h | 11 +-
include/linux/sunrpc/svc_xprt.h | 3 +
include/media/v4l2-subdev.h | 30 +-
include/trace/events/dma.h | 1 +
init/main.c | 12 +
io_uring/zcrx.c | 1 +
kernel/bpf/inode.c | 4 +-
kernel/fork.c | 2 +-
kernel/kexec_handover.c | 2 +-
kernel/padata.c | 6 +-
kernel/pid.c | 5 +-
kernel/power/energy_model.c | 11 +-
kernel/power/hibernate.c | 6 +
kernel/rseq.c | 10 +-
kernel/sched/deadline.c | 73 ++-
kernel/sys.c | 22 +-
lib/genalloc.c | 5 +-
mm/damon/lru_sort.c | 2 +-
mm/damon/vaddr.c | 8 +-
mm/huge_memory.c | 15 +-
mm/hugetlb.c | 3 +
mm/memcontrol.c | 7 +-
mm/migrate.c | 23 +-
mm/page_alloc.c | 2 +-
mm/slab.h | 8 +-
mm/slub.c | 3 +-
mm/util.c | 3 +-
net/bridge/br_vlan.c | 2 +-
net/core/filter.c | 2 +
net/core/page_pool.c | 76 +++-
net/ipv4/tcp.c | 5 +-
net/ipv4/tcp_input.c | 1 -
net/mptcp/ctrl.c | 2 +-
net/mptcp/pm.c | 7 +-
net/mptcp/pm_kernel.c | 50 ++-
net/mptcp/protocol.h | 8 +
net/netfilter/nft_objref.c | 39 ++
net/sctp/sm_make_chunk.c | 3 +-
net/sctp/sm_statefuns.c | 6 +-
net/sunrpc/svc_xprt.c | 13 +
net/sunrpc/svcsock.c | 2 +
net/xdp/xsk_queue.h | 45 +-
rust/kernel/cpufreq.rs | 7 +-
scripts/Makefile.vmlinux | 51 ++-
scripts/mksysmap | 3 +
security/keys/trusted-keys/trusted_tpm1.c | 7 +-
sound/soc/sof/intel/hda-pcm.c | 29 +-
sound/soc/sof/intel/hda-stream.c | 29 +-
sound/soc/sof/ipc4-topology.c | 9 +-
sound/soc/sof/ipc4-topology.h | 7 +-
tools/build/feature/Makefile | 4 +-
tools/lib/perf/include/perf/event.h | 1 +
tools/perf/Makefile.perf | 2 +-
tools/perf/builtin-trace.c | 4 +-
tools/perf/perf.h | 2 -
.../arch/arm64/ampere/ampereonex/metrics.json | 10 +-
tools/perf/tests/perf-record.c | 4 +
tools/perf/tests/shell/amd-ibs-swfilt.sh | 51 ++-
tools/perf/tests/shell/record_lbr.sh | 26 +-
tools/perf/tests/shell/stat+event_uniquifying.sh | 113 +++--
tools/perf/tests/shell/trace_btf_enum.sh | 11 +
tools/perf/util/arm-spe.c | 6 +-
tools/perf/util/bpf-filter.c | 8 +
tools/perf/util/bpf_counter.c | 26 +-
tools/perf/util/bpf_counter_cgroup.c | 3 +-
tools/perf/util/bpf_skel/kwork_top.bpf.c | 2 -
tools/perf/util/build-id.c | 7 +
tools/perf/util/disasm.c | 7 +-
tools/perf/util/drm_pmu.c | 4 +-
tools/perf/util/evsel.c | 44 +-
tools/perf/util/lzma.c | 2 +-
tools/perf/util/parse-events.c | 116 ++---
tools/perf/util/session.c | 2 +-
tools/perf/util/setup.py | 5 +-
tools/perf/util/zlib.c | 2 +-
tools/power/acpi/tools/acpidump/apfiles.c | 2 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 +
.../selftests/net/netfilter/nf_nat_edemux.sh | 58 ++-
tools/testing/selftests/net/netfilter/nft_fib.sh | 13 +-
tools/testing/selftests/net/ovpn/ovpn-cli.c | 2 +
tools/testing/selftests/rseq/rseq.c | 8 +-
385 files changed, 3704 insertions(+), 2240 deletions(-)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 001/371] fs: always return zero on success from replace_fd()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 002/371] fscontext: do not consume log entries when returning -EMSGSIZE Greg Kroah-Hartman
` (382 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Thomas Weißschuh,
Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 708c04a5c2b78e22f56e2350de41feba74dfccd9 upstream.
replace_fd() returns the number of the new file descriptor through the
return value of do_dup2(). However its callers never care about the
specific returned number. In fact the caller in receive_fd_replace() treats
any non-zero return value as an error and therefore never calls
__receive_sock() for most file descriptors, which is a bug.
To fix the bug in receive_fd_replace() and to avoid the same issue
happening in future callers, signal success through a plain zero.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/lkml/20250801220215.GS222315@ZenIV/
Fixes: 173817151b15 ("fs: Expand __receive_fd() to accept existing fd")
Fixes: 42eb0d54c08a ("fs: split receive_fd_replace from __receive_fd")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Link: https://lore.kernel.org/20250805-fix-receive_fd_replace-v3-1-b72ba8b34bac@linutronix.de
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/file.c
+++ b/fs/file.c
@@ -1330,7 +1330,10 @@ int replace_fd(unsigned fd, struct file
err = expand_files(files, fd);
if (unlikely(err < 0))
goto out_unlock;
- return do_dup2(files, file, fd, flags);
+ err = do_dup2(files, file, fd, flags);
+ if (err < 0)
+ return err;
+ return 0;
out_unlock:
spin_unlock(&files->file_lock);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 002/371] fscontext: do not consume log entries when returning -EMSGSIZE
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 001/371] fs: always return zero on success from replace_fd() Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 003/371] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() Greg Kroah-Hartman
` (381 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Aleksa Sarai,
Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksa Sarai <cyphar@cyphar.com>
commit 72d271a7baa7062cb27e774ac37c5459c6d20e22 upstream.
Userspace generally expects APIs that return -EMSGSIZE to allow for them
to adjust their buffer size and retry the operation. However, the
fscontext log would previously clear the message even in the -EMSGSIZE
case.
Given that it is very cheap for us to check whether the buffer is too
small before we remove the message from the ring buffer, let's just do
that instead. While we're at it, refactor some fscontext_read() into a
separate helper to make the ring buffer logic a bit easier to read.
Fixes: 007ec26cdc9f ("vfs: Implement logging through fs_context")
Cc: David Howells <dhowells@redhat.com>
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Link: https://lore.kernel.org/20250807-fscontext-log-cleanups-v3-1-8d91d6242dc3@cyphar.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fsopen.c | 70 ++++++++++++++++++++++++++++++++----------------------------
1 file changed, 38 insertions(+), 32 deletions(-)
--- a/fs/fsopen.c
+++ b/fs/fsopen.c
@@ -18,50 +18,56 @@
#include "internal.h"
#include "mount.h"
+static inline const char *fetch_message_locked(struct fc_log *log, size_t len,
+ bool *need_free)
+{
+ const char *p;
+ int index;
+
+ if (unlikely(log->head == log->tail))
+ return ERR_PTR(-ENODATA);
+
+ index = log->tail & (ARRAY_SIZE(log->buffer) - 1);
+ p = log->buffer[index];
+ if (unlikely(strlen(p) > len))
+ return ERR_PTR(-EMSGSIZE);
+
+ log->buffer[index] = NULL;
+ *need_free = log->need_free & (1 << index);
+ log->need_free &= ~(1 << index);
+ log->tail++;
+
+ return p;
+}
+
/*
* Allow the user to read back any error, warning or informational messages.
+ * Only one message is returned for each read(2) call.
*/
static ssize_t fscontext_read(struct file *file,
char __user *_buf, size_t len, loff_t *pos)
{
struct fs_context *fc = file->private_data;
- struct fc_log *log = fc->log.log;
- unsigned int logsize = ARRAY_SIZE(log->buffer);
- ssize_t ret;
- char *p;
+ ssize_t err;
+ const char *p __free(kfree) = NULL, *message;
bool need_free;
- int index, n;
-
- ret = mutex_lock_interruptible(&fc->uapi_mutex);
- if (ret < 0)
- return ret;
-
- if (log->head == log->tail) {
- mutex_unlock(&fc->uapi_mutex);
- return -ENODATA;
- }
+ int n;
- index = log->tail & (logsize - 1);
- p = log->buffer[index];
- need_free = log->need_free & (1 << index);
- log->buffer[index] = NULL;
- log->need_free &= ~(1 << index);
- log->tail++;
+ err = mutex_lock_interruptible(&fc->uapi_mutex);
+ if (err < 0)
+ return err;
+ message = fetch_message_locked(fc->log.log, len, &need_free);
mutex_unlock(&fc->uapi_mutex);
+ if (IS_ERR(message))
+ return PTR_ERR(message);
- ret = -EMSGSIZE;
- n = strlen(p);
- if (n > len)
- goto err_free;
- ret = -EFAULT;
- if (copy_to_user(_buf, p, n) != 0)
- goto err_free;
- ret = n;
-
-err_free:
if (need_free)
- kfree(p);
- return ret;
+ p = message;
+
+ n = strlen(message);
+ if (copy_to_user(_buf, message, n))
+ return -EFAULT;
+ return n;
}
static int fscontext_release(struct inode *inode, struct file *file)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 003/371] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 001/371] fs: always return zero on success from replace_fd() Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 002/371] fscontext: do not consume log entries when returning -EMSGSIZE Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 15:42 ` David Sterba
2025-10-17 14:49 ` [PATCH 6.17 004/371] arm64: map [_text, _stext) virtual address range non-executable+read-only Greg Kroah-Hartman
` (380 subsequent siblings)
383 siblings, 1 reply; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 7b26da407420e5054e3f06c5d13271697add9423 upstream.
[BUG]
With my local branch to enable bs > ps support for btrfs, sometimes I
hit the following ASSERT() inside submit_one_sector():
ASSERT(block_start != EXTENT_MAP_HOLE);
Please note that it's not yet possible to hit this ASSERT() in the wild
yet, as it requires btrfs bs > ps support, which is not even in the
development branch.
But on the other hand, there is also a very low chance to hit above
ASSERT() with bs < ps cases, so this is an existing bug affect not only
the incoming bs > ps support but also the existing bs < ps support.
[CAUSE]
Firstly that ASSERT() means we're trying to submit a dirty block but
without a real extent map nor ordered extent map backing it.
Furthermore with extra debugging, the folio triggering such ASSERT() is
always larger than the fs block size in my bs > ps case.
(8K block size, 4K page size)
After some more debugging, the ASSERT() is trigger by the following
sequence:
extent_writepage()
| We got a 32K folio (4 fs blocks) at file offset 0, and the fs block
| size is 8K, page size is 4K.
| And there is another 8K folio at file offset 32K, which is also
| dirty.
| So the filemap layout looks like the following:
|
| "||" is the filio boundary in the filemap.
| "//| is the dirty range.
|
| 0 8K 16K 24K 32K 40K
| |////////| |//////////////////////||////////|
|
|- writepage_delalloc()
| |- find_lock_delalloc_range() for [0, 8K)
| | Now range [0, 8K) is properly locked.
| |
| |- find_lock_delalloc_range() for [16K, 40K)
| | |- btrfs_find_delalloc_range() returned range [16K, 40K)
| | |- lock_delalloc_folios() locked folio 0 successfully
| | |
| | | The filemap range [32K, 40K) got dropped from filemap.
| | |
| | |- lock_delalloc_folios() failed with -EAGAIN on folio 32K
| | | As the folio at 32K is dropped.
| | |
| | |- loops = 1;
| | |- max_bytes = PAGE_SIZE;
| | |- goto again;
| | | This will re-do the lookup for dirty delalloc ranges.
| | |
| | |- btrfs_find_delalloc_range() called with @max_bytes == 4K
| | | This is smaller than block size, so
| | | btrfs_find_delalloc_range() is unable to return any range.
| | \- return false;
| |
| \- Now only range [0, 8K) has an OE for it, but for dirty range
| [16K, 32K) it's dirty without an OE.
| This breaks the assumption that writepage_delalloc() will find
| and lock all dirty ranges inside the folio.
|
|- extent_writepage_io()
|- submit_one_sector() for [0, 8K)
| Succeeded
|
|- submit_one_sector() for [16K, 24K)
Triggering the ASSERT(), as there is no OE, and the original
extent map is a hole.
Please note that, this also exposed the same problem for bs < ps
support. E.g. with 64K page size and 4K block size.
If we failed to lock a folio, and falls back into the "loops = 1;"
branch, we will re-do the search using 64K as max_bytes.
Which may fail again to lock the next folio, and exit early without
handling all dirty blocks inside the folio.
[FIX]
Instead of using the fixed size PAGE_SIZE as @max_bytes, use
@sectorsize, so that we are ensured to find and lock any remaining
blocks inside the folio.
And since we're here, add an extra ASSERT() to
before calling btrfs_find_delalloc_range() to make sure the @max_bytes is
at least no smaller than a block to avoid false negative.
Cc: stable@vger.kernel.org # 5.15+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent_io.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -345,6 +345,13 @@ again:
/* step one, find a bunch of delalloc bytes starting at start */
delalloc_start = *start;
delalloc_end = 0;
+
+ /*
+ * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can
+ * return early without handling any dirty ranges.
+ */
+ ASSERT(max_bytes >= fs_info->sectorsize);
+
found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end,
max_bytes, &cached_state);
if (!found || delalloc_end <= *start || delalloc_start > orig_end) {
@@ -375,13 +382,14 @@ again:
delalloc_end);
ASSERT(!ret || ret == -EAGAIN);
if (ret == -EAGAIN) {
- /* some of the folios are gone, lets avoid looping by
- * shortening the size of the delalloc range we're searching
+ /*
+ * Some of the folios are gone, lets avoid looping by
+ * shortening the size of the delalloc range we're searching.
*/
btrfs_free_extent_state(cached_state);
cached_state = NULL;
if (!loops) {
- max_bytes = PAGE_SIZE;
+ max_bytes = fs_info->sectorsize;
loops = 1;
goto again;
} else {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 004/371] arm64: map [_text, _stext) virtual address range non-executable+read-only
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 003/371] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 005/371] rseq: Protect event mask against membarrier IPI Greg Kroah-Hartman
` (379 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Omar Sandoval, Will Deacon
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Omar Sandoval <osandov@fb.com>
commit 5973a62efa34c80c9a4e5eac1fca6f6209b902af upstream.
Since the referenced fixes commit, the kernel's .text section is only
mapped starting from _stext; the region [_text, _stext) is omitted. As a
result, other vmalloc/vmap allocations may use the virtual addresses
nominally in the range [_text, _stext). This address reuse confuses
multiple things:
1. crash_prepare_elf64_headers() sets up a segment in /proc/vmcore
mapping the entire range [_text, _end) to
[__pa_symbol(_text), __pa_symbol(_end)). Reading an address in
[_text, _stext) from /proc/vmcore therefore gives the incorrect
result.
2. Tools doing symbolization (either by reading /proc/kallsyms or based
on the vmlinux ELF file) will incorrectly identify vmalloc/vmap
allocations in [_text, _stext) as kernel symbols.
In practice, both of these issues affect the drgn debugger.
Specifically, there were cases where the vmap IRQ stacks for some CPUs
were allocated in [_text, _stext). As a result, drgn could not get the
stack trace for a crash in an IRQ handler because the core dump
contained invalid data for the IRQ stack address. The stack addresses
were also symbolized as being in the _text symbol.
Fix this by bringing back the mapping of [_text, _stext), but now make
it non-executable and read-only. This prevents other allocations from
using it while still achieving the original goal of not mapping
unpredictable data as executable. Other than the changed protection,
this is effectively a revert of the fixes commit.
Fixes: e2a073dde921 ("arm64: omit [_text, _stext) from permanent kernel mapping")
Cc: stable@vger.kernel.org
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/pi/map_kernel.c | 6 ++++++
arch/arm64/kernel/setup.c | 4 ++--
arch/arm64/mm/init.c | 2 +-
arch/arm64/mm/mmu.c | 14 +++++++++-----
4 files changed, 18 insertions(+), 8 deletions(-)
--- a/arch/arm64/kernel/pi/map_kernel.c
+++ b/arch/arm64/kernel/pi/map_kernel.c
@@ -78,6 +78,12 @@ static void __init map_kernel(u64 kaslr_
twopass |= enable_scs;
prot = twopass ? data_prot : text_prot;
+ /*
+ * [_stext, _text) isn't executed after boot and contains some
+ * non-executable, unpredictable data, so map it non-executable.
+ */
+ map_segment(init_pg_dir, &pgdp, va_offset, _text, _stext, data_prot,
+ false, root_level);
map_segment(init_pg_dir, &pgdp, va_offset, _stext, _etext, prot,
!twopass, root_level);
map_segment(init_pg_dir, &pgdp, va_offset, __start_rodata,
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -214,7 +214,7 @@ static void __init request_standard_reso
unsigned long i = 0;
size_t res_size;
- kernel_code.start = __pa_symbol(_stext);
+ kernel_code.start = __pa_symbol(_text);
kernel_code.end = __pa_symbol(__init_begin - 1);
kernel_data.start = __pa_symbol(_sdata);
kernel_data.end = __pa_symbol(_end - 1);
@@ -280,7 +280,7 @@ u64 cpu_logical_map(unsigned int cpu)
void __init __no_sanitize_address setup_arch(char **cmdline_p)
{
- setup_initial_init_mm(_stext, _etext, _edata, _end);
+ setup_initial_init_mm(_text, _etext, _edata, _end);
*cmdline_p = boot_command_line;
--- a/arch/arm64/mm/init.c
+++ b/arch/arm64/mm/init.c
@@ -279,7 +279,7 @@ void __init arm64_memblock_init(void)
* Register the kernel text, kernel data, initrd, and initial
* pagetables with memblock.
*/
- memblock_reserve(__pa_symbol(_stext), _end - _stext);
+ memblock_reserve(__pa_symbol(_text), _end - _text);
if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && phys_initrd_size) {
/* the generic initrd code expects virtual addresses */
initrd_start = __phys_to_virt(phys_initrd_start);
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -574,8 +574,8 @@ void __init mark_linear_text_alias_ro(vo
/*
* Remove the write permissions from the linear alias of .text/.rodata
*/
- update_mapping_prot(__pa_symbol(_stext), (unsigned long)lm_alias(_stext),
- (unsigned long)__init_begin - (unsigned long)_stext,
+ update_mapping_prot(__pa_symbol(_text), (unsigned long)lm_alias(_text),
+ (unsigned long)__init_begin - (unsigned long)_text,
PAGE_KERNEL_RO);
}
@@ -636,7 +636,7 @@ static inline void arm64_kfence_map_pool
static void __init map_mem(pgd_t *pgdp)
{
static const u64 direct_map_end = _PAGE_END(VA_BITS_MIN);
- phys_addr_t kernel_start = __pa_symbol(_stext);
+ phys_addr_t kernel_start = __pa_symbol(_text);
phys_addr_t kernel_end = __pa_symbol(__init_begin);
phys_addr_t start, end;
phys_addr_t early_kfence_pool;
@@ -683,7 +683,7 @@ static void __init map_mem(pgd_t *pgdp)
}
/*
- * Map the linear alias of the [_stext, __init_begin) interval
+ * Map the linear alias of the [_text, __init_begin) interval
* as non-executable now, and remove the write permission in
* mark_linear_text_alias_ro() below (which will be called after
* alternative patching has completed). This makes the contents
@@ -710,6 +710,10 @@ void mark_rodata_ro(void)
WRITE_ONCE(rodata_is_rw, false);
update_mapping_prot(__pa_symbol(__start_rodata), (unsigned long)__start_rodata,
section_size, PAGE_KERNEL_RO);
+ /* mark the range between _text and _stext as read only. */
+ update_mapping_prot(__pa_symbol(_text), (unsigned long)_text,
+ (unsigned long)_stext - (unsigned long)_text,
+ PAGE_KERNEL_RO);
}
static void __init declare_vma(struct vm_struct *vma,
@@ -780,7 +784,7 @@ static void __init declare_kernel_vmas(v
{
static struct vm_struct vmlinux_seg[KERNEL_SEGMENT_COUNT];
- declare_vma(&vmlinux_seg[0], _stext, _etext, VM_NO_GUARD);
+ declare_vma(&vmlinux_seg[0], _text, _etext, VM_NO_GUARD);
declare_vma(&vmlinux_seg[1], __start_rodata, __inittext_begin, VM_NO_GUARD);
declare_vma(&vmlinux_seg[2], __inittext_begin, __inittext_end, VM_NO_GUARD);
declare_vma(&vmlinux_seg[3], __initdata_begin, __initdata_end, VM_NO_GUARD);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 005/371] rseq: Protect event mask against membarrier IPI
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 004/371] arm64: map [_text, _stext) virtual address range non-executable+read-only Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 006/371] statmount: dont call path_put() under namespace semaphore Greg Kroah-Hartman
` (378 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Boqun Feng,
Mathieu Desnoyers
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 6eb350a2233100a283f882c023e5ad426d0ed63b upstream.
rseq_need_restart() reads and clears task::rseq_event_mask with preemption
disabled to guard against the scheduler.
But membarrier() uses an IPI and sets the PREEMPT bit in the event mask
from the IPI, which leaves that RMW operation unprotected.
Use guard(irq) if CONFIG_MEMBARRIER is enabled to fix that.
Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/rseq.h | 11 ++++++++---
kernel/rseq.c | 10 +++++-----
2 files changed, 13 insertions(+), 8 deletions(-)
--- a/include/linux/rseq.h
+++ b/include/linux/rseq.h
@@ -7,6 +7,12 @@
#include <linux/preempt.h>
#include <linux/sched.h>
+#ifdef CONFIG_MEMBARRIER
+# define RSEQ_EVENT_GUARD irq
+#else
+# define RSEQ_EVENT_GUARD preempt
+#endif
+
/*
* Map the event mask on the user-space ABI enum rseq_cs_flags
* for direct mask checks.
@@ -41,9 +47,8 @@ static inline void rseq_handle_notify_re
static inline void rseq_signal_deliver(struct ksignal *ksig,
struct pt_regs *regs)
{
- preempt_disable();
- __set_bit(RSEQ_EVENT_SIGNAL_BIT, ¤t->rseq_event_mask);
- preempt_enable();
+ scoped_guard(RSEQ_EVENT_GUARD)
+ __set_bit(RSEQ_EVENT_SIGNAL_BIT, ¤t->rseq_event_mask);
rseq_handle_notify_resume(ksig, regs);
}
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -342,12 +342,12 @@ static int rseq_need_restart(struct task
/*
* Load and clear event mask atomically with respect to
- * scheduler preemption.
+ * scheduler preemption and membarrier IPIs.
*/
- preempt_disable();
- event_mask = t->rseq_event_mask;
- t->rseq_event_mask = 0;
- preempt_enable();
+ scoped_guard(RSEQ_EVENT_GUARD) {
+ event_mask = t->rseq_event_mask;
+ t->rseq_event_mask = 0;
+ }
return !!event_mask;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 006/371] statmount: dont call path_put() under namespace semaphore
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 005/371] rseq: Protect event mask against membarrier IPI Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 007/371] listmount: " Greg Kroah-Hartman
` (377 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit e8c84e2082e69335f66c8ade4895e80ec270d7c4 upstream.
Massage statmount() and make sure we don't call path_put() under the
namespace semaphore. If we put the last reference we're fscked.
Fixes: 46eae99ef733 ("add statmount(2) syscall")
Cc: stable@vger.kernel.org # v6.8+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/namespace.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5711,7 +5711,6 @@ static int grab_requested_root(struct mn
static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
struct mnt_namespace *ns)
{
- struct path root __free(path_put) = {};
struct mount *m;
int err;
@@ -5723,7 +5722,7 @@ static int do_statmount(struct kstatmoun
if (!s->mnt)
return -ENOENT;
- err = grab_requested_root(ns, &root);
+ err = grab_requested_root(ns, &s->root);
if (err)
return err;
@@ -5732,7 +5731,7 @@ static int do_statmount(struct kstatmoun
* mounts to show users.
*/
m = real_mount(s->mnt);
- if (!is_path_reachable(m, m->mnt.mnt_root, &root) &&
+ if (!is_path_reachable(m, m->mnt.mnt_root, &s->root) &&
!ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
@@ -5740,8 +5739,6 @@ static int do_statmount(struct kstatmoun
if (err)
return err;
- s->root = root;
-
/*
* Note that mount properties in mnt->mnt_flags, mnt->mnt_idmap
* can change concurrently as we only hold the read-side of the
@@ -5963,6 +5960,7 @@ retry:
if (!ret)
ret = copy_statmount_to_user(ks);
kvfree(ks->seq.buf);
+ path_put(&ks->root);
if (retry_statmount(ret, &seq_size))
goto retry;
return ret;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 007/371] listmount: dont call path_put() under namespace semaphore
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 006/371] statmount: dont call path_put() under namespace semaphore Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 008/371] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
` (376 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit c1f86d0ac322c7e77f6f8dbd216c65d39358ffc0 upstream.
Massage listmount() and make sure we don't call path_put() under the
namespace semaphore. If we put the last reference we're fscked.
Fixes: b4c2bea8ceaa ("add listmount(2) syscall")
Cc: stable@vger.kernel.org # v6.8+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/namespace.c | 87 ++++++++++++++++++++++++++++++++++++++-------------------
1 file changed, 59 insertions(+), 28 deletions(-)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5966,23 +5966,34 @@ retry:
return ret;
}
-static ssize_t do_listmount(struct mnt_namespace *ns, u64 mnt_parent_id,
- u64 last_mnt_id, u64 *mnt_ids, size_t nr_mnt_ids,
- bool reverse)
+struct klistmount {
+ u64 last_mnt_id;
+ u64 mnt_parent_id;
+ u64 *kmnt_ids;
+ u32 nr_mnt_ids;
+ struct mnt_namespace *ns;
+ struct path root;
+};
+
+static ssize_t do_listmount(struct klistmount *kls, bool reverse)
{
- struct path root __free(path_put) = {};
+ struct mnt_namespace *ns = kls->ns;
+ u64 mnt_parent_id = kls->mnt_parent_id;
+ u64 last_mnt_id = kls->last_mnt_id;
+ u64 *mnt_ids = kls->kmnt_ids;
+ size_t nr_mnt_ids = kls->nr_mnt_ids;
struct path orig;
struct mount *r, *first;
ssize_t ret;
rwsem_assert_held(&namespace_sem);
- ret = grab_requested_root(ns, &root);
+ ret = grab_requested_root(ns, &kls->root);
if (ret)
return ret;
if (mnt_parent_id == LSMT_ROOT) {
- orig = root;
+ orig = kls->root;
} else {
orig.mnt = lookup_mnt_in_ns(mnt_parent_id, ns);
if (!orig.mnt)
@@ -5994,7 +6005,7 @@ static ssize_t do_listmount(struct mnt_n
* Don't trigger audit denials. We just want to determine what
* mounts to show users.
*/
- if (!is_path_reachable(real_mount(orig.mnt), orig.dentry, &root) &&
+ if (!is_path_reachable(real_mount(orig.mnt), orig.dentry, &kls->root) &&
!ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
@@ -6027,14 +6038,45 @@ static ssize_t do_listmount(struct mnt_n
return ret;
}
+static void __free_klistmount_free(const struct klistmount *kls)
+{
+ path_put(&kls->root);
+ kvfree(kls->kmnt_ids);
+ mnt_ns_release(kls->ns);
+}
+
+static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *kreq,
+ size_t nr_mnt_ids)
+{
+
+ u64 last_mnt_id = kreq->param;
+
+ /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+ if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET)
+ return -EINVAL;
+
+ kls->last_mnt_id = last_mnt_id;
+
+ kls->nr_mnt_ids = nr_mnt_ids;
+ kls->kmnt_ids = kvmalloc_array(nr_mnt_ids, sizeof(*kls->kmnt_ids),
+ GFP_KERNEL_ACCOUNT);
+ if (!kls->kmnt_ids)
+ return -ENOMEM;
+
+ kls->ns = grab_requested_mnt_ns(kreq);
+ if (!kls->ns)
+ return -ENOENT;
+
+ kls->mnt_parent_id = kreq->mnt_id;
+ return 0;
+}
+
SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
u64 __user *, mnt_ids, size_t, nr_mnt_ids, unsigned int, flags)
{
- u64 *kmnt_ids __free(kvfree) = NULL;
+ struct klistmount kls __free(klistmount_free) = {};
const size_t maxcount = 1000000;
- struct mnt_namespace *ns __free(mnt_ns_release) = NULL;
struct mnt_id_req kreq;
- u64 last_mnt_id;
ssize_t ret;
if (flags & ~LISTMOUNT_REVERSE)
@@ -6055,22 +6097,12 @@ SYSCALL_DEFINE4(listmount, const struct
if (ret)
return ret;
- last_mnt_id = kreq.param;
- /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
- if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET)
- return -EINVAL;
-
- kmnt_ids = kvmalloc_array(nr_mnt_ids, sizeof(*kmnt_ids),
- GFP_KERNEL_ACCOUNT);
- if (!kmnt_ids)
- return -ENOMEM;
-
- ns = grab_requested_mnt_ns(&kreq);
- if (!ns)
- return -ENOENT;
+ ret = prepare_klistmount(&kls, &kreq, nr_mnt_ids);
+ if (ret)
+ return ret;
- if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
- !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
+ if (kreq.mnt_ns_id && (kls.ns != current->nsproxy->mnt_ns) &&
+ !ns_capable_noaudit(kls.ns->user_ns, CAP_SYS_ADMIN))
return -ENOENT;
/*
@@ -6078,12 +6110,11 @@ SYSCALL_DEFINE4(listmount, const struct
* listmount() doesn't care about any mount properties.
*/
scoped_guard(rwsem_read, &namespace_sem)
- ret = do_listmount(ns, kreq.mnt_id, last_mnt_id, kmnt_ids,
- nr_mnt_ids, (flags & LISTMOUNT_REVERSE));
+ ret = do_listmount(&kls, (flags & LISTMOUNT_REVERSE));
if (ret <= 0)
return ret;
- if (copy_to_user(mnt_ids, kmnt_ids, ret * sizeof(*mnt_ids)))
+ if (copy_to_user(mnt_ids, kls.kmnt_ids, ret * sizeof(*mnt_ids)))
return -EFAULT;
return ret;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 008/371] clocksource/drivers/clps711x: Fix resource leaks in error paths
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 007/371] listmount: " Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 009/371] memcg: skip cgroup_file_notify if spinning is not allowed Greg Kroah-Hartman
` (375 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Ni, Daniel Lezcano
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen Ni <zhen.ni@easystack.cn>
commit cd32e596f02fc981674573402c1138f616df1728 upstream.
The current implementation of clps711x_timer_init() has multiple error
paths that directly return without releasing the base I/O memory mapped
via of_iomap(). Fix of_iomap leaks in error paths.
Fixes: 04410efbb6bc ("clocksource/drivers/clps711x: Convert init function to return error")
Fixes: 2a6a8e2d9004 ("clocksource/drivers/clps711x: Remove board support")
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250814123324.1516495-1-zhen.ni@easystack.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clocksource/clps711x-timer.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
--- a/drivers/clocksource/clps711x-timer.c
+++ b/drivers/clocksource/clps711x-timer.c
@@ -78,24 +78,33 @@ static int __init clps711x_timer_init(st
unsigned int irq = irq_of_parse_and_map(np, 0);
struct clk *clock = of_clk_get(np, 0);
void __iomem *base = of_iomap(np, 0);
+ int ret = 0;
if (!base)
return -ENOMEM;
- if (!irq)
- return -EINVAL;
- if (IS_ERR(clock))
- return PTR_ERR(clock);
+ if (!irq) {
+ ret = -EINVAL;
+ goto unmap_io;
+ }
+ if (IS_ERR(clock)) {
+ ret = PTR_ERR(clock);
+ goto unmap_io;
+ }
switch (of_alias_get_id(np, "timer")) {
case CLPS711X_CLKSRC_CLOCKSOURCE:
clps711x_clksrc_init(clock, base);
break;
case CLPS711X_CLKSRC_CLOCKEVENT:
- return _clps711x_clkevt_init(clock, base, irq);
+ ret = _clps711x_clkevt_init(clock, base, irq);
+ break;
default:
- return -EINVAL;
+ ret = -EINVAL;
+ break;
}
- return 0;
+unmap_io:
+ iounmap(base);
+ return ret;
}
TIMER_OF_DECLARE(clps711x, "cirrus,ep7209-timer", clps711x_timer_init);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 009/371] memcg: skip cgroup_file_notify if spinning is not allowed
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 008/371] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 010/371] page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Greg Kroah-Hartman
` (374 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shakeel Butt, Michal Hocko,
Alexei Starovoitov, Johannes Weiner, Kumar Kartikeya Dwivedi,
Muchun Song, Peilin Ye, Roman Gushchin, Tejun Heo, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shakeel Butt <shakeel.butt@linux.dev>
commit fcc0669c5aa681994c507b50f1c706c969d99730 upstream.
Generally memcg charging is allowed from all the contexts including NMI
where even spinning on spinlock can cause locking issues. However one
call chain was missed during the addition of memcg charging from any
context support. That is try_charge_memcg() -> memcg_memory_event() ->
cgroup_file_notify().
The possible function call tree under cgroup_file_notify() can acquire
many different spin locks in spinning mode. Some of them are
cgroup_file_kn_lock, kernfs_notify_lock, pool_workqeue's lock. So, let's
just skip cgroup_file_notify() from memcg charging if the context does not
allow spinning.
Alternative approach was also explored where instead of skipping
cgroup_file_notify(), we defer the memcg event processing to irq_work [1].
However it adds complexity and it was decided to keep things simple until
we need more memcg events with !allow_spinning requirement.
Link: https://lore.kernel.org/all/5qi2llyzf7gklncflo6gxoozljbm4h3tpnuv4u4ej4ztysvi6f@x44v7nz2wdzd/ [1]
Link: https://lkml.kernel.org/r/20250922220203.261714-1-shakeel.butt@linux.dev
Fixes: 3ac4638a734a ("memcg: make memcg_rstat_updated nmi safe")
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Acked-by: Michal Hocko <mhocko@suse.com>
Closes: https://lore.kernel.org/all/20250905061919.439648-1-yepeilin@google.com/
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Peilin Ye <yepeilin@google.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Tejun Heo <tj@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/memcontrol.h | 26 +++++++++++++++++++-------
mm/memcontrol.c | 7 ++++---
2 files changed, 23 insertions(+), 10 deletions(-)
--- a/include/linux/memcontrol.h
+++ b/include/linux/memcontrol.h
@@ -987,22 +987,28 @@ static inline void count_memcg_event_mm(
count_memcg_events_mm(mm, idx, 1);
}
-static inline void memcg_memory_event(struct mem_cgroup *memcg,
- enum memcg_memory_event event)
+static inline void __memcg_memory_event(struct mem_cgroup *memcg,
+ enum memcg_memory_event event,
+ bool allow_spinning)
{
bool swap_event = event == MEMCG_SWAP_HIGH || event == MEMCG_SWAP_MAX ||
event == MEMCG_SWAP_FAIL;
+ /* For now only MEMCG_MAX can happen with !allow_spinning context. */
+ VM_WARN_ON_ONCE(!allow_spinning && event != MEMCG_MAX);
+
atomic_long_inc(&memcg->memory_events_local[event]);
- if (!swap_event)
+ if (!swap_event && allow_spinning)
cgroup_file_notify(&memcg->events_local_file);
do {
atomic_long_inc(&memcg->memory_events[event]);
- if (swap_event)
- cgroup_file_notify(&memcg->swap_events_file);
- else
- cgroup_file_notify(&memcg->events_file);
+ if (allow_spinning) {
+ if (swap_event)
+ cgroup_file_notify(&memcg->swap_events_file);
+ else
+ cgroup_file_notify(&memcg->events_file);
+ }
if (!cgroup_subsys_on_dfl(memory_cgrp_subsys))
break;
@@ -1012,6 +1018,12 @@ static inline void memcg_memory_event(st
!mem_cgroup_is_root(memcg));
}
+static inline void memcg_memory_event(struct mem_cgroup *memcg,
+ enum memcg_memory_event event)
+{
+ __memcg_memory_event(memcg, event, true);
+}
+
static inline void memcg_memory_event_mm(struct mm_struct *mm,
enum memcg_memory_event event)
{
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -2309,12 +2309,13 @@ static int try_charge_memcg(struct mem_c
bool drained = false;
bool raised_max_event = false;
unsigned long pflags;
+ bool allow_spinning = gfpflags_allow_spinning(gfp_mask);
retry:
if (consume_stock(memcg, nr_pages))
return 0;
- if (!gfpflags_allow_spinning(gfp_mask))
+ if (!allow_spinning)
/* Avoid the refill and flush of the older stock */
batch = nr_pages;
@@ -2350,7 +2351,7 @@ retry:
if (!gfpflags_allow_blocking(gfp_mask))
goto nomem;
- memcg_memory_event(mem_over_limit, MEMCG_MAX);
+ __memcg_memory_event(mem_over_limit, MEMCG_MAX, allow_spinning);
raised_max_event = true;
psi_memstall_enter(&pflags);
@@ -2417,7 +2418,7 @@ force:
* a MEMCG_MAX event.
*/
if (!raised_max_event)
- memcg_memory_event(mem_over_limit, MEMCG_MAX);
+ __memcg_memory_event(mem_over_limit, MEMCG_MAX, allow_spinning);
/*
* The allocation either can't fail or will lead to more memory
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 010/371] page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 009/371] memcg: skip cgroup_file_notify if spinning is not allowed Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 011/371] PM: runtime: Update kerneldoc return codes Greg Kroah-Hartman
` (373 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Helge Deller,
Toke Høiland-Jørgensen, Mina Almasry, Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
commit 95920c2ed02bde551ab654e9749c2ca7bc3100e0 upstream.
Helge reported that the introduction of PP_MAGIC_MASK let to crashes on
boot on his 32-bit parisc machine. The cause of this is the mask is set
too wide, so the page_pool_page_is_pp() incurs false positives which
crashes the machine.
Just disabling the check in page_pool_is_pp() will lead to the page_pool
code itself malfunctioning; so instead of doing this, this patch changes
the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel
pointers for page_pool-tagged pages.
The fix relies on the kernel pointers that alias with the pp_magic field
always being above PAGE_OFFSET. With this assumption, we can use the
lowest bit of the value of PAGE_OFFSET as the upper bound of the
PP_DMA_INDEX_MASK, which should avoid the false positives.
Because we cannot rely on PAGE_OFFSET always being a compile-time
constant, nor on it always being >0, we fall back to disabling the
dma_index storage when there are not enough bits available. This leaves
us in the situation we were in before the patch in the Fixes tag, but
only on a subset of architecture configurations. This seems to be the
best we can do until the transition to page types in complete for
page_pool pages.
v2:
- Make sure there's at least 8 bits available and that the PAGE_OFFSET
bit calculation doesn't wrap
Link: https://lore.kernel.org/all/aMNJMFa5fDalFmtn@p100/
Fixes: ee62ce7a1d90 ("page_pool: Track DMA-mapped pages and unmap them when destroying the pool")
Cc: stable@vger.kernel.org # 6.15+
Tested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Tested-by: Helge Deller <deller@gmx.de>
Link: https://patch.msgid.link/20250930114331.675412-1-toke@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 22 ++++++++------
net/core/page_pool.c | 76 +++++++++++++++++++++++++++++++++++----------------
2 files changed, 66 insertions(+), 32 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4159,14 +4159,13 @@ int arch_lock_shadow_stack_status(struct
* since this value becomes part of PP_SIGNATURE; meaning we can just use the
* space between the PP_SIGNATURE value (without POISON_POINTER_DELTA), and the
* lowest bits of POISON_POINTER_DELTA. On arches where POISON_POINTER_DELTA is
- * 0, we make sure that we leave the two topmost bits empty, as that guarantees
- * we won't mistake a valid kernel pointer for a value we set, regardless of the
- * VMSPLIT setting.
+ * 0, we use the lowest bit of PAGE_OFFSET as the boundary if that value is
+ * known at compile-time.
*
- * Altogether, this means that the number of bits available is constrained by
- * the size of an unsigned long (at the upper end, subtracting two bits per the
- * above), and the definition of PP_SIGNATURE (with or without
- * POISON_POINTER_DELTA).
+ * If the value of PAGE_OFFSET is not known at compile time, or if it is too
+ * small to leave at least 8 bits available above PP_SIGNATURE, we define the
+ * number of bits to be 0, which turns off the DMA index tracking altogether
+ * (see page_pool_register_dma_index()).
*/
#define PP_DMA_INDEX_SHIFT (1 + __fls(PP_SIGNATURE - POISON_POINTER_DELTA))
#if POISON_POINTER_DELTA > 0
@@ -4175,8 +4174,13 @@ int arch_lock_shadow_stack_status(struct
*/
#define PP_DMA_INDEX_BITS MIN(32, __ffs(POISON_POINTER_DELTA) - PP_DMA_INDEX_SHIFT)
#else
-/* Always leave out the topmost two; see above. */
-#define PP_DMA_INDEX_BITS MIN(32, BITS_PER_LONG - PP_DMA_INDEX_SHIFT - 2)
+/* Use the lowest bit of PAGE_OFFSET if there's at least 8 bits available; see above */
+#define PP_DMA_INDEX_MIN_OFFSET (1 << (PP_DMA_INDEX_SHIFT + 8))
+#define PP_DMA_INDEX_BITS ((__builtin_constant_p(PAGE_OFFSET) && \
+ PAGE_OFFSET >= PP_DMA_INDEX_MIN_OFFSET && \
+ !(PAGE_OFFSET & (PP_DMA_INDEX_MIN_OFFSET - 1))) ? \
+ MIN(32, __ffs(PAGE_OFFSET) - PP_DMA_INDEX_SHIFT) : 0)
+
#endif
#define PP_DMA_INDEX_MASK GENMASK(PP_DMA_INDEX_BITS + PP_DMA_INDEX_SHIFT - 1, \
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -472,11 +472,60 @@ page_pool_dma_sync_for_device(const stru
}
}
+static int page_pool_register_dma_index(struct page_pool *pool,
+ netmem_ref netmem, gfp_t gfp)
+{
+ int err = 0;
+ u32 id;
+
+ if (unlikely(!PP_DMA_INDEX_BITS))
+ goto out;
+
+ if (in_softirq())
+ err = xa_alloc(&pool->dma_mapped, &id, netmem_to_page(netmem),
+ PP_DMA_INDEX_LIMIT, gfp);
+ else
+ err = xa_alloc_bh(&pool->dma_mapped, &id, netmem_to_page(netmem),
+ PP_DMA_INDEX_LIMIT, gfp);
+ if (err) {
+ WARN_ONCE(err != -ENOMEM, "couldn't track DMA mapping, please report to netdev@");
+ goto out;
+ }
+
+ netmem_set_dma_index(netmem, id);
+out:
+ return err;
+}
+
+static int page_pool_release_dma_index(struct page_pool *pool,
+ netmem_ref netmem)
+{
+ struct page *old, *page = netmem_to_page(netmem);
+ unsigned long id;
+
+ if (unlikely(!PP_DMA_INDEX_BITS))
+ return 0;
+
+ id = netmem_get_dma_index(netmem);
+ if (!id)
+ return -1;
+
+ if (in_softirq())
+ old = xa_cmpxchg(&pool->dma_mapped, id, page, NULL, 0);
+ else
+ old = xa_cmpxchg_bh(&pool->dma_mapped, id, page, NULL, 0);
+ if (old != page)
+ return -1;
+
+ netmem_set_dma_index(netmem, 0);
+
+ return 0;
+}
+
static bool page_pool_dma_map(struct page_pool *pool, netmem_ref netmem, gfp_t gfp)
{
dma_addr_t dma;
int err;
- u32 id;
/* Setup DMA mapping: use 'struct page' area for storing DMA-addr
* since dma_addr_t can be either 32 or 64 bits and does not always fit
@@ -495,18 +544,10 @@ static bool page_pool_dma_map(struct pag
goto unmap_failed;
}
- if (in_softirq())
- err = xa_alloc(&pool->dma_mapped, &id, netmem_to_page(netmem),
- PP_DMA_INDEX_LIMIT, gfp);
- else
- err = xa_alloc_bh(&pool->dma_mapped, &id, netmem_to_page(netmem),
- PP_DMA_INDEX_LIMIT, gfp);
- if (err) {
- WARN_ONCE(err != -ENOMEM, "couldn't track DMA mapping, please report to netdev@");
+ err = page_pool_register_dma_index(pool, netmem, gfp);
+ if (err)
goto unset_failed;
- }
- netmem_set_dma_index(netmem, id);
page_pool_dma_sync_for_device(pool, netmem, pool->p.max_len);
return true;
@@ -678,8 +719,6 @@ void page_pool_clear_pp_info(netmem_ref
static __always_inline void __page_pool_release_netmem_dma(struct page_pool *pool,
netmem_ref netmem)
{
- struct page *old, *page = netmem_to_page(netmem);
- unsigned long id;
dma_addr_t dma;
if (!pool->dma_map)
@@ -688,15 +727,7 @@ static __always_inline void __page_pool_
*/
return;
- id = netmem_get_dma_index(netmem);
- if (!id)
- return;
-
- if (in_softirq())
- old = xa_cmpxchg(&pool->dma_mapped, id, page, NULL, 0);
- else
- old = xa_cmpxchg_bh(&pool->dma_mapped, id, page, NULL, 0);
- if (old != page)
+ if (page_pool_release_dma_index(pool, netmem))
return;
dma = page_pool_get_dma_addr_netmem(netmem);
@@ -706,7 +737,6 @@ static __always_inline void __page_pool_
PAGE_SIZE << pool->p.order, pool->p.dma_dir,
DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING);
page_pool_set_dma_addr_netmem(netmem, 0);
- netmem_set_dma_index(netmem, 0);
}
/* Disconnects a page (from a page_pool). API users can have a need
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 011/371] PM: runtime: Update kerneldoc return codes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 010/371] page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 012/371] dma-mapping: fix direction in dma_alloc direction traces Greg Kroah-Hartman
` (372 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Norris, Sakari Ailus,
Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Norris <briannorris@chromium.org>
commit fed7eaa4f037361fe4f3d4170649d6849a25998d upstream.
APIs based on __pm_runtime_idle() (pm_runtime_idle(), pm_request_idle())
do not return 1 when already suspended. They return -EAGAIN. This is
already covered in the docs, so the entry for "1" is redundant and
conflicting.
(pm_runtime_put() and pm_runtime_put_sync() were previously incorrect,
but that's fixed in "PM: runtime: pm_runtime_put{,_sync}() returns 1
when already suspended", to ensure consistency with APIs like
pm_runtime_put_autosuspend().)
RPM_GET_PUT APIs based on __pm_runtime_suspend() do return 1 when
already suspended, but the language is a little unclear -- it's not
really an "error", so it seems better to list as a clarification before
the 0/success case. Additionally, they only actually return 1 when the
refcount makes it to 0; if the usage counter is still non-zero, we
return 0.
pm_runtime_put(), etc., also don't appear at first like they can ever
see "-EAGAIN: Runtime PM usage_count non-zero", because in non-racy
conditions, pm_runtime_put() would drop its reference count, see it's
non-zero, and return early (in __pm_runtime_idle()). However, it's
possible to race with another actor that increments the usage_count
afterward, since rpm_idle() is protected by a separate lock; in such a
case, we may see -EAGAIN.
Because this case is only seen in the presence of concurrent actors, it
makes sense to clarify that this is when "usage_count **became**
non-zero", by way of some racing actor.
Lastly, pm_runtime_put_sync_suspend() duplicated some -EAGAIN language.
Fix that.
Fixes: 271ff96d6066 ("PM: runtime: Document return values of suspend-related API functions")
Link: https://lore.kernel.org/linux-pm/aJ5pkEJuixTaybV4@google.com/
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: 6.17+ <stable@vger.kernel.org> # 6.17+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/pm_runtime.h | 56 ++++++++++++++++++++++++---------------------
1 file changed, 31 insertions(+), 25 deletions(-)
--- a/include/linux/pm_runtime.h
+++ b/include/linux/pm_runtime.h
@@ -350,13 +350,12 @@ static inline int pm_runtime_force_resum
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero, Runtime PM status change ongoing
- * or device not in %RPM_ACTIVE state.
+ * * -EAGAIN: Runtime PM usage counter non-zero, Runtime PM status change
+ * ongoing or device not in %RPM_ACTIVE state.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
* Other values and conditions for the above values are possible as returned by
* Runtime PM idle and suspend callbacks.
*/
@@ -370,14 +369,15 @@ static inline int pm_runtime_idle(struct
* @dev: Target device.
*
* Return:
+ * * 1: Success; device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter non-zero or Runtime PM status change
+ * ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
* Other values and conditions for the above values are possible as returned by
* Runtime PM suspend callbacks.
*/
@@ -396,14 +396,15 @@ static inline int pm_runtime_suspend(str
* engaging its "idle check" callback.
*
* Return:
+ * * 1: Success; device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter non-zero or Runtime PM status change
+ * ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
* Other values and conditions for the above values are possible as returned by
* Runtime PM suspend callbacks.
*/
@@ -433,13 +434,12 @@ static inline int pm_runtime_resume(stru
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero, Runtime PM status change ongoing
- * or device not in %RPM_ACTIVE state.
+ * * -EAGAIN: Runtime PM usage counter non-zero, Runtime PM status change
+ * ongoing or device not in %RPM_ACTIVE state.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
*/
static inline int pm_request_idle(struct device *dev)
{
@@ -464,15 +464,16 @@ static inline int pm_request_resume(stru
* equivalent pm_runtime_autosuspend() for @dev asynchronously.
*
* Return:
+ * * 1: Success; device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter non-zero or Runtime PM status change
+ * ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
*/
static inline int pm_request_autosuspend(struct device *dev)
{
@@ -540,15 +541,16 @@ static inline int pm_runtime_resume_and_
* equal to 0, queue up a work item for @dev like in pm_request_idle().
*
* Return:
+ * * 1: Success. Usage counter dropped to zero, but device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter became non-zero or Runtime PM status
+ * change ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
*/
static inline int pm_runtime_put(struct device *dev)
{
@@ -565,15 +567,16 @@ DEFINE_FREE(pm_runtime_put, struct devic
* equal to 0, queue up a work item for @dev like in pm_request_autosuspend().
*
* Return:
+ * * 1: Success. Usage counter dropped to zero, but device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter became non-zero or Runtime PM status
+ * change ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
*/
static inline int __pm_runtime_put_autosuspend(struct device *dev)
{
@@ -590,15 +593,16 @@ static inline int __pm_runtime_put_autos
* in pm_request_autosuspend().
*
* Return:
+ * * 1: Success. Usage counter dropped to zero, but device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter became non-zero or Runtime PM status
+ * change ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
*/
static inline int pm_runtime_put_autosuspend(struct device *dev)
{
@@ -619,14 +623,15 @@ static inline int pm_runtime_put_autosus
* if it returns an error code.
*
* Return:
+ * * 1: Success. Usage counter dropped to zero, but device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter became non-zero or Runtime PM status
+ * change ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
* Other values and conditions for the above values are possible as returned by
* Runtime PM suspend callbacks.
*/
@@ -646,15 +651,15 @@ static inline int pm_runtime_put_sync(st
* if it returns an error code.
*
* Return:
+ * * 1: Success. Usage counter dropped to zero, but device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
- * * -EAGAIN: usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter became non-zero or Runtime PM status
+ * change ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
* Other values and conditions for the above values are possible as returned by
* Runtime PM suspend callbacks.
*/
@@ -677,15 +682,16 @@ static inline int pm_runtime_put_sync_su
* if it returns an error code.
*
* Return:
+ * * 1: Success. Usage counter dropped to zero, but device was already suspended.
* * 0: Success.
* * -EINVAL: Runtime PM error.
* * -EACCES: Runtime PM disabled.
- * * -EAGAIN: Runtime PM usage_count non-zero or Runtime PM status change ongoing.
+ * * -EAGAIN: Runtime PM usage counter became non-zero or Runtime PM status
+ * change ongoing.
* * -EBUSY: Runtime PM child_count non-zero.
* * -EPERM: Device PM QoS resume latency 0.
* * -EINPROGRESS: Suspend already in progress.
* * -ENOSYS: CONFIG_PM not enabled.
- * * 1: Device already suspended.
* Other values and conditions for the above values are possible as returned by
* Runtime PM suspend callbacks.
*/
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 012/371] dma-mapping: fix direction in dma_alloc direction traces
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 011/371] PM: runtime: Update kerneldoc return codes Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 013/371] cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency Greg Kroah-Hartman
` (371 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Tesarik, Sean Anderson,
Marek Szyprowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Tesarik <ptesarik@suse.com>
commit 16abbabc004bedeeaa702e11913da9d4fa70e63a upstream.
Set __entry->dir to the actual "dir" parameter of all trace events
in dma_alloc_class. This struct member was left uninitialized by
mistake.
Signed-off-by: Petr Tesarik <ptesarik@suse.com>
Fixes: 3afff779a725 ("dma-mapping: trace dma_alloc/free direction")
Cc: stable@vger.kernel.org
Reviewed-by: Sean Anderson <sean.anderson@linux.dev>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20251001061028.412258-1-ptesarik@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/dma.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/trace/events/dma.h
+++ b/include/trace/events/dma.h
@@ -134,6 +134,7 @@ DECLARE_EVENT_CLASS(dma_alloc_class,
__entry->dma_addr = dma_addr;
__entry->size = size;
__entry->flags = flags;
+ __entry->dir = dir;
__entry->attrs = attrs;
),
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 013/371] cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 012/371] dma-mapping: fix direction in dma_alloc direction traces Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 014/371] nfsd: unregister with rpcbind when deleting a transport Greg Kroah-Hartman
` (370 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Guo, Mario Limonciello (AMD),
Jie Zhan, Viresh Kumar, Rafael J. Wysocki, Qais Yousef
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit f97aef092e199c10a3da96ae79b571edd5362faa upstream.
Commit a755d0e2d41b ("cpufreq: Honour transition_latency over
transition_delay_us") caused platforms where cpuinfo.transition_latency
is CPUFREQ_ETERNAL to get a very large transition latency whereas
previously it had been capped at 10 ms (and later at 2 ms).
This led to a user-observable regression between 6.6 and 6.12 as
described by Shawn:
"The dbs sampling_rate was 10000 us on 6.6 and suddently becomes
6442450 us (4294967295 / 1000 * 1.5) on 6.12 for these platforms
because the default transition delay was dropped [...].
It slows down dbs governor's reacting to CPU loading change
dramatically. Also, as transition_delay_us is used by schedutil
governor as rate_limit_us, it shows a negative impact on device
idle power consumption, because the device gets slightly less time
in the lowest OPP."
Evidently, the expectation of the drivers using CPUFREQ_ETERNAL as
cpuinfo.transition_latency was that it would be capped by the core,
but they may as well return a default transition latency value instead
of CPUFREQ_ETERNAL and the core need not do anything with it.
Accordingly, introduce CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS and make
all of the drivers in question use it instead of CPUFREQ_ETERNAL. Also
update the related Rust binding.
Fixes: a755d0e2d41b ("cpufreq: Honour transition_latency over transition_delay_us")
Closes: https://lore.kernel.org/linux-pm/20250922125929.453444-1-shawnguo2@yeah.net/
Reported-by: Shawn Guo <shawnguo@kernel.org>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Reviewed-by: Jie Zhan <zhanjie9@hisilicon.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 6.6+ <stable@vger.kernel.org> # 6.6+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2264949.irdbgypaU6@rafael.j.wysocki
[ rjw: Fix typo in new symbol name, drop redundant type cast from Rust binding ]
Tested-by: Shawn Guo <shawnguo@kernel.org> # with cpufreq-dt driver
Reviewed-by: Qais Yousef <qyousef@layalina.io>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq-dt.c | 2 +-
drivers/cpufreq/imx6q-cpufreq.c | 2 +-
drivers/cpufreq/mediatek-cpufreq-hw.c | 2 +-
drivers/cpufreq/rcpufreq_dt.rs | 2 +-
drivers/cpufreq/scmi-cpufreq.c | 2 +-
drivers/cpufreq/scpi-cpufreq.c | 2 +-
drivers/cpufreq/spear-cpufreq.c | 2 +-
include/linux/cpufreq.h | 3 +++
rust/kernel/cpufreq.rs | 7 ++++---
9 files changed, 14 insertions(+), 10 deletions(-)
--- a/drivers/cpufreq/cpufreq-dt.c
+++ b/drivers/cpufreq/cpufreq-dt.c
@@ -104,7 +104,7 @@ static int cpufreq_init(struct cpufreq_p
transition_latency = dev_pm_opp_get_max_transition_latency(cpu_dev);
if (!transition_latency)
- transition_latency = CPUFREQ_ETERNAL;
+ transition_latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
cpumask_copy(policy->cpus, priv->cpus);
policy->driver_data = priv;
--- a/drivers/cpufreq/imx6q-cpufreq.c
+++ b/drivers/cpufreq/imx6q-cpufreq.c
@@ -442,7 +442,7 @@ soc_opp_out:
}
if (of_property_read_u32(np, "clock-latency", &transition_latency))
- transition_latency = CPUFREQ_ETERNAL;
+ transition_latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
/*
* Calculate the ramp time for max voltage change in the
--- a/drivers/cpufreq/mediatek-cpufreq-hw.c
+++ b/drivers/cpufreq/mediatek-cpufreq-hw.c
@@ -238,7 +238,7 @@ static int mtk_cpufreq_hw_cpu_init(struc
latency = readl_relaxed(data->reg_bases[REG_FREQ_LATENCY]) * 1000;
if (!latency)
- latency = CPUFREQ_ETERNAL;
+ latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
policy->cpuinfo.transition_latency = latency;
policy->fast_switch_possible = true;
--- a/drivers/cpufreq/rcpufreq_dt.rs
+++ b/drivers/cpufreq/rcpufreq_dt.rs
@@ -123,7 +123,7 @@ impl cpufreq::Driver for CPUFreqDTDriver
let mut transition_latency = opp_table.max_transition_latency_ns() as u32;
if transition_latency == 0 {
- transition_latency = cpufreq::ETERNAL_LATENCY_NS;
+ transition_latency = cpufreq::DEFAULT_TRANSITION_LATENCY_NS;
}
policy
--- a/drivers/cpufreq/scmi-cpufreq.c
+++ b/drivers/cpufreq/scmi-cpufreq.c
@@ -294,7 +294,7 @@ static int scmi_cpufreq_init(struct cpuf
latency = perf_ops->transition_latency_get(ph, domain);
if (!latency)
- latency = CPUFREQ_ETERNAL;
+ latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
policy->cpuinfo.transition_latency = latency;
--- a/drivers/cpufreq/scpi-cpufreq.c
+++ b/drivers/cpufreq/scpi-cpufreq.c
@@ -157,7 +157,7 @@ static int scpi_cpufreq_init(struct cpuf
latency = scpi_ops->get_transition_latency(cpu_dev);
if (!latency)
- latency = CPUFREQ_ETERNAL;
+ latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
policy->cpuinfo.transition_latency = latency;
--- a/drivers/cpufreq/spear-cpufreq.c
+++ b/drivers/cpufreq/spear-cpufreq.c
@@ -182,7 +182,7 @@ static int spear_cpufreq_probe(struct pl
if (of_property_read_u32(np, "clock-latency",
&spear_cpufreq.transition_latency))
- spear_cpufreq.transition_latency = CPUFREQ_ETERNAL;
+ spear_cpufreq.transition_latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
cnt = of_property_count_u32_elems(np, "cpufreq_tbl");
if (cnt <= 0) {
--- a/include/linux/cpufreq.h
+++ b/include/linux/cpufreq.h
@@ -32,6 +32,9 @@
*/
#define CPUFREQ_ETERNAL (-1)
+
+#define CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS NSEC_PER_MSEC
+
#define CPUFREQ_NAME_LEN 16
/* Print length for names. Extra 1 space for accommodating '\n' in prints */
#define CPUFREQ_NAME_PLEN (CPUFREQ_NAME_LEN + 1)
--- a/rust/kernel/cpufreq.rs
+++ b/rust/kernel/cpufreq.rs
@@ -39,7 +39,8 @@ use macros::vtable;
const CPUFREQ_NAME_LEN: usize = bindings::CPUFREQ_NAME_LEN as usize;
/// Default transition latency value in nanoseconds.
-pub const ETERNAL_LATENCY_NS: u32 = bindings::CPUFREQ_ETERNAL as u32;
+pub const DEFAULT_TRANSITION_LATENCY_NS: u32 =
+ bindings::CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS;
/// CPU frequency driver flags.
pub mod flags {
@@ -400,13 +401,13 @@ impl TableBuilder {
/// The following example demonstrates how to create a CPU frequency table.
///
/// ```
-/// use kernel::cpufreq::{ETERNAL_LATENCY_NS, Policy};
+/// use kernel::cpufreq::{DEFAULT_TRANSITION_LATENCY_NS, Policy};
///
/// fn update_policy(policy: &mut Policy) {
/// policy
/// .set_dvfs_possible_from_any_cpu(true)
/// .set_fast_switch_possible(true)
-/// .set_transition_latency_ns(ETERNAL_LATENCY_NS);
+/// .set_transition_latency_ns(DEFAULT_TRANSITION_LATENCY_NS);
///
/// pr_info!("The policy details are: {:?}\n", (policy.cpu(), policy.cur()));
/// }
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 014/371] nfsd: unregister with rpcbind when deleting a transport
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 013/371] cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 015/371] KVM: x86: Add helper to retrieve current value of user return MSR Greg Kroah-Hartman
` (369 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Olga Kornievskaia,
Jeff Layton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <okorniev@redhat.com>
commit 898374fdd7f06fa4c4a66e8be3135efeae6128d5 upstream.
When a listener is added, a part of creation of transport also registers
program/port with rpcbind. However, when the listener is removed,
while transport goes away, rpcbind still has the entry for that
port/type.
When deleting the transport, unregister with rpcbind when appropriate.
---v2 created a new xpt_flag XPT_RPCB_UNREG to mark TCP and UDP
transport and at xprt destroy send rpcbind unregister if flag set.
Suggested-by: Chuck Lever <chuck.lever@oracle.com>
Fixes: d093c9089260 ("nfsd: fix management of listener transports")
Cc: stable@vger.kernel.org
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/sunrpc/svc_xprt.h | 3 +++
net/sunrpc/svc_xprt.c | 13 +++++++++++++
net/sunrpc/svcsock.c | 2 ++
3 files changed, 18 insertions(+)
--- a/include/linux/sunrpc/svc_xprt.h
+++ b/include/linux/sunrpc/svc_xprt.h
@@ -104,6 +104,9 @@ enum {
* it has access to. It is NOT counted
* in ->sv_tmpcnt.
*/
+ XPT_RPCB_UNREG, /* transport that needs unregistering
+ * with rpcbind (TCP, UDP) on destroy
+ */
};
/*
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -1014,6 +1014,19 @@ static void svc_delete_xprt(struct svc_x
struct svc_serv *serv = xprt->xpt_server;
struct svc_deferred_req *dr;
+ /* unregister with rpcbind for when transport type is TCP or UDP.
+ */
+ if (test_bit(XPT_RPCB_UNREG, &xprt->xpt_flags)) {
+ struct svc_sock *svsk = container_of(xprt, struct svc_sock,
+ sk_xprt);
+ struct socket *sock = svsk->sk_sock;
+
+ if (svc_register(serv, xprt->xpt_net, sock->sk->sk_family,
+ sock->sk->sk_protocol, 0) < 0)
+ pr_warn("failed to unregister %s with rpcbind\n",
+ xprt->xpt_class->xcl_name);
+ }
+
if (test_and_set_bit(XPT_DEAD, &xprt->xpt_flags))
return;
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -836,6 +836,7 @@ static void svc_udp_init(struct svc_sock
/* data might have come in before data_ready set up */
set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
set_bit(XPT_CHNGBUF, &svsk->sk_xprt.xpt_flags);
+ set_bit(XPT_RPCB_UNREG, &svsk->sk_xprt.xpt_flags);
/* make sure we get destination address info */
switch (svsk->sk_sk->sk_family) {
@@ -1355,6 +1356,7 @@ static void svc_tcp_init(struct svc_sock
if (sk->sk_state == TCP_LISTEN) {
strcpy(svsk->sk_xprt.xpt_remotebuf, "listener");
set_bit(XPT_LISTENER, &svsk->sk_xprt.xpt_flags);
+ set_bit(XPT_RPCB_UNREG, &svsk->sk_xprt.xpt_flags);
sk->sk_data_ready = svc_tcp_listen_data_ready;
set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
} else {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 015/371] KVM: x86: Add helper to retrieve current value of user return MSR
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 014/371] nfsd: unregister with rpcbind when deleting a transport Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 016/371] KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2 Greg Kroah-Hartman
` (368 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hou Wenlong, Xiaoyao Li,
Sean Christopherson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Wenlong <houwenlong.hwl@antgroup.com>
commit 9bc366350734246301b090802fc71f9924daad39 upstream.
In the user return MSR support, the cached value is always the hardware
value of the specific MSR. Therefore, add a helper to retrieve the
cached value, which can replace the need for RDMSR, for example, to
allow SEV-ES guests to restore the correct host hardware value without
using RDMSR.
Cc: stable@vger.kernel.org
Signed-off-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
[sean: drop "cache" from the name, make it a one-liner, tag for stable]
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250923153738.1875174-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kvm/x86.c | 6 ++++++
2 files changed, 7 insertions(+)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2356,6 +2356,7 @@ int kvm_add_user_return_msr(u32 msr);
int kvm_find_user_return_msr(u32 msr);
int kvm_set_user_return_msr(unsigned index, u64 val, u64 mask);
void kvm_user_return_msr_update_cache(unsigned int index, u64 val);
+u64 kvm_get_user_return_msr(unsigned int slot);
static inline bool kvm_is_supported_user_return_msr(u32 msr)
{
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -677,6 +677,12 @@ void kvm_user_return_msr_update_cache(un
}
EXPORT_SYMBOL_GPL(kvm_user_return_msr_update_cache);
+u64 kvm_get_user_return_msr(unsigned int slot)
+{
+ return this_cpu_ptr(user_return_msrs)->values[slot].curr;
+}
+EXPORT_SYMBOL_GPL(kvm_get_user_return_msr);
+
static void drop_user_return_notifiers(void)
{
struct kvm_user_return_msrs *msrs = this_cpu_ptr(user_return_msrs);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 016/371] KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 015/371] KVM: x86: Add helper to retrieve current value of user return MSR Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 017/371] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
` (367 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sandipan Das, Sean Christopherson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 68e61f6fd65610e73b17882f86fedfd784d99229 upstream.
Emulate PERF_CNTR_GLOBAL_STATUS_SET when PerfMonV2 is enumerated to the
guest, as the MSR is supposed to exist in all AMD v2 PMUs.
Fixes: 4a2771895ca6 ("KVM: x86/svm/pmu: Add AMD PerfMonV2 support")
Cc: stable@vger.kernel.org
Cc: Sandipan Das <sandipan.das@amd.com>
Link: https://lore.kernel.org/r/20250711172746.1579423-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/msr-index.h | 1 +
arch/x86/kvm/pmu.c | 5 +++++
arch/x86/kvm/svm/pmu.c | 1 +
arch/x86/kvm/x86.c | 2 ++
4 files changed, 9 insertions(+)
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -733,6 +733,7 @@
#define MSR_AMD64_PERF_CNTR_GLOBAL_STATUS 0xc0000300
#define MSR_AMD64_PERF_CNTR_GLOBAL_CTL 0xc0000301
#define MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR 0xc0000302
+#define MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_SET 0xc0000303
/* AMD Hardware Feedback Support MSRs */
#define MSR_AMD_WORKLOAD_CLASS_CONFIG 0xc0000500
--- a/arch/x86/kvm/pmu.c
+++ b/arch/x86/kvm/pmu.c
@@ -650,6 +650,7 @@ int kvm_pmu_get_msr(struct kvm_vcpu *vcp
msr_info->data = pmu->global_ctrl;
break;
case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR:
+ case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_SET:
case MSR_CORE_PERF_GLOBAL_OVF_CTRL:
msr_info->data = 0;
break;
@@ -711,6 +712,10 @@ int kvm_pmu_set_msr(struct kvm_vcpu *vcp
if (!msr_info->host_initiated)
pmu->global_status &= ~data;
break;
+ case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_SET:
+ if (!msr_info->host_initiated)
+ pmu->global_status |= data & ~pmu->global_status_rsvd;
+ break;
default:
kvm_pmu_mark_pmc_in_use(vcpu, msr_info->index);
return kvm_pmu_call(set_msr)(vcpu, msr_info);
--- a/arch/x86/kvm/svm/pmu.c
+++ b/arch/x86/kvm/svm/pmu.c
@@ -113,6 +113,7 @@ static bool amd_is_valid_msr(struct kvm_
case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS:
case MSR_AMD64_PERF_CNTR_GLOBAL_CTL:
case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR:
+ case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_SET:
return pmu->version > 1;
default:
if (msr > MSR_F15H_PERF_CTR5 &&
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -367,6 +367,7 @@ static const u32 msrs_to_save_pmu[] = {
MSR_AMD64_PERF_CNTR_GLOBAL_CTL,
MSR_AMD64_PERF_CNTR_GLOBAL_STATUS,
MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR,
+ MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_SET,
};
static u32 msrs_to_save[ARRAY_SIZE(msrs_to_save_base) +
@@ -7359,6 +7360,7 @@ static void kvm_probe_msr_to_save(u32 ms
case MSR_AMD64_PERF_CNTR_GLOBAL_CTL:
case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS:
case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR:
+ case MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_SET:
if (!kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2))
return;
break;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 017/371] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 016/371] KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2 Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 018/371] media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() Greg Kroah-Hartman
` (366 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Hennerich, Nuno Sá,
Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Hennerich <michael.hennerich@analog.com>
commit 1d8fdabe19267338f29b58f968499e5b55e6a3b6 upstream.
The clk div bits (2 bits wide) do not start in bit 16 but in bit 15. Fix it
accordingly.
Fixes: e31166f0fd48 ("iio: frequency: New driver for Analog Devices ADF4350/ADF4351 Wideband Synthesizers")
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250829-adf4350-fix-v2-2-0bf543ba797d@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/iio/frequency/adf4350.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/iio/frequency/adf4350.h
+++ b/include/linux/iio/frequency/adf4350.h
@@ -51,7 +51,7 @@
/* REG3 Bit Definitions */
#define ADF4350_REG3_12BIT_CLKDIV(x) ((x) << 3)
-#define ADF4350_REG3_12BIT_CLKDIV_MODE(x) ((x) << 16)
+#define ADF4350_REG3_12BIT_CLKDIV_MODE(x) ((x) << 15)
#define ADF4350_REG3_12BIT_CSR_EN (1 << 18)
#define ADF4351_REG3_CHARGE_CANCELLATION_EN (1 << 21)
#define ADF4351_REG3_ANTI_BACKLASH_3ns_EN (1 << 22)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 018/371] media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 017/371] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 019/371] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled Greg Kroah-Hartman
` (365 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Dan Carpenter,
Sakari Ailus, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e upstream.
v4l2_subdev_call_state_try() macro allocates a subdev state with
__v4l2_subdev_state_alloc(), but does not check the returned value. If
__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would
cause v4l2_subdev_call_state_try() to crash.
Add proper error handling to v4l2_subdev_call_state_try().
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Fixes: 982c0487185b ("media: subdev: Add v4l2_subdev_call_state_try() macro")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aJTNtpDUbTz7eyJc%40stanley.mountain/
Cc: stable@vger.kernel.org
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/media/v4l2-subdev.h | 30 +++++++++++++++++-------------
1 file changed, 17 insertions(+), 13 deletions(-)
--- a/include/media/v4l2-subdev.h
+++ b/include/media/v4l2-subdev.h
@@ -1962,19 +1962,23 @@ extern const struct v4l2_subdev_ops v4l2
*
* Note: only legacy non-MC drivers may need this macro.
*/
-#define v4l2_subdev_call_state_try(sd, o, f, args...) \
- ({ \
- int __result; \
- static struct lock_class_key __key; \
- const char *name = KBUILD_BASENAME \
- ":" __stringify(__LINE__) ":state->lock"; \
- struct v4l2_subdev_state *state = \
- __v4l2_subdev_state_alloc(sd, name, &__key); \
- v4l2_subdev_lock_state(state); \
- __result = v4l2_subdev_call(sd, o, f, state, ##args); \
- v4l2_subdev_unlock_state(state); \
- __v4l2_subdev_state_free(state); \
- __result; \
+#define v4l2_subdev_call_state_try(sd, o, f, args...) \
+ ({ \
+ int __result; \
+ static struct lock_class_key __key; \
+ const char *name = KBUILD_BASENAME \
+ ":" __stringify(__LINE__) ":state->lock"; \
+ struct v4l2_subdev_state *state = \
+ __v4l2_subdev_state_alloc(sd, name, &__key); \
+ if (IS_ERR(state)) { \
+ __result = PTR_ERR(state); \
+ } else { \
+ v4l2_subdev_lock_state(state); \
+ __result = v4l2_subdev_call(sd, o, f, state, ##args); \
+ v4l2_subdev_unlock_state(state); \
+ __v4l2_subdev_state_free(state); \
+ } \
+ __result; \
})
/**
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 019/371] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 018/371] media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 020/371] clk: npcm: select CONFIG_AUXILIARY_BUS Greg Kroah-Hartman
` (364 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Varad Gautam, Arnd Bergmann
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Varad Gautam <varadgautam@google.com>
commit 8327bd4fcb6c1dab01ce5c6ff00b42496836dcd2 upstream.
With `CONFIG_TRACE_MMIO_ACCESS=y`, the `{read,write}{b,w,l,q}{_relaxed}()`
mmio accessors unconditionally call `log_{post_}{read,write}_mmio()`
helpers, which in turn call the ftrace ops for `rwmmio` trace events
This adds a performance penalty per mmio accessor call, even when
`rwmmio` events are disabled at runtime (~80% overhead on local
measurement).
Guard these with `tracepoint_enabled()`.
Signed-off-by: Varad Gautam <varadgautam@google.com>
Fixes: 210031971cdd ("asm-generic/io: Add logging support for MMIO accessors")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/asm-generic/io.h | 98 +++++++++++++++++++++++++++++++----------------
1 file changed, 66 insertions(+), 32 deletions(-)
--- a/include/asm-generic/io.h
+++ b/include/asm-generic/io.h
@@ -75,6 +75,7 @@
#if IS_ENABLED(CONFIG_TRACE_MMIO_ACCESS) && !(defined(__DISABLE_TRACE_MMIO__))
#include <linux/tracepoint-defs.h>
+#define rwmmio_tracepoint_enabled(tracepoint) tracepoint_enabled(tracepoint)
DECLARE_TRACEPOINT(rwmmio_write);
DECLARE_TRACEPOINT(rwmmio_post_write);
DECLARE_TRACEPOINT(rwmmio_read);
@@ -91,6 +92,7 @@ void log_post_read_mmio(u64 val, u8 widt
#else
+#define rwmmio_tracepoint_enabled(tracepoint) false
static inline void log_write_mmio(u64 val, u8 width, volatile void __iomem *addr,
unsigned long caller_addr, unsigned long caller_addr0) {}
static inline void log_post_write_mmio(u64 val, u8 width, volatile void __iomem *addr,
@@ -189,11 +191,13 @@ static inline u8 readb(const volatile vo
{
u8 val;
- log_read_mmio(8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(8, addr, _THIS_IP_, _RET_IP_);
__io_br();
val = __raw_readb(addr);
__io_ar(val);
- log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -204,11 +208,13 @@ static inline u16 readw(const volatile v
{
u16 val;
- log_read_mmio(16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(16, addr, _THIS_IP_, _RET_IP_);
__io_br();
val = __le16_to_cpu((__le16 __force)__raw_readw(addr));
__io_ar(val);
- log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -219,11 +225,13 @@ static inline u32 readl(const volatile v
{
u32 val;
- log_read_mmio(32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(32, addr, _THIS_IP_, _RET_IP_);
__io_br();
val = __le32_to_cpu((__le32 __force)__raw_readl(addr));
__io_ar(val);
- log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -235,11 +243,13 @@ static inline u64 readq(const volatile v
{
u64 val;
- log_read_mmio(64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(64, addr, _THIS_IP_, _RET_IP_);
__io_br();
val = __le64_to_cpu((__le64 __force)__raw_readq(addr));
__io_ar(val);
- log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -249,11 +259,13 @@ static inline u64 readq(const volatile v
#define writeb writeb
static inline void writeb(u8 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
__io_bw();
__raw_writeb(value, addr);
__io_aw();
- log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
}
#endif
@@ -261,11 +273,13 @@ static inline void writeb(u8 value, vola
#define writew writew
static inline void writew(u16 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
__io_bw();
__raw_writew((u16 __force)cpu_to_le16(value), addr);
__io_aw();
- log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
}
#endif
@@ -273,11 +287,13 @@ static inline void writew(u16 value, vol
#define writel writel
static inline void writel(u32 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
__io_bw();
__raw_writel((u32 __force)__cpu_to_le32(value), addr);
__io_aw();
- log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
}
#endif
@@ -286,11 +302,13 @@ static inline void writel(u32 value, vol
#define writeq writeq
static inline void writeq(u64 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
__io_bw();
__raw_writeq((u64 __force)__cpu_to_le64(value), addr);
__io_aw();
- log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
}
#endif
#endif /* CONFIG_64BIT */
@@ -306,9 +324,11 @@ static inline u8 readb_relaxed(const vol
{
u8 val;
- log_read_mmio(8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(8, addr, _THIS_IP_, _RET_IP_);
val = __raw_readb(addr);
- log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -319,9 +339,11 @@ static inline u16 readw_relaxed(const vo
{
u16 val;
- log_read_mmio(16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(16, addr, _THIS_IP_, _RET_IP_);
val = __le16_to_cpu((__le16 __force)__raw_readw(addr));
- log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -332,9 +354,11 @@ static inline u32 readl_relaxed(const vo
{
u32 val;
- log_read_mmio(32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(32, addr, _THIS_IP_, _RET_IP_);
val = __le32_to_cpu((__le32 __force)__raw_readl(addr));
- log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -345,9 +369,11 @@ static inline u64 readq_relaxed(const vo
{
u64 val;
- log_read_mmio(64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_read))
+ log_read_mmio(64, addr, _THIS_IP_, _RET_IP_);
val = __le64_to_cpu((__le64 __force)__raw_readq(addr));
- log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_read))
+ log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_);
return val;
}
#endif
@@ -356,9 +382,11 @@ static inline u64 readq_relaxed(const vo
#define writeb_relaxed writeb_relaxed
static inline void writeb_relaxed(u8 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
__raw_writeb(value, addr);
- log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_);
}
#endif
@@ -366,9 +394,11 @@ static inline void writeb_relaxed(u8 val
#define writew_relaxed writew_relaxed
static inline void writew_relaxed(u16 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
__raw_writew((u16 __force)cpu_to_le16(value), addr);
- log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_);
}
#endif
@@ -376,9 +406,11 @@ static inline void writew_relaxed(u16 va
#define writel_relaxed writel_relaxed
static inline void writel_relaxed(u32 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
__raw_writel((u32 __force)__cpu_to_le32(value), addr);
- log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_);
}
#endif
@@ -386,9 +418,11 @@ static inline void writel_relaxed(u32 va
#define writeq_relaxed writeq_relaxed
static inline void writeq_relaxed(u64 value, volatile void __iomem *addr)
{
- log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_write))
+ log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
__raw_writeq((u64 __force)__cpu_to_le64(value), addr);
- log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
+ if (rwmmio_tracepoint_enabled(rwmmio_post_write))
+ log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_);
}
#endif
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 020/371] clk: npcm: select CONFIG_AUXILIARY_BUS
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 019/371] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 021/371] clk: thead: th1520-ap: describe gate clocks with clk_gate Greg Kroah-Hartman
` (363 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Stephen Boyd,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit c123519bffd29e6320d3a8c4977f9e5a86d6b83d ]
There are very rare randconfig builds that turn on this driver but
don't already select CONFIG_AUXILIARY_BUS from another driver, and
this results in a build failure:
arm-linux-gnueabi-ld: drivers/clk/clk-npcm8xx.o: in function `npcm8xx_clock_driver_init':
clk-npcm8xx.c:(.init.text+0x18): undefined reference to `__auxiliary_driver_register'
Select the bus here, as all other clk drivers using it do.
Fixes: e0b255df027e ("clk: npcm8xx: add clock controller")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20250807072241.4190376-1-arnd@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/Kconfig b/drivers/clk/Kconfig
index 4d56475f94fc1..b1425aed65938 100644
--- a/drivers/clk/Kconfig
+++ b/drivers/clk/Kconfig
@@ -364,6 +364,7 @@ config COMMON_CLK_LOCHNAGAR
config COMMON_CLK_NPCM8XX
tristate "Clock driver for the NPCM8XX SoC Family"
depends on ARCH_NPCM || COMPILE_TEST
+ select AUXILIARY_BUS
help
This driver supports the clocks on the Nuvoton BMC NPCM8XX SoC Family,
all the clocks are initialized by the bootloader, so this driver
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 021/371] clk: thead: th1520-ap: describe gate clocks with clk_gate
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 020/371] clk: npcm: select CONFIG_AUXILIARY_BUS Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 022/371] clk: thead: th1520-ap: fix parent of padctrl0 clock Greg Kroah-Hartman
` (362 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Drew Fustini,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit aaa75cbd5d4f63e4edf8b74118d367361dcf92f7 ]
Similar to previous situation of mux clocks, the gate clocks of
clk-th1520-ap drivers are also using a helper that creates a temporary
struct clk_hw and abandons the struct clk_hw in struct ccu_common, which
prevents clock gates to be clock parents.
Do the similar refactor of dropping struct ccu_common and directly use
struct clk_gate here.
This patch mimics the refactor done on struct ccu_mux in 54edba916e29
("clk: thead: th1520-ap: Describe mux clocks with clk_mux").
Fixes: ae81b69fd2b1 ("clk: thead: Add support for T-Head TH1520 AP_SUBSYS clocks")
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Reviewed-by: Drew Fustini <fustini@kernel.org>
Signed-off-by: Drew Fustini <fustini@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/thead/clk-th1520-ap.c | 382 +++++++++++++++---------------
1 file changed, 185 insertions(+), 197 deletions(-)
diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c
index cf1bba58f641e..4dbd1df9a86d4 100644
--- a/drivers/clk/thead/clk-th1520-ap.c
+++ b/drivers/clk/thead/clk-th1520-ap.c
@@ -48,8 +48,9 @@ struct ccu_mux {
};
struct ccu_gate {
- u32 enable;
- struct ccu_common common;
+ int clkid;
+ u32 reg;
+ struct clk_gate gate;
};
struct ccu_div {
@@ -87,12 +88,12 @@ struct ccu_pll {
0), \
}
-#define CCU_GATE(_clkid, _struct, _name, _parent, _reg, _gate, _flags) \
+#define CCU_GATE(_clkid, _struct, _name, _parent, _reg, _bit, _flags) \
struct ccu_gate _struct = { \
- .enable = _gate, \
- .common = { \
- .clkid = _clkid, \
- .cfg0 = _reg, \
+ .clkid = _clkid, \
+ .reg = _reg, \
+ .gate = { \
+ .bit_idx = _bit, \
.hw.init = CLK_HW_INIT_PARENTS_DATA( \
_name, \
_parent, \
@@ -120,13 +121,6 @@ static inline struct ccu_div *hw_to_ccu_div(struct clk_hw *hw)
return container_of(common, struct ccu_div, common);
}
-static inline struct ccu_gate *hw_to_ccu_gate(struct clk_hw *hw)
-{
- struct ccu_common *common = hw_to_ccu_common(hw);
-
- return container_of(common, struct ccu_gate, common);
-}
-
static u8 ccu_get_parent_helper(struct ccu_common *common,
struct ccu_internal *mux)
{
@@ -786,128 +780,128 @@ static const struct clk_parent_data emmc_sdio_ref_clk_pd[] = {
{ .hw = &emmc_sdio_ref_clk.hw },
};
-static CCU_GATE(CLK_BROM, brom_clk, "brom", ahb2_cpusys_hclk_pd, 0x100, BIT(4), 0);
-static CCU_GATE(CLK_BMU, bmu_clk, "bmu", axi4_cpusys2_aclk_pd, 0x100, BIT(5), 0);
+static CCU_GATE(CLK_BROM, brom_clk, "brom", ahb2_cpusys_hclk_pd, 0x100, 4, 0);
+static CCU_GATE(CLK_BMU, bmu_clk, "bmu", axi4_cpusys2_aclk_pd, 0x100, 5, 0);
static CCU_GATE(CLK_AON2CPU_A2X, aon2cpu_a2x_clk, "aon2cpu-a2x", axi4_cpusys2_aclk_pd,
- 0x134, BIT(8), 0);
+ 0x134, 8, 0);
static CCU_GATE(CLK_X2X_CPUSYS, x2x_cpusys_clk, "x2x-cpusys", axi4_cpusys2_aclk_pd,
- 0x134, BIT(7), 0);
+ 0x134, 7, 0);
static CCU_GATE(CLK_CPU2AON_X2H, cpu2aon_x2h_clk, "cpu2aon-x2h", axi_aclk_pd,
- 0x138, BIT(8), CLK_IGNORE_UNUSED);
+ 0x138, 8, CLK_IGNORE_UNUSED);
static CCU_GATE(CLK_CPU2PERI_X2H, cpu2peri_x2h_clk, "cpu2peri-x2h", axi4_cpusys2_aclk_pd,
- 0x140, BIT(9), CLK_IGNORE_UNUSED);
+ 0x140, 9, CLK_IGNORE_UNUSED);
static CCU_GATE(CLK_PERISYS_APB1_HCLK, perisys_apb1_hclk, "perisys-apb1-hclk", perisys_ahb_hclk_pd,
- 0x150, BIT(9), CLK_IGNORE_UNUSED);
+ 0x150, 9, CLK_IGNORE_UNUSED);
static CCU_GATE(CLK_PERISYS_APB2_HCLK, perisys_apb2_hclk, "perisys-apb2-hclk", perisys_ahb_hclk_pd,
- 0x150, BIT(10), CLK_IGNORE_UNUSED);
+ 0x150, 10, CLK_IGNORE_UNUSED);
static CCU_GATE(CLK_PERISYS_APB3_HCLK, perisys_apb3_hclk, "perisys-apb3-hclk", perisys_ahb_hclk_pd,
- 0x150, BIT(11), CLK_IGNORE_UNUSED);
+ 0x150, 11, CLK_IGNORE_UNUSED);
static CCU_GATE(CLK_PERISYS_APB4_HCLK, perisys_apb4_hclk, "perisys-apb4-hclk", perisys_ahb_hclk_pd,
- 0x150, BIT(12), 0);
-static CCU_GATE(CLK_NPU_AXI, npu_axi_clk, "npu-axi", axi_aclk_pd, 0x1c8, BIT(5), 0);
-static CCU_GATE(CLK_CPU2VP, cpu2vp_clk, "cpu2vp", axi_aclk_pd, 0x1e0, BIT(13), 0);
-static CCU_GATE(CLK_EMMC_SDIO, emmc_sdio_clk, "emmc-sdio", emmc_sdio_ref_clk_pd, 0x204, BIT(30), 0);
-static CCU_GATE(CLK_GMAC1, gmac1_clk, "gmac1", gmac_pll_clk_pd, 0x204, BIT(26), 0);
-static CCU_GATE(CLK_PADCTRL1, padctrl1_clk, "padctrl1", perisys_apb_pclk_pd, 0x204, BIT(24), 0);
-static CCU_GATE(CLK_DSMART, dsmart_clk, "dsmart", perisys_apb_pclk_pd, 0x204, BIT(23), 0);
-static CCU_GATE(CLK_PADCTRL0, padctrl0_clk, "padctrl0", perisys_apb_pclk_pd, 0x204, BIT(22), 0);
-static CCU_GATE(CLK_GMAC_AXI, gmac_axi_clk, "gmac-axi", axi4_cpusys2_aclk_pd, 0x204, BIT(21), 0);
-static CCU_GATE(CLK_GPIO3, gpio3_clk, "gpio3-clk", peri2sys_apb_pclk_pd, 0x204, BIT(20), 0);
-static CCU_GATE(CLK_GMAC0, gmac0_clk, "gmac0", gmac_pll_clk_pd, 0x204, BIT(19), 0);
-static CCU_GATE(CLK_PWM, pwm_clk, "pwm", perisys_apb_pclk_pd, 0x204, BIT(18), 0);
-static CCU_GATE(CLK_QSPI0, qspi0_clk, "qspi0", video_pll_clk_pd, 0x204, BIT(17), 0);
-static CCU_GATE(CLK_QSPI1, qspi1_clk, "qspi1", video_pll_clk_pd, 0x204, BIT(16), 0);
-static CCU_GATE(CLK_SPI, spi_clk, "spi", video_pll_clk_pd, 0x204, BIT(15), 0);
-static CCU_GATE(CLK_UART0_PCLK, uart0_pclk, "uart0-pclk", perisys_apb_pclk_pd, 0x204, BIT(14), 0);
-static CCU_GATE(CLK_UART1_PCLK, uart1_pclk, "uart1-pclk", perisys_apb_pclk_pd, 0x204, BIT(13), 0);
-static CCU_GATE(CLK_UART2_PCLK, uart2_pclk, "uart2-pclk", perisys_apb_pclk_pd, 0x204, BIT(12), 0);
-static CCU_GATE(CLK_UART3_PCLK, uart3_pclk, "uart3-pclk", perisys_apb_pclk_pd, 0x204, BIT(11), 0);
-static CCU_GATE(CLK_UART4_PCLK, uart4_pclk, "uart4-pclk", perisys_apb_pclk_pd, 0x204, BIT(10), 0);
-static CCU_GATE(CLK_UART5_PCLK, uart5_pclk, "uart5-pclk", perisys_apb_pclk_pd, 0x204, BIT(9), 0);
-static CCU_GATE(CLK_GPIO0, gpio0_clk, "gpio0-clk", perisys_apb_pclk_pd, 0x204, BIT(8), 0);
-static CCU_GATE(CLK_GPIO1, gpio1_clk, "gpio1-clk", perisys_apb_pclk_pd, 0x204, BIT(7), 0);
-static CCU_GATE(CLK_GPIO2, gpio2_clk, "gpio2-clk", peri2sys_apb_pclk_pd, 0x204, BIT(6), 0);
-static CCU_GATE(CLK_I2C0, i2c0_clk, "i2c0", perisys_apb_pclk_pd, 0x204, BIT(5), 0);
-static CCU_GATE(CLK_I2C1, i2c1_clk, "i2c1", perisys_apb_pclk_pd, 0x204, BIT(4), 0);
-static CCU_GATE(CLK_I2C2, i2c2_clk, "i2c2", perisys_apb_pclk_pd, 0x204, BIT(3), 0);
-static CCU_GATE(CLK_I2C3, i2c3_clk, "i2c3", perisys_apb_pclk_pd, 0x204, BIT(2), 0);
-static CCU_GATE(CLK_I2C4, i2c4_clk, "i2c4", perisys_apb_pclk_pd, 0x204, BIT(1), 0);
-static CCU_GATE(CLK_I2C5, i2c5_clk, "i2c5", perisys_apb_pclk_pd, 0x204, BIT(0), 0);
-static CCU_GATE(CLK_SPINLOCK, spinlock_clk, "spinlock", ahb2_cpusys_hclk_pd, 0x208, BIT(10), 0);
-static CCU_GATE(CLK_DMA, dma_clk, "dma", axi4_cpusys2_aclk_pd, 0x208, BIT(8), 0);
-static CCU_GATE(CLK_MBOX0, mbox0_clk, "mbox0", apb3_cpusys_pclk_pd, 0x208, BIT(7), 0);
-static CCU_GATE(CLK_MBOX1, mbox1_clk, "mbox1", apb3_cpusys_pclk_pd, 0x208, BIT(6), 0);
-static CCU_GATE(CLK_MBOX2, mbox2_clk, "mbox2", apb3_cpusys_pclk_pd, 0x208, BIT(5), 0);
-static CCU_GATE(CLK_MBOX3, mbox3_clk, "mbox3", apb3_cpusys_pclk_pd, 0x208, BIT(4), 0);
-static CCU_GATE(CLK_WDT0, wdt0_clk, "wdt0", apb3_cpusys_pclk_pd, 0x208, BIT(3), 0);
-static CCU_GATE(CLK_WDT1, wdt1_clk, "wdt1", apb3_cpusys_pclk_pd, 0x208, BIT(2), 0);
-static CCU_GATE(CLK_TIMER0, timer0_clk, "timer0", apb3_cpusys_pclk_pd, 0x208, BIT(1), 0);
-static CCU_GATE(CLK_TIMER1, timer1_clk, "timer1", apb3_cpusys_pclk_pd, 0x208, BIT(0), 0);
-static CCU_GATE(CLK_SRAM0, sram0_clk, "sram0", axi_aclk_pd, 0x20c, BIT(4), 0);
-static CCU_GATE(CLK_SRAM1, sram1_clk, "sram1", axi_aclk_pd, 0x20c, BIT(3), 0);
-static CCU_GATE(CLK_SRAM2, sram2_clk, "sram2", axi_aclk_pd, 0x20c, BIT(2), 0);
-static CCU_GATE(CLK_SRAM3, sram3_clk, "sram3", axi_aclk_pd, 0x20c, BIT(1), 0);
+ 0x150, 12, 0);
+static CCU_GATE(CLK_NPU_AXI, npu_axi_clk, "npu-axi", axi_aclk_pd, 0x1c8, 5, 0);
+static CCU_GATE(CLK_CPU2VP, cpu2vp_clk, "cpu2vp", axi_aclk_pd, 0x1e0, 13, 0);
+static CCU_GATE(CLK_EMMC_SDIO, emmc_sdio_clk, "emmc-sdio", emmc_sdio_ref_clk_pd, 0x204, 30, 0);
+static CCU_GATE(CLK_GMAC1, gmac1_clk, "gmac1", gmac_pll_clk_pd, 0x204, 26, 0);
+static CCU_GATE(CLK_PADCTRL1, padctrl1_clk, "padctrl1", perisys_apb_pclk_pd, 0x204, 24, 0);
+static CCU_GATE(CLK_DSMART, dsmart_clk, "dsmart", perisys_apb_pclk_pd, 0x204, 23, 0);
+static CCU_GATE(CLK_PADCTRL0, padctrl0_clk, "padctrl0", perisys_apb_pclk_pd, 0x204, 22, 0);
+static CCU_GATE(CLK_GMAC_AXI, gmac_axi_clk, "gmac-axi", axi4_cpusys2_aclk_pd, 0x204, 21, 0);
+static CCU_GATE(CLK_GPIO3, gpio3_clk, "gpio3-clk", peri2sys_apb_pclk_pd, 0x204, 20, 0);
+static CCU_GATE(CLK_GMAC0, gmac0_clk, "gmac0", gmac_pll_clk_pd, 0x204, 19, 0);
+static CCU_GATE(CLK_PWM, pwm_clk, "pwm", perisys_apb_pclk_pd, 0x204, 18, 0);
+static CCU_GATE(CLK_QSPI0, qspi0_clk, "qspi0", video_pll_clk_pd, 0x204, 17, 0);
+static CCU_GATE(CLK_QSPI1, qspi1_clk, "qspi1", video_pll_clk_pd, 0x204, 16, 0);
+static CCU_GATE(CLK_SPI, spi_clk, "spi", video_pll_clk_pd, 0x204, 15, 0);
+static CCU_GATE(CLK_UART0_PCLK, uart0_pclk, "uart0-pclk", perisys_apb_pclk_pd, 0x204, 14, 0);
+static CCU_GATE(CLK_UART1_PCLK, uart1_pclk, "uart1-pclk", perisys_apb_pclk_pd, 0x204, 13, 0);
+static CCU_GATE(CLK_UART2_PCLK, uart2_pclk, "uart2-pclk", perisys_apb_pclk_pd, 0x204, 12, 0);
+static CCU_GATE(CLK_UART3_PCLK, uart3_pclk, "uart3-pclk", perisys_apb_pclk_pd, 0x204, 11, 0);
+static CCU_GATE(CLK_UART4_PCLK, uart4_pclk, "uart4-pclk", perisys_apb_pclk_pd, 0x204, 10, 0);
+static CCU_GATE(CLK_UART5_PCLK, uart5_pclk, "uart5-pclk", perisys_apb_pclk_pd, 0x204, 9, 0);
+static CCU_GATE(CLK_GPIO0, gpio0_clk, "gpio0-clk", perisys_apb_pclk_pd, 0x204, 8, 0);
+static CCU_GATE(CLK_GPIO1, gpio1_clk, "gpio1-clk", perisys_apb_pclk_pd, 0x204, 7, 0);
+static CCU_GATE(CLK_GPIO2, gpio2_clk, "gpio2-clk", peri2sys_apb_pclk_pd, 0x204, 6, 0);
+static CCU_GATE(CLK_I2C0, i2c0_clk, "i2c0", perisys_apb_pclk_pd, 0x204, 5, 0);
+static CCU_GATE(CLK_I2C1, i2c1_clk, "i2c1", perisys_apb_pclk_pd, 0x204, 4, 0);
+static CCU_GATE(CLK_I2C2, i2c2_clk, "i2c2", perisys_apb_pclk_pd, 0x204, 3, 0);
+static CCU_GATE(CLK_I2C3, i2c3_clk, "i2c3", perisys_apb_pclk_pd, 0x204, 2, 0);
+static CCU_GATE(CLK_I2C4, i2c4_clk, "i2c4", perisys_apb_pclk_pd, 0x204, 1, 0);
+static CCU_GATE(CLK_I2C5, i2c5_clk, "i2c5", perisys_apb_pclk_pd, 0x204, 0, 0);
+static CCU_GATE(CLK_SPINLOCK, spinlock_clk, "spinlock", ahb2_cpusys_hclk_pd, 0x208, 10, 0);
+static CCU_GATE(CLK_DMA, dma_clk, "dma", axi4_cpusys2_aclk_pd, 0x208, 8, 0);
+static CCU_GATE(CLK_MBOX0, mbox0_clk, "mbox0", apb3_cpusys_pclk_pd, 0x208, 7, 0);
+static CCU_GATE(CLK_MBOX1, mbox1_clk, "mbox1", apb3_cpusys_pclk_pd, 0x208, 6, 0);
+static CCU_GATE(CLK_MBOX2, mbox2_clk, "mbox2", apb3_cpusys_pclk_pd, 0x208, 5, 0);
+static CCU_GATE(CLK_MBOX3, mbox3_clk, "mbox3", apb3_cpusys_pclk_pd, 0x208, 4, 0);
+static CCU_GATE(CLK_WDT0, wdt0_clk, "wdt0", apb3_cpusys_pclk_pd, 0x208, 3, 0);
+static CCU_GATE(CLK_WDT1, wdt1_clk, "wdt1", apb3_cpusys_pclk_pd, 0x208, 2, 0);
+static CCU_GATE(CLK_TIMER0, timer0_clk, "timer0", apb3_cpusys_pclk_pd, 0x208, 1, 0);
+static CCU_GATE(CLK_TIMER1, timer1_clk, "timer1", apb3_cpusys_pclk_pd, 0x208, 0, 0);
+static CCU_GATE(CLK_SRAM0, sram0_clk, "sram0", axi_aclk_pd, 0x20c, 4, 0);
+static CCU_GATE(CLK_SRAM1, sram1_clk, "sram1", axi_aclk_pd, 0x20c, 3, 0);
+static CCU_GATE(CLK_SRAM2, sram2_clk, "sram2", axi_aclk_pd, 0x20c, 2, 0);
+static CCU_GATE(CLK_SRAM3, sram3_clk, "sram3", axi_aclk_pd, 0x20c, 1, 0);
static CCU_GATE(CLK_AXI4_VO_ACLK, axi4_vo_aclk, "axi4-vo-aclk",
- video_pll_clk_pd, 0x0, BIT(0), 0);
+ video_pll_clk_pd, 0x0, 0, 0);
static CCU_GATE(CLK_GPU_CORE, gpu_core_clk, "gpu-core-clk", video_pll_clk_pd,
- 0x0, BIT(3), 0);
+ 0x0, 3, 0);
static CCU_GATE(CLK_GPU_CFG_ACLK, gpu_cfg_aclk, "gpu-cfg-aclk",
- video_pll_clk_pd, 0x0, BIT(4), 0);
+ video_pll_clk_pd, 0x0, 4, 0);
static CCU_GATE(CLK_DPU_PIXELCLK0, dpu0_pixelclk, "dpu0-pixelclk",
- video_pll_clk_pd, 0x0, BIT(5), 0);
+ video_pll_clk_pd, 0x0, 5, 0);
static CCU_GATE(CLK_DPU_PIXELCLK1, dpu1_pixelclk, "dpu1-pixelclk",
- video_pll_clk_pd, 0x0, BIT(6), 0);
+ video_pll_clk_pd, 0x0, 6, 0);
static CCU_GATE(CLK_DPU_HCLK, dpu_hclk, "dpu-hclk", video_pll_clk_pd, 0x0,
- BIT(7), 0);
+ 7, 0);
static CCU_GATE(CLK_DPU_ACLK, dpu_aclk, "dpu-aclk", video_pll_clk_pd, 0x0,
- BIT(8), 0);
+ 8, 0);
static CCU_GATE(CLK_DPU_CCLK, dpu_cclk, "dpu-cclk", video_pll_clk_pd, 0x0,
- BIT(9), 0);
+ 9, 0);
static CCU_GATE(CLK_HDMI_SFR, hdmi_sfr_clk, "hdmi-sfr-clk", video_pll_clk_pd,
- 0x0, BIT(10), 0);
+ 0x0, 10, 0);
static CCU_GATE(CLK_HDMI_PCLK, hdmi_pclk, "hdmi-pclk", video_pll_clk_pd, 0x0,
- BIT(11), 0);
+ 11, 0);
static CCU_GATE(CLK_HDMI_CEC, hdmi_cec_clk, "hdmi-cec-clk", video_pll_clk_pd,
- 0x0, BIT(12), 0);
+ 0x0, 12, 0);
static CCU_GATE(CLK_MIPI_DSI0_PCLK, mipi_dsi0_pclk, "mipi-dsi0-pclk",
- video_pll_clk_pd, 0x0, BIT(13), 0);
+ video_pll_clk_pd, 0x0, 13, 0);
static CCU_GATE(CLK_MIPI_DSI1_PCLK, mipi_dsi1_pclk, "mipi-dsi1-pclk",
- video_pll_clk_pd, 0x0, BIT(14), 0);
+ video_pll_clk_pd, 0x0, 14, 0);
static CCU_GATE(CLK_MIPI_DSI0_CFG, mipi_dsi0_cfg_clk, "mipi-dsi0-cfg-clk",
- video_pll_clk_pd, 0x0, BIT(15), 0);
+ video_pll_clk_pd, 0x0, 15, 0);
static CCU_GATE(CLK_MIPI_DSI1_CFG, mipi_dsi1_cfg_clk, "mipi-dsi1-cfg-clk",
- video_pll_clk_pd, 0x0, BIT(16), 0);
+ video_pll_clk_pd, 0x0, 16, 0);
static CCU_GATE(CLK_MIPI_DSI0_REFCLK, mipi_dsi0_refclk, "mipi-dsi0-refclk",
- video_pll_clk_pd, 0x0, BIT(17), 0);
+ video_pll_clk_pd, 0x0, 17, 0);
static CCU_GATE(CLK_MIPI_DSI1_REFCLK, mipi_dsi1_refclk, "mipi-dsi1-refclk",
- video_pll_clk_pd, 0x0, BIT(18), 0);
+ video_pll_clk_pd, 0x0, 18, 0);
static CCU_GATE(CLK_HDMI_I2S, hdmi_i2s_clk, "hdmi-i2s-clk", video_pll_clk_pd,
- 0x0, BIT(19), 0);
+ 0x0, 19, 0);
static CCU_GATE(CLK_X2H_DPU1_ACLK, x2h_dpu1_aclk, "x2h-dpu1-aclk",
- video_pll_clk_pd, 0x0, BIT(20), 0);
+ video_pll_clk_pd, 0x0, 20, 0);
static CCU_GATE(CLK_X2H_DPU_ACLK, x2h_dpu_aclk, "x2h-dpu-aclk",
- video_pll_clk_pd, 0x0, BIT(21), 0);
+ video_pll_clk_pd, 0x0, 21, 0);
static CCU_GATE(CLK_AXI4_VO_PCLK, axi4_vo_pclk, "axi4-vo-pclk",
- video_pll_clk_pd, 0x0, BIT(22), 0);
+ video_pll_clk_pd, 0x0, 22, 0);
static CCU_GATE(CLK_IOPMP_VOSYS_DPU_PCLK, iopmp_vosys_dpu_pclk,
- "iopmp-vosys-dpu-pclk", video_pll_clk_pd, 0x0, BIT(23), 0);
+ "iopmp-vosys-dpu-pclk", video_pll_clk_pd, 0x0, 23, 0);
static CCU_GATE(CLK_IOPMP_VOSYS_DPU1_PCLK, iopmp_vosys_dpu1_pclk,
- "iopmp-vosys-dpu1-pclk", video_pll_clk_pd, 0x0, BIT(24), 0);
+ "iopmp-vosys-dpu1-pclk", video_pll_clk_pd, 0x0, 24, 0);
static CCU_GATE(CLK_IOPMP_VOSYS_GPU_PCLK, iopmp_vosys_gpu_pclk,
- "iopmp-vosys-gpu-pclk", video_pll_clk_pd, 0x0, BIT(25), 0);
+ "iopmp-vosys-gpu-pclk", video_pll_clk_pd, 0x0, 25, 0);
static CCU_GATE(CLK_IOPMP_DPU1_ACLK, iopmp_dpu1_aclk, "iopmp-dpu1-aclk",
- video_pll_clk_pd, 0x0, BIT(27), 0);
+ video_pll_clk_pd, 0x0, 27, 0);
static CCU_GATE(CLK_IOPMP_DPU_ACLK, iopmp_dpu_aclk, "iopmp-dpu-aclk",
- video_pll_clk_pd, 0x0, BIT(28), 0);
+ video_pll_clk_pd, 0x0, 28, 0);
static CCU_GATE(CLK_IOPMP_GPU_ACLK, iopmp_gpu_aclk, "iopmp-gpu-aclk",
- video_pll_clk_pd, 0x0, BIT(29), 0);
+ video_pll_clk_pd, 0x0, 29, 0);
static CCU_GATE(CLK_MIPIDSI0_PIXCLK, mipi_dsi0_pixclk, "mipi-dsi0-pixclk",
- video_pll_clk_pd, 0x0, BIT(30), 0);
+ video_pll_clk_pd, 0x0, 30, 0);
static CCU_GATE(CLK_MIPIDSI1_PIXCLK, mipi_dsi1_pixclk, "mipi-dsi1-pixclk",
- video_pll_clk_pd, 0x0, BIT(31), 0);
+ video_pll_clk_pd, 0x0, 31, 0);
static CCU_GATE(CLK_HDMI_PIXCLK, hdmi_pixclk, "hdmi-pixclk", video_pll_clk_pd,
- 0x4, BIT(0), 0);
+ 0x4, 0, 0);
static CLK_FIXED_FACTOR_HW(gmac_pll_clk_100m, "gmac-pll-clk-100m",
&gmac_pll_clk.common.hw, 10, 1, 0);
@@ -963,93 +957,93 @@ static struct ccu_mux *th1520_mux_clks[] = {
&uart_sclk,
};
-static struct ccu_common *th1520_gate_clks[] = {
- &emmc_sdio_clk.common,
- &aon2cpu_a2x_clk.common,
- &x2x_cpusys_clk.common,
- &brom_clk.common,
- &bmu_clk.common,
- &cpu2aon_x2h_clk.common,
- &cpu2peri_x2h_clk.common,
- &cpu2vp_clk.common,
- &perisys_apb1_hclk.common,
- &perisys_apb2_hclk.common,
- &perisys_apb3_hclk.common,
- &perisys_apb4_hclk.common,
- &npu_axi_clk.common,
- &gmac1_clk.common,
- &padctrl1_clk.common,
- &dsmart_clk.common,
- &padctrl0_clk.common,
- &gmac_axi_clk.common,
- &gpio3_clk.common,
- &gmac0_clk.common,
- &pwm_clk.common,
- &qspi0_clk.common,
- &qspi1_clk.common,
- &spi_clk.common,
- &uart0_pclk.common,
- &uart1_pclk.common,
- &uart2_pclk.common,
- &uart3_pclk.common,
- &uart4_pclk.common,
- &uart5_pclk.common,
- &gpio0_clk.common,
- &gpio1_clk.common,
- &gpio2_clk.common,
- &i2c0_clk.common,
- &i2c1_clk.common,
- &i2c2_clk.common,
- &i2c3_clk.common,
- &i2c4_clk.common,
- &i2c5_clk.common,
- &spinlock_clk.common,
- &dma_clk.common,
- &mbox0_clk.common,
- &mbox1_clk.common,
- &mbox2_clk.common,
- &mbox3_clk.common,
- &wdt0_clk.common,
- &wdt1_clk.common,
- &timer0_clk.common,
- &timer1_clk.common,
- &sram0_clk.common,
- &sram1_clk.common,
- &sram2_clk.common,
- &sram3_clk.common,
-};
-
-static struct ccu_common *th1520_vo_gate_clks[] = {
- &axi4_vo_aclk.common,
- &gpu_core_clk.common,
- &gpu_cfg_aclk.common,
- &dpu0_pixelclk.common,
- &dpu1_pixelclk.common,
- &dpu_hclk.common,
- &dpu_aclk.common,
- &dpu_cclk.common,
- &hdmi_sfr_clk.common,
- &hdmi_pclk.common,
- &hdmi_cec_clk.common,
- &mipi_dsi0_pclk.common,
- &mipi_dsi1_pclk.common,
- &mipi_dsi0_cfg_clk.common,
- &mipi_dsi1_cfg_clk.common,
- &mipi_dsi0_refclk.common,
- &mipi_dsi1_refclk.common,
- &hdmi_i2s_clk.common,
- &x2h_dpu1_aclk.common,
- &x2h_dpu_aclk.common,
- &axi4_vo_pclk.common,
- &iopmp_vosys_dpu_pclk.common,
- &iopmp_vosys_dpu1_pclk.common,
- &iopmp_vosys_gpu_pclk.common,
- &iopmp_dpu1_aclk.common,
- &iopmp_dpu_aclk.common,
- &iopmp_gpu_aclk.common,
- &mipi_dsi0_pixclk.common,
- &mipi_dsi1_pixclk.common,
- &hdmi_pixclk.common
+static struct ccu_gate *th1520_gate_clks[] = {
+ &emmc_sdio_clk,
+ &aon2cpu_a2x_clk,
+ &x2x_cpusys_clk,
+ &brom_clk,
+ &bmu_clk,
+ &cpu2aon_x2h_clk,
+ &cpu2peri_x2h_clk,
+ &cpu2vp_clk,
+ &perisys_apb1_hclk,
+ &perisys_apb2_hclk,
+ &perisys_apb3_hclk,
+ &perisys_apb4_hclk,
+ &npu_axi_clk,
+ &gmac1_clk,
+ &padctrl1_clk,
+ &dsmart_clk,
+ &padctrl0_clk,
+ &gmac_axi_clk,
+ &gpio3_clk,
+ &gmac0_clk,
+ &pwm_clk,
+ &qspi0_clk,
+ &qspi1_clk,
+ &spi_clk,
+ &uart0_pclk,
+ &uart1_pclk,
+ &uart2_pclk,
+ &uart3_pclk,
+ &uart4_pclk,
+ &uart5_pclk,
+ &gpio0_clk,
+ &gpio1_clk,
+ &gpio2_clk,
+ &i2c0_clk,
+ &i2c1_clk,
+ &i2c2_clk,
+ &i2c3_clk,
+ &i2c4_clk,
+ &i2c5_clk,
+ &spinlock_clk,
+ &dma_clk,
+ &mbox0_clk,
+ &mbox1_clk,
+ &mbox2_clk,
+ &mbox3_clk,
+ &wdt0_clk,
+ &wdt1_clk,
+ &timer0_clk,
+ &timer1_clk,
+ &sram0_clk,
+ &sram1_clk,
+ &sram2_clk,
+ &sram3_clk,
+};
+
+static struct ccu_gate *th1520_vo_gate_clks[] = {
+ &axi4_vo_aclk,
+ &gpu_core_clk,
+ &gpu_cfg_aclk,
+ &dpu0_pixelclk,
+ &dpu1_pixelclk,
+ &dpu_hclk,
+ &dpu_aclk,
+ &dpu_cclk,
+ &hdmi_sfr_clk,
+ &hdmi_pclk,
+ &hdmi_cec_clk,
+ &mipi_dsi0_pclk,
+ &mipi_dsi1_pclk,
+ &mipi_dsi0_cfg_clk,
+ &mipi_dsi1_cfg_clk,
+ &mipi_dsi0_refclk,
+ &mipi_dsi1_refclk,
+ &hdmi_i2s_clk,
+ &x2h_dpu1_aclk,
+ &x2h_dpu_aclk,
+ &axi4_vo_pclk,
+ &iopmp_vosys_dpu_pclk,
+ &iopmp_vosys_dpu1_pclk,
+ &iopmp_vosys_gpu_pclk,
+ &iopmp_dpu1_aclk,
+ &iopmp_dpu_aclk,
+ &iopmp_gpu_aclk,
+ &mipi_dsi0_pixclk,
+ &mipi_dsi1_pixclk,
+ &hdmi_pixclk
};
static const struct regmap_config th1520_clk_regmap_config = {
@@ -1063,7 +1057,7 @@ struct th1520_plat_data {
struct ccu_common **th1520_pll_clks;
struct ccu_common **th1520_div_clks;
struct ccu_mux **th1520_mux_clks;
- struct ccu_common **th1520_gate_clks;
+ struct ccu_gate **th1520_gate_clks;
int nr_clks;
int nr_pll_clks;
@@ -1102,7 +1096,6 @@ static int th1520_clk_probe(struct platform_device *pdev)
struct regmap *map;
void __iomem *base;
- struct clk_hw *hw;
int ret, i;
plat_data = device_get_match_data(&pdev->dev);
@@ -1161,20 +1154,15 @@ static int th1520_clk_probe(struct platform_device *pdev)
}
for (i = 0; i < plat_data->nr_gate_clks; i++) {
- struct ccu_gate *cg = hw_to_ccu_gate(&plat_data->th1520_gate_clks[i]->hw);
+ struct ccu_gate *cg = plat_data->th1520_gate_clks[i];
- plat_data->th1520_gate_clks[i]->map = map;
+ cg->gate.reg = base + cg->reg;
- hw = devm_clk_hw_register_gate_parent_data(dev,
- cg->common.hw.init->name,
- cg->common.hw.init->parent_data,
- cg->common.hw.init->flags,
- base + cg->common.cfg0,
- ffs(cg->enable) - 1, 0, NULL);
- if (IS_ERR(hw))
- return PTR_ERR(hw);
+ ret = devm_clk_hw_register(dev, &cg->gate.hw);
+ if (ret)
+ return ret;
- priv->hws[cg->common.clkid] = hw;
+ priv->hws[cg->clkid] = &cg->gate.hw;
}
if (plat_data == &th1520_ap_platdata) {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 022/371] clk: thead: th1520-ap: fix parent of padctrl0 clock
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 021/371] clk: thead: th1520-ap: describe gate clocks with clk_gate Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 023/371] clk: thead: Correct parent for DPU pixel clocks Greg Kroah-Hartman
` (361 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Drew Fustini,
Troy Mitchell, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit 9e99b992c8874f323091d50a5e4727bbd138192d ]
The padctrl0 clock seems to be a child of the perisys_apb4_hclk clock,
gating the later makes padctrl0 registers stuck too.
Fix this relationship.
Fixes: ae81b69fd2b1 ("clk: thead: Add support for T-Head TH1520 AP_SUBSYS clocks")
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Reviewed-by: Drew Fustini <fustini@kernel.org>
Reviewed-by: Troy Mitchell <troy.mitchell@linux.dev>
Signed-off-by: Drew Fustini <fustini@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/thead/clk-th1520-ap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c
index 4dbd1df9a86d4..8a5d699638379 100644
--- a/drivers/clk/thead/clk-th1520-ap.c
+++ b/drivers/clk/thead/clk-th1520-ap.c
@@ -798,13 +798,17 @@ static CCU_GATE(CLK_PERISYS_APB3_HCLK, perisys_apb3_hclk, "perisys-apb3-hclk", p
0x150, 11, CLK_IGNORE_UNUSED);
static CCU_GATE(CLK_PERISYS_APB4_HCLK, perisys_apb4_hclk, "perisys-apb4-hclk", perisys_ahb_hclk_pd,
0x150, 12, 0);
+static const struct clk_parent_data perisys_apb4_hclk_pd[] = {
+ { .hw = &perisys_apb4_hclk.gate.hw },
+};
+
static CCU_GATE(CLK_NPU_AXI, npu_axi_clk, "npu-axi", axi_aclk_pd, 0x1c8, 5, 0);
static CCU_GATE(CLK_CPU2VP, cpu2vp_clk, "cpu2vp", axi_aclk_pd, 0x1e0, 13, 0);
static CCU_GATE(CLK_EMMC_SDIO, emmc_sdio_clk, "emmc-sdio", emmc_sdio_ref_clk_pd, 0x204, 30, 0);
static CCU_GATE(CLK_GMAC1, gmac1_clk, "gmac1", gmac_pll_clk_pd, 0x204, 26, 0);
static CCU_GATE(CLK_PADCTRL1, padctrl1_clk, "padctrl1", perisys_apb_pclk_pd, 0x204, 24, 0);
static CCU_GATE(CLK_DSMART, dsmart_clk, "dsmart", perisys_apb_pclk_pd, 0x204, 23, 0);
-static CCU_GATE(CLK_PADCTRL0, padctrl0_clk, "padctrl0", perisys_apb_pclk_pd, 0x204, 22, 0);
+static CCU_GATE(CLK_PADCTRL0, padctrl0_clk, "padctrl0", perisys_apb4_hclk_pd, 0x204, 22, 0);
static CCU_GATE(CLK_GMAC_AXI, gmac_axi_clk, "gmac-axi", axi4_cpusys2_aclk_pd, 0x204, 21, 0);
static CCU_GATE(CLK_GPIO3, gpio3_clk, "gpio3-clk", peri2sys_apb_pclk_pd, 0x204, 20, 0);
static CCU_GATE(CLK_GMAC0, gmac0_clk, "gmac0", gmac_pll_clk_pd, 0x204, 19, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 023/371] clk: thead: Correct parent for DPU pixel clocks
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 022/371] clk: thead: th1520-ap: fix parent of padctrl0 clock Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 024/371] clk: renesas: r9a08g045: Add MSTOP for GPIO Greg Kroah-Hartman
` (360 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Michal Wilczynski,
Drew Fustini, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Wilczynski <m.wilczynski@samsung.com>
[ Upstream commit c51a37ffea3813374a8f7955abbba6da25357388 ]
The dpu0_pixelclk and dpu1_pixelclk gates were incorrectly parented to
the video_pll_clk.
According to the TH1520 TRM, the "dpu0_pixelclk" should be sourced from
"DPU0 PLL DIV CLK". In this driver, "DPU0 PLL DIV CLK" corresponds to
the `dpu0_clk` clock, which is a divider whose parent is the
`dpu0_pll_clk`.
This patch corrects the clock hierarchy by reparenting `dpu0_pixelclk`
to `dpu0_clk`. By symmetry, `dpu1_pixelclk` is also reparented to its
correct source, `dpu1_clk`.
Fixes: 50d4b157fa96 ("clk: thead: Add clock support for VO subsystem in T-HEAD TH1520 SoC")
Reported-by: Icenowy Zheng <uwu@icenowy.me>
Signed-off-by: Michal Wilczynski <m.wilczynski@samsung.com>
[Icenowy: add Drew's R-b and rebased atop ccu_gate refactor]
Reviewed-by: Drew Fustini <fustini@kernel.org>
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Signed-off-by: Drew Fustini <fustini@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/thead/clk-th1520-ap.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c
index 8a5d699638379..ec52726fbea95 100644
--- a/drivers/clk/thead/clk-th1520-ap.c
+++ b/drivers/clk/thead/clk-th1520-ap.c
@@ -761,6 +761,10 @@ static struct ccu_div dpu0_clk = {
},
};
+static const struct clk_parent_data dpu0_clk_pd[] = {
+ { .hw = &dpu0_clk.common.hw }
+};
+
static struct ccu_div dpu1_clk = {
.div = TH_CCU_DIV_FLAGS(0, 8, CLK_DIVIDER_ONE_BASED),
.common = {
@@ -773,6 +777,10 @@ static struct ccu_div dpu1_clk = {
},
};
+static const struct clk_parent_data dpu1_clk_pd[] = {
+ { .hw = &dpu1_clk.common.hw }
+};
+
static CLK_FIXED_FACTOR_HW(emmc_sdio_ref_clk, "emmc-sdio-ref",
&video_pll_clk.common.hw, 4, 1, 0);
@@ -853,9 +861,9 @@ static CCU_GATE(CLK_GPU_CORE, gpu_core_clk, "gpu-core-clk", video_pll_clk_pd,
static CCU_GATE(CLK_GPU_CFG_ACLK, gpu_cfg_aclk, "gpu-cfg-aclk",
video_pll_clk_pd, 0x0, 4, 0);
static CCU_GATE(CLK_DPU_PIXELCLK0, dpu0_pixelclk, "dpu0-pixelclk",
- video_pll_clk_pd, 0x0, 5, 0);
+ dpu0_clk_pd, 0x0, 5, 0);
static CCU_GATE(CLK_DPU_PIXELCLK1, dpu1_pixelclk, "dpu1-pixelclk",
- video_pll_clk_pd, 0x0, 6, 0);
+ dpu1_clk_pd, 0x0, 6, 0);
static CCU_GATE(CLK_DPU_HCLK, dpu_hclk, "dpu-hclk", video_pll_clk_pd, 0x0,
7, 0);
static CCU_GATE(CLK_DPU_ACLK, dpu_aclk, "dpu-aclk", video_pll_clk_pd, 0x0,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 024/371] clk: renesas: r9a08g045: Add MSTOP for GPIO
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 023/371] clk: thead: Correct parent for DPU pixel clocks Greg Kroah-Hartman
@ 2025-10-17 14:49 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 025/371] perf disasm: Avoid undefined behavior in incrementing NULL Greg Kroah-Hartman
` (359 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Geert Uytterhoeven,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
[ Upstream commit f0cb3463d0244765ab66792a88dc5e2152c130e1 ]
The GPIO module also supports MSTOP. Add it in the description of the gpio
clock.
Fixes: c49695952746 ("clk: renesas: r9a08g045: Drop power domain instantiation")
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/20250806092129.621194-2-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a08g045-cpg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/renesas/r9a08g045-cpg.c b/drivers/clk/renesas/r9a08g045-cpg.c
index ed0661997928b..3b28edfabc34e 100644
--- a/drivers/clk/renesas/r9a08g045-cpg.c
+++ b/drivers/clk/renesas/r9a08g045-cpg.c
@@ -284,7 +284,8 @@ static const struct rzg2l_mod_clk r9a08g045_mod_clks[] = {
MSTOP(BUS_MCPU2, BIT(5))),
DEF_MOD("scif5_clk_pck", R9A08G045_SCIF5_CLK_PCK, R9A08G045_CLK_P0, 0x584, 5,
MSTOP(BUS_MCPU3, BIT(4))),
- DEF_MOD("gpio_hclk", R9A08G045_GPIO_HCLK, R9A08G045_OSCCLK, 0x598, 0, 0),
+ DEF_MOD("gpio_hclk", R9A08G045_GPIO_HCLK, R9A08G045_OSCCLK, 0x598, 0,
+ MSTOP(BUS_PERI_CPU, BIT(6))),
DEF_MOD("adc_adclk", R9A08G045_ADC_ADCLK, R9A08G045_CLK_TSU, 0x5a8, 0,
MSTOP(BUS_MCPU2, BIT(14))),
DEF_MOD("adc_pclk", R9A08G045_ADC_PCLK, R9A08G045_CLK_TSU, 0x5a8, 1,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 025/371] perf disasm: Avoid undefined behavior in incrementing NULL
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-10-17 14:49 ` [PATCH 6.17 024/371] clk: renesas: r9a08g045: Add MSTOP for GPIO Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 026/371] perf test trace_btf_enum: Skip if permissions are insufficient Greg Kroah-Hartman
` (358 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Collin Funk, James Clark,
Kuan-Wei Chiu, Ian Rogers, Namhyung Kim, Adrian Hunter,
Alexander Shishkin, Athira Rajeev, Blake Jones, Chun-Tse Shao,
Howard Chu, Ingo Molnar, Jan Polensky, Jiri Olsa, Kan Liang,
Li Huafei, Mark Rutland, Nam Cao, Peter Zijlstra,
Steinar H. Gunderson, Thomas Gleixner, Arnaldo Carvalho de Melo,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 78d853512d6f979cf0cc41566e4f6cd82995ff34 ]
Incrementing NULL is undefined behavior and triggers ubsan during the
perf annotate test.
Split a compound statement over two lines to avoid this.
Fixes: 98f69a573c668a18 ("perf annotate: Split out util/disasm.c")
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
Reviewed-by: James Clark <james.clark@linaro.org>
Reviewed-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Blake Jones <blakejones@google.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jan Polensky <japo@linux.ibm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Li Huafei <lihuafei1@huawei.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Nam Cao <namcao@linutronix.de>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steinar H. Gunderson <sesse@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20250821163820.1132977-2-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/disasm.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
index b1e4919d016f1..e257bd918c891 100644
--- a/tools/perf/util/disasm.c
+++ b/tools/perf/util/disasm.c
@@ -390,13 +390,16 @@ static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_s
* skip over possible up to 2 operands to get to address, e.g.:
* tbnz w0, #26, ffff0000083cd190 <security_file_permission+0xd0>
*/
- if (c++ != NULL) {
+ if (c != NULL) {
+ c++;
ops->target.addr = strtoull(c, NULL, 16);
if (!ops->target.addr) {
c = strchr(c, ',');
c = validate_comma(c, ops);
- if (c++ != NULL)
+ if (c != NULL) {
+ c++;
ops->target.addr = strtoull(c, NULL, 16);
+ }
}
} else {
ops->target.addr = strtoull(ops->raw, NULL, 16);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 026/371] perf test trace_btf_enum: Skip if permissions are insufficient
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 025/371] perf disasm: Avoid undefined behavior in incrementing NULL Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 027/371] perf evsel: Avoid container_of on a NULL leader Greg Kroah-Hartman
` (357 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Ian Rogers,
Namhyung Kim, Adrian Hunter, Alexander Shishkin, Athira Rajeev,
Blake Jones, Chun-Tse Shao, Collin Funk, Howard Chu, Ingo Molnar,
Jan Polensky, Jiri Olsa, Kan Liang, Li Huafei, Mark Rutland,
Nam Cao, Peter Zijlstra, Steinar H. Gunderson, Thomas Gleixner,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 4bd5bd8dbd41a208fb73afb65bda6f38e2b5a637 ]
Modify test behavior to skip if BPF calls fail with "Operation not
permitted".
Fixes: d66763fed30f0bd8 ("perf test trace_btf_enum: Add regression test for the BTF augmentation of enums in 'perf trace'")
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Blake Jones <blakejones@google.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Collin Funk <collin.funk1@gmail.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jan Polensky <japo@linux.ibm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Li Huafei <lihuafei1@huawei.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Nam Cao <namcao@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steinar H. Gunderson <sesse@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20250821163820.1132977-3-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/shell/trace_btf_enum.sh | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tools/perf/tests/shell/trace_btf_enum.sh b/tools/perf/tests/shell/trace_btf_enum.sh
index 572001d75d781..03e9f680a4a69 100755
--- a/tools/perf/tests/shell/trace_btf_enum.sh
+++ b/tools/perf/tests/shell/trace_btf_enum.sh
@@ -23,6 +23,14 @@ check_vmlinux() {
fi
}
+check_permissions() {
+ if perf trace -e $syscall $TESTPROG 2>&1 | grep -q "Operation not permitted"
+ then
+ echo "trace+enum test [Skipped permissions]"
+ err=2
+ fi
+}
+
trace_landlock() {
echo "Tracing syscall ${syscall}"
@@ -56,6 +64,9 @@ trace_non_syscall() {
}
check_vmlinux
+if [ $err = 0 ]; then
+ check_permissions
+fi
if [ $err = 0 ]; then
trace_landlock
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 027/371] perf evsel: Avoid container_of on a NULL leader
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 026/371] perf test trace_btf_enum: Skip if permissions are insufficient Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 028/371] libperf event: Ensure tracing data is multiple of 8 sized Greg Kroah-Hartman
` (356 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Ian Rogers,
Namhyung Kim, Adrian Hunter, Alexander Shishkin, Athira Rajeev,
Blake Jones, Chun-Tse Shao, Collin Funk, Howard Chu, Ingo Molnar,
Jan Polensky, Jiri Olsa, Kan Liang, Li Huafei, Mark Rutland,
Nam Cao, Peter Zijlstra, Steinar H. Gunderson, Thomas Gleixner,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 2354479026d726954ff86ce82f4b649637319661 ]
An evsel should typically have a leader of itself, however, in tests
like 'Sample parsing' a NULL leader may occur and the container_of
will return a corrupt pointer.
Avoid this with an explicit NULL test.
Fixes: fba7c86601e2e42d ("libperf: Move 'leader' from tools/perf to perf_evsel::leader")
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Blake Jones <blakejones@google.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Collin Funk <collin.funk1@gmail.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jan Polensky <japo@linux.ibm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Li Huafei <lihuafei1@huawei.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Nam Cao <namcao@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steinar H. Gunderson <sesse@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20250821163820.1132977-4-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/evsel.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index d264c143b5925..496f42434327b 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -3935,6 +3935,8 @@ bool evsel__is_hybrid(const struct evsel *evsel)
struct evsel *evsel__leader(const struct evsel *evsel)
{
+ if (evsel->core.leader == NULL)
+ return NULL;
return container_of(evsel->core.leader, struct evsel, core);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 028/371] libperf event: Ensure tracing data is multiple of 8 sized
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 027/371] perf evsel: Avoid container_of on a NULL leader Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 029/371] clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register() Greg Kroah-Hartman
` (355 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Ian Rogers,
Namhyung Kim, Arnaldo Carvalho de Melo, Adrian Hunter,
Alexander Shishkin, Athira Rajeev, Blake Jones, Chun-Tse Shao,
Collin Funk, Howard Chu, Ingo Molnar, Jan Polensky, Jiri Olsa,
Kan Liang, Li Huafei, Mark Rutland, Nam Cao, Peter Zijlstra,
Steinar H. Gunderson, Thomas Gleixner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit b39c915a4f365cce6bdc0e538ed95d31823aea8f ]
Perf's synthetic-events.c will ensure 8-byte alignment of tracing
data, writing it after a perf_record_header_tracing_data event.
Add padding to struct perf_record_header_tracing_data to make it 16-byte
rather than 12-byte sized.
Fixes: 055c67ed39887c55 ("perf tools: Move event synthesizing routines to separate .c file")
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Blake Jones <blakejones@google.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Collin Funk <collin.funk1@gmail.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jan Polensky <japo@linux.ibm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Li Huafei <lihuafei1@huawei.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Nam Cao <namcao@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steinar H. Gunderson <sesse@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20250821163820.1132977-6-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/perf/include/perf/event.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/lib/perf/include/perf/event.h b/tools/lib/perf/include/perf/event.h
index 6608f1e3701b4..aa1e91c97a226 100644
--- a/tools/lib/perf/include/perf/event.h
+++ b/tools/lib/perf/include/perf/event.h
@@ -291,6 +291,7 @@ struct perf_record_header_event_type {
struct perf_record_header_tracing_data {
struct perf_event_header header;
__u32 size;
+ __u32 pad;
};
#define PERF_RECORD_MISC_BUILD_ID_SIZE (1 << 15)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 029/371] clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 028/371] libperf event: Ensure tracing data is multiple of 8 sized Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 030/371] clk: qcom: Select the intended config in QCS_DISPCC_615 Greg Kroah-Hartman
` (354 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Imran Shaik,
Konrad Dybcio, Dmitry Baryshkov, Bjorn Andersson, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 1e50f5c9965252ed6657b8692cd7366784d60616 ]
The devm_clk_hw_get_clk() function doesn't return NULL, it returns error
pointers. Update the checking to match.
Fixes: 8737ec830ee3 ("clk: qcom: common: Add interconnect clocks support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Imran Shaik <imran.shaik@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/aLaPwL2gFS85WsfD@stanley.mountain
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/common.c b/drivers/clk/qcom/common.c
index 37c3008e6c1be..1215918867741 100644
--- a/drivers/clk/qcom/common.c
+++ b/drivers/clk/qcom/common.c
@@ -277,8 +277,8 @@ static int qcom_cc_icc_register(struct device *dev,
icd[i].slave_id = desc->icc_hws[i].slave_id;
hws = &desc->clks[desc->icc_hws[i].clk_id]->hw;
icd[i].clk = devm_clk_hw_get_clk(dev, hws, "icc");
- if (!icd[i].clk)
- return dev_err_probe(dev, -ENOENT,
+ if (IS_ERR(icd[i].clk))
+ return dev_err_probe(dev, PTR_ERR(icd[i].clk),
"(%d) clock entry is null\n", i);
icd[i].name = clk_hw_get_name(hws);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 030/371] clk: qcom: Select the intended config in QCS_DISPCC_615
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 029/371] clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 031/371] perf parse-events: Handle fake PMUs in CPU terms Greg Kroah-Hartman
` (353 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Bulwahn, Imran Shaik,
Dmitry Baryshkov, Bjorn Andersson, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Bulwahn <lukas.bulwahn@redhat.com>
[ Upstream commit 9524f95c4042545ee8fc3191b9b89c61a1aca6fb ]
Commit 9b47105f5434 ("clk: qcom: dispcc-qcs615: Add QCS615 display clock
controller driver") adds the config QCS_DISPCC_615, which selects the
non-existing config QCM_GCC_615. Probably, this is just a three-letter
abbreviation mix-up here, though. There is a config named QCS_GCC_615,
and the related config QCS_CAMCC_615 selects that config.
Fix the typo and use the intended config name in the select command.
Fixes: 9b47105f5434 ("clk: qcom: dispcc-qcs615: Add QCS615 display clock controller driver")
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@redhat.com>
Reviewed-by: Imran Shaik <imran.shaik@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250902121754.277452-1-lukas.bulwahn@redhat.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/Kconfig b/drivers/clk/qcom/Kconfig
index 6cb6cd3e1778a..e721b23234ddd 100644
--- a/drivers/clk/qcom/Kconfig
+++ b/drivers/clk/qcom/Kconfig
@@ -495,7 +495,7 @@ config QCM_DISPCC_2290
config QCS_DISPCC_615
tristate "QCS615 Display Clock Controller"
- select QCM_GCC_615
+ select QCS_GCC_615
help
Support for the display clock controller on Qualcomm Technologies, Inc
QCS615 devices.
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 031/371] perf parse-events: Handle fake PMUs in CPU terms
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 030/371] clk: qcom: Select the intended config in QCS_DISPCC_615 Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 032/371] clk: at91: peripheral: fix return value Greg Kroah-Hartman
` (352 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Andreas Färber, Caleb Biggers,
Ingo Molnar, Jiri Olsa, Kan Liang, linux-actions,
Manivannan Sadhasivam, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Thomas Falcon, Weilin Wang, Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 1a461a62fb422db9cf870a4f184885cc69873b7f ]
The "Parsing of PMU event table metrics with fake PMUs" will test
metrics on machines/models that may be missing a PMU, in such a case
the fake_pmu should be used to avoid errors.
Metrics that get the cpumask from a different PMU, such as
"tsc/cpu=cpu_atom/", also need to be resilient in this test.
The parse_events_state fake_pmu is set when missing PMUs should be
ignored.
So that it can be queried, pass it to the config term functions, as well
as to get_config_cpu, then ignore failures when fake_pmu is set.
Some minor code refactoring to cut down on the indent and remove some
redundant checks.
Fixes: bd741d80dc65922c ("perf parse-events: Allow the cpu term to be a PMU or CPU range")
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andreas Färber <afaerber@suse.de>
Cc: Caleb Biggers <caleb.biggers@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: linux-actions@lists.infradead.org
Cc: Manivannan Sadhasivam <mani@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Falcon <thomas.falcon@intel.com>
Cc: Weilin Wang <weilin.wang@intel.com>
Link: https://lore.kernel.org/r/20250818190416.145274-2-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/parse-events.c | 116 +++++++++++++++++----------------
1 file changed, 60 insertions(+), 56 deletions(-)
diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
index 8282ddf68b983..0026cff4d69e4 100644
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -126,7 +126,8 @@ static char *get_config_name(const struct parse_events_terms *head_terms)
return get_config_str(head_terms, PARSE_EVENTS__TERM_TYPE_NAME);
}
-static struct perf_cpu_map *get_config_cpu(const struct parse_events_terms *head_terms)
+static struct perf_cpu_map *get_config_cpu(const struct parse_events_terms *head_terms,
+ bool fake_pmu)
{
struct parse_events_term *term;
struct perf_cpu_map *cpus = NULL;
@@ -135,24 +136,33 @@ static struct perf_cpu_map *get_config_cpu(const struct parse_events_terms *head
return NULL;
list_for_each_entry(term, &head_terms->terms, list) {
- if (term->type_term == PARSE_EVENTS__TERM_TYPE_CPU) {
- struct perf_cpu_map *term_cpus;
+ struct perf_cpu_map *term_cpus;
- if (term->type_val == PARSE_EVENTS__TERM_TYPE_NUM) {
- term_cpus = perf_cpu_map__new_int(term->val.num);
+ if (term->type_term != PARSE_EVENTS__TERM_TYPE_CPU)
+ continue;
+
+ if (term->type_val == PARSE_EVENTS__TERM_TYPE_NUM) {
+ term_cpus = perf_cpu_map__new_int(term->val.num);
+ } else {
+ struct perf_pmu *pmu = perf_pmus__find(term->val.str);
+
+ if (pmu) {
+ term_cpus = pmu->is_core && perf_cpu_map__is_empty(pmu->cpus)
+ ? cpu_map__online()
+ : perf_cpu_map__get(pmu->cpus);
} else {
- struct perf_pmu *pmu = perf_pmus__find(term->val.str);
-
- if (pmu && perf_cpu_map__is_empty(pmu->cpus))
- term_cpus = pmu->is_core ? cpu_map__online() : NULL;
- else if (pmu)
- term_cpus = perf_cpu_map__get(pmu->cpus);
- else
- term_cpus = perf_cpu_map__new(term->val.str);
+ term_cpus = perf_cpu_map__new(term->val.str);
+ if (!term_cpus && fake_pmu) {
+ /*
+ * Assume the PMU string makes sense on a different
+ * machine and fake a value with all online CPUs.
+ */
+ term_cpus = cpu_map__online();
+ }
}
- perf_cpu_map__merge(&cpus, term_cpus);
- perf_cpu_map__put(term_cpus);
}
+ perf_cpu_map__merge(&cpus, term_cpus);
+ perf_cpu_map__put(term_cpus);
}
return cpus;
@@ -369,13 +379,13 @@ static int parse_aliases(const char *str, const char *const names[][EVSEL__MAX_A
typedef int config_term_func_t(struct perf_event_attr *attr,
struct parse_events_term *term,
- struct parse_events_error *err);
+ struct parse_events_state *parse_state);
static int config_term_common(struct perf_event_attr *attr,
struct parse_events_term *term,
- struct parse_events_error *err);
+ struct parse_events_state *parse_state);
static int config_attr(struct perf_event_attr *attr,
const struct parse_events_terms *head,
- struct parse_events_error *err,
+ struct parse_events_state *parse_state,
config_term_func_t config_term);
/**
@@ -471,7 +481,7 @@ int parse_events_add_cache(struct list_head *list, int *idx, const char *name,
bool found_supported = false;
const char *config_name = get_config_name(parsed_terms);
const char *metric_id = get_config_metric_id(parsed_terms);
- struct perf_cpu_map *cpus = get_config_cpu(parsed_terms);
+ struct perf_cpu_map *cpus = get_config_cpu(parsed_terms, parse_state->fake_pmu);
int ret = 0;
struct evsel *first_wildcard_match = NULL;
@@ -514,8 +524,7 @@ int parse_events_add_cache(struct list_head *list, int *idx, const char *name,
found_supported = true;
if (parsed_terms) {
- if (config_attr(&attr, parsed_terms, parse_state->error,
- config_term_common)) {
+ if (config_attr(&attr, parsed_terms, parse_state, config_term_common)) {
ret = -EINVAL;
goto out_err;
}
@@ -767,8 +776,7 @@ int parse_events_add_breakpoint(struct parse_events_state *parse_state,
attr.sample_period = 1;
if (head_config) {
- if (config_attr(&attr, head_config, parse_state->error,
- config_term_common))
+ if (config_attr(&attr, head_config, parse_state, config_term_common))
return -EINVAL;
if (get_config_terms(head_config, &config_terms))
@@ -903,12 +911,12 @@ void parse_events__shrink_config_terms(void)
static int config_term_common(struct perf_event_attr *attr,
struct parse_events_term *term,
- struct parse_events_error *err)
+ struct parse_events_state *parse_state)
{
-#define CHECK_TYPE_VAL(type) \
-do { \
- if (check_type_val(term, err, PARSE_EVENTS__TERM_TYPE_ ## type)) \
- return -EINVAL; \
+#define CHECK_TYPE_VAL(type) \
+do { \
+ if (check_type_val(term, parse_state->error, PARSE_EVENTS__TERM_TYPE_ ## type)) \
+ return -EINVAL; \
} while (0)
switch (term->type_term) {
@@ -939,7 +947,7 @@ do { \
if (strcmp(term->val.str, "no") &&
parse_branch_str(term->val.str,
&attr->branch_sample_type)) {
- parse_events_error__handle(err, term->err_val,
+ parse_events_error__handle(parse_state->error, term->err_val,
strdup("invalid branch sample type"),
NULL);
return -EINVAL;
@@ -948,7 +956,7 @@ do { \
case PARSE_EVENTS__TERM_TYPE_TIME:
CHECK_TYPE_VAL(NUM);
if (term->val.num > 1) {
- parse_events_error__handle(err, term->err_val,
+ parse_events_error__handle(parse_state->error, term->err_val,
strdup("expected 0 or 1"),
NULL);
return -EINVAL;
@@ -990,7 +998,7 @@ do { \
case PARSE_EVENTS__TERM_TYPE_PERCORE:
CHECK_TYPE_VAL(NUM);
if ((unsigned int)term->val.num > 1) {
- parse_events_error__handle(err, term->err_val,
+ parse_events_error__handle(parse_state->error, term->err_val,
strdup("expected 0 or 1"),
NULL);
return -EINVAL;
@@ -1005,7 +1013,7 @@ do { \
case PARSE_EVENTS__TERM_TYPE_AUX_SAMPLE_SIZE:
CHECK_TYPE_VAL(NUM);
if (term->val.num > UINT_MAX) {
- parse_events_error__handle(err, term->err_val,
+ parse_events_error__handle(parse_state->error, term->err_val,
strdup("too big"),
NULL);
return -EINVAL;
@@ -1016,7 +1024,7 @@ do { \
if (term->type_val == PARSE_EVENTS__TERM_TYPE_NUM) {
if (term->val.num >= (u64)cpu__max_present_cpu().cpu) {
- parse_events_error__handle(err, term->err_val,
+ parse_events_error__handle(parse_state->error, term->err_val,
strdup("too big"),
/*help=*/NULL);
return -EINVAL;
@@ -1028,8 +1036,8 @@ do { \
break;
map = perf_cpu_map__new(term->val.str);
- if (!map) {
- parse_events_error__handle(err, term->err_val,
+ if (!map && !parse_state->fake_pmu) {
+ parse_events_error__handle(parse_state->error, term->err_val,
strdup("not a valid PMU or CPU number"),
/*help=*/NULL);
return -EINVAL;
@@ -1042,7 +1050,7 @@ do { \
case PARSE_EVENTS__TERM_TYPE_LEGACY_CACHE:
case PARSE_EVENTS__TERM_TYPE_HARDWARE:
default:
- parse_events_error__handle(err, term->err_term,
+ parse_events_error__handle(parse_state->error, term->err_term,
strdup(parse_events__term_type_str(term->type_term)),
parse_events_formats_error_string(NULL));
return -EINVAL;
@@ -1057,7 +1065,7 @@ do { \
* if an invalid config term is provided for legacy events
* (for example, instructions/badterm/...), which is confusing.
*/
- if (!config_term_avail(term->type_term, err))
+ if (!config_term_avail(term->type_term, parse_state->error))
return -EINVAL;
return 0;
#undef CHECK_TYPE_VAL
@@ -1065,7 +1073,7 @@ do { \
static int config_term_pmu(struct perf_event_attr *attr,
struct parse_events_term *term,
- struct parse_events_error *err)
+ struct parse_events_state *parse_state)
{
if (term->type_term == PARSE_EVENTS__TERM_TYPE_LEGACY_CACHE) {
struct perf_pmu *pmu = perf_pmus__find_by_type(attr->type);
@@ -1074,7 +1082,7 @@ static int config_term_pmu(struct perf_event_attr *attr,
char *err_str;
if (asprintf(&err_str, "Failed to find PMU for type %d", attr->type) >= 0)
- parse_events_error__handle(err, term->err_term,
+ parse_events_error__handle(parse_state->error, term->err_term,
err_str, /*help=*/NULL);
return -EINVAL;
}
@@ -1100,7 +1108,7 @@ static int config_term_pmu(struct perf_event_attr *attr,
char *err_str;
if (asprintf(&err_str, "Failed to find PMU for type %d", attr->type) >= 0)
- parse_events_error__handle(err, term->err_term,
+ parse_events_error__handle(parse_state->error, term->err_term,
err_str, /*help=*/NULL);
return -EINVAL;
}
@@ -1128,12 +1136,12 @@ static int config_term_pmu(struct perf_event_attr *attr,
*/
return 0;
}
- return config_term_common(attr, term, err);
+ return config_term_common(attr, term, parse_state);
}
static int config_term_tracepoint(struct perf_event_attr *attr,
struct parse_events_term *term,
- struct parse_events_error *err)
+ struct parse_events_state *parse_state)
{
switch (term->type_term) {
case PARSE_EVENTS__TERM_TYPE_CALLGRAPH:
@@ -1147,7 +1155,7 @@ static int config_term_tracepoint(struct perf_event_attr *attr,
case PARSE_EVENTS__TERM_TYPE_AUX_OUTPUT:
case PARSE_EVENTS__TERM_TYPE_AUX_ACTION:
case PARSE_EVENTS__TERM_TYPE_AUX_SAMPLE_SIZE:
- return config_term_common(attr, term, err);
+ return config_term_common(attr, term, parse_state);
case PARSE_EVENTS__TERM_TYPE_USER:
case PARSE_EVENTS__TERM_TYPE_CONFIG:
case PARSE_EVENTS__TERM_TYPE_CONFIG1:
@@ -1166,12 +1174,10 @@ static int config_term_tracepoint(struct perf_event_attr *attr,
case PARSE_EVENTS__TERM_TYPE_HARDWARE:
case PARSE_EVENTS__TERM_TYPE_CPU:
default:
- if (err) {
- parse_events_error__handle(err, term->err_term,
+ parse_events_error__handle(parse_state->error, term->err_term,
strdup(parse_events__term_type_str(term->type_term)),
strdup("valid terms: call-graph,stack-size\n")
);
- }
return -EINVAL;
}
@@ -1180,13 +1186,13 @@ static int config_term_tracepoint(struct perf_event_attr *attr,
static int config_attr(struct perf_event_attr *attr,
const struct parse_events_terms *head,
- struct parse_events_error *err,
+ struct parse_events_state *parse_state,
config_term_func_t config_term)
{
struct parse_events_term *term;
list_for_each_entry(term, &head->terms, list)
- if (config_term(attr, term, err))
+ if (config_term(attr, term, parse_state))
return -EINVAL;
return 0;
@@ -1378,8 +1384,7 @@ int parse_events_add_tracepoint(struct parse_events_state *parse_state,
if (head_config) {
struct perf_event_attr attr;
- if (config_attr(&attr, head_config, err,
- config_term_tracepoint))
+ if (config_attr(&attr, head_config, parse_state, config_term_tracepoint))
return -EINVAL;
}
@@ -1408,8 +1413,7 @@ static int __parse_events_add_numeric(struct parse_events_state *parse_state,
}
if (head_config) {
- if (config_attr(&attr, head_config, parse_state->error,
- config_term_common))
+ if (config_attr(&attr, head_config, parse_state, config_term_common))
return -EINVAL;
if (get_config_terms(head_config, &config_terms))
@@ -1418,7 +1422,7 @@ static int __parse_events_add_numeric(struct parse_events_state *parse_state,
name = get_config_name(head_config);
metric_id = get_config_metric_id(head_config);
- cpus = get_config_cpu(head_config);
+ cpus = get_config_cpu(head_config, parse_state->fake_pmu);
ret = __add_event(list, &parse_state->idx, &attr, /*init_attr*/true, name,
metric_id, pmu, &config_terms, first_wildcard_match,
cpus, /*alternate_hw_config=*/PERF_COUNT_HW_MAX) ? 0 : -ENOMEM;
@@ -1531,7 +1535,7 @@ static int parse_events_add_pmu(struct parse_events_state *parse_state,
fix_raw(&parsed_terms, pmu);
/* Configure attr/terms with a known PMU, this will set hardcoded terms. */
- if (config_attr(&attr, &parsed_terms, parse_state->error, config_term_pmu)) {
+ if (config_attr(&attr, &parsed_terms, parse_state, config_term_pmu)) {
parse_events_terms__exit(&parsed_terms);
return -EINVAL;
}
@@ -1555,7 +1559,7 @@ static int parse_events_add_pmu(struct parse_events_state *parse_state,
/* Configure attr/terms again if an alias was expanded. */
if (alias_rewrote_terms &&
- config_attr(&attr, &parsed_terms, parse_state->error, config_term_pmu)) {
+ config_attr(&attr, &parsed_terms, parse_state, config_term_pmu)) {
parse_events_terms__exit(&parsed_terms);
return -EINVAL;
}
@@ -1583,7 +1587,7 @@ static int parse_events_add_pmu(struct parse_events_state *parse_state,
return -EINVAL;
}
- term_cpu = get_config_cpu(&parsed_terms);
+ term_cpu = get_config_cpu(&parsed_terms, parse_state->fake_pmu);
evsel = __add_event(list, &parse_state->idx, &attr, /*init_attr=*/true,
get_config_name(&parsed_terms),
get_config_metric_id(&parsed_terms), pmu,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 032/371] clk: at91: peripheral: fix return value
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 031/371] perf parse-events: Handle fake PMUs in CPU terms Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 033/371] clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init() Greg Kroah-Hartman
` (351 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Nicolas Ferre,
Brian Masney, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 47b13635dabc14f1c2fdcaa5468b47ddadbdd1b5 ]
determine_rate() is expected to return an error code, or 0 on success.
clk_sam9x5_peripheral_determine_rate() has a branch that returns the
parent rate on a certain case. This is the behavior of round_rate(),
so let's go ahead and fix this by setting req->rate.
Fixes: b4c115c76184f ("clk: at91: clk-peripheral: add support for changeable parent rate")
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/at91/clk-peripheral.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/at91/clk-peripheral.c b/drivers/clk/at91/clk-peripheral.c
index c173a44c800aa..629f050a855aa 100644
--- a/drivers/clk/at91/clk-peripheral.c
+++ b/drivers/clk/at91/clk-peripheral.c
@@ -279,8 +279,11 @@ static int clk_sam9x5_peripheral_determine_rate(struct clk_hw *hw,
long best_diff = LONG_MIN;
u32 shift;
- if (periph->id < PERIPHERAL_ID_MIN || !periph->range.max)
- return parent_rate;
+ if (periph->id < PERIPHERAL_ID_MIN || !periph->range.max) {
+ req->rate = parent_rate;
+
+ return 0;
+ }
/* Fist step: check the available dividers. */
for (shift = 0; shift <= PERIPHERAL_MAX_SHIFT; shift++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 033/371] clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 032/371] clk: at91: peripheral: fix return value Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 034/371] perf: Completely remove possibility to override MAX_NR_CPUS Greg Kroah-Hartman
` (350 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan CHen, Geert Uytterhoeven,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan CHen <chenyuan@kylinos.cn>
[ Upstream commit cc55fc58fc1b7f405003fd2ecf79e74653461f0b ]
In case of krealloc_array() failure, the current error handling just
returns from the function without freeing the original array.
Fix this memory leak by freeing the original array.
Fixes: 6aa1754764901668 ("clk: renesas: cpg-mssr: Ignore all clocks assigned to non-Linux system")
Signed-off-by: Yuan CHen <chenyuan@kylinos.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20250908012810.4767-1-chenyuan_fl@163.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/renesas-cpg-mssr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c
index 5ff6ee1f7d4b7..de1cf7ba45b78 100644
--- a/drivers/clk/renesas/renesas-cpg-mssr.c
+++ b/drivers/clk/renesas/renesas-cpg-mssr.c
@@ -1082,6 +1082,7 @@ static int __init cpg_mssr_reserved_init(struct cpg_mssr_priv *priv,
of_for_each_phandle(&it, rc, node, "clocks", "#clock-cells", -1) {
int idx;
+ unsigned int *new_ids;
if (it.node != priv->np)
continue;
@@ -1092,11 +1093,13 @@ static int __init cpg_mssr_reserved_init(struct cpg_mssr_priv *priv,
if (args[0] != CPG_MOD)
continue;
- ids = krealloc_array(ids, (num + 1), sizeof(*ids), GFP_KERNEL);
- if (!ids) {
+ new_ids = krealloc_array(ids, (num + 1), sizeof(*ids), GFP_KERNEL);
+ if (!new_ids) {
of_node_put(it.node);
+ kfree(ids);
return -ENOMEM;
}
+ ids = new_ids;
if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A)
idx = MOD_CLK_PACK_10(args[1]); /* for DEF_MOD_STB() */
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 034/371] perf: Completely remove possibility to override MAX_NR_CPUS
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 033/371] clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 035/371] perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir() Greg Kroah-Hartman
` (349 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Adrian Hunter,
Alexander Shishkin, Ian Rogers, Ingo Molnar, Jiri Olsa, Kan Liang,
Leo Yan, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 6f8fb022ef2c6694e47f6e2f5676eb63be66c208 ]
Commit 21b8732eb447 ("perf tools: Allow overriding MAX_NR_CPUS at
compile time") added the capability to override MAX_NR_CPUS. At
that time it was necessary to reduce the huge amount of RAM used
by static stats variables.
But this has been unnecessary since commit 6a1e2c5c2673 ("perf stat:
Remove a set of shadow stats static variables"), and
commit e8399d34d568 ("libperf cpumap: Hide/reduce scope of
MAX_NR_CPUS") broke the build in that case because it failed to
add the guard around the new definition of MAX_NR_CPUS.
So cleanup things and remove guards completely to officialise it
is not necessary anymore to override MAX_NR_CPUS.
Fixes: e8399d34d568d61c ("libperf cpumap: Hide/reduce scope of MAX_NR_CPUS")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Leo Yan <leo.yan@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/all/8c8553387ebf904a9e5a93eaf643cb01164d9fb3.1736188471.git.christophe.leroy@csgroup.eu/
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/perf.h | 2 --
tools/perf/util/bpf_skel/kwork_top.bpf.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/tools/perf/perf.h b/tools/perf/perf.h
index 3cb40965549f5..e004178472d9e 100644
--- a/tools/perf/perf.h
+++ b/tools/perf/perf.h
@@ -2,9 +2,7 @@
#ifndef _PERF_PERF_H
#define _PERF_PERF_H
-#ifndef MAX_NR_CPUS
#define MAX_NR_CPUS 4096
-#endif
enum perf_affinity {
PERF_AFFINITY_SYS = 0,
diff --git a/tools/perf/util/bpf_skel/kwork_top.bpf.c b/tools/perf/util/bpf_skel/kwork_top.bpf.c
index 73e32e0630301..6673386302e2f 100644
--- a/tools/perf/util/bpf_skel/kwork_top.bpf.c
+++ b/tools/perf/util/bpf_skel/kwork_top.bpf.c
@@ -18,9 +18,7 @@ enum kwork_class_type {
};
#define MAX_ENTRIES 102400
-#ifndef MAX_NR_CPUS
#define MAX_NR_CPUS 4096
-#endif
#define PF_KTHREAD 0x00200000
#define MAX_COMMAND_LEN 16
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 035/371] perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 034/371] perf: Completely remove possibility to override MAX_NR_CPUS Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 036/371] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
` (348 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Markus Elfring,
Namhyung Kim, GuoHan Zhao, Adrian Hunter, Alexander Shishkin,
Ingo Molnar, Jiri Olsa, Kan Liang, Mark Rutland, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: GuoHan Zhao <zhaoguohan@kylinos.cn>
[ Upstream commit baa03483fdf3545f2b223a4ca775e1938d956284 ]
Fix file descriptor leak when callback function returns error. The
function was directly returning without closing fdinfo_dir_fd and
fd_dir when cb() returned non-zero value.
Fixes: 28917cb17f9df9c2 ("perf drm_pmu: Add a tool like PMU to expose DRM information")
Reviewed-by: Ian Rogers <irogers@google.com>
Reviewed-by: Markus Elfring <Markus.Elfring@web.de>
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250908065203.22187-1-zhaoguohan@kylinos.cn
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/drm_pmu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/drm_pmu.c b/tools/perf/util/drm_pmu.c
index 988890f37ba7a..98d4d2b556d4e 100644
--- a/tools/perf/util/drm_pmu.c
+++ b/tools/perf/util/drm_pmu.c
@@ -458,8 +458,10 @@ static int for_each_drm_fdinfo_in_dir(int (*cb)(void *args, int fdinfo_dir_fd, c
}
ret = cb(args, fdinfo_dir_fd, fd_entry->d_name);
if (ret)
- return ret;
+ goto close_fdinfo;
}
+
+close_fdinfo:
if (fdinfo_dir_fd != -1)
close(fdinfo_dir_fd);
closedir(fd_dir);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 036/371] perf util: Fix compression checks returning -1 as bool
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 035/371] perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 037/371] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
` (347 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Yunseong Kim,
Adrian Hunter, Alexander Shishkin, Jiri Olsa, Kan Liang,
Namhyung Kim, Stephen Brennan, Arnaldo Carvalho de Melo,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunseong Kim <ysk@kzalloc.com>
[ Upstream commit 43fa1141e2c1af79c91aaa4df03e436c415a6fc3 ]
The lzma_is_compressed and gzip_is_compressed functions are declared
to return a "bool" type, but in case of an error (e.g., file open
failure), they incorrectly returned -1.
A bool type is a boolean value that is either true or false.
Returning -1 for a bool return type can lead to unexpected behavior
and may violate strict type-checking in some compilers.
Fix the return value to be false in error cases, ensuring the function
adheres to its declared return type improves for preventing potential
bugs related to type mismatch.
Fixes: 4b57fd44b61beb51 ("perf tools: Add lzma_is_compressed function")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Yunseong Kim <ysk@kzalloc.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Stephen Brennan <stephen.s.brennan@oracle.com>
Link: https://lore.kernel.org/r/20250822162506.316844-3-ysk@kzalloc.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/lzma.c | 2 +-
tools/perf/util/zlib.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c
index bbcd2ffcf4bd1..c355757ed3911 100644
--- a/tools/perf/util/lzma.c
+++ b/tools/perf/util/lzma.c
@@ -120,7 +120,7 @@ bool lzma_is_compressed(const char *input)
ssize_t rc;
if (fd < 0)
- return -1;
+ return false;
rc = read(fd, buf, sizeof(buf));
close(fd);
diff --git a/tools/perf/util/zlib.c b/tools/perf/util/zlib.c
index 78d2297c1b674..1f7c065230599 100644
--- a/tools/perf/util/zlib.c
+++ b/tools/perf/util/zlib.c
@@ -88,7 +88,7 @@ bool gzip_is_compressed(const char *input)
ssize_t rc;
if (fd < 0)
- return -1;
+ return false;
rc = read(fd, buf, sizeof(buf));
close(fd);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 037/371] rtc: x1205: Fix Xicor X1205 vendor prefix
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 036/371] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 038/371] rtc: optee: fix memory leak on driver removal Greg Kroah-Hartman
` (346 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Herring (Arm), Linus Walleij,
Alexandre Belloni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring (Arm) <robh@kernel.org>
[ Upstream commit 606d19ee37de3a72f1b6e95a4ea544f6f20dbb46 ]
The vendor for the X1205 RTC is not Xircom, but Xicor which was acquired
by Intersil. Since the I2C subsystem drops the vendor prefix for driver
matching, the vendor prefix hasn't mattered.
Fixes: 6875404fdb44 ("rtc: x1205: Add DT probing support")
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250821215703.869628-2-robh@kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-x1205.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-x1205.c b/drivers/rtc/rtc-x1205.c
index 4bcd7ca32f27b..b8a0fccef14e0 100644
--- a/drivers/rtc/rtc-x1205.c
+++ b/drivers/rtc/rtc-x1205.c
@@ -669,7 +669,7 @@ static const struct i2c_device_id x1205_id[] = {
MODULE_DEVICE_TABLE(i2c, x1205_id);
static const struct of_device_id x1205_dt_ids[] = {
- { .compatible = "xircom,x1205", },
+ { .compatible = "xicor,x1205", },
{},
};
MODULE_DEVICE_TABLE(of, x1205_dt_ids);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 038/371] rtc: optee: fix memory leak on driver removal
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 037/371] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 039/371] perf arm_spe: Correct setting remote access Greg Kroah-Hartman
` (345 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Clément Le Goffic,
Alexandre Belloni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clément Le Goffic <clement.legoffic@foss.st.com>
[ Upstream commit a531350d2fe58f7fc4516e555f22391dee94efd9 ]
Fix a memory leak in case of driver removal.
Free the shared memory used for arguments exchanges between kernel and
OP-TEE RTC PTA.
Fixes: 81c2f059ab90 ("rtc: optee: add RTC driver for OP-TEE RTC PTA")
Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com>
Link: https://lore.kernel.org/r/20250715-upstream-optee-rtc-v1-1-e0fdf8aae545@foss.st.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-optee.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/rtc/rtc-optee.c b/drivers/rtc/rtc-optee.c
index 9f8b5d4a8f6b6..6b77c122fdc10 100644
--- a/drivers/rtc/rtc-optee.c
+++ b/drivers/rtc/rtc-optee.c
@@ -320,6 +320,7 @@ static int optee_rtc_remove(struct device *dev)
{
struct optee_rtc *priv = dev_get_drvdata(dev);
+ tee_shm_free(priv->shm);
tee_client_close_session(priv->ctx, priv->session_id);
tee_client_close_context(priv->ctx);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 039/371] perf arm_spe: Correct setting remote access
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 038/371] rtc: optee: fix memory leak on driver removal Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 040/371] perf arm_spe: Correct memory level for " Greg Kroah-Hartman
` (344 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Leo Yan, Adrian Hunter,
Alexander Shishkin, Ali Saidi, German Gomez, Ian Rogers,
Jiri Olsa, Mark Rutland, Namhyung Kim, Will Deacon,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 039fd0634a0629132432632d7ac9a14915406b5c ]
Set the mem_remote field for a remote access to appropriately represent
the event.
Fixes: a89dbc9b988f3ba8 ("perf arm-spe: Set sample's data source field")
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ali Saidi <alisaidi@amazon.com>
Cc: German Gomez <german.gomez@arm.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/arm-spe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c
index 8942fa598a84f..8ecf7142dcd87 100644
--- a/tools/perf/util/arm-spe.c
+++ b/tools/perf/util/arm-spe.c
@@ -839,7 +839,7 @@ static void arm_spe__synth_memory_level(const struct arm_spe_record *record,
}
if (record->type & ARM_SPE_REMOTE_ACCESS)
- data_src->mem_lvl |= PERF_MEM_LVL_REM_CCE1;
+ data_src->mem_remote = PERF_MEM_REMOTE_REMOTE;
}
static bool arm_spe__synth_ds(struct arm_spe_queue *speq,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 040/371] perf arm_spe: Correct memory level for remote access
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 039/371] perf arm_spe: Correct setting remote access Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 041/371] perf vendor events arm64 AmpereOneX: Fix typo - should be l1d_cache_access_prefetches Greg Kroah-Hartman
` (343 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Leo Yan, Adrian Hunter,
Alexander Shishkin, Ali Saidi, German Gomez, Ian Rogers,
Jiri Olsa, Mark Rutland, Namhyung Kim, Will Deacon,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit cb300e3515057fb555983ce47e8acc86a5c69c3c ]
For remote accesses, the data source packet does not contain information
about the memory level. To avoid misinformation, set the memory level to
NA (Not Available).
Fixes: 4e6430cbb1a9f1dc ("perf arm-spe: Use SPE data source for neoverse cores")
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ali Saidi <alisaidi@amazon.com>
Cc: German Gomez <german.gomez@arm.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/arm-spe.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c
index 8ecf7142dcd87..3086dad92965a 100644
--- a/tools/perf/util/arm-spe.c
+++ b/tools/perf/util/arm-spe.c
@@ -670,8 +670,8 @@ static void arm_spe__synth_data_source_common(const struct arm_spe_record *recor
* socket
*/
case ARM_SPE_COMMON_DS_REMOTE:
- data_src->mem_lvl = PERF_MEM_LVL_REM_CCE1;
- data_src->mem_lvl_num = PERF_MEM_LVLNUM_ANY_CACHE;
+ data_src->mem_lvl = PERF_MEM_LVL_NA;
+ data_src->mem_lvl_num = PERF_MEM_LVLNUM_NA;
data_src->mem_remote = PERF_MEM_REMOTE_REMOTE;
data_src->mem_snoopx = PERF_MEM_SNOOPX_PEER;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 041/371] perf vendor events arm64 AmpereOneX: Fix typo - should be l1d_cache_access_prefetches
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 040/371] perf arm_spe: Correct memory level for " Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 042/371] perf test: AMD IBS swfilt skip kernel tests if paranoia is >1 Greg Kroah-Hartman
` (342 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Ilkka Koskinen,
Adrian Hunter, Alexander Shishkin, Ian Rogers, Ingo Molnar,
Jiri Olsa, John Garry, Kan Liang, Leo Yan, Mark Rutland,
Mike Leach, Namhyung Kim, Peter Zijlstra, Will Deacon,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilkka Koskinen <ilkka@os.amperecomputing.com>
[ Upstream commit 97996580da08f06f8b09a86f3384ed9fa7a52e32 ]
Add missing 'h' to l1d_cache_access_prefetces
Also fix a couple of typos and use consistent term in brief descriptions
Fixes: 16438b652b464ef7 ("perf vendor events arm64 AmpereOneX: Add core PMU events and metrics")
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ilkka Koskinen <ilkka@os.amperecomputing.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Garry <john.g.garry@oracle.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Leo Yan <leo.yan@linux.dev>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../arch/arm64/ampere/ampereonex/metrics.json | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json b/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json
index 5228f94a793f9..6817cac149e0b 100644
--- a/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json
+++ b/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json
@@ -113,7 +113,7 @@
{
"MetricName": "load_store_spec_rate",
"MetricExpr": "LDST_SPEC / INST_SPEC",
- "BriefDescription": "The rate of load or store instructions speculatively executed to overall instructions speclatively executed",
+ "BriefDescription": "The rate of load or store instructions speculatively executed to overall instructions speculatively executed",
"MetricGroup": "Operation_Mix",
"ScaleUnit": "100percent of operations"
},
@@ -132,7 +132,7 @@
{
"MetricName": "pc_write_spec_rate",
"MetricExpr": "PC_WRITE_SPEC / INST_SPEC",
- "BriefDescription": "The rate of software change of the PC speculatively executed to overall instructions speclatively executed",
+ "BriefDescription": "The rate of software change of the PC speculatively executed to overall instructions speculatively executed",
"MetricGroup": "Operation_Mix",
"ScaleUnit": "100percent of operations"
},
@@ -195,14 +195,14 @@
{
"MetricName": "stall_frontend_cache_rate",
"MetricExpr": "STALL_FRONTEND_CACHE / CPU_CYCLES",
- "BriefDescription": "Proportion of cycles stalled and no ops delivered from frontend and cache miss",
+ "BriefDescription": "Proportion of cycles stalled and no operations delivered from frontend and cache miss",
"MetricGroup": "Stall",
"ScaleUnit": "100percent of cycles"
},
{
"MetricName": "stall_frontend_tlb_rate",
"MetricExpr": "STALL_FRONTEND_TLB / CPU_CYCLES",
- "BriefDescription": "Proportion of cycles stalled and no ops delivered from frontend and TLB miss",
+ "BriefDescription": "Proportion of cycles stalled and no operations delivered from frontend and TLB miss",
"MetricGroup": "Stall",
"ScaleUnit": "100percent of cycles"
},
@@ -391,7 +391,7 @@
"ScaleUnit": "100percent of cache acceses"
},
{
- "MetricName": "l1d_cache_access_prefetces",
+ "MetricName": "l1d_cache_access_prefetches",
"MetricExpr": "L1D_CACHE_PRFM / L1D_CACHE",
"BriefDescription": "L1D cache access - prefetch",
"MetricGroup": "Cache",
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 042/371] perf test: AMD IBS swfilt skip kernel tests if paranoia is >1
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 041/371] perf vendor events arm64 AmpereOneX: Fix typo - should be l1d_cache_access_prefetches Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 043/371] perf test shell lbr: Avoid failures with perf event paranoia Greg Kroah-Hartman
` (341 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Ian Rogers,
Adrian Hunter, Alexander Shishkin, Collin Funk, Ingo Molnar,
James Clark, Jiri Olsa, Kan Liang, Mark Rutland, Peter Zijlstra,
Ravi Bangoria, Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 2e3501212293c5005873c6ca6bb4f963a7eec442 ]
If not root and the perf_event_paranoid is set >1 swfilt will fail to
open the event failing the test. Add check to skip the test in that
case.
Fixes: 0e71bcdcf1f0b10b ("perf test: Add AMD IBS sw filter test")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Collin Funk <collin.funk1@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lore.kernel.org/r/20250913000350.1306948-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/shell/amd-ibs-swfilt.sh | 51 ++++++++++++++++++------
1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/tools/perf/tests/shell/amd-ibs-swfilt.sh b/tools/perf/tests/shell/amd-ibs-swfilt.sh
index 7045ec72ba4cf..e7f66df05c4b1 100755
--- a/tools/perf/tests/shell/amd-ibs-swfilt.sh
+++ b/tools/perf/tests/shell/amd-ibs-swfilt.sh
@@ -1,6 +1,10 @@
#!/bin/bash
# AMD IBS software filtering
+ParanoidAndNotRoot() {
+ [ "$(id -u)" != 0 ] && [ "$(cat /proc/sys/kernel/perf_event_paranoid)" -gt $1 ]
+}
+
echo "check availability of IBS swfilt"
# check if IBS PMU is available
@@ -16,6 +20,7 @@ if [ ! -f /sys/bus/event_source/devices/ibs_op/format/swfilt ]; then
fi
echo "run perf record with modifier and swfilt"
+err=0
# setting any modifiers should fail
perf record -B -e ibs_op//u -o /dev/null true 2> /dev/null
@@ -31,11 +36,17 @@ if [ $? -ne 0 ]; then
exit 1
fi
-# setting it with swfilt=1 should be fine
-perf record -B -e ibs_op/swfilt=1/k -o /dev/null true
-if [ $? -ne 0 ]; then
- echo "[FAIL] IBS op PMU cannot handle swfilt for exclude_user"
- exit 1
+if ! ParanoidAndNotRoot 1
+then
+ # setting it with swfilt=1 should be fine
+ perf record -B -e ibs_op/swfilt=1/k -o /dev/null true
+ if [ $? -ne 0 ]; then
+ echo "[FAIL] IBS op PMU cannot handle swfilt for exclude_user"
+ exit 1
+ fi
+else
+ echo "[SKIP] not root and perf_event_paranoid too high for exclude_user"
+ err=2
fi
# check ibs_fetch PMU as well
@@ -46,10 +57,16 @@ if [ $? -ne 0 ]; then
fi
# check system wide recording
-perf record -aB --synth=no -e ibs_op/swfilt/k -o /dev/null true
-if [ $? -ne 0 ]; then
- echo "[FAIL] IBS op PMU cannot handle swfilt in system-wide mode"
- exit 1
+if ! ParanoidAndNotRoot 0
+then
+ perf record -aB --synth=no -e ibs_op/swfilt/k -o /dev/null true
+ if [ $? -ne 0 ]; then
+ echo "[FAIL] IBS op PMU cannot handle swfilt in system-wide mode"
+ exit 1
+ fi
+else
+ echo "[SKIP] not root and perf_event_paranoid too high for system-wide/exclude_user"
+ err=2
fi
echo "check number of samples with swfilt"
@@ -60,8 +77,16 @@ if [ ${kernel_sample} -ne 0 ]; then
exit 1
fi
-user_sample=$(perf record -e ibs_fetch/swfilt/k -o- true | perf script -i- -F misc | grep -c ^U)
-if [ ${user_sample} -ne 0 ]; then
- echo "[FAIL] unexpected user samples: " ${user_sample}
- exit 1
+if ! ParanoidAndNotRoot 1
+then
+ user_sample=$(perf record -e ibs_fetch/swfilt/k -o- true | perf script -i- -F misc | grep -c ^U)
+ if [ ${user_sample} -ne 0 ]; then
+ echo "[FAIL] unexpected user samples: " ${user_sample}
+ exit 1
+ fi
+else
+ echo "[SKIP] not root and perf_event_paranoid too high for exclude_user"
+ err=2
fi
+
+exit $err
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 043/371] perf test shell lbr: Avoid failures with perf event paranoia
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 042/371] perf test: AMD IBS swfilt skip kernel tests if paranoia is >1 Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 044/371] perf trace: Fix IS_ERR() vs NULL check bug Greg Kroah-Hartman
` (340 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Chun-Tse Shao, Howard Chu, Ingo Molnar,
James Clark, Jiri Olsa, Kan Liang, Mark Rutland, Namhyung Kim,
Peter Zijlstra, Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 48314d20fe467d6653783cbf5536cb2fcc9bdd7c ]
When not running as root and with higher perf event paranoia values
the perf record LBR tests could fail rather than skipping the
problematic tests.
Add the sensitivity to the test and confirm it passes with paranoia
values from -1 to 2.
Committer testing:
Testing with '$ perf test -vv lbr', i.e. as non root, and then comparing
the output shows the mentioned errors before this patch:
acme@x1:~$ grep -m1 "model name" /proc/cpuinfo
model name : 13th Gen Intel(R) Core(TM) i7-1365U
acme@x1:~$
Before:
132: perf record LBR tests : Skip
After:
132: perf record LBR tests : Ok
Fixes: 32559b99e0f59070 ("perf test: Add set of perf record LBR tests")
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/shell/record_lbr.sh | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/tools/perf/tests/shell/record_lbr.sh b/tools/perf/tests/shell/record_lbr.sh
index 6fcb5e52b9b4f..78a02e90ece1e 100755
--- a/tools/perf/tests/shell/record_lbr.sh
+++ b/tools/perf/tests/shell/record_lbr.sh
@@ -4,6 +4,10 @@
set -e
+ParanoidAndNotRoot() {
+ [ "$(id -u)" != 0 ] && [ "$(cat /proc/sys/kernel/perf_event_paranoid)" -gt $1 ]
+}
+
if [ ! -f /sys/bus/event_source/devices/cpu/caps/branches ] &&
[ ! -f /sys/bus/event_source/devices/cpu_core/caps/branches ]
then
@@ -23,6 +27,7 @@ cleanup() {
}
trap_cleanup() {
+ echo "Unexpected signal in ${FUNCNAME[1]}"
cleanup
exit 1
}
@@ -123,8 +128,11 @@ lbr_test "-j ind_call" "any indirect call" 2
lbr_test "-j ind_jmp" "any indirect jump" 100
lbr_test "-j call" "direct calls" 2
lbr_test "-j ind_call,u" "any indirect user call" 100
-lbr_test "-a -b" "system wide any branch" 2
-lbr_test "-a -j any_call" "system wide any call" 2
+if ! ParanoidAndNotRoot 1
+then
+ lbr_test "-a -b" "system wide any branch" 2
+ lbr_test "-a -j any_call" "system wide any call" 2
+fi
# Parallel
parallel_lbr_test "-b" "parallel any branch" 100 &
@@ -141,10 +149,16 @@ parallel_lbr_test "-j call" "parallel direct calls" 100 &
pid6=$!
parallel_lbr_test "-j ind_call,u" "parallel any indirect user call" 100 &
pid7=$!
-parallel_lbr_test "-a -b" "parallel system wide any branch" 100 &
-pid8=$!
-parallel_lbr_test "-a -j any_call" "parallel system wide any call" 100 &
-pid9=$!
+if ParanoidAndNotRoot 1
+then
+ pid8=
+ pid9=
+else
+ parallel_lbr_test "-a -b" "parallel system wide any branch" 100 &
+ pid8=$!
+ parallel_lbr_test "-a -j any_call" "parallel system wide any call" 100 &
+ pid9=$!
+fi
for pid in $pid1 $pid2 $pid3 $pid4 $pid5 $pid6 $pid7 $pid8 $pid9
do
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 044/371] perf trace: Fix IS_ERR() vs NULL check bug
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 043/371] perf test shell lbr: Avoid failures with perf event paranoia Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 045/371] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
` (339 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Fushuai Wang,
Adrian Hunter, Alexander Shishkin, Ingo Molnar, Jiri Olsa,
Kan Liang, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fushuai Wang <wangfushuai@baidu.com>
[ Upstream commit b0f4ade163e551d0c470ead7ac57eaf373eec71a ]
The alloc_syscall_stats() function always returns an error pointer
(ERR_PTR) on failure.
So replace NULL check with IS_ERR() check after calling
alloc_syscall_stats() function.
Fixes: fc00897c8a3f7f57 ("perf trace: Add --summary-mode option")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index fe737b3ac6e67..25c41b89f8abb 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -4440,7 +4440,7 @@ static int trace__run(struct trace *trace, int argc, const char **argv)
if (trace->summary_mode == SUMMARY__BY_TOTAL && !trace->summary_bpf) {
trace->syscall_stats = alloc_syscall_stats();
- if (trace->syscall_stats == NULL)
+ if (IS_ERR(trace->syscall_stats))
goto out_delete_evlist;
}
@@ -4748,7 +4748,7 @@ static int trace__replay(struct trace *trace)
if (trace->summary_mode == SUMMARY__BY_TOTAL) {
trace->syscall_stats = alloc_syscall_stats();
- if (trace->syscall_stats == NULL)
+ if (IS_ERR(trace->syscall_stats))
goto out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 045/371] perf session: Fix handling when buffer exceeds 2 GiB
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 044/371] perf trace: Fix IS_ERR() vs NULL check bug Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 046/371] perf test: Dont leak workload gopipe in PERF_RECORD_* Greg Kroah-Hartman
` (338 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tamas Zsoldos, Leo Yan, Namhyung Kim,
Adrian Hunter, Ian Rogers, Jiri Olsa, Arnaldo Carvalho de Melo,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit c17dda8013495d8132c976cbf349be9949d0fbd1 ]
If a user specifies an AUX buffer larger than 2 GiB, the returned size
may exceed 0x80000000. Since the err variable is defined as a signed
32-bit integer, such a value overflows and becomes negative.
As a result, the perf record command reports an error:
0x146e8 [0x30]: failed to process type: 71 [Unknown error 183711232]
Change the type of the err variable to a signed 64-bit integer to
accommodate large buffer sizes correctly.
Fixes: d5652d865ea734a1 ("perf session: Add ability to skip 4GiB or more")
Reported-by: Tamas Zsoldos <tamas.zsoldos@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20250808-perf_fix_big_buffer_size-v1-1-45f45444a9a4@arm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index 26ae078278cd6..09af486c83e4f 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -1402,7 +1402,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
const struct perf_tool *tool = session->tool;
struct perf_sample sample;
int fd = perf_data__fd(session->data);
- int err;
+ s64 err;
perf_sample__init(&sample, /*all=*/true);
if ((event->header.type != PERF_RECORD_COMPRESSED &&
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 046/371] perf test: Dont leak workload gopipe in PERF_RECORD_*
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 045/371] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 047/371] perf evsel: Fix uniquification when PMU given without suffix Greg Kroah-Hartman
` (337 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Adrian Hunter, Alexander Shishkin, Athira Rajeev, Chun-Tse Shao,
Howard Chu, Ingo Molnar, James Clark, Jiri Olsa, Kan Liang,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 48918cacefd226af44373e914e63304927c0e7dc ]
The test starts a workload and then opens events. If the events fail
to open, for example because of perf_event_paranoid, the gopipe of the
workload is leaked and the file descriptor leak check fails when the
test exits. To avoid this cancel the workload when opening the events
fails.
Before:
```
$ perf test -vv 7
7: PERF_RECORD_* events & perf_sample fields:
--- start ---
test child forked, pid 1189568
Using CPUID GenuineIntel-6-B7-1
------------------------------------------------------------
perf_event_attr:
type 0 (PERF_TYPE_HARDWARE)
config 0xa00000000 (cpu_atom/PERF_COUNT_HW_CPU_CYCLES/)
disabled 1
------------------------------------------------------------
sys_perf_event_open: pid 0 cpu -1 group_fd -1 flags 0x8
sys_perf_event_open failed, error -13
------------------------------------------------------------
perf_event_attr:
type 0 (PERF_TYPE_HARDWARE)
config 0xa00000000 (cpu_atom/PERF_COUNT_HW_CPU_CYCLES/)
disabled 1
exclude_kernel 1
------------------------------------------------------------
sys_perf_event_open: pid 0 cpu -1 group_fd -1 flags 0x8 = 3
------------------------------------------------------------
perf_event_attr:
type 0 (PERF_TYPE_HARDWARE)
config 0x400000000 (cpu_core/PERF_COUNT_HW_CPU_CYCLES/)
disabled 1
------------------------------------------------------------
sys_perf_event_open: pid 0 cpu -1 group_fd -1 flags 0x8
sys_perf_event_open failed, error -13
------------------------------------------------------------
perf_event_attr:
type 0 (PERF_TYPE_HARDWARE)
config 0x400000000 (cpu_core/PERF_COUNT_HW_CPU_CYCLES/)
disabled 1
exclude_kernel 1
------------------------------------------------------------
sys_perf_event_open: pid 0 cpu -1 group_fd -1 flags 0x8 = 3
Attempt to add: software/cpu-clock/
..after resolving event: software/config=0/
cpu-clock -> software/cpu-clock/
------------------------------------------------------------
perf_event_attr:
type 1 (PERF_TYPE_SOFTWARE)
size 136
config 0x9 (PERF_COUNT_SW_DUMMY)
sample_type IP|TID|TIME|CPU
read_format ID|LOST
disabled 1
inherit 1
mmap 1
comm 1
enable_on_exec 1
task 1
sample_id_all 1
mmap2 1
comm_exec 1
ksymbol 1
bpf_event 1
{ wakeup_events, wakeup_watermark } 1
------------------------------------------------------------
sys_perf_event_open: pid 1189569 cpu 0 group_fd -1 flags 0x8
sys_perf_event_open failed, error -13
perf_evlist__open: Permission denied
---- end(-2) ----
Leak of file descriptor 6 that opened: 'pipe:[14200347]'
---- unexpected signal (6) ----
iFailed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
Failed to read build ID for //anon
#0 0x565358f6666e in child_test_sig_handler builtin-test.c:311
#1 0x7f29ce849df0 in __restore_rt libc_sigaction.c:0
#2 0x7f29ce89e95c in __pthread_kill_implementation pthread_kill.c:44
#3 0x7f29ce849cc2 in raise raise.c:27
#4 0x7f29ce8324ac in abort abort.c:81
#5 0x565358f662d4 in check_leaks builtin-test.c:226
#6 0x565358f6682e in run_test_child builtin-test.c:344
#7 0x565358ef7121 in start_command run-command.c:128
#8 0x565358f67273 in start_test builtin-test.c:545
#9 0x565358f6771d in __cmd_test builtin-test.c:647
#10 0x565358f682bd in cmd_test builtin-test.c:849
#11 0x565358ee5ded in run_builtin perf.c:349
#12 0x565358ee6085 in handle_internal_command perf.c:401
#13 0x565358ee61de in run_argv perf.c:448
#14 0x565358ee6527 in main perf.c:555
#15 0x7f29ce833ca8 in __libc_start_call_main libc_start_call_main.h:74
#16 0x7f29ce833d65 in __libc_start_main@@GLIBC_2.34 libc-start.c:128
#17 0x565358e391c1 in _start perf[851c1]
7: PERF_RECORD_* events & perf_sample fields : FAILED!
```
After:
```
$ perf test 7
7: PERF_RECORD_* events & perf_sample fields : Skip (permissions)
```
Fixes: 16d00fee703866c6 ("perf tests: Move test__PERF_RECORD into separate object")
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/perf-record.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/perf/tests/perf-record.c b/tools/perf/tests/perf-record.c
index 0b3c37e668717..8c79b5166a058 100644
--- a/tools/perf/tests/perf-record.c
+++ b/tools/perf/tests/perf-record.c
@@ -115,6 +115,7 @@ static int test__PERF_RECORD(struct test_suite *test __maybe_unused, int subtest
if (err < 0) {
pr_debug("sched__get_first_possible_cpu: %s\n",
str_error_r(errno, sbuf, sizeof(sbuf)));
+ evlist__cancel_workload(evlist);
goto out_delete_evlist;
}
@@ -126,6 +127,7 @@ static int test__PERF_RECORD(struct test_suite *test __maybe_unused, int subtest
if (sched_setaffinity(evlist->workload.pid, cpu_mask_size, &cpu_mask) < 0) {
pr_debug("sched_setaffinity: %s\n",
str_error_r(errno, sbuf, sizeof(sbuf)));
+ evlist__cancel_workload(evlist);
goto out_delete_evlist;
}
@@ -137,6 +139,7 @@ static int test__PERF_RECORD(struct test_suite *test __maybe_unused, int subtest
if (err < 0) {
pr_debug("perf_evlist__open: %s\n",
str_error_r(errno, sbuf, sizeof(sbuf)));
+ evlist__cancel_workload(evlist);
goto out_delete_evlist;
}
@@ -149,6 +152,7 @@ static int test__PERF_RECORD(struct test_suite *test __maybe_unused, int subtest
if (err < 0) {
pr_debug("evlist__mmap: %s\n",
str_error_r(errno, sbuf, sizeof(sbuf)));
+ evlist__cancel_workload(evlist);
goto out_delete_evlist;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 047/371] perf evsel: Fix uniquification when PMU given without suffix
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 046/371] perf test: Dont leak workload gopipe in PERF_RECORD_* Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 048/371] perf test: Avoid uncore_imc/clockticks in uniquification test Greg Kroah-Hartman
` (336 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Adrian Hunter, Alexander Shishkin, Athira Rajeev, Chun-Tse Shao,
Howard Chu, Ingo Molnar, James Clark, Jiri Olsa, Kan Liang,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 693101792e45eefc888c7ba10b91108047399f5d ]
The PMU name is appearing twice in:
```
$ perf stat -e uncore_imc_free_running/data_total/ -A true
Performance counter stats for 'system wide':
CPU0 1.57 MiB uncore_imc_free_running_0/uncore_imc_free_running,data_total/
CPU0 1.58 MiB uncore_imc_free_running_1/uncore_imc_free_running,data_total/
0.000892376 seconds time elapsed
```
Use the pmu_name_len_no_suffix to avoid this problem.
Committer testing:
After this patch:
root@x1:~# perf stat -e uncore_imc_free_running/data_total/ -A true
Performance counter stats for 'system wide':
CPU0 1.69 MiB uncore_imc_free_running_0/data_total/
CPU0 1.68 MiB uncore_imc_free_running_1/data_total/
0.002141605 seconds time elapsed
root@x1:~#
Fixes: 7d45f402d3117e0b ("perf evlist: Make uniquifying counter names consistent")
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/evsel.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 496f42434327b..9c086d743d344 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -4050,9 +4050,9 @@ bool evsel__set_needs_uniquify(struct evsel *counter, const struct perf_stat_con
void evsel__uniquify_counter(struct evsel *counter)
{
- const char *name, *pmu_name;
- char *new_name, *config;
- int ret;
+ const char *name, *pmu_name, *config;
+ char *new_name;
+ int len, ret;
/* No uniquification necessary. */
if (!counter->needs_uniquify)
@@ -4066,15 +4066,23 @@ void evsel__uniquify_counter(struct evsel *counter)
counter->uniquified_name = true;
name = evsel__name(counter);
+ config = strchr(name, '/');
pmu_name = counter->pmu->name;
- /* Already prefixed by the PMU name. */
- if (!strncmp(name, pmu_name, strlen(pmu_name)))
- return;
- config = strchr(name, '/');
- if (config) {
- int len = config - name;
+ /* Already prefixed by the PMU name? */
+ len = pmu_name_len_no_suffix(pmu_name);
+
+ if (!strncmp(name, pmu_name, len)) {
+ /*
+ * If the PMU name is there, then there is no sense in not
+ * having a slash. Do this for robustness.
+ */
+ if (config == NULL)
+ config = name - 1;
+ ret = asprintf(&new_name, "%s/%s", pmu_name, config + 1);
+ } else if (config) {
+ len = config - name;
if (config[1] == '/') {
/* case: event// */
ret = asprintf(&new_name, "%s/%.*s/%s", pmu_name, len, name, config + 2);
@@ -4086,7 +4094,7 @@ void evsel__uniquify_counter(struct evsel *counter)
config = strchr(name, ':');
if (config) {
/* case: event:.. */
- int len = config - name;
+ len = config - name;
ret = asprintf(&new_name, "%s/%.*s/%s", pmu_name, len, name, config + 1);
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 048/371] perf test: Avoid uncore_imc/clockticks in uniquification test
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 047/371] perf evsel: Fix uniquification when PMU given without suffix Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 049/371] perf evsel: Ensure the fallback message is always written to Greg Kroah-Hartman
` (335 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Adrian Hunter, Alexander Shishkin, Athira Rajeev, Chun-Tse Shao,
Howard Chu, Ingo Molnar, James Clark, Jiri Olsa, Kan Liang,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit edaeb4bcf1511fe4e464fff9dd4a3abf6b0096da ]
The detection of uncore_imc may happen for free running PMUs and the
clockticks event may be present on uncore_clock. Rewrite the test to
detect duplicated/deduplicated events from perf list, not hardcoded to
uncore_imc.
If perf stat fails then assume it is permissions and skip the test.
Committer testing:
Before:
root@x1:~# perf test -vv uniquifyi
96: perf stat events uniquifying:
--- start ---
test child forked, pid 220851
stat event uniquifying test
grep: Unmatched [, [^, [:, [., or [=
Event is not uniquified [Failed]
perf stat -e clockticks -A -o /tmp/__perf_test.stat_output.X7ChD -- true
# started on Fri Sep 19 16:48:38 2025
Performance counter stats for 'system wide':
CPU0 2,310,956 uncore_clock/clockticks/
0.001746771 seconds time elapsed
---- end(-1) ----
96: perf stat events uniquifying : FAILED!
root@x1:~#
After:
root@x1:~# perf test -vv uniquifyi
96: perf stat events uniquifying:
--- start ---
test child forked, pid 222366
Uniquification of PMU sysfs events test
Testing event uncore_imc_free_running/data_read/ is uniquified to uncore_imc_free_running_0/data_read/
Testing event uncore_imc_free_running/data_total/ is uniquified to uncore_imc_free_running_0/data_total/
Testing event uncore_imc_free_running/data_write/ is uniquified to uncore_imc_free_running_0/data_write/
Testing event uncore_imc_free_running/data_read/ is uniquified to uncore_imc_free_running_1/data_read/
Testing event uncore_imc_free_running/data_total/ is uniquified to uncore_imc_free_running_1/data_total/
Testing event uncore_imc_free_running/data_write/ is uniquified to uncore_imc_free_running_1/data_write/
---- end(0) ----
96: perf stat events uniquifying : Ok
root@x1:~#
Fixes: 070b315333ee942f ("perf test: Restrict uniquifying test to machines with 'uncore_imc'")
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../tests/shell/stat+event_uniquifying.sh | 109 ++++++++----------
1 file changed, 49 insertions(+), 60 deletions(-)
diff --git a/tools/perf/tests/shell/stat+event_uniquifying.sh b/tools/perf/tests/shell/stat+event_uniquifying.sh
index bf54bd6c3e2e6..b5dec6b6da369 100755
--- a/tools/perf/tests/shell/stat+event_uniquifying.sh
+++ b/tools/perf/tests/shell/stat+event_uniquifying.sh
@@ -4,74 +4,63 @@
set -e
-stat_output=$(mktemp /tmp/__perf_test.stat_output.XXXXX)
-perf_tool=perf
err=0
+stat_output=$(mktemp /tmp/__perf_test.stat_output.XXXXX)
-test_event_uniquifying() {
- # We use `clockticks` in `uncore_imc` to verify the uniquify behavior.
- pmu="uncore_imc"
- event="clockticks"
-
- # If the `-A` option is added, the event should be uniquified.
- #
- # $perf list -v clockticks
- #
- # List of pre-defined events (to be used in -e or -M):
- #
- # uncore_imc_0/clockticks/ [Kernel PMU event]
- # uncore_imc_1/clockticks/ [Kernel PMU event]
- # uncore_imc_2/clockticks/ [Kernel PMU event]
- # uncore_imc_3/clockticks/ [Kernel PMU event]
- # uncore_imc_4/clockticks/ [Kernel PMU event]
- # uncore_imc_5/clockticks/ [Kernel PMU event]
- #
- # ...
- #
- # $perf stat -e clockticks -A -- true
- #
- # Performance counter stats for 'system wide':
- #
- # CPU0 3,773,018 uncore_imc_0/clockticks/
- # CPU0 3,609,025 uncore_imc_1/clockticks/
- # CPU0 0 uncore_imc_2/clockticks/
- # CPU0 3,230,009 uncore_imc_3/clockticks/
- # CPU0 3,049,897 uncore_imc_4/clockticks/
- # CPU0 0 uncore_imc_5/clockticks/
- #
- # 0.002029828 seconds time elapsed
-
- echo "stat event uniquifying test"
- uniquified_event_array=()
+cleanup() {
+ rm -f "${stat_output}"
- # Skip if the machine does not have `uncore_imc` device.
- if ! ${perf_tool} list pmu | grep -q ${pmu}; then
- echo "Target does not support PMU ${pmu} [Skipped]"
- err=2
- return
- fi
+ trap - EXIT TERM INT
+}
- # Check how many uniquified events.
- while IFS= read -r line; do
- uniquified_event=$(echo "$line" | awk '{print $1}')
- uniquified_event_array+=("${uniquified_event}")
- done < <(${perf_tool} list -v ${event} | grep ${pmu})
+trap_cleanup() {
+ echo "Unexpected signal in ${FUNCNAME[1]}"
+ cleanup
+ exit 1
+}
+trap trap_cleanup EXIT TERM INT
- perf_command="${perf_tool} stat -e $event -A -o ${stat_output} -- true"
- $perf_command
+test_event_uniquifying() {
+ echo "Uniquification of PMU sysfs events test"
- # Check the output contains all uniquified events.
- for uniquified_event in "${uniquified_event_array[@]}"; do
- if ! cat "${stat_output}" | grep -q "${uniquified_event}"; then
- echo "Event is not uniquified [Failed]"
- echo "${perf_command}"
- cat "${stat_output}"
- err=1
- break
- fi
+ # Read events from perf list with and without -v. With -v the duplicate PMUs
+ # aren't deduplicated. Note, json events are listed by perf list without a
+ # PMU.
+ read -ra pmu_events <<< "$(perf list --raw pmu)"
+ read -ra pmu_v_events <<< "$(perf list -v --raw pmu)"
+ # For all non-deduplicated events.
+ for pmu_v_event in "${pmu_v_events[@]}"; do
+ # If the event matches an event in the deduplicated events then it musn't
+ # be an event with duplicate PMUs, continue the outer loop.
+ for pmu_event in "${pmu_events[@]}"; do
+ if [[ "$pmu_v_event" == "$pmu_event" ]]; then
+ continue 2
+ fi
+ done
+ # Strip the suffix from the non-deduplicated event's PMU.
+ event=$(echo "$pmu_v_event" | sed -E 's/_[0-9]+//')
+ for pmu_event in "${pmu_events[@]}"; do
+ if [[ "$event" == "$pmu_event" ]]; then
+ echo "Testing event ${event} is uniquified to ${pmu_v_event}"
+ if ! perf stat -e "$event" -A -o ${stat_output} -- true; then
+ echo "Error running perf stat for event '$event' [Skip]"
+ if [ $err = 0 ]; then
+ err=2
+ fi
+ continue
+ fi
+ # Ensure the non-deduplicated event appears in the output.
+ if ! grep -q "${pmu_v_event}" "${stat_output}"; then
+ echo "Uniquification of PMU sysfs events test [Failed]"
+ cat "${stat_output}"
+ err=1
+ fi
+ break
+ fi
+ done
done
}
test_event_uniquifying
-rm -f "${stat_output}"
+cleanup
exit $err
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 049/371] perf evsel: Ensure the fallback message is always written to
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 048/371] perf test: Avoid uncore_imc/clockticks in uniquification test Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 050/371] perf build-id: Ensure snprintf string is empty when size is 0 Greg Kroah-Hartman
` (334 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Howard Chu, Ingo Molnar, James Clark,
Jiri Olsa, Kan Liang, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 24937ee839e4bbc097acde73eeed67812bad2d99 ]
The fallback message is unconditionally printed in places like
record__open().
If no fallback is attempted this can lead to printing uninitialized
data, crashes, etc.
Fixes: c0a54341c0e89333 ("perf evsel: Introduce event fallback method")
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/evsel.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 9c086d743d344..5df59812b80ca 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -3562,7 +3562,7 @@ bool evsel__fallback(struct evsel *evsel, struct target *target, int err,
/* If event has exclude user then don't exclude kernel. */
if (evsel->core.attr.exclude_user)
- return false;
+ goto no_fallback;
/* Is there already the separator in the name. */
if (strchr(name, '/') ||
@@ -3570,7 +3570,7 @@ bool evsel__fallback(struct evsel *evsel, struct target *target, int err,
sep = "";
if (asprintf(&new_name, "%s%su", name, sep) < 0)
- return false;
+ goto no_fallback;
free(evsel->name);
evsel->name = new_name;
@@ -3593,17 +3593,19 @@ bool evsel__fallback(struct evsel *evsel, struct target *target, int err,
sep = "";
if (asprintf(&new_name, "%s%sH", name, sep) < 0)
- return false;
+ goto no_fallback;
free(evsel->name);
evsel->name = new_name;
/* Apple M1 requires exclude_guest */
- scnprintf(msg, msgsize, "trying to fall back to excluding guest samples");
+ scnprintf(msg, msgsize, "Trying to fall back to excluding guest samples");
evsel->core.attr.exclude_guest = 1;
return true;
}
-
+no_fallback:
+ scnprintf(msg, msgsize, "No fallback found for '%s' for error %d",
+ evsel__name(evsel), err);
return false;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 050/371] perf build-id: Ensure snprintf string is empty when size is 0
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 049/371] perf evsel: Ensure the fallback message is always written to Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 051/371] clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m Greg Kroah-Hartman
` (333 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Howard Chu, Ingo Molnar, James Clark,
Jiri Olsa, Kan Liang, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 0dc96cae063cbf9ebf6631b33b08e9ba02324248 ]
The string result of build_id__snprintf() is unconditionally used in
places like dsos__fprintf_buildid_cb(). If the build id has size 0 then
this creates a use of uninitialized memory. Add null termination for the
size 0 case.
A similar fix was written by Jiri Olsa in commit 6311951d4f8f28c4 ("perf
tools: Initialize output buffer in build_id__sprintf") but lost in the
transition to snprintf.
Fixes: fccaaf6fbbc59910 ("perf build-id: Change sprintf functions to snprintf")
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/build-id.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
index bf7f3268b9a2f..35505a1ffd111 100644
--- a/tools/perf/util/build-id.c
+++ b/tools/perf/util/build-id.c
@@ -86,6 +86,13 @@ int build_id__snprintf(const struct build_id *build_id, char *bf, size_t bf_size
{
size_t offs = 0;
+ if (build_id->size == 0) {
+ /* Ensure bf is always \0 terminated. */
+ if (bf_size > 0)
+ bf[0] = '\0';
+ return 0;
+ }
+
for (size_t i = 0; i < build_id->size && offs < bf_size; ++i)
offs += snprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 051/371] clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 050/371] perf build-id: Ensure snprintf string is empty when size is 0 Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 052/371] clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags() Greg Kroah-Hartman
` (332 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Stephen Boyd, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 6c4c26b624790098988c1034541087e3e5ed5bed ]
The infrastructure gate for the HDMI specific crystal needs the
top_hdmi_xtal clock to be configured in order to ungate the 26m
clock to the HDMI IP, and it wouldn't work without.
Reparent the infra_ao_hdmi_26m clock to top_hdmi_xtal to fix that.
Fixes: e2edf59dec0b ("clk: mediatek: Add MT8195 infrastructure clock support")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/mediatek/clk-mt8195-infra_ao.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/mediatek/clk-mt8195-infra_ao.c b/drivers/clk/mediatek/clk-mt8195-infra_ao.c
index bb648a88e43af..ad47fdb234607 100644
--- a/drivers/clk/mediatek/clk-mt8195-infra_ao.c
+++ b/drivers/clk/mediatek/clk-mt8195-infra_ao.c
@@ -103,7 +103,7 @@ static const struct mtk_gate infra_ao_clks[] = {
GATE_INFRA_AO0(CLK_INFRA_AO_CQ_DMA_FPC, "infra_ao_cq_dma_fpc", "fpc", 28),
GATE_INFRA_AO0(CLK_INFRA_AO_UART5, "infra_ao_uart5", "top_uart", 29),
/* INFRA_AO1 */
- GATE_INFRA_AO1(CLK_INFRA_AO_HDMI_26M, "infra_ao_hdmi_26m", "clk26m", 0),
+ GATE_INFRA_AO1(CLK_INFRA_AO_HDMI_26M, "infra_ao_hdmi_26m", "top_hdmi_xtal", 0),
GATE_INFRA_AO1(CLK_INFRA_AO_SPI0, "infra_ao_spi0", "top_spi", 1),
GATE_INFRA_AO1(CLK_INFRA_AO_MSDC0, "infra_ao_msdc0", "top_msdc50_0_hclk", 2),
GATE_INFRA_AO1(CLK_INFRA_AO_MSDC1, "infra_ao_msdc1", "top_axi", 4),
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 052/371] clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 051/371] clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 053/371] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
` (331 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, Stephen Boyd,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 5e121370a7ad3414c7f3a77002e2b18abe5c6fe1 ]
The `flags` in |struct mtk_mux| are core clk flags, not mux clk flags.
Passing one to the other is wrong.
Since there aren't any actual users adding CLK_MUX_* flags, just drop it
for now.
Fixes: b05ea3314390 ("clk: mediatek: clk-mux: Add .determine_rate() callback")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/mediatek/clk-mux.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/clk/mediatek/clk-mux.c b/drivers/clk/mediatek/clk-mux.c
index 60990296450bb..9a12e58230bed 100644
--- a/drivers/clk/mediatek/clk-mux.c
+++ b/drivers/clk/mediatek/clk-mux.c
@@ -146,9 +146,7 @@ static int mtk_clk_mux_set_parent_setclr_lock(struct clk_hw *hw, u8 index)
static int mtk_clk_mux_determine_rate(struct clk_hw *hw,
struct clk_rate_request *req)
{
- struct mtk_clk_mux *mux = to_mtk_clk_mux(hw);
-
- return clk_mux_determine_rate_flags(hw, req, mux->data->flags);
+ return clk_mux_determine_rate_flags(hw, req, 0);
}
const struct clk_ops mtk_mux_clr_set_upd_ops = {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 053/371] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 052/371] clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 054/371] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
` (330 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Brian Masney, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit b46a3d323a5b7942e65025254c13801d0f475f02 ]
The round_rate() clk ops is deprecated, so migrate this driver from
round_rate() to determine_rate() using the Coccinelle semantic patch
on the cover letter of this series.
Signed-off-by: Brian Masney <bmasney@redhat.com>
Stable-dep-of: 1624dead9a4d ("clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/nxp/clk-lpc18xx-cgu.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/clk/nxp/clk-lpc18xx-cgu.c b/drivers/clk/nxp/clk-lpc18xx-cgu.c
index 81efa885069b2..30e0b283ca608 100644
--- a/drivers/clk/nxp/clk-lpc18xx-cgu.c
+++ b/drivers/clk/nxp/clk-lpc18xx-cgu.c
@@ -370,23 +370,25 @@ static unsigned long lpc18xx_pll0_recalc_rate(struct clk_hw *hw,
return 0;
}
-static long lpc18xx_pll0_round_rate(struct clk_hw *hw, unsigned long rate,
- unsigned long *prate)
+static int lpc18xx_pll0_determine_rate(struct clk_hw *hw,
+ struct clk_rate_request *req)
{
unsigned long m;
- if (*prate < rate) {
+ if (req->best_parent_rate < req->rate) {
pr_warn("%s: pll dividers not supported\n", __func__);
return -EINVAL;
}
- m = DIV_ROUND_UP_ULL(*prate, rate * 2);
+ m = DIV_ROUND_UP_ULL(req->best_parent_rate, req->rate * 2);
if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX) {
- pr_warn("%s: unable to support rate %lu\n", __func__, rate);
+ pr_warn("%s: unable to support rate %lu\n", __func__, req->rate);
return -EINVAL;
}
- return 2 * *prate * m;
+ req->rate = 2 * req->best_parent_rate * m;
+
+ return 0;
}
static int lpc18xx_pll0_set_rate(struct clk_hw *hw, unsigned long rate,
@@ -443,7 +445,7 @@ static int lpc18xx_pll0_set_rate(struct clk_hw *hw, unsigned long rate,
static const struct clk_ops lpc18xx_pll0_ops = {
.recalc_rate = lpc18xx_pll0_recalc_rate,
- .round_rate = lpc18xx_pll0_round_rate,
+ .determine_rate = lpc18xx_pll0_determine_rate,
.set_rate = lpc18xx_pll0_set_rate,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 054/371] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 053/371] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 055/371] clk: tegra: do not overallocate memory for bpmp clocks Greg Kroah-Hartman
` (329 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Stephen Boyd,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 1624dead9a4d288a594fdf19735ebfe4bb567cb8 ]
The conditional check for the PLL0 multiplier 'm' used a logical AND
instead of OR, making the range check ineffective. This patch replaces
&& with || to correctly reject invalid values of 'm' that are either
less than or equal to 0 or greater than LPC18XX_PLL0_MSEL_MAX.
This ensures proper bounds checking during clk rate setting and rounding.
Fixes: b04e0b8fd544 ("clk: add lpc18xx cgu clk driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
[sboyd@kernel.org: 'm' is unsigned so remove < condition]
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/nxp/clk-lpc18xx-cgu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/nxp/clk-lpc18xx-cgu.c b/drivers/clk/nxp/clk-lpc18xx-cgu.c
index 30e0b283ca608..b9e204d63a972 100644
--- a/drivers/clk/nxp/clk-lpc18xx-cgu.c
+++ b/drivers/clk/nxp/clk-lpc18xx-cgu.c
@@ -381,7 +381,7 @@ static int lpc18xx_pll0_determine_rate(struct clk_hw *hw,
}
m = DIV_ROUND_UP_ULL(req->best_parent_rate, req->rate * 2);
- if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX) {
+ if (m == 0 || m > LPC18XX_PLL0_MSEL_MAX) {
pr_warn("%s: unable to support rate %lu\n", __func__, req->rate);
return -EINVAL;
}
@@ -404,7 +404,7 @@ static int lpc18xx_pll0_set_rate(struct clk_hw *hw, unsigned long rate,
}
m = DIV_ROUND_UP_ULL(parent_rate, rate * 2);
- if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX) {
+ if (m == 0 || m > LPC18XX_PLL0_MSEL_MAX) {
pr_warn("%s: unable to support rate %lu\n", __func__, rate);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 055/371] clk: tegra: do not overallocate memory for bpmp clocks
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 054/371] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 056/371] nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update Greg Kroah-Hartman
` (328 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Stephen Boyd,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 49ef6491106209c595476fc122c3922dfd03253f ]
struct tegra_bpmp::clocks is a pointer to a dynamically allocated array
of pointers to 'struct tegra_bpmp_clk'.
But the size of the allocated area is calculated like it is an array
containing actual 'struct tegra_bpmp_clk' objects - it's not true, there
are just pointers.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: 2db12b15c6f3 ("clk: tegra: Register clocks from root to leaf")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/tegra/clk-bpmp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/tegra/clk-bpmp.c b/drivers/clk/tegra/clk-bpmp.c
index b2323cb8eddcc..77a2586dbe000 100644
--- a/drivers/clk/tegra/clk-bpmp.c
+++ b/drivers/clk/tegra/clk-bpmp.c
@@ -635,7 +635,7 @@ static int tegra_bpmp_register_clocks(struct tegra_bpmp *bpmp,
bpmp->num_clocks = count;
- bpmp->clocks = devm_kcalloc(bpmp->dev, count, sizeof(struct tegra_bpmp_clk), GFP_KERNEL);
+ bpmp->clocks = devm_kcalloc(bpmp->dev, count, sizeof(*bpmp->clocks), GFP_KERNEL);
if (!bpmp->clocks)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 056/371] nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 055/371] clk: tegra: do not overallocate memory for bpmp clocks Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 057/371] nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change() Greg Kroah-Hartman
` (327 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 2990b5a47984c27873d165de9e88099deee95c8d ]
The ia_ctime.tv_nsec field should be set to modify.nseconds.
Fixes: 7e13f4f8d27d ("nfsd: handle delegated timestamps in SETATTR")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4xdr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index ea91bad4eee2c..1f3a20360d0c2 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -538,7 +538,7 @@ nfsd4_decode_fattr4(struct nfsd4_compoundargs *argp, u32 *bmval, u32 bmlen,
iattr->ia_mtime.tv_sec = modify.seconds;
iattr->ia_mtime.tv_nsec = modify.nseconds;
iattr->ia_ctime.tv_sec = modify.seconds;
- iattr->ia_ctime.tv_nsec = modify.seconds;
+ iattr->ia_ctime.tv_nsec = modify.nseconds;
iattr->ia_valid |= ATTR_CTIME | ATTR_MTIME | ATTR_MTIME_SET | ATTR_DELEG;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 057/371] nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 056/371] nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 058/371] vfs: add ATTR_CTIME_SET flag Greg Kroah-Hartman
` (326 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 5affb498e70bba3053b835c478a199bf92c99c4d ]
If the only flag left is ATTR_DELEG, then there are no changes to be
made.
Fixes: 7e13f4f8d27d ("nfsd: handle delegated timestamps in SETATTR")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index edf050766e570..3cd3b9e069f4a 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -467,7 +467,7 @@ static int __nfsd_setattr(struct dentry *dentry, struct iattr *iap)
return 0;
}
- if (!iap->ia_valid)
+ if ((iap->ia_valid & ~ATTR_DELEG) == 0)
return 0;
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 058/371] vfs: add ATTR_CTIME_SET flag
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 057/371] nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 059/371] nfsd: use ATTR_CTIME_SET for delegated ctime updates Greg Kroah-Hartman
` (325 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit afc5b36e29b95fbd31a60b9630d148857e5e513d ]
When ATTR_ATIME_SET and ATTR_MTIME_SET are set in the ia_valid mask, the
notify_change() logic takes that to mean that the request should set
those values explicitly, and not override them with "now".
With the advent of delegated timestamps, similar functionality is needed
for the ctime. Add a ATTR_CTIME_SET flag, and use that to indicate that
the ctime should be accepted as-is. Also, clean up the if statements to
eliminate the extra negatives.
In setattr_copy() and setattr_copy_mgtime() use inode_set_ctime_deleg()
when ATTR_CTIME_SET is set, instead of basing the decision on ATTR_DELEG.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: c066ff58e5d6 ("nfsd: use ATTR_CTIME_SET for delegated ctime updates")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/attr.c | 44 +++++++++++++++++++-------------------------
include/linux/fs.h | 1 +
2 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c
index 5425c1dbbff92..795f231d00e8e 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -286,20 +286,12 @@ static void setattr_copy_mgtime(struct inode *inode, const struct iattr *attr)
unsigned int ia_valid = attr->ia_valid;
struct timespec64 now;
- if (ia_valid & ATTR_CTIME) {
- /*
- * In the case of an update for a write delegation, we must respect
- * the value in ia_ctime and not use the current time.
- */
- if (ia_valid & ATTR_DELEG)
- now = inode_set_ctime_deleg(inode, attr->ia_ctime);
- else
- now = inode_set_ctime_current(inode);
- } else {
- /* If ATTR_CTIME isn't set, then ATTR_MTIME shouldn't be either. */
- WARN_ON_ONCE(ia_valid & ATTR_MTIME);
+ if (ia_valid & ATTR_CTIME_SET)
+ now = inode_set_ctime_deleg(inode, attr->ia_ctime);
+ else if (ia_valid & ATTR_CTIME)
+ now = inode_set_ctime_current(inode);
+ else
now = current_time(inode);
- }
if (ia_valid & ATTR_ATIME_SET)
inode_set_atime_to_ts(inode, attr->ia_atime);
@@ -359,12 +351,11 @@ void setattr_copy(struct mnt_idmap *idmap, struct inode *inode,
inode_set_atime_to_ts(inode, attr->ia_atime);
if (ia_valid & ATTR_MTIME)
inode_set_mtime_to_ts(inode, attr->ia_mtime);
- if (ia_valid & ATTR_CTIME) {
- if (ia_valid & ATTR_DELEG)
- inode_set_ctime_deleg(inode, attr->ia_ctime);
- else
- inode_set_ctime_to_ts(inode, attr->ia_ctime);
- }
+
+ if (ia_valid & ATTR_CTIME_SET)
+ inode_set_ctime_deleg(inode, attr->ia_ctime);
+ else if (ia_valid & ATTR_CTIME)
+ inode_set_ctime_to_ts(inode, attr->ia_ctime);
}
EXPORT_SYMBOL(setattr_copy);
@@ -463,15 +454,18 @@ int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
now = current_time(inode);
- attr->ia_ctime = now;
- if (!(ia_valid & ATTR_ATIME_SET))
- attr->ia_atime = now;
- else
+ if (ia_valid & ATTR_ATIME_SET)
attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
- if (!(ia_valid & ATTR_MTIME_SET))
- attr->ia_mtime = now;
else
+ attr->ia_atime = now;
+ if (ia_valid & ATTR_CTIME_SET)
+ attr->ia_ctime = timestamp_truncate(attr->ia_ctime, inode);
+ else
+ attr->ia_ctime = now;
+ if (ia_valid & ATTR_MTIME_SET)
attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
+ else
+ attr->ia_mtime = now;
if (ia_valid & ATTR_KILL_PRIV) {
error = security_inode_need_killpriv(dentry);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 601d036a6c78e..74f2bfc519263 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -238,6 +238,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
#define ATTR_ATIME_SET (1 << 7)
#define ATTR_MTIME_SET (1 << 8)
#define ATTR_FORCE (1 << 9) /* Not a change, but a change it */
+#define ATTR_CTIME_SET (1 << 10)
#define ATTR_KILL_SUID (1 << 11)
#define ATTR_KILL_SGID (1 << 12)
#define ATTR_FILE (1 << 13)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 059/371] nfsd: use ATTR_CTIME_SET for delegated ctime updates
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 058/371] vfs: add ATTR_CTIME_SET flag Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 060/371] nfsd: track original timestamps in nfs4_delegation Greg Kroah-Hartman
` (324 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit c066ff58e5d6e5d7400e5fda0c33f95b8c37dd02 ]
Ensure that notify_change() doesn't clobber a delegated ctime update
with current_time() by setting ATTR_CTIME_SET for those updates.
Don't bother setting the timestamps in cb_getattr_update_times() in the
non-delegated case. notify_change() will do that itself.
Fixes: 7e13f4f8d27d ("nfsd: handle delegated timestamps in SETATTR")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 6 +++---
fs/nfsd/nfs4xdr.c | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 88c347957da5b..77eea2ad93cc0 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -9167,7 +9167,6 @@ static bool set_cb_time(struct timespec64 *cb, const struct timespec64 *orig,
static int cb_getattr_update_times(struct dentry *dentry, struct nfs4_delegation *dp)
{
struct inode *inode = d_inode(dentry);
- struct timespec64 now = current_time(inode);
struct nfs4_cb_fattr *ncf = &dp->dl_cb_fattr;
struct iattr attrs = { };
int ret;
@@ -9175,6 +9174,7 @@ static int cb_getattr_update_times(struct dentry *dentry, struct nfs4_delegation
if (deleg_attrs_deleg(dp->dl_type)) {
struct timespec64 atime = inode_get_atime(inode);
struct timespec64 mtime = inode_get_mtime(inode);
+ struct timespec64 now = current_time(inode);
attrs.ia_atime = ncf->ncf_cb_atime;
attrs.ia_mtime = ncf->ncf_cb_mtime;
@@ -9183,12 +9183,12 @@ static int cb_getattr_update_times(struct dentry *dentry, struct nfs4_delegation
attrs.ia_valid |= ATTR_ATIME | ATTR_ATIME_SET;
if (set_cb_time(&attrs.ia_mtime, &mtime, &now)) {
- attrs.ia_valid |= ATTR_CTIME | ATTR_MTIME | ATTR_MTIME_SET;
+ attrs.ia_valid |= ATTR_CTIME | ATTR_CTIME_SET |
+ ATTR_MTIME | ATTR_MTIME_SET;
attrs.ia_ctime = attrs.ia_mtime;
}
} else {
attrs.ia_valid |= ATTR_MTIME | ATTR_CTIME;
- attrs.ia_mtime = attrs.ia_ctime = now;
}
if (!attrs.ia_valid)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 1f3a20360d0c2..a00300b287754 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -539,7 +539,8 @@ nfsd4_decode_fattr4(struct nfsd4_compoundargs *argp, u32 *bmval, u32 bmlen,
iattr->ia_mtime.tv_nsec = modify.nseconds;
iattr->ia_ctime.tv_sec = modify.seconds;
iattr->ia_ctime.tv_nsec = modify.nseconds;
- iattr->ia_valid |= ATTR_CTIME | ATTR_MTIME | ATTR_MTIME_SET | ATTR_DELEG;
+ iattr->ia_valid |= ATTR_CTIME | ATTR_CTIME_SET |
+ ATTR_MTIME | ATTR_MTIME_SET | ATTR_DELEG;
}
/* request sanity: did attrlist4 contain the expected number of words? */
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 060/371] nfsd: track original timestamps in nfs4_delegation
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 059/371] nfsd: use ATTR_CTIME_SET for delegated ctime updates Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 061/371] nfsd: fix SETATTR updates for delegated timestamps Greg Kroah-Hartman
` (323 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 7663e963a51122792811811c8119fd55c9ab254a ]
As Trond points out [1], the "original time" mentioned in RFC 9754
refers to the timestamps on the files at the time that the delegation
was granted, and not the current timestamp of the file on the server.
Store the current timestamps for the file in the nfs4_delegation when
granting one. Add STATX_ATIME and STATX_MTIME to the request mask in
nfs4_delegation_stat(). When granting OPEN_DELEGATE_READ_ATTRS_DELEG, do
a nfs4_delegation_stat() and save the correct atime. If the stat() fails
for any reason, fall back to granting a normal read deleg.
[1]: https://lore.kernel.org/linux-nfs/47a4e40310e797f21b5137e847b06bb203d99e66.camel@kernel.org/
Fixes: 7e13f4f8d27d ("nfsd: handle delegated timestamps in SETATTR")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 11 ++++++++---
fs/nfsd/state.h | 5 +++++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 77eea2ad93cc0..8737b721daf34 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6157,7 +6157,8 @@ nfs4_delegation_stat(struct nfs4_delegation *dp, struct svc_fh *currentfh,
path.dentry = file_dentry(nf->nf_file);
rc = vfs_getattr(&path, stat,
- (STATX_MODE | STATX_SIZE | STATX_CTIME | STATX_CHANGE_COOKIE),
+ STATX_MODE | STATX_SIZE | STATX_ATIME |
+ STATX_MTIME | STATX_CTIME | STATX_CHANGE_COOKIE,
AT_STATX_SYNC_AS_STAT);
nfsd_file_put(nf);
@@ -6274,10 +6275,14 @@ nfs4_open_delegation(struct svc_rqst *rqstp, struct nfsd4_open *open,
OPEN_DELEGATE_WRITE;
dp->dl_cb_fattr.ncf_cur_fsize = stat.size;
dp->dl_cb_fattr.ncf_initial_cinfo = nfsd4_change_attribute(&stat);
+ dp->dl_atime = stat.atime;
+ dp->dl_ctime = stat.ctime;
+ dp->dl_mtime = stat.mtime;
trace_nfsd_deleg_write(&dp->dl_stid.sc_stateid);
} else {
- open->op_delegate_type = deleg_ts ? OPEN_DELEGATE_READ_ATTRS_DELEG :
- OPEN_DELEGATE_READ;
+ open->op_delegate_type = deleg_ts && nfs4_delegation_stat(dp, currentfh, &stat) ?
+ OPEN_DELEGATE_READ_ATTRS_DELEG : OPEN_DELEGATE_READ;
+ dp->dl_atime = stat.atime;
trace_nfsd_deleg_read(&dp->dl_stid.sc_stateid);
}
nfs4_put_stid(&dp->dl_stid);
diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
index 8adc2550129e6..ce7c0d129ba33 100644
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -224,6 +224,11 @@ struct nfs4_delegation {
/* for CB_GETATTR */
struct nfs4_cb_fattr dl_cb_fattr;
+
+ /* For delegated timestamps */
+ struct timespec64 dl_atime;
+ struct timespec64 dl_mtime;
+ struct timespec64 dl_ctime;
};
static inline bool deleg_is_read(u32 dl_type)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 061/371] nfsd: fix SETATTR updates for delegated timestamps
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 060/371] nfsd: track original timestamps in nfs4_delegation Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 062/371] nfsd: fix timestamp updates in CB_GETATTR Greg Kroah-Hartman
` (322 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 3952f1cbcbc454b2cb639ddbf165c07068e90371 ]
SETATTRs containing delegated timestamp updates are currently not being
vetted properly. Since we no longer need to compare the timestamps vs.
the current timestamps, move the vetting of delegated timestamps wholly
into nfsd.
Rename the set_cb_time() helper to nfsd4_vet_deleg_time(), and make it
non-static. Add a new vet_deleg_attrs() helper that is called from
nfsd4_setattr that uses nfsd4_vet_deleg_time() to properly validate the
all the timestamps. If the validation indicates that the update should
be skipped, unset the appropriate flags in ia_valid.
Fixes: 7e13f4f8d27d ("nfsd: handle delegated timestamps in SETATTR")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4proc.c | 31 ++++++++++++++++++++++++++++++-
fs/nfsd/nfs4state.c | 24 +++++++++++-------------
fs/nfsd/state.h | 3 +++
3 files changed, 44 insertions(+), 14 deletions(-)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 71b428efcbb59..9bd49783db932 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1133,6 +1133,33 @@ nfsd4_secinfo_no_name_release(union nfsd4_op_u *u)
exp_put(u->secinfo_no_name.sin_exp);
}
+/*
+ * Validate that the requested timestamps are within the acceptable range. If
+ * timestamp appears to be in the future, then it will be clamped to
+ * current_time().
+ */
+static void
+vet_deleg_attrs(struct nfsd4_setattr *setattr, struct nfs4_delegation *dp)
+{
+ struct timespec64 now = current_time(dp->dl_stid.sc_file->fi_inode);
+ struct iattr *iattr = &setattr->sa_iattr;
+
+ if ((setattr->sa_bmval[2] & FATTR4_WORD2_TIME_DELEG_ACCESS) &&
+ !nfsd4_vet_deleg_time(&iattr->ia_atime, &dp->dl_atime, &now))
+ iattr->ia_valid &= ~(ATTR_ATIME | ATTR_ATIME_SET);
+
+ if (setattr->sa_bmval[2] & FATTR4_WORD2_TIME_DELEG_MODIFY) {
+ if (nfsd4_vet_deleg_time(&iattr->ia_mtime, &dp->dl_mtime, &now)) {
+ iattr->ia_ctime = iattr->ia_mtime;
+ if (!nfsd4_vet_deleg_time(&iattr->ia_ctime, &dp->dl_ctime, &now))
+ iattr->ia_valid &= ~(ATTR_CTIME | ATTR_CTIME_SET);
+ } else {
+ iattr->ia_valid &= ~(ATTR_CTIME | ATTR_CTIME_SET |
+ ATTR_MTIME | ATTR_MTIME_SET);
+ }
+ }
+}
+
static __be32
nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
union nfsd4_op_u *u)
@@ -1170,8 +1197,10 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
struct nfs4_delegation *dp = delegstateid(st);
/* Only for *_ATTRS_DELEG flavors */
- if (deleg_attrs_deleg(dp->dl_type))
+ if (deleg_attrs_deleg(dp->dl_type)) {
+ vet_deleg_attrs(setattr, dp);
status = nfs_ok;
+ }
}
}
if (st)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 8737b721daf34..f2fd0cbe256b9 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -9135,25 +9135,25 @@ nfsd4_get_writestateid(struct nfsd4_compound_state *cstate,
}
/**
- * set_cb_time - vet and set the timespec for a cb_getattr update
- * @cb: timestamp from the CB_GETATTR response
+ * nfsd4_vet_deleg_time - vet and set the timespec for a delegated timestamp update
+ * @req: timestamp from the client
* @orig: original timestamp in the inode
* @now: current time
*
- * Given a timestamp in a CB_GETATTR response, check it against the
+ * Given a timestamp from the client response, check it against the
* current timestamp in the inode and the current time. Returns true
* if the inode's timestamp needs to be updated, and false otherwise.
- * @cb may also be changed if the timestamp needs to be clamped.
+ * @req may also be changed if the timestamp needs to be clamped.
*/
-static bool set_cb_time(struct timespec64 *cb, const struct timespec64 *orig,
- const struct timespec64 *now)
+bool nfsd4_vet_deleg_time(struct timespec64 *req, const struct timespec64 *orig,
+ const struct timespec64 *now)
{
/*
* "When the time presented is before the original time, then the
* update is ignored." Also no need to update if there is no change.
*/
- if (timespec64_compare(cb, orig) <= 0)
+ if (timespec64_compare(req, orig) <= 0)
return false;
/*
@@ -9161,10 +9161,8 @@ static bool set_cb_time(struct timespec64 *cb, const struct timespec64 *orig,
* clamp the new time to the current time, or it may
* return NFS4ERR_DELAY to the client, allowing it to retry."
*/
- if (timespec64_compare(cb, now) > 0) {
- /* clamp it */
- *cb = *now;
- }
+ if (timespec64_compare(req, now) > 0)
+ *req = *now;
return true;
}
@@ -9184,10 +9182,10 @@ static int cb_getattr_update_times(struct dentry *dentry, struct nfs4_delegation
attrs.ia_atime = ncf->ncf_cb_atime;
attrs.ia_mtime = ncf->ncf_cb_mtime;
- if (set_cb_time(&attrs.ia_atime, &atime, &now))
+ if (nfsd4_vet_deleg_time(&attrs.ia_atime, &atime, &now))
attrs.ia_valid |= ATTR_ATIME | ATTR_ATIME_SET;
- if (set_cb_time(&attrs.ia_mtime, &mtime, &now)) {
+ if (nfsd4_vet_deleg_time(&attrs.ia_mtime, &mtime, &now)) {
attrs.ia_valid |= ATTR_CTIME | ATTR_CTIME_SET |
ATTR_MTIME | ATTR_MTIME_SET;
attrs.ia_ctime = attrs.ia_mtime;
diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
index ce7c0d129ba33..bf9436cdb93c5 100644
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -247,6 +247,9 @@ static inline bool deleg_attrs_deleg(u32 dl_type)
dl_type == OPEN_DELEGATE_WRITE_ATTRS_DELEG;
}
+bool nfsd4_vet_deleg_time(struct timespec64 *cb, const struct timespec64 *orig,
+ const struct timespec64 *now);
+
#define cb_to_delegation(cb) \
container_of(cb, struct nfs4_delegation, dl_recall)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 062/371] nfsd: fix timestamp updates in CB_GETATTR
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 061/371] nfsd: fix SETATTR updates for delegated timestamps Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 063/371] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 Greg Kroah-Hartman
` (321 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit b40b1ba37ad5b6099c426765c4bc327c08b390b9 ]
When updating the local timestamps from CB_GETATTR, the updated values
are not being properly vetted.
Compare the update times vs. the saved times in the delegation rather
than the current times in the inode. Also, ensure that the ctime is
properly vetted vs. its original value.
Fixes: 6ae30d6eb26b ("nfsd: add support for delegated timestamps")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index f2fd0cbe256b9..205ee8cc6fa2b 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -9175,20 +9175,19 @@ static int cb_getattr_update_times(struct dentry *dentry, struct nfs4_delegation
int ret;
if (deleg_attrs_deleg(dp->dl_type)) {
- struct timespec64 atime = inode_get_atime(inode);
- struct timespec64 mtime = inode_get_mtime(inode);
struct timespec64 now = current_time(inode);
attrs.ia_atime = ncf->ncf_cb_atime;
attrs.ia_mtime = ncf->ncf_cb_mtime;
- if (nfsd4_vet_deleg_time(&attrs.ia_atime, &atime, &now))
+ if (nfsd4_vet_deleg_time(&attrs.ia_atime, &dp->dl_atime, &now))
attrs.ia_valid |= ATTR_ATIME | ATTR_ATIME_SET;
- if (nfsd4_vet_deleg_time(&attrs.ia_mtime, &mtime, &now)) {
- attrs.ia_valid |= ATTR_CTIME | ATTR_CTIME_SET |
- ATTR_MTIME | ATTR_MTIME_SET;
+ if (nfsd4_vet_deleg_time(&attrs.ia_mtime, &dp->dl_mtime, &now)) {
+ attrs.ia_valid |= ATTR_MTIME | ATTR_MTIME_SET;
attrs.ia_ctime = attrs.ia_mtime;
+ if (nfsd4_vet_deleg_time(&attrs.ia_ctime, &dp->dl_ctime, &now))
+ attrs.ia_valid |= ATTR_CTIME | ATTR_CTIME_SET;
}
} else {
attrs.ia_valid |= ATTR_MTIME | ATTR_CTIME;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 063/371] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 062/371] nfsd: fix timestamp updates in CB_GETATTR Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 064/371] PM: core: Annotate loops walking device links as _srcu Greg Kroah-Hartman
` (320 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Yang, Jiri Olsa,
Masami Hiramatsu (Google), Will Deacon, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Yang <yangfeng@kylinos.cn>
[ Upstream commit fd2f74f8f3d3c1a524637caf5bead9757fae4332 ]
When using bpf_program__attach_kprobe_multi_opts on ARM64 to hook a BPF program
that contains the bpf_get_stackid function, the BPF program fails
to obtain the stack trace and returns -EFAULT.
This is because ftrace_partial_regs omits the configuration of the pstate register,
leaving pstate at the default value of 0. When get_perf_callchain executes,
it uses user_mode(regs) to determine whether it is in kernel mode.
This leads to a misjudgment that the code is in user mode,
so perf_callchain_kernel is not executed and the function returns directly.
As a result, trace->nr becomes 0, and finally -EFAULT is returned.
Therefore, the assignment of the pstate register is added here.
Fixes: b9b55c8912ce ("tracing: Add ftrace_partial_regs() for converting ftrace_regs to pt_regs")
Closes: https://lore.kernel.org/bpf/20250919071902.554223-1-yangfeng59949@163.com/
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
Tested-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/ftrace.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/include/asm/ftrace.h b/arch/arm64/include/asm/ftrace.h
index bfe3ce9df1978..ba7cf7fec5e97 100644
--- a/arch/arm64/include/asm/ftrace.h
+++ b/arch/arm64/include/asm/ftrace.h
@@ -153,6 +153,7 @@ ftrace_partial_regs(const struct ftrace_regs *fregs, struct pt_regs *regs)
regs->pc = afregs->pc;
regs->regs[29] = afregs->fp;
regs->regs[30] = afregs->lr;
+ regs->pstate = PSR_MODE_EL1h;
return regs;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 064/371] PM: core: Annotate loops walking device links as _srcu
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 063/371] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 065/371] PM: core: Add two macros for walking device links Greg Kroah-Hartman
` (319 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Ulf Hansson,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit fdd9ae23bb989fa9ed1beebba7d3e0c82c7c81ae ]
Since SRCU is used for the protection of device link lists, the loops
over device link lists in multiple places in drivers/base/power/main.c
and in pm_runtime_get_suppliers() should be annotated as _srcu rather
than as _rcu which is the case currently.
Change the annotations accordingly.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2393512.ElGaqSPkdT@rafael.j.wysocki
Stable-dep-of: 632d31067be2 ("PM: sleep: Do not wait on SYNC_STATE_ONLY device links")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 18 +++++++++---------
drivers/base/power/runtime.c | 4 ++--
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index c883b01ffbddc..b6ab41265d7a3 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -40,8 +40,8 @@
typedef int (*pm_callback_t)(struct device *);
-#define list_for_each_entry_rcu_locked(pos, head, member) \
- list_for_each_entry_rcu(pos, head, member, \
+#define list_for_each_entry_srcu_locked(pos, head, member) \
+ list_for_each_entry_srcu(pos, head, member, \
device_links_read_lock_held())
/*
@@ -281,7 +281,7 @@ static void dpm_wait_for_suppliers(struct device *dev, bool async)
* callbacks freeing the link objects for the links in the list we're
* walking.
*/
- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node)
+ list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_wait(link->supplier, async);
@@ -338,7 +338,7 @@ static void dpm_wait_for_consumers(struct device *dev, bool async)
* continue instead of trying to continue in parallel with its
* unregistration).
*/
- list_for_each_entry_rcu_locked(link, &dev->links.consumers, s_node)
+ list_for_each_entry_srcu_locked(link, &dev->links.consumers, s_node)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_wait(link->consumer, async);
@@ -675,7 +675,7 @@ static void dpm_async_resume_subordinate(struct device *dev, async_func_t func)
idx = device_links_read_lock();
/* Start processing the device's "async" consumers. */
- list_for_each_entry_rcu_locked(link, &dev->links.consumers, s_node)
+ list_for_each_entry_srcu_locked(link, &dev->links.consumers, s_node)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_async_with_cleanup(link->consumer, func);
@@ -1342,7 +1342,7 @@ static void dpm_async_suspend_superior(struct device *dev, async_func_t func)
idx = device_links_read_lock();
/* Start processing the device's "async" suppliers. */
- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node)
+ list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_async_with_cleanup(link->supplier, func);
@@ -1396,7 +1396,7 @@ static void dpm_superior_set_must_resume(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node)
+ list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node)
link->supplier->power.must_resume = true;
device_links_read_unlock(idx);
@@ -1825,7 +1825,7 @@ static void dpm_clear_superiors_direct_complete(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node) {
+ list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node) {
spin_lock_irq(&link->supplier->power.lock);
link->supplier->power.direct_complete = false;
spin_unlock_irq(&link->supplier->power.lock);
@@ -2077,7 +2077,7 @@ static bool device_prepare_smart_suspend(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node) {
+ list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node) {
if (!device_link_test(link, DL_FLAG_PM_RUNTIME))
continue;
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 3e84dc4122def..8c23a11e80176 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1903,8 +1903,8 @@ void pm_runtime_get_suppliers(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_rcu(link, &dev->links.suppliers, c_node,
- device_links_read_lock_held())
+ list_for_each_entry_srcu(link, &dev->links.suppliers, c_node,
+ device_links_read_lock_held())
if (device_link_test(link, DL_FLAG_PM_RUNTIME)) {
link->supplier_preactivated = true;
pm_runtime_get_sync(link->supplier);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 065/371] PM: core: Add two macros for walking device links
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 064/371] PM: core: Annotate loops walking device links as _srcu Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 066/371] PM: sleep: Do not wait on SYNC_STATE_ONLY " Greg Kroah-Hartman
` (318 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Ulf Hansson,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 3ce3f569991347d2085925041f4932232da43bcf ]
Add separate macros for walking links to suppliers and consumers of a
device to help device links users to avoid exposing the internals of
struct dev_links_info in their code and possible coding mistakes related
to that.
Accordingly, use the new macros to replace open-coded device links list
walks in the core power management code.
No intentional functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/1944671.tdWV9SEqCh@rafael.j.wysocki
Stable-dep-of: 632d31067be2 ("PM: sleep: Do not wait on SYNC_STATE_ONLY device links")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/base.h | 8 ++++++++
drivers/base/power/main.c | 18 +++++++-----------
drivers/base/power/runtime.c | 3 +--
3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/drivers/base/base.h b/drivers/base/base.h
index 123031a757d91..700aecd22fd34 100644
--- a/drivers/base/base.h
+++ b/drivers/base/base.h
@@ -251,6 +251,14 @@ void device_links_unbind_consumers(struct device *dev);
void fw_devlink_drivers_done(void);
void fw_devlink_probing_done(void);
+#define dev_for_each_link_to_supplier(__link, __dev) \
+ list_for_each_entry_srcu(__link, &(__dev)->links.suppliers, c_node, \
+ device_links_read_lock_held())
+
+#define dev_for_each_link_to_consumer(__link, __dev) \
+ list_for_each_entry_srcu(__link, &(__dev)->links.consumers, s_node, \
+ device_links_read_lock_held())
+
/* device pm support */
void device_pm_move_to_tail(struct device *dev);
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index b6ab41265d7a3..b9a34c3425ecf 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -40,10 +40,6 @@
typedef int (*pm_callback_t)(struct device *);
-#define list_for_each_entry_srcu_locked(pos, head, member) \
- list_for_each_entry_srcu(pos, head, member, \
- device_links_read_lock_held())
-
/*
* The entries in the dpm_list list are in a depth first order, simply
* because children are guaranteed to be discovered after parents, and
@@ -281,7 +277,7 @@ static void dpm_wait_for_suppliers(struct device *dev, bool async)
* callbacks freeing the link objects for the links in the list we're
* walking.
*/
- list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node)
+ dev_for_each_link_to_supplier(link, dev)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_wait(link->supplier, async);
@@ -338,7 +334,7 @@ static void dpm_wait_for_consumers(struct device *dev, bool async)
* continue instead of trying to continue in parallel with its
* unregistration).
*/
- list_for_each_entry_srcu_locked(link, &dev->links.consumers, s_node)
+ dev_for_each_link_to_consumer(link, dev)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_wait(link->consumer, async);
@@ -675,7 +671,7 @@ static void dpm_async_resume_subordinate(struct device *dev, async_func_t func)
idx = device_links_read_lock();
/* Start processing the device's "async" consumers. */
- list_for_each_entry_srcu_locked(link, &dev->links.consumers, s_node)
+ dev_for_each_link_to_consumer(link, dev)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_async_with_cleanup(link->consumer, func);
@@ -1342,7 +1338,7 @@ static void dpm_async_suspend_superior(struct device *dev, async_func_t func)
idx = device_links_read_lock();
/* Start processing the device's "async" suppliers. */
- list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node)
+ dev_for_each_link_to_supplier(link, dev)
if (READ_ONCE(link->status) != DL_STATE_DORMANT)
dpm_async_with_cleanup(link->supplier, func);
@@ -1396,7 +1392,7 @@ static void dpm_superior_set_must_resume(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node)
+ dev_for_each_link_to_supplier(link, dev)
link->supplier->power.must_resume = true;
device_links_read_unlock(idx);
@@ -1825,7 +1821,7 @@ static void dpm_clear_superiors_direct_complete(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node) {
+ dev_for_each_link_to_supplier(link, dev) {
spin_lock_irq(&link->supplier->power.lock);
link->supplier->power.direct_complete = false;
spin_unlock_irq(&link->supplier->power.lock);
@@ -2077,7 +2073,7 @@ static bool device_prepare_smart_suspend(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_srcu_locked(link, &dev->links.suppliers, c_node) {
+ dev_for_each_link_to_supplier(link, dev) {
if (!device_link_test(link, DL_FLAG_PM_RUNTIME))
continue;
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 8c23a11e80176..7420b9851fe0f 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1903,8 +1903,7 @@ void pm_runtime_get_suppliers(struct device *dev)
idx = device_links_read_lock();
- list_for_each_entry_srcu(link, &dev->links.suppliers, c_node,
- device_links_read_lock_held())
+ dev_for_each_link_to_supplier(link, dev)
if (device_link_test(link, DL_FLAG_PM_RUNTIME)) {
link->supplier_preactivated = true;
pm_runtime_get_sync(link->supplier);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 066/371] PM: sleep: Do not wait on SYNC_STATE_ONLY device links
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 065/371] PM: core: Add two macros for walking device links Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 067/371] cpufreq: tegra186: Set target frequency for all cpus in policy Greg Kroah-Hartman
` (317 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pin-yen Lin, Rafael J. Wysocki,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pin-yen Lin <treapking@chromium.org>
[ Upstream commit 632d31067be2f414c57955efcf29c79290cc749b ]
Device links with DL_FLAG_SYNC_STATE_ONLY should not affect system
suspend and resume, and functions like device_reorder_to_tail() and
device_link_add() don't try to reorder the consumers with that flag.
However, dpm_wait_for_consumers() and dpm_wait_for_suppliers() don't
check thas flag before triggering dpm_wait(), leading to potential hang
during suspend/resume.
This can be reproduced on MT8186 Corsola Chromebook with devicetree like:
usb-a-connector {
compatible = "usb-a-connector";
port {
usb_a_con: endpoint {
remote-endpoint = <&usb_hs>;
};
};
};
usb_host {
compatible = "mediatek,mt8186-xhci", "mediatek,mtk-xhci";
port {
usb_hs: endpoint {
remote-endpoint = <&usb_a_con>;
};
};
};
In this case, the two nodes form a cycle and a SYNC_STATE_ONLY devlink
between usb_host (supplier) and usb-a-connector (consumer) is created.
Address this by exporting device_link_flag_is_sync_state_only() and
making dpm_wait_for_consumers() and dpm_wait_for_suppliers() use it
when deciding if dpm_wait() should be called.
Fixes: 05ef983e0d65a ("driver core: Add device link support for SYNC_STATE_ONLY flag")
Signed-off-by: Pin-yen Lin <treapking@chromium.org>
Link: https://patch.msgid.link/20250926102320.4053167-1-treapking@chromium.org
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/base.h | 1 +
drivers/base/core.c | 2 +-
drivers/base/power/main.c | 6 ++++--
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/base/base.h b/drivers/base/base.h
index 700aecd22fd34..86fa7fbb35489 100644
--- a/drivers/base/base.h
+++ b/drivers/base/base.h
@@ -248,6 +248,7 @@ void device_links_driver_cleanup(struct device *dev);
void device_links_no_driver(struct device *dev);
bool device_links_busy(struct device *dev);
void device_links_unbind_consumers(struct device *dev);
+bool device_link_flag_is_sync_state_only(u32 flags);
void fw_devlink_drivers_done(void);
void fw_devlink_probing_done(void);
diff --git a/drivers/base/core.c b/drivers/base/core.c
index d22d6b23e7589..a54ec6df1058f 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -287,7 +287,7 @@ static bool device_is_ancestor(struct device *dev, struct device *target)
#define DL_MARKER_FLAGS (DL_FLAG_INFERRED | \
DL_FLAG_CYCLE | \
DL_FLAG_MANAGED)
-static inline bool device_link_flag_is_sync_state_only(u32 flags)
+bool device_link_flag_is_sync_state_only(u32 flags)
{
return (flags & ~DL_MARKER_FLAGS) == DL_FLAG_SYNC_STATE_ONLY;
}
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index b9a34c3425ecf..e83503bdc1fdb 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -278,7 +278,8 @@ static void dpm_wait_for_suppliers(struct device *dev, bool async)
* walking.
*/
dev_for_each_link_to_supplier(link, dev)
- if (READ_ONCE(link->status) != DL_STATE_DORMANT)
+ if (READ_ONCE(link->status) != DL_STATE_DORMANT &&
+ !device_link_flag_is_sync_state_only(link->flags))
dpm_wait(link->supplier, async);
device_links_read_unlock(idx);
@@ -335,7 +336,8 @@ static void dpm_wait_for_consumers(struct device *dev, bool async)
* unregistration).
*/
dev_for_each_link_to_consumer(link, dev)
- if (READ_ONCE(link->status) != DL_STATE_DORMANT)
+ if (READ_ONCE(link->status) != DL_STATE_DORMANT &&
+ !device_link_flag_is_sync_state_only(link->flags))
dpm_wait(link->consumer, async);
device_links_read_unlock(idx);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 067/371] cpufreq: tegra186: Set target frequency for all cpus in policy
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 066/371] PM: sleep: Do not wait on SYNC_STATE_ONLY " Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 068/371] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
` (316 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Kling, Mikko Perttunen,
Viresh Kumar, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Kling <webgeek1234@gmail.com>
[ Upstream commit 0b1bb980fd7cae126ee3d59f817068a13e321b07 ]
The original commit set all cores in a cluster to a shared policy, but
did not update set_target to apply a frequency change to all cores for
the policy. This caused most cores to remain stuck at their boot
frequency.
Fixes: be4ae8c19492 ("cpufreq: tegra186: Share policy per cluster")
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/tegra186-cpufreq.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/tegra186-cpufreq.c b/drivers/cpufreq/tegra186-cpufreq.c
index cbabb726c6645..6c394b429b618 100644
--- a/drivers/cpufreq/tegra186-cpufreq.c
+++ b/drivers/cpufreq/tegra186-cpufreq.c
@@ -93,10 +93,14 @@ static int tegra186_cpufreq_set_target(struct cpufreq_policy *policy,
{
struct tegra186_cpufreq_data *data = cpufreq_get_driver_data();
struct cpufreq_frequency_table *tbl = policy->freq_table + index;
- unsigned int edvd_offset = data->cpus[policy->cpu].edvd_offset;
+ unsigned int edvd_offset;
u32 edvd_val = tbl->driver_data;
+ u32 cpu;
- writel(edvd_val, data->regs + edvd_offset);
+ for_each_cpu(cpu, policy->cpus) {
+ edvd_offset = data->cpus[cpu].edvd_offset;
+ writel(edvd_val, data->regs + edvd_offset);
+ }
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 068/371] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 067/371] cpufreq: tegra186: Set target frequency for all cpus in policy Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 069/371] perf bpf-filter: Fix opts declaration on older libbpfs Greg Kroah-Hartman
` (315 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Martin K. Petersen,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 60cd16a3b7439ccb699d0bf533799eeb894fd217 ]
During the detaching of Marvell's SAS/SATA controller, the original code
calls cancel_delayed_work() in mvs_free() to cancel the delayed work
item mwq->work_q. However, if mwq->work_q is already running, the
cancel_delayed_work() may fail to cancel it. This can lead to
use-after-free scenarios where mvs_free() frees the mvs_info while
mvs_work_queue() is still executing and attempts to access the
already-freed mvs_info.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
mvs_pci_remove() |
mvs_free() | mvs_work_queue()
cancel_delayed_work() |
kfree(mvi) |
| mvi-> // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing
delayed work item completes before the mvs_info is deallocated.
This bug was found by static analysis.
Fixes: 20b09c2992fe ("[SCSI] mvsas: add support for 94xx; layout change; bug fixes")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mvsas/mv_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c
index 2c72da6b8cf0c..7f1ad305eee63 100644
--- a/drivers/scsi/mvsas/mv_init.c
+++ b/drivers/scsi/mvsas/mv_init.c
@@ -124,7 +124,7 @@ static void mvs_free(struct mvs_info *mvi)
if (mvi->shost)
scsi_host_put(mvi->shost);
list_for_each_entry(mwq, &mvi->wq_list, entry)
- cancel_delayed_work(&mwq->work_q);
+ cancel_delayed_work_sync(&mwq->work_q);
kfree(mvi->rsvd_tags);
kfree(mvi);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 069/371] perf bpf-filter: Fix opts declaration on older libbpfs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 068/371] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 070/371] scsi: ufs: sysfs: Make HID attributes visible Greg Kroah-Hartman
` (314 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Adrian Hunter, Alexander Shishkin, Alexei Starovoitov, bpf,
Hao Ge, Ilya Leoshkevich, Ingo Molnar, Jiri Olsa, Kan Liang,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Thomas Richter,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 3a0f56d72a7575f03187a85b7869c76a862b40ab ]
Building perf with LIBBPF_DYNAMIC (ie not the default static linking of
libbpf with perf) is breaking as the libbpf isn't version 1.7 or newer,
where dont_enable is added to bpf_perf_event_opts.
To avoid this breakage add a compile time version check and don't
declare the variable when not present.
Fixes: 5e2ac8e8571df54d ("perf bpf-filter: Enable events manually")
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: bpf@vger.kernel.org
Cc: Hao Ge <gehao@kylinos.cn>
Cc: Ilya Leoshkevich <iii@linux.ibm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/bpf-filter.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tools/perf/util/bpf-filter.c b/tools/perf/util/bpf-filter.c
index a0b11f35395f8..92308c38fbb56 100644
--- a/tools/perf/util/bpf-filter.c
+++ b/tools/perf/util/bpf-filter.c
@@ -443,6 +443,10 @@ static int create_idx_hash(struct evsel *evsel, struct perf_bpf_filter_entry *en
return -1;
}
+#define LIBBPF_CURRENT_VERSION_GEQ(major, minor) \
+ (LIBBPF_MAJOR_VERSION > (major) || \
+ (LIBBPF_MAJOR_VERSION == (major) && LIBBPF_MINOR_VERSION >= (minor)))
+
int perf_bpf_filter__prepare(struct evsel *evsel, struct target *target)
{
int i, x, y, fd, ret;
@@ -451,8 +455,12 @@ int perf_bpf_filter__prepare(struct evsel *evsel, struct target *target)
struct bpf_link *link;
struct perf_bpf_filter_entry *entry;
bool needs_idx_hash = !target__has_cpu(target);
+#if LIBBPF_CURRENT_VERSION_GEQ(1, 7)
DECLARE_LIBBPF_OPTS(bpf_perf_event_opts, pe_opts,
.dont_enable = true);
+#else
+ DECLARE_LIBBPF_OPTS(bpf_perf_event_opts, pe_opts);
+#endif
entry = calloc(MAX_FILTERS, sizeof(*entry));
if (entry == NULL)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 070/371] scsi: ufs: sysfs: Make HID attributes visible
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 069/371] perf bpf-filter: Fix opts declaration on older libbpfs Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 071/371] mshv: Handle NEED_RESCHED_LAZY before transferring to guest Greg Kroah-Hartman
` (313 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Lee, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Lee <chullee@google.com>
[ Upstream commit bb7663dec67b691528f104894429b3859fb16c14 ]
Call sysfs_update_group() after reading the device descriptor to ensure
the HID sysfs attributes are visible when the feature is supported.
Fixes: ae7795a8c258 ("scsi: ufs: core: Add HID support")
Signed-off-by: Daniel Lee <chullee@google.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufs-sysfs.c | 2 +-
drivers/ufs/core/ufs-sysfs.h | 1 +
drivers/ufs/core/ufshcd.c | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c
index 0086816b27cd9..c040afc6668e8 100644
--- a/drivers/ufs/core/ufs-sysfs.c
+++ b/drivers/ufs/core/ufs-sysfs.c
@@ -1949,7 +1949,7 @@ static umode_t ufs_sysfs_hid_is_visible(struct kobject *kobj,
return hba->dev_info.hid_sup ? attr->mode : 0;
}
-static const struct attribute_group ufs_sysfs_hid_group = {
+const struct attribute_group ufs_sysfs_hid_group = {
.name = "hid",
.attrs = ufs_sysfs_hid,
.is_visible = ufs_sysfs_hid_is_visible,
diff --git a/drivers/ufs/core/ufs-sysfs.h b/drivers/ufs/core/ufs-sysfs.h
index 8d94af3b80771..6efb82a082fdd 100644
--- a/drivers/ufs/core/ufs-sysfs.h
+++ b/drivers/ufs/core/ufs-sysfs.h
@@ -14,5 +14,6 @@ void ufs_sysfs_remove_nodes(struct device *dev);
extern const struct attribute_group ufs_sysfs_unit_descriptor_group;
extern const struct attribute_group ufs_sysfs_lun_attributes_group;
+extern const struct attribute_group ufs_sysfs_hid_group;
#endif
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 96a0f5fcc0e57..465e66dbe08e8 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -8482,6 +8482,8 @@ static int ufs_get_device_desc(struct ufs_hba *hba)
DEVICE_DESC_PARAM_EXT_UFS_FEATURE_SUP) &
UFS_DEV_HID_SUPPORT;
+ sysfs_update_group(&hba->dev->kobj, &ufs_sysfs_hid_group);
+
model_index = desc_buf[DEVICE_DESC_PARAM_PRDCT_NAME];
err = ufshcd_read_string_desc(hba, model_index,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 071/371] mshv: Handle NEED_RESCHED_LAZY before transferring to guest
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 070/371] scsi: ufs: sysfs: Make HID attributes visible Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 072/371] perf bpf_counter: Fix handling of cpumap fixing hybrid Greg Kroah-Hartman
` (312 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Das Neves, Mukesh R,
Sean Christopherson, Wei Liu, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 0ebac01a00be972020c002a7fe0bb6b6fca8410f ]
Check for NEED_RESCHED_LAZY, not just NEED_RESCHED, prior to transferring
control to a guest. Failure to check for lazy resched can unnecessarily
delay rescheduling until the next tick when using a lazy preemption model.
Note, ideally both the checking and processing of TIF bits would be handled
in common code, to avoid having to keep three separate paths synchronized,
but defer such cleanups to the future to keep the fix as standalone as
possible.
Cc: Nuno Das Neves <nunodasneves@linux.microsoft.com>
Cc: Mukesh R <mrathor@linux.microsoft.com>
Fixes: 621191d709b1 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Tested-by: Nuno Das Neves <nunodasneves@linux.microsoft.com>
Reviewed-by: Nuno Das Neves <nunodasneves@linux.microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hv/mshv_common.c | 2 +-
drivers/hv/mshv_root_main.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/mshv_common.c b/drivers/hv/mshv_common.c
index 6f227a8a5af71..eb3df3e296bbe 100644
--- a/drivers/hv/mshv_common.c
+++ b/drivers/hv/mshv_common.c
@@ -151,7 +151,7 @@ int mshv_do_pre_guest_mode_work(ulong th_flags)
if (th_flags & (_TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL))
return -EINTR;
- if (th_flags & _TIF_NEED_RESCHED)
+ if (th_flags & (_TIF_NEED_RESCHED | _TIF_NEED_RESCHED_LAZY))
schedule();
if (th_flags & _TIF_NOTIFY_RESUME)
diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
index 72df774e410ab..cad09ff5f94dc 100644
--- a/drivers/hv/mshv_root_main.c
+++ b/drivers/hv/mshv_root_main.c
@@ -490,7 +490,8 @@ mshv_vp_wait_for_hv_kick(struct mshv_vp *vp)
static int mshv_pre_guest_mode_work(struct mshv_vp *vp)
{
const ulong work_flags = _TIF_NOTIFY_SIGNAL | _TIF_SIGPENDING |
- _TIF_NEED_RESCHED | _TIF_NOTIFY_RESUME;
+ _TIF_NEED_RESCHED | _TIF_NEED_RESCHED_LAZY |
+ _TIF_NOTIFY_RESUME;
ulong th_flags;
th_flags = read_thread_flags();
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 072/371] perf bpf_counter: Fix handling of cpumap fixing hybrid
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 071/371] mshv: Handle NEED_RESCHED_LAZY before transferring to guest Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 073/371] ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size Greg Kroah-Hartman
` (311 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Athira Rajeev, bpf, Gabriele Monaco,
Howard Chu, Ingo Molnar, James Clark, Jiri Olsa, Namhyung Kim,
Peter Zijlstra, Song Liu, Tengda Wu, Arnaldo Carvalho de Melo,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit b91917c0c6fa6df97ec0222d8d6285ab2d60c21b ]
Don't open evsels on all CPUs, open them just on the CPUs they
support. This avoids opening say an e-core event on a p-core and
getting a failure - achieve this by getting rid of the "all_cpu_map".
In install_pe functions don't use the cpu_map_idx as a CPU number,
translate the cpu_map_idx, which is a dense index into the cpu_map
skipping holes at the beginning, to a proper CPU number.
Before:
```
$ perf stat --bpf-counters -a -e cycles,instructions -- sleep 1
Performance counter stats for 'system wide':
<not supported> cpu_atom/cycles/
566,270,672 cpu_core/cycles/
<not supported> cpu_atom/instructions/
572,792,836 cpu_core/instructions/ # 1.01 insn per cycle
1.001595384 seconds time elapsed
```
After:
```
$ perf stat --bpf-counters -a -e cycles,instructions -- sleep 1
Performance counter stats for 'system wide':
443,299,201 cpu_atom/cycles/
1,233,919,737 cpu_core/cycles/
213,634,112 cpu_atom/instructions/ # 0.48 insn per cycle
2,758,965,527 cpu_core/instructions/ # 2.24 insn per cycle
1.001699485 seconds time elapsed
```
Fixes: 7fac83aaf2eecc9e ("perf stat: Introduce 'bperf' to share hardware PMCs with BPF")
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Cc: bpf@vger.kernel.org
Cc: Gabriele Monaco <gmonaco@redhat.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/bpf_counter.c | 26 ++++++++++----------------
tools/perf/util/bpf_counter_cgroup.c | 3 ++-
2 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/tools/perf/util/bpf_counter.c b/tools/perf/util/bpf_counter.c
index 73fcafbffc6a6..ed88ba570c80a 100644
--- a/tools/perf/util/bpf_counter.c
+++ b/tools/perf/util/bpf_counter.c
@@ -278,6 +278,7 @@ static int bpf_program_profiler__install_pe(struct evsel *evsel, int cpu_map_idx
{
struct bpf_prog_profiler_bpf *skel;
struct bpf_counter *counter;
+ int cpu = perf_cpu_map__cpu(evsel->core.cpus, cpu_map_idx).cpu;
int ret;
list_for_each_entry(counter, &evsel->bpf_counter_list, list) {
@@ -285,7 +286,7 @@ static int bpf_program_profiler__install_pe(struct evsel *evsel, int cpu_map_idx
assert(skel != NULL);
ret = bpf_map_update_elem(bpf_map__fd(skel->maps.events),
- &cpu_map_idx, &fd, BPF_ANY);
+ &cpu, &fd, BPF_ANY);
if (ret)
return ret;
}
@@ -393,7 +394,6 @@ static int bperf_check_target(struct evsel *evsel,
return 0;
}
-static struct perf_cpu_map *all_cpu_map;
static __u32 filter_entry_cnt;
static int bperf_reload_leader_program(struct evsel *evsel, int attr_map_fd,
@@ -437,7 +437,7 @@ static int bperf_reload_leader_program(struct evsel *evsel, int attr_map_fd,
* following evsel__open_per_cpu call
*/
evsel->leader_skel = skel;
- evsel__open_per_cpu(evsel, all_cpu_map, -1);
+ evsel__open(evsel, evsel->core.cpus, evsel->core.threads);
out:
bperf_leader_bpf__destroy(skel);
@@ -475,12 +475,6 @@ static int bperf__load(struct evsel *evsel, struct target *target)
if (bperf_check_target(evsel, target, &filter_type, &filter_entry_cnt))
return -1;
- if (!all_cpu_map) {
- all_cpu_map = perf_cpu_map__new_online_cpus();
- if (!all_cpu_map)
- return -1;
- }
-
evsel->bperf_leader_prog_fd = -1;
evsel->bperf_leader_link_fd = -1;
@@ -598,9 +592,10 @@ static int bperf__load(struct evsel *evsel, struct target *target)
static int bperf__install_pe(struct evsel *evsel, int cpu_map_idx, int fd)
{
struct bperf_leader_bpf *skel = evsel->leader_skel;
+ int cpu = perf_cpu_map__cpu(evsel->core.cpus, cpu_map_idx).cpu;
return bpf_map_update_elem(bpf_map__fd(skel->maps.events),
- &cpu_map_idx, &fd, BPF_ANY);
+ &cpu, &fd, BPF_ANY);
}
/*
@@ -609,13 +604,12 @@ static int bperf__install_pe(struct evsel *evsel, int cpu_map_idx, int fd)
*/
static int bperf_sync_counters(struct evsel *evsel)
{
- int num_cpu, i, cpu;
+ struct perf_cpu cpu;
+ int idx;
+
+ perf_cpu_map__for_each_cpu(cpu, idx, evsel->core.cpus)
+ bperf_trigger_reading(evsel->bperf_leader_prog_fd, cpu.cpu);
- num_cpu = perf_cpu_map__nr(all_cpu_map);
- for (i = 0; i < num_cpu; i++) {
- cpu = perf_cpu_map__cpu(all_cpu_map, i).cpu;
- bperf_trigger_reading(evsel->bperf_leader_prog_fd, cpu);
- }
return 0;
}
diff --git a/tools/perf/util/bpf_counter_cgroup.c b/tools/perf/util/bpf_counter_cgroup.c
index 6ff42619de12b..883ce8a670bcd 100644
--- a/tools/perf/util/bpf_counter_cgroup.c
+++ b/tools/perf/util/bpf_counter_cgroup.c
@@ -185,7 +185,8 @@ static int bperf_cgrp__load(struct evsel *evsel,
}
static int bperf_cgrp__install_pe(struct evsel *evsel __maybe_unused,
- int cpu __maybe_unused, int fd __maybe_unused)
+ int cpu_map_idx __maybe_unused,
+ int fd __maybe_unused)
{
/* nothing to do */
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 073/371] ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 072/371] perf bpf_counter: Fix handling of cpumap fixing hybrid Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 074/371] ASoC: SOF: ipc4-topology: Account for different ChainDMA host " Greg Kroah-Hartman
` (310 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Ranjani Sridharan,
Kai Vehmanen, Bard Liao, Mark Brown, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit a7fe5ff832d61d9393095bc3dd5f06f4af7da3c1 ]
The firmware has changed the minimum host buffer size from 2 periods to
4 periods (1 period is 1ms) which was missed by the kernel side.
Adjust the SOF_IPC4_MIN_DMA_BUFFER_SIZE to 4 ms to align with firmware.
Link: https://github.com/thesofproject/sof/commit/f0a14a3f410735db18a79eb7a5f40dc49fdee7a7
Fixes: 594c1bb9ff73 ("ASoC: SOF: ipc4-topology: Do not parse the DMA_BUFFER_SIZE token")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20251002135752.2430-2-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/ipc4-topology.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sof/ipc4-topology.h b/sound/soc/sof/ipc4-topology.h
index 659e1ae0a85f9..ce5c69cb9ea4e 100644
--- a/sound/soc/sof/ipc4-topology.h
+++ b/sound/soc/sof/ipc4-topology.h
@@ -61,8 +61,8 @@
#define SOF_IPC4_CHAIN_DMA_NODE_ID 0x7fffffff
#define SOF_IPC4_INVALID_NODE_ID 0xffffffff
-/* FW requires minimum 2ms DMA buffer size */
-#define SOF_IPC4_MIN_DMA_BUFFER_SIZE 2
+/* FW requires minimum 4ms DMA buffer size */
+#define SOF_IPC4_MIN_DMA_BUFFER_SIZE 4
/*
* The base of multi-gateways. Multi-gateways addressing starts from
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 074/371] ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer size
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 073/371] ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 075/371] ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time Greg Kroah-Hartman
` (309 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Ranjani Sridharan,
Kai Vehmanen, Bard Liao, Mark Brown, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 3dcf683bf1062d69014fe81b90d285c7eb85ca8a ]
For ChainDMA the firmware allocates 5ms host buffer instead of the standard
4ms which should be taken into account when setting the constraint on the
buffer size.
Fixes: 842bb8b62cc6 ("ASoC: SOF: ipc4-topology: Save the DMA maximum burst size for PCMs")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20251002135752.2430-3-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/ipc4-topology.c | 9 +++++++--
sound/soc/sof/ipc4-topology.h | 3 +++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
index c93db452bbc07..16053d224dcdb 100644
--- a/sound/soc/sof/ipc4-topology.c
+++ b/sound/soc/sof/ipc4-topology.c
@@ -623,8 +623,13 @@ static int sof_ipc4_widget_setup_pcm(struct snd_sof_widget *swidget)
swidget->tuples,
swidget->num_tuples, sizeof(u32), 1);
/* Set default DMA buffer size if it is not specified in topology */
- if (!sps->dsp_max_burst_size_in_ms)
- sps->dsp_max_burst_size_in_ms = SOF_IPC4_MIN_DMA_BUFFER_SIZE;
+ if (!sps->dsp_max_burst_size_in_ms) {
+ struct snd_sof_widget *pipe_widget = swidget->spipe->pipe_widget;
+ struct sof_ipc4_pipeline *pipeline = pipe_widget->private;
+
+ sps->dsp_max_burst_size_in_ms = pipeline->use_chain_dma ?
+ SOF_IPC4_CHAIN_DMA_BUFFER_SIZE : SOF_IPC4_MIN_DMA_BUFFER_SIZE;
+ }
} else {
/* Capture data is copied from DSP to host in 1ms bursts */
spcm->stream[dir].dsp_max_burst_size_in_ms = 1;
diff --git a/sound/soc/sof/ipc4-topology.h b/sound/soc/sof/ipc4-topology.h
index ce5c69cb9ea4e..2a2afd0e83338 100644
--- a/sound/soc/sof/ipc4-topology.h
+++ b/sound/soc/sof/ipc4-topology.h
@@ -64,6 +64,9 @@
/* FW requires minimum 4ms DMA buffer size */
#define SOF_IPC4_MIN_DMA_BUFFER_SIZE 4
+/* ChainDMA in fw uses 5ms DMA buffer */
+#define SOF_IPC4_CHAIN_DMA_BUFFER_SIZE 5
+
/*
* The base of multi-gateways. Multi-gateways addressing starts from
* ALH_MULTI_GTW_BASE and there are ALH_MULTI_GTW_COUNT multi-sources
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 075/371] ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 074/371] ASoC: SOF: ipc4-topology: Account for different ChainDMA host " Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 076/371] LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference Greg Kroah-Hartman
` (308 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Ranjani Sridharan,
Kai Vehmanen, Bard Liao, Mark Brown, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 45ad27d9a6f7c620d8bbc80be3bab1faf37dfa0a ]
Instead of constraining the ALSA buffer time to be double of the firmware
host buffer size, it is better to set it for the period time.
This will implicitly constrain the buffer time to a safe value
(num_periods is at least 2) and prohibits applications to set smaller
period size than what will be covered by the initial DMA burst.
Fixes: fe76d2e75a6d ("ASoC: SOF: Intel: hda-pcm: Use dsp_max_burst_size_in_ms to place constraint")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20251002135752.2430-4-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-pcm.c | 29 +++++++++++++++++++++--------
1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/sound/soc/sof/intel/hda-pcm.c b/sound/soc/sof/intel/hda-pcm.c
index 1dd8d2092c3b4..da6c1e7263cde 100644
--- a/sound/soc/sof/intel/hda-pcm.c
+++ b/sound/soc/sof/intel/hda-pcm.c
@@ -29,6 +29,8 @@
#define SDnFMT_BITS(x) ((x) << 4)
#define SDnFMT_CHAN(x) ((x) << 0)
+#define HDA_MAX_PERIOD_TIME_HEADROOM 10
+
static bool hda_always_enable_dmi_l1;
module_param_named(always_enable_dmi_l1, hda_always_enable_dmi_l1, bool, 0444);
MODULE_PARM_DESC(always_enable_dmi_l1, "SOF HDA always enable DMI l1");
@@ -291,19 +293,30 @@ int hda_dsp_pcm_open(struct snd_sof_dev *sdev,
* On playback start the DMA will transfer dsp_max_burst_size_in_ms
* amount of data in one initial burst to fill up the host DMA buffer.
* Consequent DMA burst sizes are shorter and their length can vary.
- * To make sure that userspace allocate large enough ALSA buffer we need
- * to place a constraint on the buffer time.
+ * To avoid immediate xrun by the initial burst we need to place
+ * constraint on the period size (via PERIOD_TIME) to cover the size of
+ * the host buffer.
+ * We need to add headroom of max 10ms as the firmware needs time to
+ * settle to the 1ms pacing and initially it can run faster for few
+ * internal periods.
*
* On capture the DMA will transfer 1ms chunks.
- *
- * Exact dsp_max_burst_size_in_ms constraint is racy, so set the
- * constraint to a minimum of 2x dsp_max_burst_size_in_ms.
*/
- if (spcm->stream[direction].dsp_max_burst_size_in_ms)
+ if (spcm->stream[direction].dsp_max_burst_size_in_ms) {
+ unsigned int period_time = spcm->stream[direction].dsp_max_burst_size_in_ms;
+
+ /*
+ * add headroom over the maximum burst size to cover the time
+ * needed for the DMA pace to settle.
+ * Limit the headroom time to HDA_MAX_PERIOD_TIME_HEADROOM
+ */
+ period_time += min(period_time, HDA_MAX_PERIOD_TIME_HEADROOM);
+
snd_pcm_hw_constraint_minmax(substream->runtime,
- SNDRV_PCM_HW_PARAM_BUFFER_TIME,
- spcm->stream[direction].dsp_max_burst_size_in_ms * USEC_PER_MSEC * 2,
+ SNDRV_PCM_HW_PARAM_PERIOD_TIME,
+ period_time * USEC_PER_MSEC,
UINT_MAX);
+ }
/* binding pcm substream to hda stream */
substream->runtime->private_data = &dsp_stream->hstream;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 076/371] LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 075/371] ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 077/371] LoongArch: Fix build error for LTO with LLVM-18 Greg Kroah-Hartman
` (307 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, WANG Rui,
Tiezhu Yang, Huacai Chen, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tiezhu Yang <yangtiezhu@loongson.cn>
[ Upstream commit abb2a5572264b425e6dd9c213b735a82ab0ca68a ]
Currently, when compiling with GCC, there is no "break 7" instruction
for zero division due to using the option -mno-check-zero-division, but
the compiler still generates "break 0" instruction for zero division.
Here is a simple example:
$ cat test.c
int div(int a)
{
return a / 0;
}
$ gcc -O2 -S test.c -o test.s
GCC generates "break 0" on LoongArch and "ud2" on x86, objtool decodes
"ud2" as INSN_BUG for x86, so decode "break 0" as INSN_BUG can fix the
objtool warnings for LoongArch, but this is not the intention.
When decoding "break 0" as INSN_TRAP in the previous commit, the aim is
to handle "break 0" as a trap. The generated "break 0" for zero division
by GCC is not proper, it should generate a break instruction with proper
bug type, so add the GCC option -fno-isolate-erroneous-paths-dereference
to avoid generating the unexpected "break 0" instruction for now.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/r/202509200413.7uihAxJ5-lkp@intel.com/
Fixes: baad7830ee9a ("objtool/LoongArch: Mark types based on break immediate code")
Suggested-by: WANG Rui <wangrui@loongson.cn>
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/loongarch/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/loongarch/Makefile b/arch/loongarch/Makefile
index ae419e32f22e2..f2a585b4a9375 100644
--- a/arch/loongarch/Makefile
+++ b/arch/loongarch/Makefile
@@ -129,7 +129,7 @@ KBUILD_RUSTFLAGS_KERNEL += -Crelocation-model=pie
LDFLAGS_vmlinux += -static -pie --no-dynamic-linker -z notext $(call ld-option, --apply-dynamic-relocs)
endif
-cflags-y += $(call cc-option, -mno-check-zero-division)
+cflags-y += $(call cc-option, -mno-check-zero-division -fno-isolate-erroneous-paths-dereference)
ifndef CONFIG_KASAN
cflags-y += -fno-builtin-memcpy -fno-builtin-memmove -fno-builtin-memset
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 077/371] LoongArch: Fix build error for LTO with LLVM-18
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 076/371] LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 078/371] LoongArch: Init acpi_gbl_use_global_lock to false Greg Kroah-Hartman
` (306 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, WANG Rui,
Huacai Chen, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
[ Upstream commit 19baac378a5f4c34e61007023cfcb605cc64c76d ]
Commit b15212824a01 ("LoongArch: Make LTO case independent in Makefile")
moves "KBUILD_LDFLAGS += -mllvm --loongarch-annotate-tablejump" out of
CONFIG_CC_HAS_ANNOTATE_TABLEJUMP, which breaks the build for LLVM-18, as
'--loongarch-annotate-tablejump' is unimplemented there:
ld.lld: error: -mllvm: ld.lld: Unknown command line argument '--loongarch-annotate-tablejump'.
Call ld-option to detect '--loongarch-annotate-tablejump' before use, so
as to fix the build error.
Fixes: b15212824a01 ("LoongArch: Make LTO case independent in Makefile")
Reported-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org> # build
Suggested-by: WANG Rui <wangrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/loongarch/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/loongarch/Makefile b/arch/loongarch/Makefile
index f2a585b4a9375..dc5bd3f1b8d2c 100644
--- a/arch/loongarch/Makefile
+++ b/arch/loongarch/Makefile
@@ -115,7 +115,7 @@ ifdef CONFIG_LTO_CLANG
# The annotate-tablejump option can not be passed to LLVM backend when LTO is enabled.
# Ensure it is aware of linker with LTO, '--loongarch-annotate-tablejump' also needs to
# be passed via '-mllvm' to ld.lld.
-KBUILD_LDFLAGS += -mllvm --loongarch-annotate-tablejump
+KBUILD_LDFLAGS += $(call ld-option,-mllvm --loongarch-annotate-tablejump)
endif
endif
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 078/371] LoongArch: Init acpi_gbl_use_global_lock to false
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 077/371] LoongArch: Fix build error for LTO with LLVM-18 Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 079/371] ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel Greg Kroah-Hartman
` (305 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Huacai Chen, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
[ Upstream commit 98662be7ef20d2b88b598f72e7ce9b6ac26a40f9 ]
Init acpi_gbl_use_global_lock to false, in order to void error messages
during boot phase:
ACPI Error: Could not enable GlobalLock event (20240827/evxfevnt-182)
ACPI Error: No response from Global Lock hardware, disabling lock (20240827/evglock-59)
Fixes: 628c3bb40e9a8cefc0a6 ("LoongArch: Add boot and setup routines")
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/loongarch/kernel/setup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/loongarch/kernel/setup.c b/arch/loongarch/kernel/setup.c
index 075b79b2c1d39..69c17d162fff3 100644
--- a/arch/loongarch/kernel/setup.c
+++ b/arch/loongarch/kernel/setup.c
@@ -355,6 +355,7 @@ void __init platform_init(void)
#ifdef CONFIG_ACPI
acpi_table_upgrade();
+ acpi_gbl_use_global_lock = false;
acpi_gbl_use_default_register_widths = false;
acpi_boot_table_init();
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 079/371] ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 078/371] LoongArch: Init acpi_gbl_use_global_lock to false Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 080/371] net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom Greg Kroah-Hartman
` (304 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Kai Vehmanen,
Ranjani Sridharan, Mark Brown, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit aaab61de1f1e44a2ab527e935474e2e03a0f6b08 ]
It is allowed to mix Link and Host DMA channels in a way that their index
is different. In this case we would read the LLP from a channel which is
not used or used for other operation.
Such case can be reproduced on cAVS2.5 or ACE1 platforms with soundwire
configuration:
playback to SDW would take Host channel 0 (stream_tag 1) and no Link DMA
used
Second playback to HDMI (HDA) would use Host channel 1 (stream_tag 2) and
Link channel 0 (stream_tag 1).
In this case reading the LLP from channel 2 is incorrect as that is not the
Link channel used for the HDMI playback.
To correct this, we should look up the BE and get the channel used on the
Link side.
Fixes: 67b182bea08a ("ASoC: SOF: Intel: hda: Implement get_stream_position (Linear Link Position)")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://patch.msgid.link/20251002074719.2084-6-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-stream.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sof/intel/hda-stream.c b/sound/soc/sof/intel/hda-stream.c
index a34f472ef1751..9c3b3a9aaf83c 100644
--- a/sound/soc/sof/intel/hda-stream.c
+++ b/sound/soc/sof/intel/hda-stream.c
@@ -1129,10 +1129,35 @@ u64 hda_dsp_get_stream_llp(struct snd_sof_dev *sdev,
struct snd_soc_component *component,
struct snd_pcm_substream *substream)
{
- struct hdac_stream *hstream = substream->runtime->private_data;
- struct hdac_ext_stream *hext_stream = stream_to_hdac_ext_stream(hstream);
+ struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream);
+ struct snd_soc_pcm_runtime *be_rtd = NULL;
+ struct hdac_ext_stream *hext_stream;
+ struct snd_soc_dai *cpu_dai;
+ struct snd_soc_dpcm *dpcm;
u32 llp_l, llp_u;
+ /*
+ * The LLP needs to be read from the Link DMA used for this FE as it is
+ * allowed to use any combination of Link and Host channels
+ */
+ for_each_dpcm_be(rtd, substream->stream, dpcm) {
+ if (dpcm->fe != rtd)
+ continue;
+
+ be_rtd = dpcm->be;
+ }
+
+ if (!be_rtd)
+ return 0;
+
+ cpu_dai = snd_soc_rtd_to_cpu(be_rtd, 0);
+ if (!cpu_dai)
+ return 0;
+
+ hext_stream = snd_soc_dai_get_dma_data(cpu_dai, substream);
+ if (!hext_stream)
+ return 0;
+
/*
* The pplc_addr have been calculated during probe in
* hda_dsp_stream_init():
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 080/371] net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 079/371] ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 081/371] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
` (303 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+62ec8226f01cb4ca19d9,
Bhanu Seshu Kumar Valluri, Oleksij Rempel, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bhanu Seshu Kumar Valluri <bhanuseshukumar@gmail.com>
[ Upstream commit 49bdb63ff64469a6de8ea901aef123c75be9bbe7 ]
Syzbot reported read of uninitialized variable BUG with following call stack.
lan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout
=====================================================
BUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]
BUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
BUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241
lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]
lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241
lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766
lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707
Local variable sig.i.i created at:
lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline]
lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241
lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766
The function lan78xx_read_raw_eeprom failed to properly propagate EEPROM
read timeout errors (-ETIMEDOUT). In the fallthrough path, it first
attempted to restore the pin configuration for LED outputs and then
returned only the status of that restore operation, discarding the
original timeout error.
As a result, callers could mistakenly treat the data buffer as valid
even though the EEPROM read had actually timed out with no data or partial
data.
To fix this, handle errors in restoring the LED pin configuration separately.
If the restore succeeds, return any prior EEPROM timeout error correctly
to the caller.
Reported-by: syzbot+62ec8226f01cb4ca19d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62ec8226f01cb4ca19d9
Fixes: 8b1b2ca83b20 ("net: usb: lan78xx: Improve error handling in EEPROM and OTP operations")
Signed-off-by: Bhanu Seshu Kumar Valluri <bhanuseshukumar@gmail.com>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20250930084902.19062-1-bhanuseshukumar@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/lan78xx.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index 1ff25f57329a8..d75502ebbc0d9 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -1079,10 +1079,13 @@ static int lan78xx_read_raw_eeprom(struct lan78xx_net *dev, u32 offset,
}
read_raw_eeprom_done:
- if (dev->chipid == ID_REV_CHIP_ID_7800_)
- return lan78xx_write_reg(dev, HW_CFG, saved);
-
- return 0;
+ if (dev->chipid == ID_REV_CHIP_ID_7800_) {
+ int rc = lan78xx_write_reg(dev, HW_CFG, saved);
+ /* If USB fails, there is nothing to do */
+ if (rc < 0)
+ return rc;
+ }
+ return ret;
}
static int lan78xx_read_eeprom(struct lan78xx_net *dev, u32 offset,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 081/371] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 080/371] net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 082/371] drm/xe/hw_engine_group: Fix double write lock release in error path Greg Kroah-Hartman
` (302 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Tariq Toukan,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 4f0d91ba72811fd5dd577bcdccd7fed649aae62c ]
Print "entry->mac" before freeing "entry". The "entry" pointer is
freed with kfree_rcu() so it's unlikely that we would trigger this
in real life, but it's safer to re-order it.
Fixes: cc5387f7346a ("net/mlx4_en: Add unicast MAC filtering")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/aNvMHX4g8RksFFvV@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
index d2071aff7b8f3..308b4458e0d44 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -1180,9 +1180,9 @@ static void mlx4_en_do_uc_filter(struct mlx4_en_priv *priv,
mlx4_unregister_mac(mdev->dev, priv->port, mac);
hlist_del_rcu(&entry->hlist);
- kfree_rcu(entry, rcu);
en_dbg(DRV, priv, "Removed MAC %pM on port:%d\n",
entry->mac, priv->port);
+ kfree_rcu(entry, rcu);
++removed;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 082/371] drm/xe/hw_engine_group: Fix double write lock release in error path
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 081/371] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 083/371] drm/xe/i2c: Dont rely on d3cold.allowed flag in system PM path Greg Kroah-Hartman
` (301 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francois Dugast, Shuicheng Lin,
Lucas De Marchi, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit 08fdfd260e641da203f80aff8d3ed19c5ecceb7d ]
In xe_hw_engine_group_get_mode(), a write lock is acquired before
calling switch_mode(), which in turn invokes
xe_hw_engine_group_suspend_faulting_lr_jobs().
On failure inside xe_hw_engine_group_suspend_faulting_lr_jobs(),
the write lock is released there, and then again in
xe_hw_engine_group_get_mode(), leading to a double release.
Fix this by keeping both acquire and release operation in
xe_hw_engine_group_get_mode().
Fixes: 770bd1d34113 ("drm/xe/hw_engine_group: Ensure safe transition between execution modes")
Cc: Francois Dugast <francois.dugast@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Francois Dugast <francois.dugast@intel.com>
Link: https://lore.kernel.org/r/20250925023145.1203004-2-shuicheng.lin@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
(cherry picked from commit 662d98b8b373007fa1b08ba93fee11f6fd3e387c)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_hw_engine_group.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_hw_engine_group.c b/drivers/gpu/drm/xe/xe_hw_engine_group.c
index c926f840c87b0..cb1d7ed54f429 100644
--- a/drivers/gpu/drm/xe/xe_hw_engine_group.c
+++ b/drivers/gpu/drm/xe/xe_hw_engine_group.c
@@ -213,17 +213,13 @@ static int xe_hw_engine_group_suspend_faulting_lr_jobs(struct xe_hw_engine_group
err = q->ops->suspend_wait(q);
if (err)
- goto err_suspend;
+ return err;
}
if (need_resume)
xe_hw_engine_group_resume_faulting_lr_jobs(group);
return 0;
-
-err_suspend:
- up_write(&group->mode_sem);
- return err;
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 083/371] drm/xe/i2c: Dont rely on d3cold.allowed flag in system PM path
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 082/371] drm/xe/hw_engine_group: Fix double write lock release in error path Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 084/371] s390/cio: Update purge function to unregister the unused subchannels Greg Kroah-Hartman
` (300 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raag Jadav, Rodrigo Vivi,
Lucas De Marchi, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raag Jadav <raag.jadav@intel.com>
[ Upstream commit 1af59cd5cc2b65d7fc95165f056695ce3f171133 ]
In S3 and above sleep states, the device can loose power regardless of
d3cold.allowed flag. Bring up I2C controller explicitly in system PM
path to ensure its normal operation after losing power.
v2: Cover S3 and above states (Rodrigo)
Fixes: 0ea07b69517a ("drm/xe/pm: Wire up suspend/resume for I2C controller")
Signed-off-by: Raag Jadav <raag.jadav@intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://lore.kernel.org/r/20250918103200.2952576-1-raag.jadav@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit e4863f1159befcd70df24fcb5458afaf2feab043)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_pm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c
index bb9b6ecad2afc..3e301e42b2f19 100644
--- a/drivers/gpu/drm/xe/xe_pm.c
+++ b/drivers/gpu/drm/xe/xe_pm.c
@@ -194,7 +194,7 @@ int xe_pm_resume(struct xe_device *xe)
if (err)
goto err;
- xe_i2c_pm_resume(xe, xe->d3cold.allowed);
+ xe_i2c_pm_resume(xe, true);
xe_irq_resume(xe);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 084/371] s390/cio: Update purge function to unregister the unused subchannels
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 083/371] drm/xe/i2c: Dont rely on d3cold.allowed flag in system PM path Greg Kroah-Hartman
@ 2025-10-17 14:50 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 085/371] drm/vmwgfx: Fix a null-ptr access in the cursor snooper Greg Kroah-Hartman
` (299 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Oberparleiter, Vineeth Vijayan,
Heiko Carstens, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vineeth Vijayan <vneethv@linux.ibm.com>
[ Upstream commit 9daa5a8795865f9a3c93d8d1066785b07ded6073 ]
Starting with 'commit 2297791c92d0 ("s390/cio: dont unregister
subchannel from child-drivers")', cio no longer unregisters
subchannels when the attached device is invalid or unavailable.
As an unintended side-effect, the cio_ignore purge function no longer
removes subchannels for devices on the cio_ignore list if no CCW device
is attached. This situation occurs when a CCW device is non-operational
or unavailable
To ensure the same outcome of the purge function as when the
current cio_ignore list had been active during boot, update the purge
function to remove I/O subchannels without working CCW devices if the
associated device number is found on the cio_ignore list.
Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")
Suggested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/device.c | 37 ++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index fb2c07cb4d3dd..4b2dae6eb3760 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1316,23 +1316,34 @@ void ccw_device_schedule_recovery(void)
spin_unlock_irqrestore(&recovery_lock, flags);
}
-static int purge_fn(struct device *dev, void *data)
+static int purge_fn(struct subchannel *sch, void *data)
{
- struct ccw_device *cdev = to_ccwdev(dev);
- struct ccw_dev_id *id = &cdev->private->dev_id;
- struct subchannel *sch = to_subchannel(cdev->dev.parent);
+ struct ccw_device *cdev;
- spin_lock_irq(cdev->ccwlock);
- if (is_blacklisted(id->ssid, id->devno) &&
- (cdev->private->state == DEV_STATE_OFFLINE) &&
- (atomic_cmpxchg(&cdev->private->onoff, 0, 1) == 0)) {
- CIO_MSG_EVENT(3, "ccw: purging 0.%x.%04x\n", id->ssid,
- id->devno);
+ spin_lock_irq(&sch->lock);
+ if (sch->st != SUBCHANNEL_TYPE_IO || !sch->schib.pmcw.dnv)
+ goto unlock;
+
+ if (!is_blacklisted(sch->schid.ssid, sch->schib.pmcw.dev))
+ goto unlock;
+
+ cdev = sch_get_cdev(sch);
+ if (cdev) {
+ if (cdev->private->state != DEV_STATE_OFFLINE)
+ goto unlock;
+
+ if (atomic_cmpxchg(&cdev->private->onoff, 0, 1) != 0)
+ goto unlock;
ccw_device_sched_todo(cdev, CDEV_TODO_UNREG);
- css_sched_sch_todo(sch, SCH_TODO_UNREG);
atomic_set(&cdev->private->onoff, 0);
}
- spin_unlock_irq(cdev->ccwlock);
+
+ css_sched_sch_todo(sch, SCH_TODO_UNREG);
+ CIO_MSG_EVENT(3, "ccw: purging 0.%x.%04x%s\n", sch->schid.ssid,
+ sch->schib.pmcw.dev, cdev ? "" : " (no cdev)");
+
+unlock:
+ spin_unlock_irq(&sch->lock);
/* Abort loop in case of pending signal. */
if (signal_pending(current))
return -EINTR;
@@ -1348,7 +1359,7 @@ static int purge_fn(struct device *dev, void *data)
int ccw_purge_blacklisted(void)
{
CIO_MSG_EVENT(2, "ccw: purging blacklisted devices\n");
- bus_for_each_dev(&ccw_bus_type, NULL, NULL, purge_fn);
+ for_each_subchannel_staged(purge_fn, NULL, NULL);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 085/371] drm/vmwgfx: Fix a null-ptr access in the cursor snooper
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-10-17 14:50 ` [PATCH 6.17 084/371] s390/cio: Update purge function to unregister the unused subchannels Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 086/371] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
` (298 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zack Rusin, Kuzey Arda Bulut,
Broadcom internal kernel review list, dri-devel, Ian Forbes,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zack Rusin <zack.rusin@broadcom.com>
[ Upstream commit 5ac2c0279053a2c5265d46903432fb26ae2d0da2 ]
Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.
vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.
Fixes unchecked null-ptr reference in the snooping code.
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Fixes: c0951b797e7d ("drm/vmwgfx: Refactor resource management")
Reported-by: Kuzey Arda Bulut <kuzeyardabulut@gmail.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
Cc: dri-devel@lists.freedesktop.org
Reviewed-by: Ian Forbes <ian.forbes@broadcom.com>
Link: https://lore.kernel.org/r/20250917153655.1968583-1-zack.rusin@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 819704ac675d0..d539f25b5fbe0 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1497,6 +1497,7 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
SVGA3dCmdHeader *header)
{
struct vmw_bo *vmw_bo = NULL;
+ struct vmw_resource *res;
struct vmw_surface *srf = NULL;
VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSurfaceDMA);
int ret;
@@ -1532,18 +1533,24 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
dirty = (cmd->body.transfer == SVGA3D_WRITE_HOST_VRAM) ?
VMW_RES_DIRTY_SET : 0;
- ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
- dirty, user_surface_converter,
- &cmd->body.host.sid, NULL);
+ ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, dirty,
+ user_surface_converter, &cmd->body.host.sid,
+ NULL);
if (unlikely(ret != 0)) {
if (unlikely(ret != -ERESTARTSYS))
VMW_DEBUG_USER("could not find surface for DMA.\n");
return ret;
}
- srf = vmw_res_to_srf(sw_context->res_cache[vmw_res_surface].res);
+ res = sw_context->res_cache[vmw_res_surface].res;
+ if (!res) {
+ VMW_DEBUG_USER("Invalid DMA surface.\n");
+ return -EINVAL;
+ }
- vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->tbo, header);
+ srf = vmw_res_to_srf(res);
+ vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->tbo,
+ header);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 086/371] drm/vmwgfx: Fix Use-after-free in validation
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 085/371] drm/vmwgfx: Fix a null-ptr access in the cursor snooper Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 087/371] drm/vmwgfx: Fix copy-paste typo " Greg Kroah-Hartman
` (297 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuzey Arda Bulut, Ian Forbes,
Zack Rusin, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit dfe1323ab3c8a4dd5625ebfdba44dc47df84512a ]
Nodes stored in the validation duplicates hashtable come from an arena
allocator that is cleared at the end of vmw_execbuf_process. All nodes
are expected to be cleared in vmw_validation_drop_ht but this node escaped
because its resource was destroyed prematurely.
Fixes: 64ad2abfe9a6 ("drm/vmwgfx: Adapt validation code for reference-free lookups")
Reported-by: Kuzey Arda Bulut <kuzeyardabulut@gmail.com>
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://lore.kernel.org/r/20250926195427.1405237-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
index 7ee93e7191c7f..4d0fb71f62111 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
@@ -308,8 +308,10 @@ int vmw_validation_add_resource(struct vmw_validation_context *ctx,
hash_add_rcu(ctx->sw_context->res_ht, &node->hash.head, node->hash.key);
}
node->res = vmw_resource_reference_unless_doomed(res);
- if (!node->res)
+ if (!node->res) {
+ hash_del_rcu(&node->hash.head);
return -ESRCH;
+ }
node->first_usage = 1;
if (!res->dev_priv->has_mob) {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 087/371] drm/vmwgfx: Fix copy-paste typo in validation
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 086/371] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 088/371] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
` (296 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 228c5d44dffe8c293cd2d2f0e7ea45e64565b1c4 ]
'entry' should be 'val' which is the loop iterator.
Fixes: 9e931f2e0970 ("drm/vmwgfx: Refactor resource validation hashtable to use linux/hashtable implementation.")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://lore.kernel.org/r/20250926195427.1405237-2-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
index 4d0fb71f62111..35dc94c3db399 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
@@ -638,7 +638,7 @@ void vmw_validation_drop_ht(struct vmw_validation_context *ctx)
hash_del_rcu(&val->hash.head);
list_for_each_entry(val, &ctx->resource_ctx_list, head)
- hash_del_rcu(&entry->hash.head);
+ hash_del_rcu(&val->hash.head);
ctx->sw_context = NULL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 088/371] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 087/371] drm/vmwgfx: Fix copy-paste typo " Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 089/371] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
` (295 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandr Sapozhnikov, Xin Long,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandr Sapozhnikov <alsp705@gmail.com>
[ Upstream commit 2f3119686ef50319490ccaec81a575973da98815 ]
If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0
and sctp_ulpevent_make_authkey() returns 0, then the variable
ai_ev remains zero and the zero will be dereferenced
in the sctp_ulpevent_free() function.
Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Fixes: 30f6ebf65bc4 ("sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT")
Link: https://patch.msgid.link/20251002091448.11-1-alsp705@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a0524ba8d7878..93cac73472c79 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -885,7 +885,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
return SCTP_DISPOSITION_CONSUME;
nomem_authev:
- sctp_ulpevent_free(ai_ev);
+ if (ai_ev)
+ sctp_ulpevent_free(ai_ev);
nomem_aiev:
sctp_ulpevent_free(ev);
nomem_ev:
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 089/371] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request().
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 088/371] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 090/371] net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work Greg Kroah-Hartman
` (294 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c ]
syzbot reported the splat below in tcp_conn_request(). [0]
If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.
After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.
Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.
Let's remove reqsk_fastopen_remove() in tcp_conn_request().
Note that other callers make sure tp->fastopen_rsk is not NULL.
[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
<IRQ>
tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
ip6_input (net/ipv6/ip6_input.c:500)
ipv6_rcv (net/ipv6/ip6_input.c:311)
__netif_receive_skb (net/core/dev.c:6104)
process_backlog (net/core/dev.c:6456)
__napi_poll (net/core/dev.c:7506)
net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480)
</IRQ>
Fixes: 45c8a6cc2bcd ("tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20251001233755.1340927-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 64f93668a8452..a88e82f7ec485 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -7275,7 +7275,6 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
&foc, TCP_SYNACK_FASTOPEN, skb);
/* Add the child socket directly into the accept queue */
if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) {
- reqsk_fastopen_remove(fastopen_sk, req, false);
bh_unlock_sock(fastopen_sk);
sock_put(fastopen_sk);
goto drop_and_free;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 090/371] net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 089/371] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 091/371] selftest: net: ovpn: Fix uninit return values Greg Kroah-Hartman
` (293 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit bc9ea787079671cb19a8b25ff9f02be5ef6bfcf5 ]
The origin code calls cancel_delayed_work() in ocelot_stats_deinit()
to cancel the cyclic delayed work item ocelot->stats_work. However,
cancel_delayed_work() may fail to cancel the work item if it is already
executing. While destroy_workqueue() does wait for all pending work items
in the work queue to complete before destroying the work queue, it cannot
prevent the delayed work item from being rescheduled within the
ocelot_check_stats_work() function. This limitation exists because the
delayed work item is only enqueued into the work queue after its timer
expires. Before the timer expiration, destroy_workqueue() has no visibility
of this pending work item. Once the work queue appears empty,
destroy_workqueue() proceeds with destruction. When the timer eventually
expires, the delayed work item gets queued again, leading to the following
warning:
workqueue: cannot queue ocelot_check_stats_work on wq ocelot-switch-stats
WARNING: CPU: 2 PID: 0 at kernel/workqueue.c:2255 __queue_work+0x875/0xaf0
...
RIP: 0010:__queue_work+0x875/0xaf0
...
RSP: 0018:ffff88806d108b10 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000101 RCX: 0000000000000027
RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffff88806d123e88
RBP: ffffffff813c3170 R08: 0000000000000000 R09: ffffed100da247d2
R10: ffffed100da247d1 R11: ffff88806d123e8b R12: ffff88800c00f000
R13: ffff88800d7285c0 R14: ffff88806d0a5580 R15: ffff88800d7285a0
FS: 0000000000000000(0000) GS:ffff8880e5725000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe18e45ea10 CR3: 0000000005e6c000 CR4: 00000000000006f0
Call Trace:
<IRQ>
? kasan_report+0xc6/0xf0
? __pfx_delayed_work_timer_fn+0x10/0x10
? __pfx_delayed_work_timer_fn+0x10/0x10
call_timer_fn+0x25/0x1c0
__run_timer_base.part.0+0x3be/0x8c0
? __pfx_delayed_work_timer_fn+0x10/0x10
? rcu_sched_clock_irq+0xb06/0x27d0
? __pfx___run_timer_base.part.0+0x10/0x10
? try_to_wake_up+0xb15/0x1960
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
tmigr_handle_remote_up+0x603/0x7e0
? __pfx_tmigr_handle_remote_up+0x10/0x10
? sched_balance_trigger+0x1c0/0x9f0
? sched_tick+0x221/0x5a0
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
? tick_nohz_handler+0x339/0x440
? __pfx_tmigr_handle_remote_up+0x10/0x10
__walk_groups.isra.0+0x42/0x150
tmigr_handle_remote+0x1f4/0x2e0
? __pfx_tmigr_handle_remote+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
? hrtimer_interrupt+0x322/0x780
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
The following diagram reveals the cause of the above warning:
CPU 0 (remove) | CPU 1 (delayed work callback)
mscc_ocelot_remove() |
ocelot_deinit() | ocelot_check_stats_work()
ocelot_stats_deinit() |
cancel_delayed_work()| ...
| queue_delayed_work()
destroy_workqueue() | (wait a time)
| __queue_work() //UAF
The above scenario actually constitutes a UAF vulnerability.
The ocelot_stats_deinit() is only invoked when initialization
failure or resource destruction, so we must ensure that any
delayed work items cannot be rescheduled.
Replace cancel_delayed_work() with disable_delayed_work_sync()
to guarantee proper cancellation of the delayed work item and
ensure completion of any currently executing work before the
workqueue is deallocated.
A deadlock concern was considered: ocelot_stats_deinit() is called
in a process context and is not holding any locks that the delayed
work item might also need. Therefore, the use of the _sync() variant
is safe here.
This bug was identified through static analysis. To reproduce the
issue and validate the fix, I simulated ocelot-switch device by
writing a kernel module and prepared the necessary resources for
the virtual ocelot-switch device's probe process. Then, removing
the virtual device will trigger the mscc_ocelot_remove() function,
which in turn destroys the workqueue.
Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20251001011149.55073-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mscc/ocelot_stats.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c
index 545710dadcf54..d2be1be377165 100644
--- a/drivers/net/ethernet/mscc/ocelot_stats.c
+++ b/drivers/net/ethernet/mscc/ocelot_stats.c
@@ -1021,6 +1021,6 @@ int ocelot_stats_init(struct ocelot *ocelot)
void ocelot_stats_deinit(struct ocelot *ocelot)
{
- cancel_delayed_work(&ocelot->stats_work);
+ disable_delayed_work_sync(&ocelot->stats_work);
destroy_workqueue(ocelot->stats_queue);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 091/371] selftest: net: ovpn: Fix uninit return values
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 090/371] net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 092/371] ice: ice_adapter: release xa entry on adapter allocation failure Greg Kroah-Hartman
` (292 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sidharth Seela, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sidharth Seela <sidharthseela@gmail.com>
[ Upstream commit 7fc25c5a5ae6230d14b4c088fc94dbd58b2a9f3a ]
Fix functions that return undefined values. These issues were caught by
running clang using LLVM=1 option.
Clang warnings are as follows:
ovpn-cli.c:1587:6: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
1587 | if (!sock) {
| ^~~~~
ovpn-cli.c:1635:9: note: uninitialized use occurs here
1635 | return ret;
| ^~~
ovpn-cli.c:1587:2: note: remove the 'if' if its condition is always false
1587 | if (!sock) {
| ^~~~~~~~~~~~
1588 | fprintf(stderr, "cannot allocate netlink socket\n");
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1589 | goto err_free;
| ~~~~~~~~~~~~~~
1590 | }
| ~
ovpn-cli.c:1584:15: note: initialize the variable 'ret' to silence this warning
1584 | int mcid, ret;
| ^
| = 0
ovpn-cli.c:2107:7: warning: variable 'ret' is used uninitialized whenever switch case is taken [-Wsometimes-uninitialized]
2107 | case CMD_INVALID:
| ^~~~~~~~~~~
ovpn-cli.c:2111:9: note: uninitialized use occurs here
2111 | return ret;
| ^~~
ovpn-cli.c:1939:12: note: initialize the variable 'ret' to silence this warning
1939 | int n, ret;
| ^
|
Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Sidharth Seela <sidharthseela@gmail.com>
Link: https://patch.msgid.link/20251001123107.96244-2-sidharthseela@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/ovpn/ovpn-cli.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/net/ovpn/ovpn-cli.c b/tools/testing/selftests/net/ovpn/ovpn-cli.c
index 9201f2905f2ce..8d0f2f61923c9 100644
--- a/tools/testing/selftests/net/ovpn/ovpn-cli.c
+++ b/tools/testing/selftests/net/ovpn/ovpn-cli.c
@@ -1586,6 +1586,7 @@ static int ovpn_listen_mcast(void)
sock = nl_socket_alloc();
if (!sock) {
fprintf(stderr, "cannot allocate netlink socket\n");
+ ret = -ENOMEM;
goto err_free;
}
@@ -2105,6 +2106,7 @@ static int ovpn_run_cmd(struct ovpn_ctx *ovpn)
ret = ovpn_listen_mcast();
break;
case CMD_INVALID:
+ ret = -EINVAL;
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 092/371] ice: ice_adapter: release xa entry on adapter allocation failure
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 091/371] selftest: net: ovpn: Fix uninit return values Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 093/371] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
` (291 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Jacob Keller,
Haotian Zhang, Aleksandr Loktionov, Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 2db687f3469dbc5c59bc53d55acafd75d530b497 ]
When ice_adapter_new() fails, the reserved XArray entry created by
xa_insert() is not released. This causes subsequent insertions at
the same index to return -EBUSY, potentially leading to
NULL pointer dereferences.
Reorder the operations as suggested by Przemek Kitszel:
1. Check if adapter already exists (xa_load)
2. Reserve the XArray slot (xa_reserve)
3. Allocate the adapter (ice_adapter_new)
4. Store the adapter (xa_store)
Fixes: 0f0023c649c7 ("ice: do not init struct ice_adapter more times than needed")
Suggested-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Suggested-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20251001115336.1707-1-vulab@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_adapter.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_adapter.c b/drivers/net/ethernet/intel/ice/ice_adapter.c
index b53561c347082..0a8a48cd4bce6 100644
--- a/drivers/net/ethernet/intel/ice/ice_adapter.c
+++ b/drivers/net/ethernet/intel/ice/ice_adapter.c
@@ -99,19 +99,21 @@ struct ice_adapter *ice_adapter_get(struct pci_dev *pdev)
index = ice_adapter_xa_index(pdev);
scoped_guard(mutex, &ice_adapters_mutex) {
- err = xa_insert(&ice_adapters, index, NULL, GFP_KERNEL);
- if (err == -EBUSY) {
- adapter = xa_load(&ice_adapters, index);
+ adapter = xa_load(&ice_adapters, index);
+ if (adapter) {
refcount_inc(&adapter->refcount);
WARN_ON_ONCE(adapter->index != ice_adapter_index(pdev));
return adapter;
}
+ err = xa_reserve(&ice_adapters, index, GFP_KERNEL);
if (err)
return ERR_PTR(err);
adapter = ice_adapter_new(pdev);
- if (!adapter)
+ if (!adapter) {
+ xa_release(&ice_adapters, index);
return ERR_PTR(-ENOMEM);
+ }
xa_store(&ice_adapters, index, adapter, GFP_KERNEL);
}
return adapter;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 093/371] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 092/371] ice: ice_adapter: release xa entry on adapter allocation failure Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 094/371] tools build: Align warning options with perf Greg Kroah-Hartman
` (290 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erick Karanja, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erick Karanja <karanja99erick@gmail.com>
[ Upstream commit 521405cb54cd2812bbb6dedd5afc14bca1e7e98a ]
Add missing of_node_put call to release device node tbi obtained
via for_each_child_of_node.
Fixes: afae5ad78b342 ("net/fsl_pq_mdio: streamline probing of MDIO nodes")
Signed-off-by: Erick Karanja <karanja99erick@gmail.com>
Link: https://patch.msgid.link/20251002174617.960521-1-karanja99erick@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fsl_pq_mdio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/freescale/fsl_pq_mdio.c b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
index 577f9b1780ad6..de88776dd2a20 100644
--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c
+++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
@@ -479,10 +479,12 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev)
"missing 'reg' property in node %pOF\n",
tbi);
err = -EBUSY;
+ of_node_put(tbi);
goto error;
}
set_tbipa(*prop, pdev,
data->get_tbipa, priv->map, &res);
+ of_node_put(tbi);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 094/371] tools build: Align warning options with perf
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 093/371] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 095/371] perf python: split Clang options when invoking Popen Greg Kroah-Hartman
` (289 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, Palmer Dabbelt,
Albert Ou, Alexandre Ghiti, Nick Desaulniers, Justin Stitt,
Bill Wendling, Adrian Hunter, Arnaldo Carvalho de Melo, Jiri Olsa,
Namhyung Kim, Nathan Chancellor, James Clark, linux-riscv, llvm,
Paul Walmsley, linux-kernel, linux-perf-users,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 53d067feb8c4f16d1f24ce3f4df4450bb18c555f ]
The feature test programs are built without enabling '-Wall -Werror'
options. As a result, a feature may appear to be available, but later
building in perf can fail with stricter checks.
Make the feature test program use the same warning options as perf.
Fixes: 1925459b4d92 ("tools build: Fix feature Makefile issues with 'O='")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20251006-perf_build_android_ndk-v3-1-4305590795b2@arm.com
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: James Clark <james.clark@linaro.org>
Cc: linux-riscv@lists.infradead.org
Cc: llvm@lists.linux.dev
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: linux-kernel@vger.kernel.org
Cc: linux-perf-users@vger.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/build/feature/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile
index b41a42818d8ac..bd615a708a0aa 100644
--- a/tools/build/feature/Makefile
+++ b/tools/build/feature/Makefile
@@ -316,10 +316,10 @@ $(OUTPUT)test-libcapstone.bin:
$(BUILD) # -lcapstone provided by $(FEATURE_CHECK_LDFLAGS-libcapstone)
$(OUTPUT)test-compile-32.bin:
- $(CC) -m32 -o $@ test-compile.c
+ $(CC) -m32 -Wall -Werror -o $@ test-compile.c
$(OUTPUT)test-compile-x32.bin:
- $(CC) -mx32 -o $@ test-compile.c
+ $(CC) -mx32 -Wall -Werror -o $@ test-compile.c
$(OUTPUT)test-zlib.bin:
$(BUILD) -lz
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 095/371] perf python: split Clang options when invoking Popen
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 094/371] tools build: Align warning options with perf Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 096/371] tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat() Greg Kroah-Hartman
` (288 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, Palmer Dabbelt,
Albert Ou, Alexandre Ghiti, Nick Desaulniers, Justin Stitt,
Bill Wendling, Adrian Hunter, Arnaldo Carvalho de Melo, Jiri Olsa,
Namhyung Kim, Nathan Chancellor, James Clark, linux-riscv, llvm,
Paul Walmsley, linux-kernel, linux-perf-users,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit c6a43bc3e8f6102a47da0d2e53428d08f00172fb ]
When passing a list to subprocess.Popen, each element maps to one argv
token. Current code bundles multiple Clang flags into a single element,
something like:
cmd = ['clang',
'--target=x86_64-linux-gnu -fintegrated-as -Wno-cast-function-type-mismatch',
'test-hello.c']
So Clang only sees one long, invalid option instead of separate flags,
as a result, the script cannot capture any log via PIPE.
Fix this by using shlex.split() to separate the string so each option
becomes its own argv element. The fixed list will be:
cmd = ['clang',
'--target=x86_64-linux-gnu',
'-fintegrated-as',
'-Wno-cast-function-type-mismatch',
'test-hello.c']
Fixes: 09e6f9f98370 ("perf python: Fix splitting CC into compiler and options")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20251006-perf_build_android_ndk-v3-2-4305590795b2@arm.com
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: James Clark <james.clark@linaro.org>
Cc: linux-riscv@lists.infradead.org
Cc: llvm@lists.linux.dev
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: linux-kernel@vger.kernel.org
Cc: linux-perf-users@vger.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/setup.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/setup.py b/tools/perf/util/setup.py
index dd289d15acfd6..9cae2c472f4ad 100644
--- a/tools/perf/util/setup.py
+++ b/tools/perf/util/setup.py
@@ -1,6 +1,7 @@
from os import getenv, path
from subprocess import Popen, PIPE
from re import sub
+import shlex
cc = getenv("CC")
assert cc, "Environment variable CC not set"
@@ -22,7 +23,9 @@ assert srctree, "Environment variable srctree, for the Linux sources, not set"
src_feature_tests = f'{srctree}/tools/build/feature'
def clang_has_option(option):
- cc_output = Popen([cc, cc_options + option, path.join(src_feature_tests, "test-hello.c") ], stderr=PIPE).stderr.readlines()
+ cmd = shlex.split(f"{cc} {cc_options} {option}")
+ cmd.append(path.join(src_feature_tests, "test-hello.c"))
+ cc_output = Popen(cmd, stderr=PIPE).stderr.readlines()
return [o for o in cc_output if ((b"unknown argument" in o) or (b"is not supported" in o) or (b"unknown warning option" in o))] == [ ]
if cc_is_clang:
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 096/371] tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 095/371] perf python: split Clang options when invoking Popen Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 097/371] perf tools: Fix arm64 libjvmti build by generating unistd_64.h Greg Kroah-Hartman
` (287 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Neal Cardwell, Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 21b29e74ffe5a6c851c235bb80bf5ee26292c67b ]
Some applications (like selftests/net/tcp_mmap.c) call SO_RCVLOWAT
on their listener, before accept().
This has an unfortunate effect on wscale selection in
tcp_select_initial_window() during 3WHS.
For instance, tcp_mmap was negotiating wscale 4, regardless
of tcp_rmem[2] and sysctl_rmem_max.
Do not change tp->window_clamp if it is zero
or bigger than our computed value.
Zero value is special, it allows tcp_select_initial_window()
to enable autotuning.
Note that SO_RCVLOWAT use on listener is probably not wise,
because tp->scaling_ratio has a default value, possibly wrong.
Fixes: d1361840f8c5 ("tcp: fix SO_RCVLOWAT and RCVBUF autotuning")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Link: https://patch.msgid.link/20251003184119.2526655-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 89040007c7b70..ba36f558f144c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1771,6 +1771,7 @@ EXPORT_IPV6_MOD(tcp_peek_len);
/* Make sure sk_rcvbuf is big enough to satisfy SO_RCVLOWAT hint */
int tcp_set_rcvlowat(struct sock *sk, int val)
{
+ struct tcp_sock *tp = tcp_sk(sk);
int space, cap;
if (sk->sk_userlocks & SOCK_RCVBUF_LOCK)
@@ -1789,7 +1790,9 @@ int tcp_set_rcvlowat(struct sock *sk, int val)
space = tcp_space_from_win(sk, val);
if (space > sk->sk_rcvbuf) {
WRITE_ONCE(sk->sk_rcvbuf, space);
- WRITE_ONCE(tcp_sk(sk)->window_clamp, val);
+
+ if (tp->window_clamp && tp->window_clamp < val)
+ WRITE_ONCE(tp->window_clamp, val);
}
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 097/371] perf tools: Fix arm64 libjvmti build by generating unistd_64.h
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 096/371] tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat() Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 098/371] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
` (286 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Vincent Minet,
Arnaldo Carvalho de Melo, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Minet <v.minet@criteo.com>
[ Upstream commit f3b601f900902ab80902c44f820a8985384ac021 ]
Since commit 22f72088ffe6 ("tools headers: Update the syscall table with
the kernel sources") the arm64 syscall header is generated at build
time. Later, commit bfb713ea53c7 ("perf tools: Fix arm64 build by
generating unistd_64.h") added a dependency to libperf to guarantee that
this header was created before building libperf or perf itself.
However, libjvmti also requires this header but does not depend on
libperf, leading to build failures such as:
In file included from /usr/include/sys/syscall.h:24,
from /usr/include/syscall.h:1,
from jvmti/jvmti_agent.c:36:
tools/arch/arm64/include/uapi/asm/unistd.h:2:10: fatal error: asm/unistd_64.h: No such file or directory
2 | #include <asm/unistd_64.h>
Fix this by ensuring that libperf is built before libjvmti, so that
unistd_64.h is always available.
Fixes: 22f72088ffe69a37 ("tools headers: Update the syscall table with the kernel sources")
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Vincent Minet <v.minet@criteo.com>
Link: https://lore.kernel.org/r/20250922053702.2688374-1-v.minet@criteo.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/Makefile.perf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf
index e2150acc2c133..f561025d4085e 100644
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -941,7 +941,7 @@ $(OUTPUT)dlfilters/%.so: $(OUTPUT)dlfilters/%.o
ifndef NO_JVMTI
LIBJVMTI_IN := $(OUTPUT)jvmti/jvmti-in.o
-$(LIBJVMTI_IN): FORCE
+$(LIBJVMTI_IN): prepare FORCE
$(Q)$(MAKE) -f $(srctree)/tools/build/Makefile.build dir=jvmti obj=jvmti
$(OUTPUT)$(LIBJVMTI): $(LIBJVMTI_IN)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 098/371] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 097/371] perf tools: Fix arm64 libjvmti build by generating unistd_64.h Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 099/371] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
` (285 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harini T, Peng Fan, Jassi Brar,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harini T <harini.t@amd.com>
[ Upstream commit 341867f730d3d3bb54491ee64e8b1a0c446656e7 ]
The controller is registered using the device-managed function
'devm_mbox_controller_register()'. As documented in mailbox.c, this
ensures the devres framework automatically calls
mbox_controller_unregister() when device_unregister() is invoked, making
the explicit call unnecessary.
Remove redundant mbox_controller_unregister() call as
device_unregister() handles controller cleanup.
Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
Signed-off-by: Harini T <harini.t@amd.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/zynqmp-ipi-mailbox.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index 0c143beaafda6..263a3413a8c7f 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -894,7 +894,6 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
for (; i >= 0; i--) {
ipi_mbox = &pdata->ipi_mboxes[i];
if (ipi_mbox->dev.parent) {
- mbox_controller_unregister(&ipi_mbox->mbox);
if (device_is_registered(&ipi_mbox->dev))
device_unregister(&ipi_mbox->dev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 099/371] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 098/371] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 100/371] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop Greg Kroah-Hartman
` (284 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harini T, Peng Fan, Jassi Brar,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harini T <harini.t@amd.com>
[ Upstream commit 019e3f4550fc7d319a7fd03eff487255f8e8aecd ]
The ipi_mbox->dev.parent check is unreliable proxy for registration
status as it fails to protect against probe failures that occur after
the parent is assigned but before device_register() completes.
device_is_registered() is the canonical and robust method to verify the
registration status.
Remove ipi_mbox->dev.parent check in zynqmp_ipi_free_mboxes().
Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
Signed-off-by: Harini T <harini.t@amd.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/zynqmp-ipi-mailbox.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index 263a3413a8c7f..bdcc6937ee309 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -893,10 +893,8 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
i = pdata->num_mboxes;
for (; i >= 0; i--) {
ipi_mbox = &pdata->ipi_mboxes[i];
- if (ipi_mbox->dev.parent) {
- if (device_is_registered(&ipi_mbox->dev))
- device_unregister(&ipi_mbox->dev);
- }
+ if (device_is_registered(&ipi_mbox->dev))
+ device_unregister(&ipi_mbox->dev);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 100/371] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 099/371] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 101/371] mailbox: zynqmp-ipi: Fix SGI cleanup on unbind Greg Kroah-Hartman
` (283 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harini T, Peng Fan, Jassi Brar,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harini T <harini.t@amd.com>
[ Upstream commit 0aead8197fc1a85b0a89646e418feb49a564b029 ]
The cleanup loop was starting at the wrong array index, causing
out-of-bounds access.
Start the loop at the correct index for zero-indexed arrays to prevent
accessing memory beyond the allocated array bounds.
Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
Signed-off-by: Harini T <harini.t@amd.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/zynqmp-ipi-mailbox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index bdcc6937ee309..dddbef6b2cb8f 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -890,7 +890,7 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
if (pdata->irq < MAX_SGI)
xlnx_mbox_cleanup_sgi(pdata);
- i = pdata->num_mboxes;
+ i = pdata->num_mboxes - 1;
for (; i >= 0; i--) {
ipi_mbox = &pdata->ipi_mboxes[i];
if (device_is_registered(&ipi_mbox->dev))
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 101/371] mailbox: zynqmp-ipi: Fix SGI cleanup on unbind
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 100/371] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 102/371] bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Greg Kroah-Hartman
` (282 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harini T, Peng Fan, Jassi Brar,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harini T <harini.t@amd.com>
[ Upstream commit bb160e791ab15b89188a7a19589b8e11f681bef3 ]
The driver incorrectly determines SGI vs SPI interrupts by checking IRQ
number < 16, which fails with dynamic IRQ allocation. During unbind,
this causes improper SGI cleanup leading to kernel crash.
Add explicit irq_type field to pdata for reliable identification of SGI
interrupts (type-2) and only clean up SGI resources when appropriate.
Fixes: 6ffb1635341b ("mailbox: zynqmp: handle SGI for shared IPI")
Signed-off-by: Harini T <harini.t@amd.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/zynqmp-ipi-mailbox.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index dddbef6b2cb8f..967967b2b8a96 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -62,7 +62,8 @@
#define DST_BIT_POS 9U
#define SRC_BITMASK GENMASK(11, 8)
-#define MAX_SGI 16
+/* Macro to represent SGI type for IPI IRQs */
+#define IPI_IRQ_TYPE_SGI 2
/*
* Module parameters
@@ -121,6 +122,7 @@ struct zynqmp_ipi_mbox {
* @dev: device pointer corresponding to the Xilinx ZynqMP
* IPI agent
* @irq: IPI agent interrupt ID
+ * @irq_type: IPI SGI or SPI IRQ type
* @method: IPI SMC or HVC is going to be used
* @local_id: local IPI agent ID
* @virq_sgi: IRQ number mapped to SGI
@@ -130,6 +132,7 @@ struct zynqmp_ipi_mbox {
struct zynqmp_ipi_pdata {
struct device *dev;
int irq;
+ unsigned int irq_type;
unsigned int method;
u32 local_id;
int virq_sgi;
@@ -887,7 +890,7 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
struct zynqmp_ipi_mbox *ipi_mbox;
int i;
- if (pdata->irq < MAX_SGI)
+ if (pdata->irq_type == IPI_IRQ_TYPE_SGI)
xlnx_mbox_cleanup_sgi(pdata);
i = pdata->num_mboxes - 1;
@@ -956,14 +959,16 @@ static int zynqmp_ipi_probe(struct platform_device *pdev)
dev_err(dev, "failed to parse interrupts\n");
goto free_mbox_dev;
}
- ret = out_irq.args[1];
+
+ /* Use interrupt type to distinguish SGI and SPI interrupts */
+ pdata->irq_type = out_irq.args[0];
/*
* If Interrupt number is in SGI range, then request SGI else request
* IPI system IRQ.
*/
- if (ret < MAX_SGI) {
- pdata->irq = ret;
+ if (pdata->irq_type == IPI_IRQ_TYPE_SGI) {
+ pdata->irq = out_irq.args[1];
ret = xlnx_mbox_init_sgi(pdev, pdata->irq, pdata);
if (ret)
goto free_mbox_dev;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 102/371] bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 101/371] mailbox: zynqmp-ipi: Fix SGI cleanup on unbind Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 103/371] net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions Greg Kroah-Hartman
` (281 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yusuke Suzuki, Julian Wiedmann,
Daniel Borkmann, Martin KaFai Lau, Jakub Kicinski, Jordan Rife,
Simon Horman, Alexei Starovoitov, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 23f3770e1a53e6c7a553135011f547209e141e72 ]
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod
traffic to pass through dedicated egress gateways which then SNAT the
traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md
mode. A recent BPF change utilized the bpf_redirect_neigh() helper to
forward packets after the arrival and decap on vxlan, which turned out
over time that the kmalloc-256 slab usage in kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches
it through a fake dst entry to the skb. The latter was never released
though given bpf_redirect_neigh() was merely setting the new dst entry
via skb_dst_set() without dropping an existing one first.
Fixes: b4ab31414970 ("bpf: Add redirect_neigh helper as redirect drop-in")
Reported-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
Reported-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Jordan Rife <jrife@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jordan Rife <jrife@google.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/r/20251003073418.291171-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 2d326d35c3871..c5cdf3b08341a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2281,6 +2281,7 @@ static int __bpf_redirect_neigh_v6(struct sk_buff *skb, struct net_device *dev,
if (IS_ERR(dst))
goto out_drop;
+ skb_dst_drop(skb);
skb_dst_set(skb, dst);
} else if (nh->nh_family != AF_INET6) {
goto out_drop;
@@ -2389,6 +2390,7 @@ static int __bpf_redirect_neigh_v4(struct sk_buff *skb, struct net_device *dev,
goto out_drop;
}
+ skb_dst_drop(skb);
skb_dst_set(skb, &rt->dst);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 103/371] net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 102/371] bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 104/371] net: sparx5/lan969x: fix flooding configuration on bridge join/leave Greg Kroah-Hartman
` (280 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Kory Maincent,
Andrew Lunn, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
[ Upstream commit 4dc8b26a3ac2cb79f19f252d9077696d3ef0823a ]
When accessing an MDIO register using single-byte smbus accesses, we have to
perform 2 consecutive operations targeting the same address,
first accessing the MSB then the LSB of the 16 bit register:
read_1_byte(addr); <- returns MSB of register at address 'addr'
read_1_byte(addr); <- returns LSB
Some PHY devices present in SFP such as the Broadcom 5461 don't like
seeing foreign i2c transactions in-between these 2 smbus accesses, and
will return the MSB a second time when trying to read the LSB :
read_1_byte(addr); <- returns MSB
i2c_transaction_for_other_device_on_the_bus();
read_1_byte(addr); <- returns MSB again
Given the already fragile nature of accessing PHYs/SFPs with single-byte
smbus accesses, it's safe to say that this Broadcom PHY may not be the
only one acting like this.
Let's therefore hold the i2c bus lock while performing our smbus
transactions to avoid interleaved accesses.
Fixes: d4bd3aca33c2 ("net: mdio: mdio-i2c: Add support for single-byte SMBus operations")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251003070311.861135-1-maxime.chevallier@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mdio/mdio-i2c.c | 39 ++++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/drivers/net/mdio/mdio-i2c.c b/drivers/net/mdio/mdio-i2c.c
index 53e96bfab5422..ed20352a589a3 100644
--- a/drivers/net/mdio/mdio-i2c.c
+++ b/drivers/net/mdio/mdio-i2c.c
@@ -116,17 +116,23 @@ static int smbus_byte_mii_read_default_c22(struct mii_bus *bus, int phy_id,
if (!i2c_mii_valid_phy_id(phy_id))
return 0;
- ret = i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
- I2C_SMBUS_READ, reg,
- I2C_SMBUS_BYTE_DATA, &smbus_data);
+ i2c_lock_bus(i2c, I2C_LOCK_SEGMENT);
+
+ ret = __i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
+ I2C_SMBUS_READ, reg,
+ I2C_SMBUS_BYTE_DATA, &smbus_data);
if (ret < 0)
- return ret;
+ goto unlock;
val = (smbus_data.byte & 0xff) << 8;
- ret = i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
- I2C_SMBUS_READ, reg,
- I2C_SMBUS_BYTE_DATA, &smbus_data);
+ ret = __i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
+ I2C_SMBUS_READ, reg,
+ I2C_SMBUS_BYTE_DATA, &smbus_data);
+
+unlock:
+ i2c_unlock_bus(i2c, I2C_LOCK_SEGMENT);
+
if (ret < 0)
return ret;
@@ -147,17 +153,22 @@ static int smbus_byte_mii_write_default_c22(struct mii_bus *bus, int phy_id,
smbus_data.byte = (val & 0xff00) >> 8;
- ret = i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
- I2C_SMBUS_WRITE, reg,
- I2C_SMBUS_BYTE_DATA, &smbus_data);
+ i2c_lock_bus(i2c, I2C_LOCK_SEGMENT);
+
+ ret = __i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
+ I2C_SMBUS_WRITE, reg,
+ I2C_SMBUS_BYTE_DATA, &smbus_data);
if (ret < 0)
- return ret;
+ goto unlock;
smbus_data.byte = val & 0xff;
- ret = i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
- I2C_SMBUS_WRITE, reg,
- I2C_SMBUS_BYTE_DATA, &smbus_data);
+ ret = __i2c_smbus_xfer(i2c, i2c_mii_phy_addr(phy_id), 0,
+ I2C_SMBUS_WRITE, reg,
+ I2C_SMBUS_BYTE_DATA, &smbus_data);
+
+unlock:
+ i2c_unlock_bus(i2c, I2C_LOCK_SEGMENT);
return ret < 0 ? ret : 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 104/371] net: sparx5/lan969x: fix flooding configuration on bridge join/leave
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 103/371] net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 105/371] net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables Greg Kroah-Hartman
` (279 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Machon, Simon Horman,
Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Machon <daniel.machon@microchip.com>
[ Upstream commit c9d1b0b54258ba13b567dd116ead3c7c30cba7d8 ]
The sparx5 driver programs UC/MC/BC flooding in sparx5_update_fwd() by
unconditionally applying bridge_fwd_mask to all flood PGIDs. Any bridge
topology change that triggers sparx5_update_fwd() (for example enslaving
another port) therefore reinstalls flooding in hardware for already
bridged ports, regardless of their per-port flood flags.
This results in clobbering of the flood masks, and desynchronization
between software and hardware: the bridge still reports “flood off” for
the port, but hardware has flooding enabled due to unconditional PGID
reprogramming.
Steps to reproduce:
$ ip link add br0 type bridge
$ ip link set br0 up
$ ip link set eth0 master br0
$ ip link set eth0 up
$ bridge link set dev eth0 flood off
$ ip link set eth1 master br0
$ ip link set eth1 up
At this point, flooding is silently re-enabled for eth0. Software still
shows “flood off” for eth0, but hardware has flooding enabled.
To fix this, flooding is now set explicitly during bridge join/leave,
through sparx5_port_attr_bridge_flags():
On bridge join, UC/MC/BC flooding is enabled by default.
On bridge leave, UC/MC/BC flooding is disabled.
sparx5_update_fwd() no longer touches the flood PGIDs, clobbering
the flood masks, and desynchronizing software and hardware.
Initialization of the flooding PGIDs have been moved to
sparx5_start(). This is required as flooding PGIDs defaults to
0x3fffffff in hardware and the initialization was previously handled
in sparx5_update_fwd(), which was removed.
With this change, user-configured flooding flags persist across bridge
updates and are no longer overridden by sparx5_update_fwd().
Fixes: d6fce5141929 ("net: sparx5: add switching support")
Signed-off-by: Daniel Machon <daniel.machon@microchip.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251003-fix-flood-fwd-v1-1-48eb478b2904@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 5 +++++
.../net/ethernet/microchip/sparx5/sparx5_switchdev.c | 12 ++++++++++++
drivers/net/ethernet/microchip/sparx5/sparx5_vlan.c | 10 ----------
3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
index 74ad1d73b4652..40b1bfc600a79 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
@@ -708,6 +708,11 @@ static int sparx5_start(struct sparx5 *sparx5)
/* Init masks */
sparx5_update_fwd(sparx5);
+ /* Init flood masks */
+ for (int pgid = sparx5_get_pgid(sparx5, PGID_UC_FLOOD);
+ pgid <= sparx5_get_pgid(sparx5, PGID_BCAST); pgid++)
+ sparx5_pgid_clear(sparx5, pgid);
+
/* CPU copy CPU pgids */
spx5_wr(ANA_AC_PGID_MISC_CFG_PGID_CPU_COPY_ENA_SET(1), sparx5,
ANA_AC_PGID_MISC_CFG(sparx5_get_pgid(sparx5, PGID_CPU)));
diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.c b/drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.c
index bc9ecb9392cd3..0a71abbd3da58 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.c
@@ -176,6 +176,7 @@ static int sparx5_port_bridge_join(struct sparx5_port *port,
struct net_device *bridge,
struct netlink_ext_ack *extack)
{
+ struct switchdev_brport_flags flags = {0};
struct sparx5 *sparx5 = port->sparx5;
struct net_device *ndev = port->ndev;
int err;
@@ -205,6 +206,11 @@ static int sparx5_port_bridge_join(struct sparx5_port *port,
*/
__dev_mc_unsync(ndev, sparx5_mc_unsync);
+ /* Enable uc/mc/bc flooding */
+ flags.mask = BR_FLOOD | BR_MCAST_FLOOD | BR_BCAST_FLOOD;
+ flags.val = flags.mask;
+ sparx5_port_attr_bridge_flags(port, flags);
+
return 0;
err_switchdev_offload:
@@ -215,6 +221,7 @@ static int sparx5_port_bridge_join(struct sparx5_port *port,
static void sparx5_port_bridge_leave(struct sparx5_port *port,
struct net_device *bridge)
{
+ struct switchdev_brport_flags flags = {0};
struct sparx5 *sparx5 = port->sparx5;
switchdev_bridge_port_unoffload(port->ndev, NULL, NULL, NULL);
@@ -234,6 +241,11 @@ static void sparx5_port_bridge_leave(struct sparx5_port *port,
/* Port enters in host more therefore restore mc list */
__dev_mc_sync(port->ndev, sparx5_mc_sync, sparx5_mc_unsync);
+
+ /* Disable uc/mc/bc flooding */
+ flags.mask = BR_FLOOD | BR_MCAST_FLOOD | BR_BCAST_FLOOD;
+ flags.val = 0;
+ sparx5_port_attr_bridge_flags(port, flags);
}
static int sparx5_port_changeupper(struct net_device *dev,
diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_vlan.c b/drivers/net/ethernet/microchip/sparx5/sparx5_vlan.c
index d42097aa60a0e..4947828719038 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_vlan.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_vlan.c
@@ -167,16 +167,6 @@ void sparx5_update_fwd(struct sparx5 *sparx5)
/* Divide up fwd mask in 32 bit words */
bitmap_to_arr32(mask, sparx5->bridge_fwd_mask, SPX5_PORTS);
- /* Update flood masks */
- for (port = sparx5_get_pgid(sparx5, PGID_UC_FLOOD);
- port <= sparx5_get_pgid(sparx5, PGID_BCAST); port++) {
- spx5_wr(mask[0], sparx5, ANA_AC_PGID_CFG(port));
- if (is_sparx5(sparx5)) {
- spx5_wr(mask[1], sparx5, ANA_AC_PGID_CFG1(port));
- spx5_wr(mask[2], sparx5, ANA_AC_PGID_CFG2(port));
- }
- }
-
/* Update SRC masks */
for (port = 0; port < sparx5->data->consts->n_ports; port++) {
if (test_bit(port, sparx5->bridge_fwd_mask)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 105/371] net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 104/371] net: sparx5/lan969x: fix flooding configuration on bridge join/leave Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 106/371] net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed Greg Kroah-Hartman
` (278 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carolina Jubran, Jianbo Liu,
Leon Romanovsky, Tariq Toukan, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carolina Jubran <cjubran@nvidia.com>
[ Upstream commit 7593439c13933164f701eed9c83d89358f203469 ]
When creating IPsec flow tables with tunnel mode enabled, the driver
uses mlx5_eswitch_block_encap() to prevent tunnel encapsulation
conflicts across different domains (NIC_RX/NIC_TX and FDB), since the
firmware doesn’t allow both at the same time.
Currently, the driver attempts to reserve tunnel mode unconditionally
for both NIC and FDB IPsec tables. This can lead to conflicting tunnel
mode setups, for example, if a flow table was created in the FDB
domain with tunnel offload enabled, and we later try to create another
one in the NIC, or vice versa.
To resolve this, adjust the blocking logic so that tunnel mode is only
reserved by NIC flows. This ensures that tunnel offload is exclusively
used in either the NIC or the FDB, and avoids unintended offload
conflicts.
Fixes: 1762f132d542 ("net/mlx5e: Support IPsec packet offload for RX in switchdev mode")
Fixes: c6c2bf5db4ea ("net/mlx5e: Support IPsec packet offload for TX in switchdev mode")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1759652999-858513-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 8 ++++++--
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 5 +++--
.../mellanox/mlx5/core/eswitch_offloads.c | 18 ++++++++++--------
3 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 65dc3529283b6..b525f3f21c51f 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1045,7 +1045,9 @@ static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
/* Create FT */
if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)
- rx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);
+ rx->allow_tunnel_mode =
+ mlx5_eswitch_block_encap(mdev, rx == ipsec->rx_esw);
+
if (rx->allow_tunnel_mode)
flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
ft = ipsec_ft_create(attr.ns, attr.sa_level, attr.prio, 1, 2, flags);
@@ -1286,7 +1288,9 @@ static int tx_create(struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_tx *tx,
goto err_status_rule;
if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)
- tx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);
+ tx->allow_tunnel_mode =
+ mlx5_eswitch_block_encap(mdev, tx == ipsec->tx_esw);
+
if (tx->allow_tunnel_mode)
flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
ft = ipsec_ft_create(tx->ns, attr.sa_level, attr.prio, 1, 4, flags);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index 45506ad568470..53d7e33d6c0b1 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -851,7 +851,7 @@ void mlx5_eswitch_offloads_single_fdb_del_one(struct mlx5_eswitch *master_esw,
struct mlx5_eswitch *slave_esw);
int mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw);
-bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev);
+bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev, bool from_fdb);
void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev);
int mlx5_eswitch_block_mode(struct mlx5_core_dev *dev);
@@ -943,7 +943,8 @@ mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw)
return 0;
}
-static inline bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev)
+static inline bool
+mlx5_eswitch_block_encap(struct mlx5_core_dev *dev, bool from_fdb)
{
return true;
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index bee906661282a..f358e8fe432cf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -3938,23 +3938,25 @@ int mlx5_devlink_eswitch_inline_mode_get(struct devlink *devlink, u8 *mode)
return esw_inline_mode_to_devlink(esw->offloads.inline_mode, mode);
}
-bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev)
+bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev, bool from_fdb)
{
struct mlx5_eswitch *esw = dev->priv.eswitch;
+ enum devlink_eswitch_encap_mode encap;
+ bool allow_tunnel = false;
if (!mlx5_esw_allowed(esw))
return true;
down_write(&esw->mode_lock);
- if (esw->mode != MLX5_ESWITCH_LEGACY &&
- esw->offloads.encap != DEVLINK_ESWITCH_ENCAP_MODE_NONE) {
- up_write(&esw->mode_lock);
- return false;
+ encap = esw->offloads.encap;
+ if (esw->mode == MLX5_ESWITCH_LEGACY ||
+ (encap == DEVLINK_ESWITCH_ENCAP_MODE_NONE && !from_fdb)) {
+ allow_tunnel = true;
+ esw->offloads.num_block_encap++;
}
-
- esw->offloads.num_block_encap++;
up_write(&esw->mode_lock);
- return true;
+
+ return allow_tunnel;
}
void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 106/371] net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 105/371] net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 107/371] mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data() Greg Kroah-Hartman
` (277 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carolina Jubran, Jianbo Liu,
Leon Romanovsky, Tariq Toukan, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carolina Jubran <cjubran@nvidia.com>
[ Upstream commit 22239eb258bc1e6ccdb2d3502fce1cc2b2a88386 ]
When configuring IPsec packet offload in tunnel mode, the driver tries
to create tunnel reformat objects unconditionally. This is incorrect,
because tunnel mode is only permitted under specific encapsulation
settings, and that decision is already made when the flow table is
created.
The offending commit attempted to block this case in the state add
path, but the check there happens too late and does not prevent the
reformat from being configured.
Fix by taking short reservations for both the eswitch mode and the
encap at the start of state setup. This preserves the block ordering
(mode --> encap) used later: the mode is blocked during RX/TX get, and
the encap is blocked during flow-table creation. This lets us fail
early if either reservation cannot be obtained, it means a mode
transition is underway or a conflicting configuration already owns
encap. If both succeed, the flow-table path later takes the ownership
and the reservations are released on exit.
Fixes: 146c196b60e4 ("net/mlx5e: Create IPsec table with tunnel support only when encap is disabled")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1759652999-858513-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/en_accel/ipsec.c | 38 +++++++++++++------
.../mellanox/mlx5/core/en_accel/ipsec.h | 2 +-
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 24 +++++++-----
3 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 00e77c71e201f..0a4fb8c922684 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -772,6 +772,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
struct netlink_ext_ack *extack)
{
struct mlx5e_ipsec_sa_entry *sa_entry = NULL;
+ bool allow_tunnel_mode = false;
struct mlx5e_ipsec *ipsec;
struct mlx5e_priv *priv;
gfp_t gfp;
@@ -803,6 +804,20 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
goto err_xfrm;
}
+ if (mlx5_eswitch_block_mode(priv->mdev))
+ goto unblock_ipsec;
+
+ if (x->props.mode == XFRM_MODE_TUNNEL &&
+ x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {
+ allow_tunnel_mode = mlx5e_ipsec_fs_tunnel_allowed(sa_entry);
+ if (!allow_tunnel_mode) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Packet offload tunnel mode is disabled due to encap settings");
+ err = -EINVAL;
+ goto unblock_mode;
+ }
+ }
+
/* check esn */
if (x->props.flags & XFRM_STATE_ESN)
mlx5e_ipsec_update_esn_state(sa_entry);
@@ -817,7 +832,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
err = mlx5_ipsec_create_work(sa_entry);
if (err)
- goto unblock_ipsec;
+ goto unblock_encap;
err = mlx5e_ipsec_create_dwork(sa_entry);
if (err)
@@ -832,14 +847,6 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
if (err)
goto err_hw_ctx;
- if (x->props.mode == XFRM_MODE_TUNNEL &&
- x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
- !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
- NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
- err = -EINVAL;
- goto err_add_rule;
- }
-
/* We use *_bh() variant because xfrm_timer_handler(), which runs
* in softirq context, can reach our state delete logic and we need
* xa_erase_bh() there.
@@ -855,8 +862,7 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
queue_delayed_work(ipsec->wq, &sa_entry->dwork->dwork,
MLX5_IPSEC_RESCHED);
- if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
- x->props.mode == XFRM_MODE_TUNNEL) {
+ if (allow_tunnel_mode) {
xa_lock_bh(&ipsec->sadb);
__xa_set_mark(&ipsec->sadb, sa_entry->ipsec_obj_id,
MLX5E_IPSEC_TUNNEL_SA);
@@ -865,6 +871,11 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
out:
x->xso.offload_handle = (unsigned long)sa_entry;
+ if (allow_tunnel_mode)
+ mlx5_eswitch_unblock_encap(priv->mdev);
+
+ mlx5_eswitch_unblock_mode(priv->mdev);
+
return 0;
err_add_rule:
@@ -877,6 +888,11 @@ static int mlx5e_xfrm_add_state(struct net_device *dev,
if (sa_entry->work)
kfree(sa_entry->work->data);
kfree(sa_entry->work);
+unblock_encap:
+ if (allow_tunnel_mode)
+ mlx5_eswitch_unblock_encap(priv->mdev);
+unblock_mode:
+ mlx5_eswitch_unblock_mode(priv->mdev);
unblock_ipsec:
mlx5_eswitch_unblock_ipsec(priv->mdev);
err_xfrm:
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
index 23703f28386ad..5d7c15abfcaf6 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
@@ -319,7 +319,7 @@ void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);
-bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry);
+bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry);
int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index b525f3f21c51f..9e23652535638 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -2826,18 +2826,24 @@ void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry)
memcpy(sa_entry, &sa_entry_shadow, sizeof(*sa_entry));
}
-bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry)
+bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry)
{
- struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
- struct mlx5e_ipsec_rx *rx;
- struct mlx5e_ipsec_tx *tx;
+ struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+ struct xfrm_state *x = sa_entry->x;
+ bool from_fdb;
- rx = ipsec_rx(sa_entry->ipsec, attrs->addrs.family, attrs->type);
- tx = ipsec_tx(sa_entry->ipsec, attrs->type);
- if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_OUT)
- return tx->allow_tunnel_mode;
+ if (x->xso.dir == XFRM_DEV_OFFLOAD_OUT) {
+ struct mlx5e_ipsec_tx *tx = ipsec_tx(ipsec, x->xso.type);
+
+ from_fdb = (tx == ipsec->tx_esw);
+ } else {
+ struct mlx5e_ipsec_rx *rx = ipsec_rx(ipsec, x->props.family,
+ x->xso.type);
+
+ from_fdb = (rx == ipsec->rx_esw);
+ }
- return rx->allow_tunnel_mode;
+ return mlx5_eswitch_block_encap(ipsec->mdev, from_fdb);
}
void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 107/371] mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 106/371] net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 108/371] drm/amdgpu: Add additional DCE6 SCL registers Greg Kroah-Hartman
` (276 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason-JH Lin, Jassi Brar,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason-JH Lin <jason-jh.lin@mediatek.com>
[ Upstream commit 3f39f56520374cf56872644acf9afcc618a4b674 ]
pm_runtime_get_sync() and pm_runtime_put_autosuspend() were previously
called in cmdq_mbox_send_data(), which is under a spinlock in msg_submit()
(mailbox.c). This caused lockdep warnings such as "sleeping function
called from invalid context" when running with lockdebug enabled.
The BUG report:
BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1164
in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 3616, name: kworker/u17:3
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
irq event stamp: 0
CPU: 1 PID: 3616 Comm: kworker/u17:3 Not tainted 6.1.87-lockdep-14133-g26e933aca785 #1
Hardware name: Google Ciri sku0/unprovisioned board (DT)
Workqueue: imgsys_runner imgsys_runner_func
Call trace:
dump_backtrace+0x100/0x120
show_stack+0x20/0x2c
dump_stack_lvl+0x84/0xb4
dump_stack+0x18/0x48
__might_resched+0x354/0x4c0
__might_sleep+0x98/0xe4
__pm_runtime_resume+0x70/0x124
cmdq_mbox_send_data+0xe4/0xb1c
msg_submit+0x194/0x2dc
mbox_send_message+0x190/0x330
imgsys_cmdq_sendtask+0x1618/0x2224
imgsys_runner_func+0xac/0x11c
process_one_work+0x638/0xf84
worker_thread+0x808/0xcd0
kthread+0x24c/0x324
ret_from_fork+0x10/0x20
Additionally, pm_runtime_put_autosuspend() should be invoked from the
GCE IRQ handler to ensure the hardware has actually completed its work.
To resolve these issues, remove the pm_runtime calls from
cmdq_mbox_send_data() and delegate power management responsibilities
to the client driver.
Fixes: 8afe816b0c99 ("mailbox: mtk-cmdq-mailbox: Implement Runtime PM with autosuspend")
Signed-off-by: Jason-JH Lin <jason-jh.lin@mediatek.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mtk-cmdq-mailbox.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
index 532929916e998..654a60f63756a 100644
--- a/drivers/mailbox/mtk-cmdq-mailbox.c
+++ b/drivers/mailbox/mtk-cmdq-mailbox.c
@@ -379,20 +379,13 @@ static int cmdq_mbox_send_data(struct mbox_chan *chan, void *data)
struct cmdq *cmdq = dev_get_drvdata(chan->mbox->dev);
struct cmdq_task *task;
unsigned long curr_pa, end_pa;
- int ret;
/* Client should not flush new tasks if suspended. */
WARN_ON(cmdq->suspended);
- ret = pm_runtime_get_sync(cmdq->mbox.dev);
- if (ret < 0)
- return ret;
-
task = kzalloc(sizeof(*task), GFP_ATOMIC);
- if (!task) {
- pm_runtime_put_autosuspend(cmdq->mbox.dev);
+ if (!task)
return -ENOMEM;
- }
task->cmdq = cmdq;
INIT_LIST_HEAD(&task->list_entry);
@@ -439,9 +432,6 @@ static int cmdq_mbox_send_data(struct mbox_chan *chan, void *data)
}
list_move_tail(&task->list_entry, &thread->task_busy_list);
- pm_runtime_mark_last_busy(cmdq->mbox.dev);
- pm_runtime_put_autosuspend(cmdq->mbox.dev);
-
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 108/371] drm/amdgpu: Add additional DCE6 SCL registers
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 107/371] mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data() Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 109/371] drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs Greg Kroah-Hartman
` (275 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 507296328b36ffd00ec1f4fde5b8acafb7222ec7 ]
Fixes: 102b2f587ac8 ("drm/amd/display: dce_transform: DCE6 Scaling Horizontal Filter Init (v2)")
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_d.h | 7 +++++++
drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_sh_mask.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_d.h b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_d.h
index 9de01ae574c03..067eddd9c62d8 100644
--- a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_d.h
+++ b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_d.h
@@ -4115,6 +4115,7 @@
#define mmSCL0_SCL_COEF_RAM_CONFLICT_STATUS 0x1B55
#define mmSCL0_SCL_COEF_RAM_SELECT 0x1B40
#define mmSCL0_SCL_COEF_RAM_TAP_DATA 0x1B41
+#define mmSCL0_SCL_SCALER_ENABLE 0x1B42
#define mmSCL0_SCL_CONTROL 0x1B44
#define mmSCL0_SCL_DEBUG 0x1B6A
#define mmSCL0_SCL_DEBUG2 0x1B69
@@ -4144,6 +4145,7 @@
#define mmSCL1_SCL_COEF_RAM_CONFLICT_STATUS 0x1E55
#define mmSCL1_SCL_COEF_RAM_SELECT 0x1E40
#define mmSCL1_SCL_COEF_RAM_TAP_DATA 0x1E41
+#define mmSCL1_SCL_SCALER_ENABLE 0x1E42
#define mmSCL1_SCL_CONTROL 0x1E44
#define mmSCL1_SCL_DEBUG 0x1E6A
#define mmSCL1_SCL_DEBUG2 0x1E69
@@ -4173,6 +4175,7 @@
#define mmSCL2_SCL_COEF_RAM_CONFLICT_STATUS 0x4155
#define mmSCL2_SCL_COEF_RAM_SELECT 0x4140
#define mmSCL2_SCL_COEF_RAM_TAP_DATA 0x4141
+#define mmSCL2_SCL_SCALER_ENABLE 0x4142
#define mmSCL2_SCL_CONTROL 0x4144
#define mmSCL2_SCL_DEBUG 0x416A
#define mmSCL2_SCL_DEBUG2 0x4169
@@ -4202,6 +4205,7 @@
#define mmSCL3_SCL_COEF_RAM_CONFLICT_STATUS 0x4455
#define mmSCL3_SCL_COEF_RAM_SELECT 0x4440
#define mmSCL3_SCL_COEF_RAM_TAP_DATA 0x4441
+#define mmSCL3_SCL_SCALER_ENABLE 0x4442
#define mmSCL3_SCL_CONTROL 0x4444
#define mmSCL3_SCL_DEBUG 0x446A
#define mmSCL3_SCL_DEBUG2 0x4469
@@ -4231,6 +4235,7 @@
#define mmSCL4_SCL_COEF_RAM_CONFLICT_STATUS 0x4755
#define mmSCL4_SCL_COEF_RAM_SELECT 0x4740
#define mmSCL4_SCL_COEF_RAM_TAP_DATA 0x4741
+#define mmSCL4_SCL_SCALER_ENABLE 0x4742
#define mmSCL4_SCL_CONTROL 0x4744
#define mmSCL4_SCL_DEBUG 0x476A
#define mmSCL4_SCL_DEBUG2 0x4769
@@ -4260,6 +4265,7 @@
#define mmSCL5_SCL_COEF_RAM_CONFLICT_STATUS 0x4A55
#define mmSCL5_SCL_COEF_RAM_SELECT 0x4A40
#define mmSCL5_SCL_COEF_RAM_TAP_DATA 0x4A41
+#define mmSCL5_SCL_SCALER_ENABLE 0x4A42
#define mmSCL5_SCL_CONTROL 0x4A44
#define mmSCL5_SCL_DEBUG 0x4A6A
#define mmSCL5_SCL_DEBUG2 0x4A69
@@ -4287,6 +4293,7 @@
#define mmSCL_COEF_RAM_CONFLICT_STATUS 0x1B55
#define mmSCL_COEF_RAM_SELECT 0x1B40
#define mmSCL_COEF_RAM_TAP_DATA 0x1B41
+#define mmSCL_SCALER_ENABLE 0x1B42
#define mmSCL_CONTROL 0x1B44
#define mmSCL_DEBUG 0x1B6A
#define mmSCL_DEBUG2 0x1B69
diff --git a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_sh_mask.h b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_sh_mask.h
index 2d6a598a6c25c..9317a7afa6211 100644
--- a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_sh_mask.h
+++ b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_6_0_sh_mask.h
@@ -8650,6 +8650,8 @@
#define REGAMMA_LUT_INDEX__REGAMMA_LUT_INDEX__SHIFT 0x00000000
#define REGAMMA_LUT_WRITE_EN_MASK__REGAMMA_LUT_WRITE_EN_MASK_MASK 0x00000007L
#define REGAMMA_LUT_WRITE_EN_MASK__REGAMMA_LUT_WRITE_EN_MASK__SHIFT 0x00000000
+#define SCL_SCALER_ENABLE__SCL_SCALE_EN_MASK 0x00000001L
+#define SCL_SCALER_ENABLE__SCL_SCALE_EN__SHIFT 0x00000000
#define SCL_ALU_CONTROL__SCL_ALU_DISABLE_MASK 0x00000001L
#define SCL_ALU_CONTROL__SCL_ALU_DISABLE__SHIFT 0x00000000
#define SCL_BYPASS_CONTROL__SCL_BYPASS_MODE_MASK 0x00000003L
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 109/371] drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 108/371] drm/amdgpu: Add additional DCE6 SCL registers Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 110/371] drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 Greg Kroah-Hartman
` (274 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Timur Kristóf,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit d60f9c45d1bff7e20ecd57492ef7a5e33c94a37c ]
Without these, it's impossible to program these registers.
Fixes: 102b2f587ac8 ("drm/amd/display: dce_transform: DCE6 Scaling Horizontal Filter Init (v2)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dce/dce_transform.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h
index cbce194ec7b82..ff746fba850bc 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h
@@ -155,6 +155,8 @@
SRI(SCL_COEF_RAM_TAP_DATA, SCL, id), \
SRI(VIEWPORT_START, SCL, id), \
SRI(VIEWPORT_SIZE, SCL, id), \
+ SRI(SCL_HORZ_FILTER_INIT_RGB_LUMA, SCL, id), \
+ SRI(SCL_HORZ_FILTER_INIT_CHROMA, SCL, id), \
SRI(SCL_HORZ_FILTER_SCALE_RATIO, SCL, id), \
SRI(SCL_VERT_FILTER_SCALE_RATIO, SCL, id), \
SRI(SCL_VERT_FILTER_INIT, SCL, id), \
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 110/371] drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 109/371] drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 111/371] drm/amd/display: Properly disable scaling " Greg Kroah-Hartman
` (273 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Timur Kristóf,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit c0aa7cf49dd6cb302fe28e7183992b772cb7420c ]
Previously, the code would set a bit field which didn't exist
on DCE6 so it would be effectively a no-op.
Fixes: b70aaf5586f2 ("drm/amd/display: dce_transform: add DCE6 specific macros,functions")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dce/dce_transform.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
index 2b1673d69ea83..e5c2fb134d14d 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
@@ -527,8 +527,7 @@ static void dce60_transform_set_scaler(
if (coeffs_v != xfm_dce->filter_v || coeffs_h != xfm_dce->filter_h) {
/* 4. Program vertical filters */
if (xfm_dce->filter_v == NULL)
- REG_SET(SCL_VERT_FILTER_CONTROL, 0,
- SCL_V_2TAP_HARDCODE_COEF_EN, 0);
+ REG_WRITE(SCL_VERT_FILTER_CONTROL, 0);
program_multi_taps_filter(
xfm_dce,
data->taps.v_taps,
@@ -542,8 +541,7 @@ static void dce60_transform_set_scaler(
/* 5. Program horizontal filters */
if (xfm_dce->filter_h == NULL)
- REG_SET(SCL_HORZ_FILTER_CONTROL, 0,
- SCL_H_2TAP_HARDCODE_COEF_EN, 0);
+ REG_WRITE(SCL_HORZ_FILTER_CONTROL, 0);
program_multi_taps_filter(
xfm_dce,
data->taps.h_taps,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 111/371] drm/amd/display: Properly disable scaling on DCE6
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 110/371] drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 112/371] drm/amd/display: Disable scaling on DCE6 for now Greg Kroah-Hartman
` (272 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Timur Kristóf,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit a7dc87f3448bea5ebe054f14e861074b9c289c65 ]
SCL_SCALER_ENABLE can be used to enable/disable the scaler
on DCE6. Program it to 0 when scaling isn't used, 1 when used.
Additionally, clear some other registers when scaling is
disabled and program the SCL_UPDATE register as recommended.
This fixes visible glitches for users whose BIOS sets up a
mode with scaling at boot, which DC was unable to clean up.
Fixes: b70aaf5586f2 ("drm/amd/display: dce_transform: add DCE6 specific macros,functions")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/dce/dce_transform.c | 15 +++++++++++----
.../gpu/drm/amd/display/dc/dce/dce_transform.h | 2 ++
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
index e5c2fb134d14d..1ab5ae9b5ea51 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
@@ -154,10 +154,13 @@ static bool dce60_setup_scaling_configuration(
REG_SET(SCL_BYPASS_CONTROL, 0, SCL_BYPASS_MODE, 0);
if (data->taps.h_taps + data->taps.v_taps <= 2) {
- /* Set bypass */
-
- /* DCE6 has no SCL_MODE register, skip scale mode programming */
+ /* Disable scaler functionality */
+ REG_WRITE(SCL_SCALER_ENABLE, 0);
+ /* Clear registers that can cause glitches even when the scaler is off */
+ REG_WRITE(SCL_TAP_CONTROL, 0);
+ REG_WRITE(SCL_AUTOMATIC_MODE_CONTROL, 0);
+ REG_WRITE(SCL_F_SHARP_CONTROL, 0);
return false;
}
@@ -165,7 +168,7 @@ static bool dce60_setup_scaling_configuration(
SCL_H_NUM_OF_TAPS, data->taps.h_taps - 1,
SCL_V_NUM_OF_TAPS, data->taps.v_taps - 1);
- /* DCE6 has no SCL_MODE register, skip scale mode programming */
+ REG_WRITE(SCL_SCALER_ENABLE, 1);
/* DCE6 has no SCL_BOUNDARY_MODE bit, skip replace out of bound pixels */
@@ -502,6 +505,8 @@ static void dce60_transform_set_scaler(
REG_SET(DC_LB_MEM_SIZE, 0,
DC_LB_MEM_SIZE, xfm_dce->lb_memory_size);
+ REG_WRITE(SCL_UPDATE, 0x00010000);
+
/* Clear SCL_F_SHARP_CONTROL value to 0 */
REG_WRITE(SCL_F_SHARP_CONTROL, 0);
@@ -564,6 +569,8 @@ static void dce60_transform_set_scaler(
/* DCE6 has no SCL_COEF_UPDATE_COMPLETE bit to flip to new coefficient memory */
/* DCE6 DATA_FORMAT register does not support ALPHA_EN */
+
+ REG_WRITE(SCL_UPDATE, 0);
}
#endif
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h
index ff746fba850bc..eb716e8337e23 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.h
@@ -155,6 +155,7 @@
SRI(SCL_COEF_RAM_TAP_DATA, SCL, id), \
SRI(VIEWPORT_START, SCL, id), \
SRI(VIEWPORT_SIZE, SCL, id), \
+ SRI(SCL_SCALER_ENABLE, SCL, id), \
SRI(SCL_HORZ_FILTER_INIT_RGB_LUMA, SCL, id), \
SRI(SCL_HORZ_FILTER_INIT_CHROMA, SCL, id), \
SRI(SCL_HORZ_FILTER_SCALE_RATIO, SCL, id), \
@@ -592,6 +593,7 @@ struct dce_transform_registers {
uint32_t SCL_VERT_FILTER_SCALE_RATIO;
uint32_t SCL_HORZ_FILTER_INIT;
#if defined(CONFIG_DRM_AMD_DC_SI)
+ uint32_t SCL_SCALER_ENABLE;
uint32_t SCL_HORZ_FILTER_INIT_RGB_LUMA;
uint32_t SCL_HORZ_FILTER_INIT_CHROMA;
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 112/371] drm/amd/display: Disable scaling on DCE6 for now
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 111/371] drm/amd/display: Properly disable scaling " Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 113/371] drm/amdkfd: Fix kfd process ref leaking when userptr unmapping Greg Kroah-Hartman
` (271 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Timur Kristóf,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 0e190a0446ec517666dab4691b296a9b758e590f ]
Scaling doesn't work on DCE6 at the moment, the current
register programming produces incorrect output when using
fractional scaling (between 100-200%) on resolutions higher
than 1080p.
Disable it until we figure out how to program it properly.
Fixes: 7c15fd86aaec ("drm/amd/display: dc/dce: add initial DCE6 support (v10)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
index 53b60044653f8..f887d59da7c6f 100644
--- a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
@@ -403,13 +403,13 @@ static const struct dc_plane_cap plane_cap = {
},
.max_upscale_factor = {
- .argb8888 = 16000,
+ .argb8888 = 1,
.nv12 = 1,
.fp16 = 1
},
.max_downscale_factor = {
- .argb8888 = 250,
+ .argb8888 = 1,
.nv12 = 1,
.fp16 = 1
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 113/371] drm/amdkfd: Fix kfd process ref leaking when userptr unmapping
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 112/371] drm/amd/display: Disable scaling on DCE6 for now Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 114/371] net: pse-pd: tps23881: Fix current measurement scaling Greg Kroah-Hartman
` (270 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Harish Kasiviswanathan,
Alex Deucher, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 58e6fc2fb94f0f409447e5d46cf6a417b6397fbc ]
kfd_lookup_process_by_pid hold the kfd process reference to ensure it
doesn't get destroyed while sending the segfault event to user space.
Calling kfd_lookup_process_by_pid as function parameter leaks the kfd
process refcount and miss the NULL pointer check if app process is
already destroyed.
Fixes: 2d274bf7099b ("amd/amdkfd: Trigger segfault for early userptr unmmapping")
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index b16cce7c22c37..d5f9d48bf8842 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -2583,12 +2583,17 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info,
* from the KFD, trigger a segmentation fault in VM debug mode.
*/
if (amdgpu_ttm_adev(bo->tbo.bdev)->debug_vm_userptr) {
+ struct kfd_process *p;
+
pr_err("Pid %d unmapped memory before destroying userptr at GPU addr 0x%llx\n",
pid_nr(process_info->pid), mem->va);
// Send GPU VM fault to user space
- kfd_signal_vm_fault_event_with_userptr(kfd_lookup_process_by_pid(process_info->pid),
- mem->va);
+ p = kfd_lookup_process_by_pid(process_info->pid);
+ if (p) {
+ kfd_signal_vm_fault_event_with_userptr(p, mem->va);
+ kfd_unref_process(p);
+ }
}
ret = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 114/371] net: pse-pd: tps23881: Fix current measurement scaling
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 113/371] drm/amdkfd: Fix kfd process ref leaking when userptr unmapping Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 115/371] crypto: skcipher - Fix reqsize handling Greg Kroah-Hartman
` (269 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Wismer, Kory Maincent,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Wismer <thomas.wismer@scs.ch>
[ Upstream commit 2c95a756e0cfc19af6d0b32b0c6cf3bada334998 ]
The TPS23881 improves on the TPS23880 with current sense resistors reduced
from 255 mOhm to 200 mOhm. This has a direct impact on the scaling of the
current measurement. However, the latest TPS23881 data sheet from May 2023
still shows the scaling of the TPS23880 model.
Fixes: 7f076ce3f1733 ("net: pse-pd: tps23881: Add support for power limit and measurement features")
Signed-off-by: Thomas Wismer <thomas.wismer@scs.ch>
Acked-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20251006204029.7169-2-thomas@wismer.xyz
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/pse-pd/tps23881.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/pse-pd/tps23881.c b/drivers/net/pse-pd/tps23881.c
index 63f8f43062bce..b724b222ab44c 100644
--- a/drivers/net/pse-pd/tps23881.c
+++ b/drivers/net/pse-pd/tps23881.c
@@ -62,7 +62,7 @@
#define TPS23881_REG_SRAM_DATA 0x61
#define TPS23881_UV_STEP 3662
-#define TPS23881_NA_STEP 70190
+#define TPS23881_NA_STEP 89500
#define TPS23881_MW_STEP 500
#define TPS23881_MIN_PI_PW_LIMIT_MW 2000
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 115/371] crypto: skcipher - Fix reqsize handling
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 114/371] net: pse-pd: tps23881: Fix current measurement scaling Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 116/371] netfilter: nft_objref: validate objref and objrefmap expressions Greg Kroah-Hartman
` (268 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, T Pratham, Herbert Xu, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
[ Upstream commit 229c586b5e86979badb7cb0d38717b88a9e95ddd ]
Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg")
introduced cra_reqsize field in crypto_alg struct to replace type
specific reqsize fields. It looks like this was introduced specifically
for ahash and acomp from the commit description as subsequent commits
add necessary changes in these alg frameworks.
However, this is being recommended for use in all crypto algs [1]
instead of setting reqsize using crypto_*_set_reqsize(). Using
cra_reqsize in skcipher algorithms, hence, causes memory
corruptions and crashes as the underlying functions in the algorithm
framework have not been updated to set the reqsize properly from
cra_reqsize. [2]
Add proper set_reqsize calls in the skcipher init function to
properly initialize reqsize for these algorithms in the framework.
[1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/
[2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b
Fixes: afddce13ce81d ("crypto: api - Add reqsize to crypto_alg")
Fixes: 52f641bc63a4 ("crypto: ti - Add driver for DTHE V2 AES Engine (ECB, CBC)")
Signed-off-by: T Pratham <t-pratham@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/skcipher.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/skcipher.c b/crypto/skcipher.c
index de5fc91bba267..8fa5d9686d085 100644
--- a/crypto/skcipher.c
+++ b/crypto/skcipher.c
@@ -294,6 +294,8 @@ static int crypto_skcipher_init_tfm(struct crypto_tfm *tfm)
return crypto_init_lskcipher_ops_sg(tfm);
}
+ crypto_skcipher_set_reqsize(skcipher, crypto_tfm_alg_reqsize(tfm));
+
if (alg->exit)
skcipher->base.exit = crypto_skcipher_exit_tfm;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 116/371] netfilter: nft_objref: validate objref and objrefmap expressions
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 115/371] crypto: skcipher - Fix reqsize handling Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 117/371] bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu() Greg Kroah-Hartman
` (267 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Georg Pfuetzenreuter,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Florian Westphal,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit f359b809d54c6e3dd1d039b97e0b68390b0e53e4 ]
Referencing a synproxy stateful object from OUTPUT hook causes kernel
crash due to infinite recursive calls:
BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
[...]
Call Trace:
__find_rr_leaf+0x99/0x230
fib6_table_lookup+0x13b/0x2d0
ip6_pol_route+0xa4/0x400
fib6_rule_lookup+0x156/0x240
ip6_route_output_flags+0xc6/0x150
__nf_ip6_route+0x23/0x50
synproxy_send_tcp_ipv6+0x106/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
nft_synproxy_do_eval+0x263/0x310
nft_do_chain+0x5a8/0x5f0 [nf_tables
nft_do_chain_inet+0x98/0x110
nf_hook_slow+0x43/0xc0
__ip6_local_out+0xf0/0x170
ip6_local_out+0x17/0x70
synproxy_send_tcp_ipv6+0x1a2/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
[...]
Implement objref and objrefmap expression validate functions.
Currently, only NFT_OBJECT_SYNPROXY object type requires validation.
This will also handle a jump to a chain using a synproxy object from the
OUTPUT hook.
Now when trying to reference a synproxy object in the OUTPUT hook, nft
will produce the following error:
synproxy_crash.nft: Error: Could not process rule: Operation not supported
synproxy name mysynproxy
^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support")
Reported-by: Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
Closes: https://bugzilla.suse.com/1250237
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_objref.c | 39 ++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
index 8ee66a86c3bc7..1a62e384766a7 100644
--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -22,6 +22,35 @@ void nft_objref_eval(const struct nft_expr *expr,
obj->ops->eval(obj, regs, pkt);
}
+static int nft_objref_validate_obj_type(const struct nft_ctx *ctx, u32 type)
+{
+ unsigned int hooks;
+
+ switch (type) {
+ case NFT_OBJECT_SYNPROXY:
+ if (ctx->family != NFPROTO_IPV4 &&
+ ctx->family != NFPROTO_IPV6 &&
+ ctx->family != NFPROTO_INET)
+ return -EOPNOTSUPP;
+
+ hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD);
+
+ return nft_chain_validate_hooks(ctx->chain, hooks);
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+static int nft_objref_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+ struct nft_object *obj = nft_objref_priv(expr);
+
+ return nft_objref_validate_obj_type(ctx, obj->ops->type->type);
+}
+
static int nft_objref_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[])
@@ -93,6 +122,7 @@ static const struct nft_expr_ops nft_objref_ops = {
.activate = nft_objref_activate,
.deactivate = nft_objref_deactivate,
.dump = nft_objref_dump,
+ .validate = nft_objref_validate,
.reduce = NFT_REDUCE_READONLY,
};
@@ -197,6 +227,14 @@ static void nft_objref_map_destroy(const struct nft_ctx *ctx,
nf_tables_destroy_set(ctx, priv->set);
}
+static int nft_objref_map_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+ const struct nft_objref_map *priv = nft_expr_priv(expr);
+
+ return nft_objref_validate_obj_type(ctx, priv->set->objtype);
+}
+
static const struct nft_expr_ops nft_objref_map_ops = {
.type = &nft_objref_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_objref_map)),
@@ -206,6 +244,7 @@ static const struct nft_expr_ops nft_objref_map_ops = {
.deactivate = nft_objref_map_deactivate,
.destroy = nft_objref_map_destroy,
.dump = nft_objref_map_dump,
+ .validate = nft_objref_map_validate,
.reduce = NFT_REDUCE_READONLY,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 117/371] bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 116/371] netfilter: nft_objref: validate objref and objrefmap expressions Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 118/371] selftests: netfilter: nft_fib.sh: fix spurious test failures Greg Kroah-Hartman
` (266 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Woudstra, Florian Westphal,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Woudstra <ericwouds@gmail.com>
[ Upstream commit bbf0c98b3ad9edaea1f982de6c199cc11d3b7705 ]
net/bridge/br_private.h:1627 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
7 locks held by socat/410:
#0: ffff88800d7a9c90 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_stream_connect+0x43/0xa0
#1: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x62/0x1830
[..]
#6: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: nf_hook.constprop.0+0x8a/0x440
Call Trace:
lockdep_rcu_suspicious.cold+0x4f/0xb1
br_vlan_fill_forward_path_pvid+0x32c/0x410 [bridge]
br_fill_forward_path+0x7a/0x4d0 [bridge]
Use to correct helper, non _rcu variant requires RTNL mutex.
Fixes: bcf2766b1377 ("net: bridge: resolve forwarding path for VLAN tag actions in bridge devices")
Signed-off-by: Eric Woudstra <ericwouds@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_vlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 939a3aa78d5c4..54993a05037c1 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -1455,7 +1455,7 @@ void br_vlan_fill_forward_path_pvid(struct net_bridge *br,
if (!br_opt_get(br, BROPT_VLAN_ENABLED))
return;
- vg = br_vlan_group(br);
+ vg = br_vlan_group_rcu(br);
if (idx >= 0 &&
ctx->vlan[idx].proto == br->vlan_proto) {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 118/371] selftests: netfilter: nft_fib.sh: fix spurious test failures
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 117/371] bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu() Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 119/371] selftests: netfilter: query conntrack state to check for port clash resolution Greg Kroah-Hartman
` (265 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Florian Westphal,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit a126ab6b26f107f4eb100c8c77e9f10b706f26e6 ]
Jakub reports spurious failure of nft_fib.sh test.
This is caused by a subtle bug inherited when i moved faulty ping
from one test case to another.
nft_fib.sh not only checks that the fib expression matched, it also
records the number of matches and then validates we have the expected
count. When I did this it was under the assumption that we would
have 0 to n matching packets. In case of the failure, the entry has
n+1 matching packets.
This happens because ping_unreachable helper uses "ping -c 1 -w 1",
instead of the intended "-W". -w alters the meaning of -c (count),
namely, its then treated as number of wanted *replies* instead of
"number of packets to send".
So, in some cases, ping -c 1 -w 1 ends up sending two packets which then
makes the test fail due to the higher-than-expected packet count.
Fix the actual bug (s/-w/-W) and also change the error handling:
1. Show the number of expected packets in the error message
2. Always try to delete the key from the set.
Else, later test that makes sure we don't have unexpected keys
in there will always fail as well.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netfilter-devel/20250927090709.0b3cd783@kernel.org/
Fixes: 98287045c979 ("selftests: netfilter: move fib vrf test to nft_fib.sh")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/netfilter/nft_fib.sh | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/nft_fib.sh b/tools/testing/selftests/net/netfilter/nft_fib.sh
index 9929a9ffef652..04544905c2164 100755
--- a/tools/testing/selftests/net/netfilter/nft_fib.sh
+++ b/tools/testing/selftests/net/netfilter/nft_fib.sh
@@ -256,12 +256,12 @@ test_ping_unreachable() {
local daddr4=$1
local daddr6=$2
- if ip netns exec "$ns1" ping -c 1 -w 1 -q "$daddr4" > /dev/null; then
+ if ip netns exec "$ns1" ping -c 1 -W 0.1 -q "$daddr4" > /dev/null; then
echo "FAIL: ${ns1} could reach $daddr4" 1>&2
return 1
fi
- if ip netns exec "$ns1" ping -c 1 -w 1 -q "$daddr6" > /dev/null; then
+ if ip netns exec "$ns1" ping -c 1 -W 0.1 -q "$daddr6" > /dev/null; then
echo "FAIL: ${ns1} could reach $daddr6" 1>&2
return 1
fi
@@ -437,14 +437,17 @@ check_type()
local addr="$3"
local type="$4"
local count="$5"
+ local lret=0
[ -z "$count" ] && count=1
if ! ip netns exec "$nsrouter" nft get element inet t "$setname" { "$iifname" . "$addr" . "$type" } |grep -q "counter packets $count";then
- echo "FAIL: did not find $iifname . $addr . $type in $setname"
+ echo "FAIL: did not find $iifname . $addr . $type in $setname with $count packets"
ip netns exec "$nsrouter" nft list set inet t "$setname"
ret=1
- return 1
+ # do not fail right away, delete entry if it exists so later test that
+ # checks for unwanted keys don't get confused by this *expected* key.
+ lret=1
fi
# delete the entry, this allows to check if anything unexpected appeared
@@ -456,7 +459,7 @@ check_type()
return 1
fi
- return 0
+ return $lret
}
check_local()
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 119/371] selftests: netfilter: query conntrack state to check for port clash resolution
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 118/371] selftests: netfilter: nft_fib.sh: fix spurious test failures Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 120/371] io_uring/zcrx: increment fallback loop src offset Greg Kroah-Hartman
` (264 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Florian Westphal,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit e84945bdc619ed4243ba4298dbb8ca2062026474 ]
Jakub reported this self test flaking occasionally (fails, but passes on
re-run) on debug kernels.
This is because the test checks for elapsed time to determine if both
connections were established in parallel.
Rework this to no longer depend on timing.
Use busywait helper to check that both sockets have moved to established
state and then query the conntrack engine for the two entries.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netfilter-devel/20250926163318.40d1a502@kernel.org/
Fixes: 117e149e26d1 ("selftests: netfilter: test nat source port clash resolution interaction with tcp early demux")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/net/netfilter/nf_nat_edemux.sh | 58 +++++++++++++------
1 file changed, 41 insertions(+), 17 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/nf_nat_edemux.sh b/tools/testing/selftests/net/netfilter/nf_nat_edemux.sh
index 1014551dd7694..6731fe1eaf2e9 100755
--- a/tools/testing/selftests/net/netfilter/nf_nat_edemux.sh
+++ b/tools/testing/selftests/net/netfilter/nf_nat_edemux.sh
@@ -17,9 +17,31 @@ cleanup()
checktool "socat -h" "run test without socat"
checktool "iptables --version" "run test without iptables"
+checktool "conntrack --version" "run test without conntrack"
trap cleanup EXIT
+connect_done()
+{
+ local ns="$1"
+ local port="$2"
+
+ ip netns exec "$ns" ss -nt -o state established "dport = :$port" | grep -q "$port"
+}
+
+check_ctstate()
+{
+ local ns="$1"
+ local dp="$2"
+
+ if ! ip netns exec "$ns" conntrack --get -s 192.168.1.2 -d 192.168.1.1 -p tcp \
+ --sport 10000 --dport "$dp" --state ESTABLISHED > /dev/null 2>&1;then
+ echo "FAIL: Did not find expected state for dport $2"
+ ip netns exec "$ns" bash -c 'conntrack -L; conntrack -S; ss -nt'
+ ret=1
+ fi
+}
+
setup_ns ns1 ns2
# Connect the namespaces using a veth pair
@@ -44,15 +66,18 @@ socatpid=$!
ip netns exec "$ns2" sysctl -q net.ipv4.ip_local_port_range="10000 10000"
# add a virtual IP using DNAT
-ip netns exec "$ns2" iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201
+ip netns exec "$ns2" iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201 || exit 1
# ... and route it to the other namespace
ip netns exec "$ns2" ip route add 10.96.0.1 via 192.168.1.1
-# add a persistent connection from the other namespace
-ip netns exec "$ns2" socat -t 10 - TCP:192.168.1.1:5201 > /dev/null &
+# listener should be up by now, wait if it isn't yet.
+wait_local_port_listen "$ns1" 5201 tcp
-sleep 1
+# add a persistent connection from the other namespace
+sleep 10 | ip netns exec "$ns2" socat -t 10 - TCP:192.168.1.1:5201 > /dev/null &
+cpid0=$!
+busywait "$BUSYWAIT_TIMEOUT" connect_done "$ns2" "5201"
# ip daddr:dport will be rewritten to 192.168.1.1 5201
# NAT must reallocate source port 10000 because
@@ -71,26 +96,25 @@ fi
ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201
ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201
-sleep 5 | ip netns exec "$ns2" socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
+sleep 5 | ip netns exec "$ns2" socat -T 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
+cpid1=$!
-# if connect succeeds, client closes instantly due to EOF on stdin.
-# if connect hangs, it will time out after 5s.
-echo | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
+sleep 5 | ip netns exec "$ns2" socat -T 5 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
cpid2=$!
-time_then=$(date +%s)
-wait $cpid2
-rv=$?
-time_now=$(date +%s)
+busywait "$BUSYWAIT_TIMEOUT" connect_done "$ns2" 5202
+busywait "$BUSYWAIT_TIMEOUT" connect_done "$ns2" 5203
-# Check how much time has elapsed, expectation is for
-# 'cpid2' to connect and then exit (and no connect delay).
-delta=$((time_now - time_then))
+check_ctstate "$ns1" 5202
+check_ctstate "$ns1" 5203
-if [ $delta -lt 2 ] && [ $rv -eq 0 ]; then
+kill $socatpid $cpid0 $cpid1 $cpid2
+socatpid=0
+
+if [ $ret -eq 0 ]; then
echo "PASS: could connect to service via redirected ports"
else
- echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)"
+ echo "FAIL: socat cannot connect to service via redirect"
ret=1
fi
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 120/371] io_uring/zcrx: increment fallback loop src offset
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 119/371] selftests: netfilter: query conntrack state to check for port clash resolution Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 121/371] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
` (263 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
[ Upstream commit e9a9dcb4ccb32446165800a9d83058e95c4833d2 ]
Don't forget to adjust the source offset in io_copy_page(), otherwise
it'll be copying into the same location in some cases for highmem
setups.
Fixes: e67645bb7f3f4 ("io_uring/zcrx: prepare fallback for larger pages")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/zcrx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 643a69f9ffe2a..2035c77a16357 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -993,6 +993,7 @@ static ssize_t io_copy_page(struct io_copy_cache *cc, struct page *src_page,
cc->size -= n;
cc->offset += n;
+ src_offset += n;
len -= n;
copied += n;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 121/371] crypto: essiv - Check ssize for decryption and in-place encryption
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 120/371] io_uring/zcrx: increment fallback loop src offset Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 122/371] net: airoha: Fix loopback mode configuration for GDM2 port Greg Kroah-Hartman
` (262 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Alifa Ramdhan, Herbert Xu,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 6bb73db6948c2de23e407fe1b7ef94bf02b7529f ]
Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Fixes: be1eb7f78aa8 ("crypto: essiv - create wrapper template for ESSIV generation")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/essiv.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/crypto/essiv.c b/crypto/essiv.c
index d003b78fcd855..a47a3eab69351 100644
--- a/crypto/essiv.c
+++ b/crypto/essiv.c
@@ -186,9 +186,14 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc)
const struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
struct essiv_aead_request_ctx *rctx = aead_request_ctx(req);
struct aead_request *subreq = &rctx->aead_req;
+ int ivsize = crypto_aead_ivsize(tfm);
+ int ssize = req->assoclen - ivsize;
struct scatterlist *src = req->src;
int err;
+ if (ssize < 0)
+ return -EINVAL;
+
crypto_cipher_encrypt_one(tctx->essiv_cipher, req->iv, req->iv);
/*
@@ -198,19 +203,12 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc)
*/
rctx->assoc = NULL;
if (req->src == req->dst || !enc) {
- scatterwalk_map_and_copy(req->iv, req->dst,
- req->assoclen - crypto_aead_ivsize(tfm),
- crypto_aead_ivsize(tfm), 1);
+ scatterwalk_map_and_copy(req->iv, req->dst, ssize, ivsize, 1);
} else {
u8 *iv = (u8 *)aead_request_ctx(req) + tctx->ivoffset;
- int ivsize = crypto_aead_ivsize(tfm);
- int ssize = req->assoclen - ivsize;
struct scatterlist *sg;
int nents;
- if (ssize < 0)
- return -EINVAL;
-
nents = sg_nents_for_len(req->src, ssize);
if (nents < 0)
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 122/371] net: airoha: Fix loopback mode configuration for GDM2 port
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 121/371] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 123/371] cifs: Fix copy_to_iter return value check Greg Kroah-Hartman
` (261 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jacob Keller,
Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit fea8cdf6738a8b25fccbb7b109b440795a0892cb ]
Add missing configuration for loopback mode in airhoha_set_gdm2_loopback
routine.
Fixes: 9cd451d414f6e ("net: airoha: Add loopback support for GDM2")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20251008-airoha-loopback-mode-fix-v2-1-045694fe7f60@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 4 +++-
drivers/net/ethernet/airoha/airoha_regs.h | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index e6b802e3d8449..6d23c5c049b9a 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1709,7 +1709,9 @@ static void airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
airoha_fe_wr(eth, REG_GDM_RXCHN_EN(2), 0xffff);
airoha_fe_rmw(eth, REG_GDM_LPBK_CFG(2),
LPBK_CHAN_MASK | LPBK_MODE_MASK | LPBK_EN_MASK,
- FIELD_PREP(LPBK_CHAN_MASK, chan) | LPBK_EN_MASK);
+ FIELD_PREP(LPBK_CHAN_MASK, chan) |
+ LBK_GAP_MODE_MASK | LBK_LEN_MODE_MASK |
+ LBK_CHAN_MODE_MASK | LPBK_EN_MASK);
airoha_fe_rmw(eth, REG_GDM_LEN_CFG(2),
GDM_SHORT_LEN_MASK | GDM_LONG_LEN_MASK,
FIELD_PREP(GDM_SHORT_LEN_MASK, 60) |
diff --git a/drivers/net/ethernet/airoha/airoha_regs.h b/drivers/net/ethernet/airoha/airoha_regs.h
index 150c85995cc1a..0c8f61081699c 100644
--- a/drivers/net/ethernet/airoha/airoha_regs.h
+++ b/drivers/net/ethernet/airoha/airoha_regs.h
@@ -151,6 +151,9 @@
#define LPBK_LEN_MASK GENMASK(23, 10)
#define LPBK_CHAN_MASK GENMASK(8, 4)
#define LPBK_MODE_MASK GENMASK(3, 1)
+#define LBK_GAP_MODE_MASK BIT(3)
+#define LBK_LEN_MODE_MASK BIT(2)
+#define LBK_CHAN_MODE_MASK BIT(1)
#define LPBK_EN_MASK BIT(0)
#define REG_GDM_TXCHN_EN(_n) (GDM_BASE(_n) + 0x24)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 123/371] cifs: Fix copy_to_iter return value check
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 122/371] net: airoha: Fix loopback mode configuration for GDM2 port Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 124/371] smb: client: fix missing timestamp updates after utime(2) Greg Kroah-Hartman
` (260 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Talpey, David Howells,
Fushuai Wang, Steve French, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fushuai Wang <wangfushuai@baidu.com>
[ Upstream commit 0cc380d0e1d36b8f2703379890e90f896f68e9e8 ]
The return value of copy_to_iter() function will never be negative,
it is the number of bytes copied, or zero if nothing was copied.
Update the check to treat 0 as an error, and return -1 in that case.
Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
Acked-by: Tom Talpey <tom@talpey.com>
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2ops.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 68286673afc99..328fdeecae29a 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4653,7 +4653,7 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid,
unsigned int pad_len;
struct cifs_io_subrequest *rdata = mid->callback_data;
struct smb2_hdr *shdr = (struct smb2_hdr *)buf;
- int length;
+ size_t copied;
bool use_rdma_mr = false;
if (shdr->Command != SMB2_READ) {
@@ -4766,10 +4766,10 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid,
} else if (buf_len >= data_offset + data_len) {
/* read response payload is in buf */
WARN_ONCE(buffer, "read data can be either in buf or in buffer");
- length = copy_to_iter(buf + data_offset, data_len, &rdata->subreq.io_iter);
- if (length < 0)
- return length;
- rdata->got_bytes = data_len;
+ copied = copy_to_iter(buf + data_offset, data_len, &rdata->subreq.io_iter);
+ if (copied == 0)
+ return -EIO;
+ rdata->got_bytes = copied;
} else {
/* read response payload cannot be in both buf and pages */
WARN_ONCE(1, "buf can not contain only a part of read data");
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 124/371] smb: client: fix missing timestamp updates after utime(2)
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 123/371] cifs: Fix copy_to_iter return value check Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 125/371] rtc: isl12022: Fix initial enable_irq/disable_irq balance Greg Kroah-Hartman
` (259 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Frank Sorenson, David Howells, linux-cifs, Steve French,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
[ Upstream commit b95cd1bdf5aa9221c98fc9259014b8bb8d1829d7 ]
Don't reuse open handle when changing timestamps to prevent the server
from disabling automatic timestamp updates as per MS-FSA 2.1.4.17.
---8<---
import os
import time
filename = '/mnt/foo'
def print_stat(prefix):
st = os.stat(filename)
print(prefix, ': ', time.ctime(st.st_atime), time.ctime(st.st_ctime))
fd = os.open(filename, os.O_CREAT|os.O_TRUNC|os.O_WRONLY, 0o644)
print_stat('old')
os.utime(fd, None)
time.sleep(2)
os.write(fd, b'foo')
os.close(fd)
time.sleep(2)
print_stat('new')
---8<---
Before patch:
$ mount.cifs //srv/share /mnt -o ...
$ python3 run.py
old : Fri Oct 3 14:01:21 2025 Fri Oct 3 14:01:21 2025
new : Fri Oct 3 14:01:21 2025 Fri Oct 3 14:01:21 2025
After patch:
$ mount.cifs //srv/share /mnt -o ...
$ python3 run.py
old : Fri Oct 3 17:03:34 2025 Fri Oct 3 17:03:34 2025
new : Fri Oct 3 17:03:36 2025 Fri Oct 3 17:03:36 2025
Fixes: b6f2a0f89d7e ("cifs: for compound requests, use open handle if possible")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: Frank Sorenson <sorenson@redhat.com>
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2inode.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index 0985db9f86e51..e441fa2e76897 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -1382,31 +1382,33 @@ int
smb2_set_file_info(struct inode *inode, const char *full_path,
FILE_BASIC_INFO *buf, const unsigned int xid)
{
- struct cifs_open_parms oparms;
+ struct kvec in_iov = { .iov_base = buf, .iov_len = sizeof(*buf), };
struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ struct cifsFileInfo *cfile = NULL;
+ struct cifs_open_parms oparms;
struct tcon_link *tlink;
struct cifs_tcon *tcon;
- struct cifsFileInfo *cfile;
- struct kvec in_iov = { .iov_base = buf, .iov_len = sizeof(*buf), };
- int rc;
-
- if ((buf->CreationTime == 0) && (buf->LastAccessTime == 0) &&
- (buf->LastWriteTime == 0) && (buf->ChangeTime == 0) &&
- (buf->Attributes == 0))
- return 0; /* would be a no op, no sense sending this */
+ int rc = 0;
tlink = cifs_sb_tlink(cifs_sb);
if (IS_ERR(tlink))
return PTR_ERR(tlink);
tcon = tlink_tcon(tlink);
- cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
+ if ((buf->CreationTime == 0) && (buf->LastAccessTime == 0) &&
+ (buf->LastWriteTime == 0) && (buf->ChangeTime == 0)) {
+ if (buf->Attributes == 0)
+ goto out; /* would be a no op, no sense sending this */
+ cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
+ }
+
oparms = CIFS_OPARMS(cifs_sb, tcon, full_path, FILE_WRITE_ATTRIBUTES,
FILE_OPEN, 0, ACL_NO_MODE);
rc = smb2_compound_op(xid, tcon, cifs_sb,
full_path, &oparms, &in_iov,
&(int){SMB2_OP_SET_INFO}, 1,
cfile, NULL, NULL, NULL);
+out:
cifs_put_tlink(tlink);
return rc;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 125/371] rtc: isl12022: Fix initial enable_irq/disable_irq balance
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 124/371] smb: client: fix missing timestamp updates after utime(2) Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 126/371] cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points Greg Kroah-Hartman
` (258 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Esben Haabendal, Alexandre Belloni,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Esben Haabendal <esben@geanix.com>
[ Upstream commit 9ffe06b6ccd7a8eaa31d31625db009ea26a22a3c ]
Interrupts are automatically enabled when requested, so we need to
initialize irq_enabled accordingly to avoid causing an unbalanced enable
warning.
Fixes: c62d658e5253 ("rtc: isl12022: Add alarm support")
Signed-off-by: Esben Haabendal <esben@geanix.com>
Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-2-3de8e530a39e@geanix.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-isl12022.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/rtc/rtc-isl12022.c b/drivers/rtc/rtc-isl12022.c
index 9b44839a7402c..5fc52dc642130 100644
--- a/drivers/rtc/rtc-isl12022.c
+++ b/drivers/rtc/rtc-isl12022.c
@@ -413,6 +413,7 @@ static int isl12022_setup_irq(struct device *dev, int irq)
if (ret)
return ret;
+ isl12022->irq_enabled = true;
ret = devm_request_threaded_irq(dev, irq, NULL,
isl12022_rtc_interrupt,
IRQF_SHARED | IRQF_ONESHOT,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 126/371] cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 125/371] rtc: isl12022: Fix initial enable_irq/disable_irq balance Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 127/371] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
` (257 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Steve French,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit 057ac50638bcece64b3b436d3a61b70ed6c01a34 ]
EA $LXMOD is required for WSL non-symlink reparse points.
Fixes: ef86ab131d91 ("cifs: Fix querying of WSL CHR and BLK reparse points over SMB1")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb1ops.c | 62 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smb1ops.c b/fs/smb/client/smb1ops.c
index a02d41d1ce4a3..3fdbb71036cff 100644
--- a/fs/smb/client/smb1ops.c
+++ b/fs/smb/client/smb1ops.c
@@ -651,14 +651,72 @@ static int cifs_query_path_info(const unsigned int xid,
}
#ifdef CONFIG_CIFS_XATTR
+ /*
+ * For non-symlink WSL reparse points it is required to fetch
+ * EA $LXMOD which contains in its S_DT part the mandatory file type.
+ */
+ if (!rc && data->reparse_point) {
+ struct smb2_file_full_ea_info *ea;
+ u32 next = 0;
+
+ ea = (struct smb2_file_full_ea_info *)data->wsl.eas;
+ do {
+ ea = (void *)((u8 *)ea + next);
+ next = le32_to_cpu(ea->next_entry_offset);
+ } while (next);
+ if (le16_to_cpu(ea->ea_value_length)) {
+ ea->next_entry_offset = cpu_to_le32(ALIGN(sizeof(*ea) +
+ ea->ea_name_length + 1 +
+ le16_to_cpu(ea->ea_value_length), 4));
+ ea = (void *)((u8 *)ea + le32_to_cpu(ea->next_entry_offset));
+ }
+
+ rc = CIFSSMBQAllEAs(xid, tcon, full_path, SMB2_WSL_XATTR_MODE,
+ &ea->ea_data[SMB2_WSL_XATTR_NAME_LEN + 1],
+ SMB2_WSL_XATTR_MODE_SIZE, cifs_sb);
+ if (rc == SMB2_WSL_XATTR_MODE_SIZE) {
+ ea->next_entry_offset = cpu_to_le32(0);
+ ea->flags = 0;
+ ea->ea_name_length = SMB2_WSL_XATTR_NAME_LEN;
+ ea->ea_value_length = cpu_to_le16(SMB2_WSL_XATTR_MODE_SIZE);
+ memcpy(&ea->ea_data[0], SMB2_WSL_XATTR_MODE, SMB2_WSL_XATTR_NAME_LEN + 1);
+ data->wsl.eas_len += ALIGN(sizeof(*ea) + SMB2_WSL_XATTR_NAME_LEN + 1 +
+ SMB2_WSL_XATTR_MODE_SIZE, 4);
+ rc = 0;
+ } else if (rc >= 0) {
+ /* It is an error if EA $LXMOD has wrong size. */
+ rc = -EINVAL;
+ } else {
+ /*
+ * In all other cases ignore error if fetching
+ * of EA $LXMOD failed. It is needed only for
+ * non-symlink WSL reparse points and wsl_to_fattr()
+ * handle the case when EA is missing.
+ */
+ rc = 0;
+ }
+ }
+
/*
* For WSL CHR and BLK reparse points it is required to fetch
* EA $LXDEV which contains major and minor device numbers.
*/
if (!rc && data->reparse_point) {
struct smb2_file_full_ea_info *ea;
+ u32 next = 0;
ea = (struct smb2_file_full_ea_info *)data->wsl.eas;
+ do {
+ ea = (void *)((u8 *)ea + next);
+ next = le32_to_cpu(ea->next_entry_offset);
+ } while (next);
+ if (le16_to_cpu(ea->ea_value_length)) {
+ ea->next_entry_offset = cpu_to_le32(ALIGN(sizeof(*ea) +
+ ea->ea_name_length + 1 +
+ le16_to_cpu(ea->ea_value_length), 4));
+ ea = (void *)((u8 *)ea + le32_to_cpu(ea->next_entry_offset));
+ }
+
rc = CIFSSMBQAllEAs(xid, tcon, full_path, SMB2_WSL_XATTR_DEV,
&ea->ea_data[SMB2_WSL_XATTR_NAME_LEN + 1],
SMB2_WSL_XATTR_DEV_SIZE, cifs_sb);
@@ -668,8 +726,8 @@ static int cifs_query_path_info(const unsigned int xid,
ea->ea_name_length = SMB2_WSL_XATTR_NAME_LEN;
ea->ea_value_length = cpu_to_le16(SMB2_WSL_XATTR_DEV_SIZE);
memcpy(&ea->ea_data[0], SMB2_WSL_XATTR_DEV, SMB2_WSL_XATTR_NAME_LEN + 1);
- data->wsl.eas_len = sizeof(*ea) + SMB2_WSL_XATTR_NAME_LEN + 1 +
- SMB2_WSL_XATTR_DEV_SIZE;
+ data->wsl.eas_len += ALIGN(sizeof(*ea) + SMB2_WSL_XATTR_NAME_LEN + 1 +
+ SMB2_WSL_XATTR_MODE_SIZE, 4);
rc = 0;
} else if (rc >= 0) {
/* It is an error if EA $LXDEV has wrong size. */
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 127/371] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 126/371] cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 128/371] gpio: wcd934x: mark the GPIO controller as sleeping Greg Kroah-Hartman
` (256 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gunnar Kudrjavets, Justinien Bouron,
Jarkko Sakkinen, Paul Menzel, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gunnar Kudrjavets <gunnarku@amazon.com>
[ Upstream commit 8a81236f2cb0882c7ea6c621ce357f7f3f601fe5 ]
The tpm_tis_write8() call specifies arguments in wrong order. Should be
(data, addr, value) not (data, value, addr). The initial correct order
was changed during the major refactoring when the code was split.
Fixes: 41a5e1cf1fe1 ("tpm/tpm_tis: Split tpm_tis driver into a core and TCG TIS compliant phy")
Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
Reviewed-by: Justinien Bouron <jbouron@amazon.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_tis_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index 4b12c4b9da8be..8954a8660ffc5 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -978,8 +978,8 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask,
* will call disable_irq which undoes all of the above.
*/
if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) {
- tpm_tis_write8(priv, original_int_vec,
- TPM_INT_VECTOR(priv->locality));
+ tpm_tis_write8(priv, TPM_INT_VECTOR(priv->locality),
+ original_int_vec);
rc = -1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 128/371] gpio: wcd934x: mark the GPIO controller as sleeping
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 127/371] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 129/371] bpf: Avoid RCU context warning when unpinning htab with internal structs Greg Kroah-Hartman
` (255 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit b5f8aa8d4bde0cf3e4595af5a536da337e5f1c78 ]
The slimbus regmap passed to the GPIO driver down from MFD does not use
fast_io. This means a mutex is used for locking and thus this GPIO chip
must not be used in atomic context. Change the can_sleep switch in
struct gpio_chip to true.
Fixes: 59c324683400 ("gpio: wcd934x: Add support to wcd934x gpio controller")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-wcd934x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c
index 4af504c23e6ff..572b85e773700 100644
--- a/drivers/gpio/gpio-wcd934x.c
+++ b/drivers/gpio/gpio-wcd934x.c
@@ -103,7 +103,7 @@ static int wcd_gpio_probe(struct platform_device *pdev)
chip->base = -1;
chip->ngpio = WCD934X_NPINS;
chip->label = dev_name(dev);
- chip->can_sleep = false;
+ chip->can_sleep = true;
return devm_gpiochip_add_data(dev, chip, data);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 129/371] bpf: Avoid RCU context warning when unpinning htab with internal structs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 128/371] gpio: wcd934x: mark the GPIO controller as sleeping Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 130/371] kbuild: always create intermediate vmlinux.unstripped Greg Kroah-Hartman
` (254 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Le Chen, Alexei Starovoitov,
KaFai Wan, Yonghong Song, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: KaFai Wan <kafai.wan@linux.dev>
[ Upstream commit 4f375ade6aa9f37fd72d7a78682f639772089eed ]
When unpinning a BPF hash table (htab or htab_lru) that contains internal
structures (timer, workqueue, or task_work) in its values, a BUG warning
is triggered:
BUG: sleeping function called from invalid context at kernel/bpf/hashtab.c:244
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 14, name: ksoftirqd/0
...
The issue arises from the interaction between BPF object unpinning and
RCU callback mechanisms:
1. BPF object unpinning uses ->free_inode() which schedules cleanup via
call_rcu(), deferring the actual freeing to an RCU callback that
executes within the RCU_SOFTIRQ context.
2. During cleanup of hash tables containing internal structures,
htab_map_free_internal_structs() is invoked, which includes
cond_resched() or cond_resched_rcu() calls to yield the CPU during
potentially long operations.
However, cond_resched() or cond_resched_rcu() cannot be safely called from
atomic RCU softirq context, leading to the BUG warning when attempting
to reschedule.
Fix this by changing from ->free_inode() to ->destroy_inode() and rename
bpf_free_inode() to bpf_destroy_inode() for BPF objects (prog, map, link).
This allows direct inode freeing without RCU callback scheduling,
avoiding the invalid context warning.
Reported-by: Le Chen <tom2cat@sjtu.edu.cn>
Closes: https://lore.kernel.org/all/1444123482.1827743.1750996347470.JavaMail.zimbra@sjtu.edu.cn/
Fixes: 68134668c17f ("bpf: Add map side support for bpf timers.")
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20251008102628.808045-2-kafai.wan@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index 5c2e96b19392a..1a31c87234877 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -775,7 +775,7 @@ static int bpf_show_options(struct seq_file *m, struct dentry *root)
return 0;
}
-static void bpf_free_inode(struct inode *inode)
+static void bpf_destroy_inode(struct inode *inode)
{
enum bpf_type type;
@@ -790,7 +790,7 @@ const struct super_operations bpf_super_ops = {
.statfs = simple_statfs,
.drop_inode = generic_delete_inode,
.show_options = bpf_show_options,
- .free_inode = bpf_free_inode,
+ .destroy_inode = bpf_destroy_inode,
};
enum {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 130/371] kbuild: always create intermediate vmlinux.unstripped
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 129/371] bpf: Avoid RCU context warning when unpinning htab with internal structs Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 131/371] kbuild: keep .modinfo section in vmlinux.unstripped Greg Kroah-Hartman
` (253 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Nicolas Schier,
Nathan Chancellor, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 0ce5139fd96e9d415d3faaef1c575e238f9bbd67 ]
Generate the intermediate vmlinux.unstripped regardless of
CONFIG_ARCH_VMLINUX_NEEDS_RELOCS.
If CONFIG_ARCH_VMLINUX_NEEDS_RELOCS is unset, vmlinux.unstripped and
vmlinux are identiacal.
This simplifies the build rule, and allows to strip more sections
by adding them to remove-section-y.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/a48ca543fa2305bd17324f41606dcaed9b19f2d4.1758182101.git.legion@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Stable-dep-of: 8ec3af916fe3 ("kbuild: Add '.rel.*' strip pattern for vmlinux")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/Makefile.vmlinux | 45 ++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index b64862dc6f08d..4f2d4c3fb7372 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -9,20 +9,6 @@ include $(srctree)/scripts/Makefile.lib
targets :=
-ifdef CONFIG_ARCH_VMLINUX_NEEDS_RELOCS
-vmlinux-final := vmlinux.unstripped
-
-quiet_cmd_strip_relocs = RSTRIP $@
- cmd_strip_relocs = $(OBJCOPY) --remove-section='.rel*' --remove-section=!'.rel*.dyn' $< $@
-
-vmlinux: $(vmlinux-final) FORCE
- $(call if_changed,strip_relocs)
-
-targets += vmlinux
-else
-vmlinux-final := vmlinux
-endif
-
%.o: %.c FORCE
$(call if_changed_rule,cc_o_c)
@@ -61,19 +47,19 @@ targets += .builtin-dtbs-list
ifdef CONFIG_GENERIC_BUILTIN_DTB
targets += .builtin-dtbs.S .builtin-dtbs.o
-$(vmlinux-final): .builtin-dtbs.o
+vmlinux.unstripped: .builtin-dtbs.o
endif
-# vmlinux
+# vmlinux.unstripped
# ---------------------------------------------------------------------------
ifdef CONFIG_MODULES
targets += .vmlinux.export.o
-$(vmlinux-final): .vmlinux.export.o
+vmlinux.unstripped: .vmlinux.export.o
endif
ifdef CONFIG_ARCH_WANTS_PRE_LINK_VMLINUX
-$(vmlinux-final): arch/$(SRCARCH)/tools/vmlinux.arch.o
+vmlinux.unstripped: arch/$(SRCARCH)/tools/vmlinux.arch.o
arch/$(SRCARCH)/tools/vmlinux.arch.o: vmlinux.o FORCE
$(Q)$(MAKE) $(build)=arch/$(SRCARCH)/tools $@
@@ -86,17 +72,30 @@ cmd_link_vmlinux = \
$< "$(LD)" "$(KBUILD_LDFLAGS)" "$(LDFLAGS_vmlinux)" "$@"; \
$(if $(ARCH_POSTLINK), $(MAKE) -f $(ARCH_POSTLINK) $@, true)
-targets += $(vmlinux-final)
-$(vmlinux-final): scripts/link-vmlinux.sh vmlinux.o $(KBUILD_LDS) FORCE
+targets += vmlinux.unstripped
+vmlinux.unstripped: scripts/link-vmlinux.sh vmlinux.o $(KBUILD_LDS) FORCE
+$(call if_changed_dep,link_vmlinux)
ifdef CONFIG_DEBUG_INFO_BTF
-$(vmlinux-final): $(RESOLVE_BTFIDS)
+vmlinux.unstripped: $(RESOLVE_BTFIDS)
endif
ifdef CONFIG_BUILDTIME_TABLE_SORT
-$(vmlinux-final): scripts/sorttable
+vmlinux.unstripped: scripts/sorttable
endif
+# vmlinux
+# ---------------------------------------------------------------------------
+
+remove-section-y :=
+remove-section-$(CONFIG_ARCH_VMLINUX_NEEDS_RELOCS) += '.rel*'
+
+quiet_cmd_strip_relocs = OBJCOPY $@
+ cmd_strip_relocs = $(OBJCOPY) $(addprefix --remove-section=,$(remove-section-y)) $< $@
+
+targets += vmlinux
+vmlinux: vmlinux.unstripped FORCE
+ $(call if_changed,strip_relocs)
+
# modules.builtin.ranges
# ---------------------------------------------------------------------------
ifdef CONFIG_BUILTIN_MODULE_RANGES
@@ -110,7 +109,7 @@ modules.builtin.ranges: $(srctree)/scripts/generate_builtin_ranges.awk \
modules.builtin vmlinux.map vmlinux.o.map FORCE
$(call if_changed,modules_builtin_ranges)
-vmlinux.map: $(vmlinux-final)
+vmlinux.map: vmlinux.unstripped
@:
endif
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 131/371] kbuild: keep .modinfo section in vmlinux.unstripped
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 130/371] kbuild: always create intermediate vmlinux.unstripped Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 132/371] kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux Greg Kroah-Hartman
` (252 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Alexey Gladkov,
Nicolas Schier, Nathan Chancellor, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 3e86e4d74c0490e5fc5a7f8de8f29e7579c9ffe5 ]
Keep the .modinfo section during linking, but strip it from the final
vmlinux.
Adjust scripts/mksysmap to exclude modinfo symbols from kallsyms.
This change will allow the next commit to extract the .modinfo section
from the vmlinux.unstripped intermediate.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Alexey Gladkov <legion@kernel.org>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/aaf67c07447215463300fccaa758904bac42f992.1758182101.git.legion@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Stable-dep-of: 8ec3af916fe3 ("kbuild: Add '.rel.*' strip pattern for vmlinux")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/asm-generic/vmlinux.lds.h | 2 +-
scripts/Makefile.vmlinux | 7 +++++--
scripts/mksysmap | 3 +++
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 8efbe8c4874ee..d61a02fce7274 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -832,6 +832,7 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELLER_CLANG)
/* Required sections not related to debugging. */
#define ELF_DETAILS \
+ .modinfo : { *(.modinfo) } \
.comment 0 : { *(.comment) } \
.symtab 0 : { *(.symtab) } \
.strtab 0 : { *(.strtab) } \
@@ -1045,7 +1046,6 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELLER_CLANG)
*(.discard.*) \
*(.export_symbol) \
*(.no_trim_symbol) \
- *(.modinfo) \
/* ld.bfd warns about .gnu.version* even when not emitted */ \
*(.gnu.version*) \
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index 4f2d4c3fb7372..70856dab0f541 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -86,11 +86,14 @@ endif
# vmlinux
# ---------------------------------------------------------------------------
-remove-section-y :=
+remove-section-y := .modinfo
remove-section-$(CONFIG_ARCH_VMLINUX_NEEDS_RELOCS) += '.rel*'
+# To avoid warnings: "empty loadable segment detected at ..." from GNU objcopy,
+# it is necessary to remove the PT_LOAD flag from the segment.
quiet_cmd_strip_relocs = OBJCOPY $@
- cmd_strip_relocs = $(OBJCOPY) $(addprefix --remove-section=,$(remove-section-y)) $< $@
+ cmd_strip_relocs = $(OBJCOPY) $(patsubst %,--set-section-flags %=noload,$(remove-section-y)) $< $@; \
+ $(OBJCOPY) $(addprefix --remove-section=,$(remove-section-y)) $@
targets += vmlinux
vmlinux: vmlinux.unstripped FORCE
diff --git a/scripts/mksysmap b/scripts/mksysmap
index 3accbdb269ac7..a607a0059d119 100755
--- a/scripts/mksysmap
+++ b/scripts/mksysmap
@@ -79,6 +79,9 @@
/ _SDA_BASE_$/d
/ _SDA2_BASE_$/d
+# MODULE_INFO()
+/ __UNIQUE_ID_modinfo[0-9]*$/d
+
# ---------------------------------------------------------------------------
# Ignored patterns
# (symbols that contain the pattern are ignored)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 132/371] kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 131/371] kbuild: keep .modinfo section in vmlinux.unstripped Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 133/371] kbuild: Add .rel.* strip pattern for vmlinux Greg Kroah-Hartman
` (251 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Alexey Gladkov,
Nicolas Schier, Nathan Chancellor, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 4b47a3aefb29c523ca66f0d28de8db15a10f9352 ]
Commit 0ce5139fd96e ("kbuild: always create intermediate
vmlinux.unstripped") removed the pattern to avoid stripping .rela.dyn
sections added by commit e9d86b8e17e7 ("scripts: Do not strip .rela.dyn
section"). Restore it so that .rela.dyn sections remain in the final
vmlinux.
Fixes: 0ce5139fd96e ("kbuild: always create intermediate vmlinux.unstripped")
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Alexey Gladkov <legion@kernel.org>
Acked-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-1-9fc776c5887c@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Stable-dep-of: 8ec3af916fe3 ("kbuild: Add '.rel.*' strip pattern for vmlinux")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/Makefile.vmlinux | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index 70856dab0f541..7c6f0e882eabb 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -87,7 +87,7 @@ endif
# ---------------------------------------------------------------------------
remove-section-y := .modinfo
-remove-section-$(CONFIG_ARCH_VMLINUX_NEEDS_RELOCS) += '.rel*'
+remove-section-$(CONFIG_ARCH_VMLINUX_NEEDS_RELOCS) += '.rel*' '!.rel*.dyn'
# To avoid warnings: "empty loadable segment detected at ..." from GNU objcopy,
# it is necessary to remove the PT_LOAD flag from the segment.
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 133/371] kbuild: Add .rel.* strip pattern for vmlinux
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 132/371] kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 134/371] s390: vmlinux.lds.S: Reorder sections Greg Kroah-Hartman
` (250 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linux Kernel Functional Testing,
Ard Biesheuvel, Alexey Gladkov, Nicolas Schier, Nathan Chancellor,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 8ec3af916fe3954381cf3555ea03dc5adf4d0e8e ]
Prior to binutils commit c12d9fa2afe ("Support objcopy
--remove-section=.relaFOO") [1] in 2.32, stripping relocation sections
required the trailing period (i.e., '.rel.*') to work properly.
After commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
vmlinux.unstripped"), there is an error with binutils 2.31.1 or earlier
because these sections are not properly removed:
s390-linux-objcopy: st6tO8Ev: symbol `.modinfo' required but not present
s390-linux-objcopy:st6tO8Ev: no symbols
Add the old pattern to resolve this issue (along with a comment to allow
cleaning this when binutils 2.32 or newer is the minimum supported
version). While the aforementioned kbuild change exposes this, the
pattern was originally changed by commit 71d815bf5dfd ("kbuild: Strip
runtime const RELA sections correctly"), where it would still be
incorrect with binutils older than 2.32.
Fixes: 71d815bf5dfd ("kbuild: Strip runtime const RELA sections correctly")
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c12d9fa2afe7abcbe407a00e15719e1a1350c2a7 [1]
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/CA+G9fYvVktRhFtZXdNgVOL8j+ArsJDpvMLgCitaQvQmCx=hwOQ@mail.gmail.com/
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Alexey Gladkov <legion@kernel.org>
Acked-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-2-9fc776c5887c@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/Makefile.vmlinux | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index 7c6f0e882eabb..ffc7b49e54f70 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -88,6 +88,9 @@ endif
remove-section-y := .modinfo
remove-section-$(CONFIG_ARCH_VMLINUX_NEEDS_RELOCS) += '.rel*' '!.rel*.dyn'
+# for compatibility with binutils < 2.32
+# https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c12d9fa2afe7abcbe407a00e15719e1a1350c2a7
+remove-section-$(CONFIG_ARCH_VMLINUX_NEEDS_RELOCS) += '.rel.*'
# To avoid warnings: "empty loadable segment detected at ..." from GNU objcopy,
# it is necessary to remove the PT_LOAD flag from the segment.
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 134/371] s390: vmlinux.lds.S: Reorder sections
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 133/371] kbuild: Add .rel.* strip pattern for vmlinux Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 135/371] s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections Greg Kroah-Hartman
` (249 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik,
Alexander Gordeev, linux-s390, kernel test robot, Alexey Gladkov,
Nathan Chancellor, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Gladkov <legion@kernel.org>
[ Upstream commit 8d18ef04f940a8d336fe7915b5ea419c3eb0c0a6 ]
In the upcoming changes, the ELF_DETAILS macro will be extended with
the ".modinfo" section, which will cause an error:
>> s390x-linux-ld: .tmp_vmlinux1: warning: allocated section `.modinfo' not in segment
>> s390x-linux-ld: .tmp_vmlinux2: warning: allocated section `.modinfo' not in segment
>> s390x-linux-ld: vmlinux.unstripped: warning: allocated section `.modinfo' not in segment
This happens because the .vmlinux.info use :NONE to override the default
segment and tell the linker to not put the section in any segment at all.
To avoid this, we need to change the sections order that will be placed
in the default segment.
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: linux-s390@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506062053.zbkFBEnJ-lkp@intel.com/
Signed-off-by: Alexey Gladkov <legion@kernel.org>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://patch.msgid.link/20d40a7a3a053ba06a54155e777dcde7fdada1db.1758182101.git.legion@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Stable-dep-of: 9338d660b79a ("s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/vmlinux.lds.S | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 1c606dfa595d8..feecf1a6ddb44 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -209,6 +209,11 @@ SECTIONS
. = ALIGN(PAGE_SIZE);
_end = . ;
+ /* Debugging sections. */
+ STABS_DEBUG
+ DWARF_DEBUG
+ ELF_DETAILS
+
/*
* uncompressed image info used by the decompressor
* it should match struct vmlinux_info
@@ -239,11 +244,6 @@ SECTIONS
#endif
} :NONE
- /* Debugging sections. */
- STABS_DEBUG
- DWARF_DEBUG
- ELF_DETAILS
-
/*
* Make sure that the .got.plt is either completely empty or it
* contains only the three reserved double words.
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 135/371] s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 134/371] s390: vmlinux.lds.S: Reorder sections Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 136/371] ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name Greg Kroah-Hartman
` (248 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Gordeev, Alexey Gladkov,
Nicolas Schier, Nathan Chancellor, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 9338d660b79a0dfe4eb3fe9bd748054cded87d4f ]
When building s390 defconfig with binutils older than 2.32, there are
several warnings during the final linking stage:
s390-linux-ld: .tmp_vmlinux1: warning: allocated section `.got.plt' not in segment
s390-linux-ld: .tmp_vmlinux2: warning: allocated section `.got.plt' not in segment
s390-linux-ld: vmlinux.unstripped: warning: allocated section `.got.plt' not in segment
s390-linux-objcopy: vmlinux: warning: allocated section `.got.plt' not in segment
s390-linux-objcopy: st7afZyb: warning: allocated section `.got.plt' not in segment
binutils commit afca762f598 ("S/390: Improve partial relro support for
64 bit") [1] in 2.32 changed where .got.plt is emitted, avoiding the
warning.
The :NONE in the .vmlinux.info output section description changes the
segment for subsequent allocated sections. Move .vmlinux.info right
above the discards section to place all other sections in the previously
defined segment, .data.
Fixes: 30226853d6ec ("s390: vmlinux.lds.S: explicitly handle '.got' and '.plt' sections")
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=afca762f598d453c563f244cd3777715b1a0cb72 [1]
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
Acked-by: Alexey Gladkov <legion@kernel.org>
Acked-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-3-9fc776c5887c@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/vmlinux.lds.S | 44 +++++++++++++++++-----------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index feecf1a6ddb44..d74d4c52ccd05 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -214,6 +214,28 @@ SECTIONS
DWARF_DEBUG
ELF_DETAILS
+ /*
+ * Make sure that the .got.plt is either completely empty or it
+ * contains only the three reserved double words.
+ */
+ .got.plt : {
+ *(.got.plt)
+ }
+ ASSERT(SIZEOF(.got.plt) == 0 || SIZEOF(.got.plt) == 0x18, "Unexpected GOT/PLT entries detected!")
+
+ /*
+ * Sections that should stay zero sized, which is safer to
+ * explicitly check instead of blindly discarding.
+ */
+ .plt : {
+ *(.plt) *(.plt.*) *(.iplt) *(.igot .igot.plt)
+ }
+ ASSERT(SIZEOF(.plt) == 0, "Unexpected run-time procedure linkages detected!")
+ .rela.dyn : {
+ *(.rela.*) *(.rela_*)
+ }
+ ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
+
/*
* uncompressed image info used by the decompressor
* it should match struct vmlinux_info
@@ -244,28 +266,6 @@ SECTIONS
#endif
} :NONE
- /*
- * Make sure that the .got.plt is either completely empty or it
- * contains only the three reserved double words.
- */
- .got.plt : {
- *(.got.plt)
- }
- ASSERT(SIZEOF(.got.plt) == 0 || SIZEOF(.got.plt) == 0x18, "Unexpected GOT/PLT entries detected!")
-
- /*
- * Sections that should stay zero sized, which is safer to
- * explicitly check instead of blindly discarding.
- */
- .plt : {
- *(.plt) *(.plt.*) *(.iplt) *(.igot .igot.plt)
- }
- ASSERT(SIZEOF(.plt) == 0, "Unexpected run-time procedure linkages detected!")
- .rela.dyn : {
- *(.rela.*) *(.rela_*)
- }
- ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
-
/* Sections to be discarded */
DISCARDS
/DISCARD/ : {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 136/371] ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 135/371] s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 137/371] ACPI: property: Fix buffer properties extraction for subnodes Greg Kroah-Hartman
` (247 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Collin Funk, Ahmed Salem,
Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed Salem <x0rw3ll@gmail.com>
commit 16ae95800b1cc46c0d69d8d90c9c7be488421a40 upstream.
Partially revert commit 70662db73d54 ("ACPICA: Apply ACPI_NONSTRING in
more places") as I've yet again incorrectly applied the ACPI_NONSTRING
attribute where it is not needed.
A warning was initially reported by Collin Funk [1], and further review
by Jiri Slaby [2] highlighted another issue related to the same commit.
Drop the ACPI_NONSTRING attribute to fix the issue.
Fixes: 70662db73d54 ("ACPICA: Apply ACPI_NONSTRING in more places")
Link: https://lore.kernel.org/all/87ecvpcypw.fsf@gmail.com [1]
Link: https://lore.kernel.org/all/5c210121-c9b8-4458-b1ad-0da24732ac72@kernel.org [2]
Link: https://github.com/acpica/acpica/commit/a6ee09ca
Reported-by: Collin Funk <collin.funk1@gmail.com>
Signed-off-by: Ahmed Salem <x0rw3ll@gmail.com>
Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/power/acpi/tools/acpidump/apfiles.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/power/acpi/tools/acpidump/apfiles.c
+++ b/tools/power/acpi/tools/acpidump/apfiles.c
@@ -103,7 +103,7 @@ int ap_open_output_file(char *pathname)
int ap_write_to_binary_file(struct acpi_table_header *table, u32 instance)
{
- char filename[ACPI_NAMESEG_SIZE + 16] ACPI_NONSTRING;
+ char filename[ACPI_NAMESEG_SIZE + 16];
char instance_str[16];
ACPI_FILE file;
acpi_size actual;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 137/371] ACPI: property: Fix buffer properties extraction for subnodes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 136/371] ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 138/371] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
` (246 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sakari Ailus
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit d0759b10989c5c5aae3d455458c9fc4e8cc694f7 upstream.
The ACPI handle passed to acpi_extract_properties() as the first
argument represents the ACPI namespace scope in which to look for
objects returning buffers associated with buffer properties.
For _DSD objects located immediately under ACPI devices, this handle is
the same as the handle of the device object holding the _DSD, but for
data-only subnodes it is not so.
First of all, data-only subnodes are represented by objects that
cannot hold other objects in their scopes (like control methods).
Therefore a data-only subnode handle cannot be used for completing
relative pathname segments, so the current code in
in acpi_nondev_subnode_extract() passing a data-only subnode handle
to acpi_extract_properties() is invalid.
Moreover, a data-only subnode of device A may be represented by an
object located in the scope of device B (which kind of makes sense,
for instance, if A is a B's child). In that case, the scope in
question would be the one of device B. In other words, the scope
mentioned above is the same as the scope used for subnode object
lookup in acpi_nondev_subnode_extract().
Accordingly, rearrange that function to use the same scope for the
extraction of properties and subnode object lookup.
Fixes: 103e10c69c61 ("ACPI: property: Add support for parsing buffer property UUID")
Cc: 6.0+ <stable@vger.kernel.org> # 6.0+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/property.c | 30 +++++++++++-------------------
1 file changed, 11 insertions(+), 19 deletions(-)
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -83,6 +83,7 @@ static bool acpi_nondev_subnode_extract(
struct fwnode_handle *parent)
{
struct acpi_data_node *dn;
+ acpi_handle scope = NULL;
bool result;
if (acpi_graph_ignore_port(handle))
@@ -98,27 +99,18 @@ static bool acpi_nondev_subnode_extract(
INIT_LIST_HEAD(&dn->data.properties);
INIT_LIST_HEAD(&dn->data.subnodes);
- result = acpi_extract_properties(handle, desc, &dn->data);
+ /*
+ * The scope for the completion of relative pathname segments and
+ * subnode object lookup is the one of the namespace node (device)
+ * containing the object that has returned the package. That is, it's
+ * the scope of that object's parent device.
+ */
+ if (handle)
+ acpi_get_parent(handle, &scope);
- if (handle) {
- acpi_handle scope;
- acpi_status status;
-
- /*
- * The scope for the subnode object lookup is the one of the
- * namespace node (device) containing the object that has
- * returned the package. That is, it's the scope of that
- * object's parent.
- */
- status = acpi_get_parent(handle, &scope);
- if (ACPI_SUCCESS(status)
- && acpi_enumerate_nondev_subnodes(scope, desc, &dn->data,
- &dn->fwnode))
- result = true;
- } else if (acpi_enumerate_nondev_subnodes(NULL, desc, &dn->data,
- &dn->fwnode)) {
+ result = acpi_extract_properties(scope, desc, &dn->data);
+ if (acpi_enumerate_nondev_subnodes(scope, desc, &dn->data, &dn->fwnode))
result = true;
- }
if (result) {
dn->handle = handle;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 138/371] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 137/371] ACPI: property: Fix buffer properties extraction for subnodes Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 139/371] ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg Greg Kroah-Hartman
` (245 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Tang, Mika Westerberg,
Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Tang <danielzgtg.opensource@gmail.com>
commit 4aac453deca0d9c61df18d968f8864c3ae7d3d8d upstream.
Previously, after `rmmod acpi_tad`, `modprobe acpi_tad` would fail
with this dmesg:
sysfs: cannot create duplicate filename '/devices/platform/ACPI000E:00/time'
Call Trace:
<TASK>
dump_stack_lvl+0x6c/0x90
dump_stack+0x10/0x20
sysfs_warn_dup+0x8b/0xa0
sysfs_add_file_mode_ns+0x122/0x130
internal_create_group+0x1dd/0x4c0
sysfs_create_group+0x13/0x20
acpi_tad_probe+0x147/0x1f0 [acpi_tad]
platform_probe+0x42/0xb0
</TASK>
acpi-tad ACPI000E:00: probe with driver acpi-tad failed with error -17
Fixes: 3230b2b3c1ab ("ACPI: TAD: Add low-level support for real time capability")
Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://patch.msgid.link/2881298.hMirdbgypa@daniel-desktop3
Cc: 5.2+ <stable@vger.kernel.org> # 5.2+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpi_tad.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/acpi/acpi_tad.c
+++ b/drivers/acpi/acpi_tad.c
@@ -565,6 +565,9 @@ static void acpi_tad_remove(struct platf
pm_runtime_get_sync(dev);
+ if (dd->capabilities & ACPI_TAD_RT)
+ sysfs_remove_group(&dev->kobj, &acpi_tad_time_attr_group);
+
if (dd->capabilities & ACPI_TAD_DC_WAKE)
sysfs_remove_group(&dev->kobj, &acpi_tad_dc_attr_group);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 139/371] ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 138/371] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 140/371] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
` (244 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby, Ahmed Salem,
Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed Salem <x0rw3ll@gmail.com>
commit 22c65572eff14a6e9546a9dbaa333619eb5505ab upstream.
ACPICA commit 4623b3369f3aa1ec5229d461e91c514510a96912
Partially revert commit 70662db73d54 ("ACPICA: Apply ACPI_NONSTRING in
more places") as I've yet again incorrectly applied the ACPI_NONSTRING
attribute where it is not needed.
A warning was initially reported by Collin Funk [1], and further review
by Jiri Slaby [2] highlighted another issue related to the same commit.
Drop the ACPI_NONSTRING attribute to fix the issue.
Fixes: 70662db73d54 ("ACPICA: Apply ACPI_NONSTRING in more places")
Link: https://lore.kernel.org/all/87ecvpcypw.fsf@gmail.com [1]
Link: https://lore.kernel.org/all/5c210121-c9b8-4458-b1ad-0da24732ac72@kernel.org [2]
Link: https://github.com/acpica/acpica/commit/4623b336
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Ahmed Salem <x0rw3ll@gmail.com>
Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpica/acdebug.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/acpi/acpica/acdebug.h
+++ b/drivers/acpi/acpica/acdebug.h
@@ -37,7 +37,7 @@ struct acpi_db_argument_info {
struct acpi_db_execute_walk {
u32 count;
u32 max_count;
- char name_seg[ACPI_NAMESEG_SIZE + 1] ACPI_NONSTRING;
+ char name_seg[ACPI_NAMESEG_SIZE + 1];
};
#define PARAM_LIST(pl) pl
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 140/371] ACPI: debug: fix signedness issues in read/write helpers
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 139/371] ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 141/371] ACPI: battery: Add synchronization between interface updates Greg Kroah-Hartman
` (243 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amir Mohammad Jahangirzad,
Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
commit 496f9372eae14775e0524e83e952814691fe850a upstream.
In the ACPI debugger interface, the helper functions for read and write
operations use "int" as the length parameter data type. When a large
"size_t count" is passed from the file operations, this cast to "int"
results in truncation and a negative value due to signed integer
representation.
Logically, this negative number propagates to the min() calculation,
where it is selected over the positive buffer space value, leading to
unexpected behavior. Subsequently, when this negative value is used in
copy_to_user() or copy_from_user(), it is interpreted as a large positive
value due to the unsigned nature of the size parameter in these functions,
causing the copy operations to attempt handling sizes far beyond the
intended buffer limits.
Address the issue by:
- Changing the length parameters in acpi_aml_read_user() and
acpi_aml_write_user() from "int" to "size_t", aligning with the
expected unsigned size semantics.
- Updating return types and local variables in acpi_aml_read() and
acpi_aml_write() to "ssize_t" for consistency with kernel file
operation conventions.
- Using "size_t" for the "n" variable to ensure calculations remain
unsigned.
- Using min_t() for circ_count_to_end() and circ_space_to_end() to
ensure type-safe comparisons and prevent integer overflow.
Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Link: https://patch.msgid.link/20250923013113.20615-1-a.jahangirzad@gmail.com
[ rjw: Changelog tweaks, local variable definitions ordering adjustments ]
Fixes: 8cfb0cdf07e2 ("ACPI / debugger: Add IO interface to access debugger functionalities")
Cc: 4.5+ <stable@vger.kernel.org> # 4.5+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpi_dbg.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
--- a/drivers/acpi/acpi_dbg.c
+++ b/drivers/acpi/acpi_dbg.c
@@ -569,11 +569,11 @@ static int acpi_aml_release(struct inode
return 0;
}
-static int acpi_aml_read_user(char __user *buf, int len)
+static ssize_t acpi_aml_read_user(char __user *buf, size_t len)
{
- int ret;
struct circ_buf *crc = &acpi_aml_io.out_crc;
- int n;
+ ssize_t ret;
+ size_t n;
char *p;
ret = acpi_aml_lock_read(crc, ACPI_AML_OUT_USER);
@@ -582,7 +582,7 @@ static int acpi_aml_read_user(char __use
/* sync head before removing logs */
smp_rmb();
p = &crc->buf[crc->tail];
- n = min(len, circ_count_to_end(crc));
+ n = min_t(size_t, len, circ_count_to_end(crc));
if (copy_to_user(buf, p, n)) {
ret = -EFAULT;
goto out;
@@ -599,8 +599,8 @@ out:
static ssize_t acpi_aml_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
- int ret = 0;
- int size = 0;
+ ssize_t ret = 0;
+ ssize_t size = 0;
if (!count)
return 0;
@@ -639,11 +639,11 @@ again:
return size > 0 ? size : ret;
}
-static int acpi_aml_write_user(const char __user *buf, int len)
+static ssize_t acpi_aml_write_user(const char __user *buf, size_t len)
{
- int ret;
struct circ_buf *crc = &acpi_aml_io.in_crc;
- int n;
+ ssize_t ret;
+ size_t n;
char *p;
ret = acpi_aml_lock_write(crc, ACPI_AML_IN_USER);
@@ -652,7 +652,7 @@ static int acpi_aml_write_user(const cha
/* sync tail before inserting cmds */
smp_mb();
p = &crc->buf[crc->head];
- n = min(len, circ_space_to_end(crc));
+ n = min_t(size_t, len, circ_space_to_end(crc));
if (copy_from_user(p, buf, n)) {
ret = -EFAULT;
goto out;
@@ -663,14 +663,14 @@ static int acpi_aml_write_user(const cha
ret = n;
out:
acpi_aml_unlock_fifo(ACPI_AML_IN_USER, ret >= 0);
- return n;
+ return ret;
}
static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- int ret = 0;
- int size = 0;
+ ssize_t ret = 0;
+ ssize_t size = 0;
if (!count)
return 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 141/371] ACPI: battery: Add synchronization between interface updates
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 140/371] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 142/371] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
` (242 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, GuangFei Luo, Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 399dbcadc01ebf0035f325eaa8c264f8b5cd0a14 upstream.
There is no synchronization between different code paths in the ACPI
battery driver that update its sysfs interface or its power supply
class device interface. In some cases this results to functional
failures due to race conditions.
One example of this is when two ACPI notifications:
- ACPI_BATTERY_NOTIFY_STATUS (0x80)
- ACPI_BATTERY_NOTIFY_INFO (0x81)
are triggered (by the platform firmware) in a row with a little delay
in between after removing and reinserting a laptop battery. Both
notifications cause acpi_battery_update() to be called and if the delay
between them is sufficiently small, sysfs_add_battery() can be re-entered
before battery->bat is set which leads to a duplicate sysfs entry error:
sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1'
CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1
Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009
Workqueue: kacpi_notify acpi_os_execute_deferred
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
sysfs_warn_dup.cold+0x17/0x23
sysfs_create_dir_ns+0xce/0xe0
kobject_add_internal+0xba/0x250
kobject_add+0x96/0xc0
? get_device_parent+0xde/0x1e0
device_add+0xe2/0x870
__power_supply_register.part.0+0x20f/0x3f0
? wake_up_q+0x4e/0x90
sysfs_add_battery+0xa4/0x1d0 [battery]
acpi_battery_update+0x19e/0x290 [battery]
acpi_battery_notify+0x50/0x120 [battery]
acpi_ev_notify_dispatch+0x49/0x70
acpi_os_execute_deferred+0x1a/0x30
process_one_work+0x177/0x330
worker_thread+0x251/0x390
? __pfx_worker_thread+0x10/0x10
kthread+0xd2/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory.
There are also other scenarios in which analogous issues may occur.
Address this by using a common lock in all of the code paths leading
to updates of driver interfaces: ACPI Notify () handler, system resume
callback and post-resume notification, device addition and removal.
This new lock replaces sysfs_lock that has been used only in
sysfs_remove_battery() which now is going to be always called under
the new lock, so it doesn't need any internal locking any more.
Fixes: 10666251554c ("ACPI: battery: Install Notify() handler directly")
Closes: https://lore.kernel.org/linux-acpi/20250910142653.313360-1-luogf2025@163.com/
Reported-by: GuangFei Luo <luogf2025@163.com>
Tested-by: GuangFei Luo <luogf2025@163.com>
Cc: 6.6+ <stable@vger.kernel.org> # 6.6+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/battery.c | 43 +++++++++++++++++++++++++++++--------------
1 file changed, 29 insertions(+), 14 deletions(-)
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -92,7 +92,7 @@ enum {
struct acpi_battery {
struct mutex lock;
- struct mutex sysfs_lock;
+ struct mutex update_lock;
struct power_supply *bat;
struct power_supply_desc bat_desc;
struct acpi_device *device;
@@ -904,15 +904,12 @@ static int sysfs_add_battery(struct acpi
static void sysfs_remove_battery(struct acpi_battery *battery)
{
- mutex_lock(&battery->sysfs_lock);
- if (!battery->bat) {
- mutex_unlock(&battery->sysfs_lock);
+ if (!battery->bat)
return;
- }
+
battery_hook_remove_battery(battery);
power_supply_unregister(battery->bat);
battery->bat = NULL;
- mutex_unlock(&battery->sysfs_lock);
}
static void find_battery(const struct dmi_header *dm, void *private)
@@ -1072,6 +1069,9 @@ static void acpi_battery_notify(acpi_han
if (!battery)
return;
+
+ guard(mutex)(&battery->update_lock);
+
old = battery->bat;
/*
* On Acer Aspire V5-573G notifications are sometimes triggered too
@@ -1094,21 +1094,22 @@ static void acpi_battery_notify(acpi_han
}
static int battery_notify(struct notifier_block *nb,
- unsigned long mode, void *_unused)
+ unsigned long mode, void *_unused)
{
struct acpi_battery *battery = container_of(nb, struct acpi_battery,
pm_nb);
- int result;
- switch (mode) {
- case PM_POST_HIBERNATION:
- case PM_POST_SUSPEND:
+ if (mode == PM_POST_SUSPEND || mode == PM_POST_HIBERNATION) {
+ guard(mutex)(&battery->update_lock);
+
if (!acpi_battery_present(battery))
return 0;
if (battery->bat) {
acpi_battery_refresh(battery);
} else {
+ int result;
+
result = acpi_battery_get_info(battery);
if (result)
return result;
@@ -1120,7 +1121,6 @@ static int battery_notify(struct notifie
acpi_battery_init_alarm(battery);
acpi_battery_get_state(battery);
- break;
}
return 0;
@@ -1198,6 +1198,8 @@ static int acpi_battery_update_retry(str
{
int retry, ret;
+ guard(mutex)(&battery->update_lock);
+
for (retry = 5; retry; retry--) {
ret = acpi_battery_update(battery, false);
if (!ret)
@@ -1208,6 +1210,13 @@ static int acpi_battery_update_retry(str
return ret;
}
+static void sysfs_battery_cleanup(struct acpi_battery *battery)
+{
+ guard(mutex)(&battery->update_lock);
+
+ sysfs_remove_battery(battery);
+}
+
static int acpi_battery_add(struct acpi_device *device)
{
int result = 0;
@@ -1230,7 +1239,7 @@ static int acpi_battery_add(struct acpi_
if (result)
return result;
- result = devm_mutex_init(&device->dev, &battery->sysfs_lock);
+ result = devm_mutex_init(&device->dev, &battery->update_lock);
if (result)
return result;
@@ -1262,7 +1271,7 @@ fail_pm:
device_init_wakeup(&device->dev, 0);
unregister_pm_notifier(&battery->pm_nb);
fail:
- sysfs_remove_battery(battery);
+ sysfs_battery_cleanup(battery);
return result;
}
@@ -1281,6 +1290,9 @@ static void acpi_battery_remove(struct a
device_init_wakeup(&device->dev, 0);
unregister_pm_notifier(&battery->pm_nb);
+
+ guard(mutex)(&battery->update_lock);
+
sysfs_remove_battery(battery);
}
@@ -1297,6 +1309,9 @@ static int acpi_battery_resume(struct de
return -EINVAL;
battery->update_time = 0;
+
+ guard(mutex)(&battery->update_lock);
+
acpi_battery_update(battery, true);
return 0;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 142/371] arm64: dts: qcom: msm8916: Add missing MDSS reset
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 141/371] ACPI: battery: Add synchronization between interface updates Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 143/371] arm64: dts: qcom: msm8939: " Greg Kroah-Hartman
` (241 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Dmitry Baryshkov,
Konrad Dybcio, Bjorn Andersson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit 99b78773c2ae55dcc01025f94eae8ce9700ae985 upstream.
On most MSM8916 devices (aside from the DragonBoard 410c), the bootloader
already initializes the display to show the boot splash screen. In this
situation, MDSS is already configured and left running when starting Linux.
To avoid side effects from the bootloader configuration, the MDSS reset can
be specified in the device tree to start again with a clean hardware state.
The reset for MDSS is currently missing in msm8916.dtsi, which causes
errors when the MDSS driver tries to re-initialize the registers:
dsi_err_worker: status=6
dsi_err_worker: status=6
dsi_err_worker: status=6
...
It turns out that we have always indirectly worked around this by building
the MDSS driver as a module. Before v6.17, the power domain was temporarily
turned off until the module was loaded, long enough to clear the register
contents. In v6.17, power domains are not turned off during boot until
sync_state() happens, so this is no longer working. Even before v6.17 this
resulted in broken behavior, but notably only when the MDSS driver was
built-in instead of a module.
Cc: stable@vger.kernel.org
Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250915-msm8916-resets-v1-1-a5c705df0c45@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
@@ -1562,6 +1562,8 @@
interrupts = <GIC_SPI 72 IRQ_TYPE_LEVEL_HIGH>;
+ resets = <&gcc GCC_MDSS_BCR>;
+
interrupt-controller;
#interrupt-cells = <1>;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 143/371] arm64: dts: qcom: msm8939: Add missing MDSS reset
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 142/371] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 144/371] arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees Greg Kroah-Hartman
` (240 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Dmitry Baryshkov,
Konrad Dybcio, Bjorn Andersson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit f73c82c855e186e9b67125e3eee743960320e43c upstream.
On most MSM8939 devices, the bootloader already initializes the display to
show the boot splash screen. In this situation, MDSS is already configured
and left running when starting Linux. To avoid side effects from the
bootloader configuration, the MDSS reset can be specified in the device
tree to start again with a clean hardware state.
The reset for MDSS is currently missing in msm8939.dtsi, which causes
errors when the MDSS driver tries to re-initialize the registers:
dsi_err_worker: status=6
dsi_err_worker: status=6
dsi_err_worker: status=6
...
It turns out that we have always indirectly worked around this by building
the MDSS driver as a module. Before v6.17, the power domain was temporarily
turned off until the module was loaded, long enough to clear the register
contents. In v6.17, power domains are not turned off during boot until
sync_state() happens, so this is no longer working. Even before v6.17 this
resulted in broken behavior, but notably only when the MDSS driver was
built-in instead of a module.
Cc: stable@vger.kernel.org
Fixes: 61550c6c156c ("arm64: dts: qcom: Add msm8939 SoC")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250915-msm8916-resets-v1-2-a5c705df0c45@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/msm8939.dtsi | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/boot/dts/qcom/msm8939.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8939.dtsi
@@ -1249,6 +1249,8 @@
power-domains = <&gcc MDSS_GDSC>;
+ resets = <&gcc GCC_MDSS_BCR>;
+
#address-cells = <1>;
#size-cells = <1>;
#interrupt-cells = <1>;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 144/371] arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 143/371] arm64: dts: qcom: msm8939: " Greg Kroah-Hartman
@ 2025-10-17 14:51 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 145/371] arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default Greg Kroah-Hartman
` (239 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Dmitry Baryshkov,
Bjorn Andersson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit 316294bb6695a43a9181973ecd4e6fb3e576a9f7 upstream.
Reading the hardware registers of the &slimbam on RB3 reveals that the BAM
supports only 23 pipes (channels) and supports 4 EEs instead of 2. This
hasn't caused problems so far since nothing is using the extra channels,
but attempting to use them would lead to crashes.
The bam_dma driver might warn in the future if the num-channels in the DT
are wrong, so correct the properties in the DT to avoid future regressions.
Cc: stable@vger.kernel.org
Fixes: 27ca1de07dc3 ("arm64: dts: qcom: sdm845: add slimbus nodes")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250821-sdm845-slimbam-channels-v1-1-498f7d46b9ee@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sdm845.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
@@ -5404,11 +5404,11 @@
compatible = "qcom,bam-v1.7.4", "qcom,bam-v1.7.0";
qcom,controlled-remotely;
reg = <0 0x17184000 0 0x2a000>;
- num-channels = <31>;
+ num-channels = <23>;
interrupts = <GIC_SPI 164 IRQ_TYPE_LEVEL_HIGH>;
#dma-cells = <1>;
qcom,ee = <1>;
- qcom,num-ees = <2>;
+ qcom,num-ees = <4>;
iommus = <&apps_smmu 0x1806 0x0>;
};
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 145/371] arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-10-17 14:51 ` [PATCH 6.17 144/371] arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 146/371] arm64: dts: ti: k3-am62a-main: Fix main padcfg length Greg Kroah-Hartman
` (238 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Johan Hovold,
Konrad Dybcio, Aleksandrs Vinarskis, Bjorn Andersson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
commit b9a185198f96259311543b30d884d8c01da913f7 upstream.
pm8010 is a camera specific PMIC, and may not be present on some
devices. These may instead use a dedicated vreg for this purpose (Dell
XPS 9345, Dell Inspiron..) or use USB webcam instead of a MIPI one
alltogether (Lenovo Thinbook 16, Lenovo Yoga..).
Disable pm8010 by default, let platforms that actually have one onboard
enable it instead.
Cc: stable@vger.kernel.org
Fixes: 2559e61e7ef4 ("arm64: dts: qcom: x1e80100-pmics: Add the missing PMICs")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
Link: https://lore.kernel.org/r/20250701183625.1968246-2-alex.vinarskis@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi
+++ b/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi
@@ -475,6 +475,8 @@
#address-cells = <1>;
#size-cells = <0>;
+ status = "disabled";
+
pm8010_temp_alarm: temp-alarm@2400 {
compatible = "qcom,spmi-temp-alarm";
reg = <0x2400>;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 146/371] arm64: dts: ti: k3-am62a-main: Fix main padcfg length
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 145/371] arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 147/371] arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP Greg Kroah-Hartman
` (237 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vibhore Vardhan, Paresh Bhagat,
Siddharth Vadapalli, Nishanth Menon
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vibhore Vardhan <vibhore@ti.com>
commit 4c4e48afb6d85c1a8f9fdbae1fdf17ceef4a6f5b upstream.
The main pad configuration register region starts with the register
MAIN_PADCFG_CTRL_MMR_CFG0_PADCONFIG0 with address 0x000f4000 and ends
with the MAIN_PADCFG_CTRL_MMR_CFG0_PADCONFIG150 register with address
0x000f4258, as a result of which, total size of the region is 0x25c
instead of 0x2ac.
Reference Docs
TRM (AM62A) - https://www.ti.com/lit/ug/spruj16b/spruj16b.pdf
TRM (AM62D) - https://www.ti.com/lit/ug/sprujd4/sprujd4.pdf
Fixes: 5fc6b1b62639c ("arm64: dts: ti: Introduce AM62A7 family of SoCs")
Cc: stable@vger.kernel.org
Signed-off-by: Vibhore Vardhan <vibhore@ti.com>
Signed-off-by: Paresh Bhagat <p-bhagat@ti.com>
Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Link: https://patch.msgid.link/20250903062513.813925-2-p-bhagat@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-am62a-main.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-am62a-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am62a-main.dtsi
@@ -267,7 +267,7 @@
main_pmx0: pinctrl@f4000 {
compatible = "pinctrl-single";
- reg = <0x00 0xf4000 0x00 0x2ac>;
+ reg = <0x00 0xf4000 0x00 0x25c>;
#pinctrl-cells = <1>;
pinctrl-single,register-width = <32>;
pinctrl-single,function-mask = <0xffffffff>;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 147/371] arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 146/371] arm64: dts: ti: k3-am62a-main: Fix main padcfg length Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 148/371] arm64: kprobes: call set_memory_rox() for kprobe page Greg Kroah-Hartman
` (236 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Judith Mendez, Viresh Kumar
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
commit f434ec2200667d5362bd19f93a498d9b3f121588 upstream.
The 1GHz OPP is supported on speed grade "O" as well according to the
device datasheet [0], so fix the opp-supported-hw property to support
this speed grade for 1GHz OPP.
[0] https://www.ti.com/lit/gpn/am62p
Fixes: 76d855f05801 ("arm64: dts: ti: k3-am62p: add opp frequencies")
Cc: stable@vger.kernel.org
Signed-off-by: Judith Mendez <jm@ti.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-am62p5.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-am62p5.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am62p5.dtsi
@@ -135,7 +135,7 @@
opp-1000000000 {
opp-hz = /bits/ 64 <1000000000>;
- opp-supported-hw = <0x01 0x0006>;
+ opp-supported-hw = <0x01 0x0007>;
clock-latency-ns = <6000000>;
};
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 148/371] arm64: kprobes: call set_memory_rox() for kprobe page
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 147/371] arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 149/371] arm64: mte: Do not flag the zero page as PG_mte_tagged Greg Kroah-Hartman
` (235 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Shi, Catalin Marinas,
Will Deacon
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Shi <yang@os.amperecomputing.com>
commit 195a1b7d8388c0ec2969a39324feb8bebf9bb907 upstream.
The kprobe page is allocated by execmem allocator with ROX permission.
It needs to call set_memory_rox() to set proper permission for the
direct map too. It was missed.
Fixes: 10d5e97c1bf8 ("arm64: use PAGE_KERNEL_ROX directly in alloc_insn_page")
Cc: <stable@vger.kernel.org>
Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/probes/kprobes.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/arch/arm64/kernel/probes/kprobes.c
+++ b/arch/arm64/kernel/probes/kprobes.c
@@ -10,6 +10,7 @@
#define pr_fmt(fmt) "kprobes: " fmt
+#include <linux/execmem.h>
#include <linux/extable.h>
#include <linux/kasan.h>
#include <linux/kernel.h>
@@ -41,6 +42,17 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kpr
static void __kprobes
post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *);
+void *alloc_insn_page(void)
+{
+ void *addr;
+
+ addr = execmem_alloc(EXECMEM_KPROBES, PAGE_SIZE);
+ if (!addr)
+ return NULL;
+ set_memory_rox((unsigned long)addr, 1);
+ return addr;
+}
+
static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
{
kprobe_opcode_t *addr = p->ainsn.xol_insn;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 149/371] arm64: mte: Do not flag the zero page as PG_mte_tagged
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 148/371] arm64: kprobes: call set_memory_rox() for kprobe page Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 150/371] ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on reset) Greg Kroah-Hartman
` (234 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Gergely Kovacs,
Will Deacon, David Hildenbrand, Lance Yang
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
commit f620d66af3165838bfa845dcf9f5f9b4089bf508 upstream.
Commit 68d54ceeec0e ("arm64: mte: Allow PTRACE_PEEKMTETAGS access to the
zero page") attempted to fix ptrace() reading of tags from the zero page
by marking it as PG_mte_tagged during cpu_enable_mte(). The same commit
also changed the ptrace() tag access permission check to the VM_MTE vma
flag while turning the page flag test into a WARN_ON_ONCE().
Attempting to set the PG_mte_tagged flag early with
CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled may either hang (after commit
d77e59a8fccd "arm64: mte: Lock a page for MTE tag initialisation") or
have the flags cleared later during page_alloc_init_late(). In addition,
pages_identical() -> memcmp_pages() will reject any comparison with the
zero page as it is marked as tagged.
Partially revert the above commit to avoid setting PG_mte_tagged on the
zero page. Update the __access_remote_tags() warning on untagged pages
to ignore the zero page since it is known to have the tags initialised.
Note that all user mapping of the zero page are marked as pte_special().
The arm64 set_pte_at() will not call mte_sync_tags() on such pages, so
PG_mte_tagged will remain cleared.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Fixes: 68d54ceeec0e ("arm64: mte: Allow PTRACE_PEEKMTETAGS access to the zero page")
Reported-by: Gergely Kovacs <Gergely.Kovacs2@arm.com>
Cc: stable@vger.kernel.org # 5.10.x
Cc: Will Deacon <will@kernel.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Lance Yang <lance.yang@linux.dev>
Acked-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: David Hildenbrand <david@redhat.com>
Tested-by: Lance Yang <lance.yang@linux.dev>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/cpufeature.c | 10 +++++++---
arch/arm64/kernel/mte.c | 2 +-
2 files changed, 8 insertions(+), 4 deletions(-)
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -2408,17 +2408,21 @@ static void bti_enable(const struct arm6
#ifdef CONFIG_ARM64_MTE
static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
{
+ static bool cleared_zero_page = false;
+
sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ATA | SCTLR_EL1_ATA0);
mte_cpu_setup();
/*
* Clear the tags in the zero page. This needs to be done via the
- * linear map which has the Tagged attribute.
+ * linear map which has the Tagged attribute. Since this page is
+ * always mapped as pte_special(), set_pte_at() will not attempt to
+ * clear the tags or set PG_mte_tagged.
*/
- if (try_page_mte_tagging(ZERO_PAGE(0))) {
+ if (!cleared_zero_page) {
+ cleared_zero_page = true;
mte_clear_page_tags(lm_alias(empty_zero_page));
- set_page_mte_tagged(ZERO_PAGE(0));
}
kasan_init_hw_tags_cpu();
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c
@@ -460,7 +460,7 @@ static int __access_remote_tags(struct m
if (folio_test_hugetlb(folio))
WARN_ON_ONCE(!folio_test_hugetlb_mte_tagged(folio));
else
- WARN_ON_ONCE(!page_mte_tagged(page));
+ WARN_ON_ONCE(!page_mte_tagged(page) && !is_zero_page(page));
/* limit access to the end of the page */
offset = offset_in_page(addr);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 150/371] ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on reset)
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 149/371] arm64: mte: Do not flag the zero page as PG_mte_tagged Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 151/371] ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init Greg Kroah-Hartman
` (233 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Kevin Hilman
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit 8a6506e1ba0d2b831729808d958aae77604f12f9 upstream.
There is an issue possible where TI AM33xx SoCs do not boot properly after
a reset if EMU0/EMU1 pins were used as GPIO and have been driving low level
actively prior to reset [1].
"Advisory 1.0.36 EMU0 and EMU1: Terminals Must be Pulled High Before
ICEPick Samples
The state of the EMU[1:0] terminals are latched during reset to determine
ICEPick boot mode. For normal device operation, these terminals must be
pulled up to a valid high logic level ( > VIH min) before ICEPick samples
the state of these terminals, which occurs
[five CLK_M_OSC clock cycles - 10 ns] after the falling edge of WARMRSTn.
Many applications may not require the secondary GPIO function of the
EMU[1:0] terminals. In this case, they would only be connected to pull-up
resistors, which ensures they are always high when ICEPick samples.
However, some applications may need to use these terminals as GPIO where
they could be driven low before reset is asserted. This usage of the
EMU[1:0] terminals may require special attention to ensure the terminals
are allowed to return to a valid high-logic level before ICEPick samples
the state of these terminals.
When any device reset is asserted, the pin mux mode of EMU[1:0] terminals
configured to operate as GPIO (mode 7) will change back to EMU input
(mode 0) on the falling edge of WARMRSTn. This only provides a short period
of time for the terminals to return high if driven low before reset is
asserted...
If the EMU[1:0] terminals are configured to operate as GPIO, the product
should be designed such these terminals can be pulled to a valid high-logic
level within 190 ns after the falling edge of WARMRSTn."
We've noticed this problem with custom am335x hardware in combination with
recently implemented cold reset method
(commit 6521f6a195c70 ("ARM: AM33xx: PRM: Implement REBOOT_COLD")).
It looks like the problem can affect other HW, for instance AM335x
Chiliboard, because the latter has LEDs on GPIO3_7/GPIO3_8 as well.
One option would be to check if the pins are in GPIO mode and either switch
to output active high, or switch to input and poll until the external
pull-ups have brought the pins to the desired high state. But fighting
with GPIO driver for these pins is probably not the most straight forward
approch in a reboot handler.
Fortunately we can easily control pinmuxing here and rely on the external
pull-ups. TI recommends 4k7 external pull up resistors [2] and even with
quite conservative estimation for pin capacity (1 uF should never happen)
the required delay shall not exceed 5ms.
[1] Link: https://www.ti.com/lit/pdf/sprz360
[2] Link: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/866346/am3352-emu-1-0-questions
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://lore.kernel.org/r/20250717152708.487891-1-alexander.sverdlin@siemens.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mach-omap2/am33xx-restart.c | 36 +++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- a/arch/arm/mach-omap2/am33xx-restart.c
+++ b/arch/arm/mach-omap2/am33xx-restart.c
@@ -2,12 +2,46 @@
/*
* am33xx-restart.c - Code common to all AM33xx machines.
*/
+#include <dt-bindings/pinctrl/am33xx.h>
+#include <linux/delay.h>
#include <linux/kernel.h>
#include <linux/reboot.h>
#include "common.h"
+#include "control.h"
#include "prm.h"
+/*
+ * Advisory 1.0.36 EMU0 and EMU1: Terminals Must be Pulled High Before
+ * ICEPick Samples
+ *
+ * If EMU0/EMU1 pins have been used as GPIO outputs and actively driving low
+ * level, the device might not reboot in normal mode. We are in a bad position
+ * to override GPIO state here, so just switch the pins into EMU input mode
+ * (that's what reset will do anyway) and wait a bit, because the state will be
+ * latched 190 ns after reset.
+ */
+static void am33xx_advisory_1_0_36(void)
+{
+ u32 emu0 = omap_ctrl_readl(AM335X_PIN_EMU0);
+ u32 emu1 = omap_ctrl_readl(AM335X_PIN_EMU1);
+
+ /* If both pins are in EMU mode, nothing to do */
+ if (!(emu0 & 7) && !(emu1 & 7))
+ return;
+
+ /* Switch GPIO3_7/GPIO3_8 into EMU0/EMU1 modes respectively */
+ omap_ctrl_writel(emu0 & ~7, AM335X_PIN_EMU0);
+ omap_ctrl_writel(emu1 & ~7, AM335X_PIN_EMU1);
+
+ /*
+ * Give pull-ups time to load the pin/PCB trace capacity.
+ * 5 ms shall be enough to load 1 uF (would be huge capacity for these
+ * pins) with TI-recommended 4k7 external pull-ups.
+ */
+ mdelay(5);
+}
+
/**
* am33xx_restart - trigger a software restart of the SoC
* @mode: the "reboot mode", see arch/arm/kernel/{setup,process}.c
@@ -18,6 +52,8 @@
*/
void am33xx_restart(enum reboot_mode mode, const char *cmd)
{
+ am33xx_advisory_1_0_36();
+
/* TODO: Handle cmd if necessary */
prm_reboot_mode = mode;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 151/371] ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 150/371] ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on reset) Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 152/371] firmware: arm_scmi: quirk: Prevent writes to string constants Greg Kroah-Hartman
` (232 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Kevin Hilman
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 74139a64e8cedb6d971c78d5d17384efeced1725 upstream.
Add missing of_node_put() calls to release
device node references obtained via of_parse_phandle().
Fixes: 06ee7a950b6a ("ARM: OMAP2+: pm33xx-core: Add cpuidle_ops for am335x/am437x")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20250902075943.2408832-1-linmq006@gmail.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mach-omap2/pm33xx-core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm/mach-omap2/pm33xx-core.c
+++ b/arch/arm/mach-omap2/pm33xx-core.c
@@ -388,12 +388,15 @@ static int __init amx3_idle_init(struct
if (!state_node)
break;
- if (!of_device_is_available(state_node))
+ if (!of_device_is_available(state_node)) {
+ of_node_put(state_node);
continue;
+ }
if (i == CPUIDLE_STATE_MAX) {
pr_warn("%s: cpuidle states reached max possible\n",
__func__);
+ of_node_put(state_node);
break;
}
@@ -403,6 +406,7 @@ static int __init amx3_idle_init(struct
states[state_count].wfi_flags |= WFI_FLAG_WAKE_M3 |
WFI_FLAG_FLUSH_CACHE;
+ of_node_put(state_node);
state_count++;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 152/371] firmware: arm_scmi: quirk: Prevent writes to string constants
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 151/371] ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 153/371] perf/arm-cmn: Fix CMN S3 DTM offset Greg Kroah-Hartman
` (231 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cristian Marussi, Jan Palus,
Johan Hovold, Sudeep Holla
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 572ce546390d1b7c99b16c38cae1b680c716216c upstream.
The quirk version range is typically a string constant and must not be
modified (e.g. as it may be stored in read-only memory). Attempting
to do so can trigger faults such as:
| Unable to handle kernel write to read-only memory at virtual
| address ffffc036d998a947
Update the range parsing so that it operates on a copy of the version
range string, and mark all the quirk strings as const to reduce the
risk of introducing similar future issues.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220437
Fixes: 487c407d57d6 ("firmware: arm_scmi: Add common framework to handle firmware quirks")
Cc: stable@vger.kernel.org # 6.16
Cc: Cristian Marussi <cristian.marussi@arm.com>
Reported-by: Jan Palus <jpalus@fastmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Message-Id: <20250829132152.28218-1-johan@kernel.org>
[sudeep.holla: minor commit message rewording; switch to cleanup helpers]
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/arm_scmi/quirks.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/firmware/arm_scmi/quirks.c
+++ b/drivers/firmware/arm_scmi/quirks.c
@@ -71,6 +71,7 @@
*/
#include <linux/ctype.h>
+#include <linux/cleanup.h>
#include <linux/device.h>
#include <linux/export.h>
#include <linux/hashtable.h>
@@ -89,9 +90,9 @@
struct scmi_quirk {
bool enabled;
const char *name;
- char *vendor;
- char *sub_vendor_id;
- char *impl_ver_range;
+ const char *vendor;
+ const char *sub_vendor_id;
+ const char *impl_ver_range;
u32 start_range;
u32 end_range;
struct static_key_false *key;
@@ -217,7 +218,7 @@ static unsigned int scmi_quirk_signature
static int scmi_quirk_range_parse(struct scmi_quirk *quirk)
{
- const char *last, *first = quirk->impl_ver_range;
+ const char *last, *first __free(kfree) = NULL;
size_t len;
char *sep;
int ret;
@@ -228,8 +229,12 @@ static int scmi_quirk_range_parse(struct
if (!len)
return 0;
+ first = kmemdup(quirk->impl_ver_range, len + 1, GFP_KERNEL);
+ if (!first)
+ return -ENOMEM;
+
last = first + len - 1;
- sep = strchr(quirk->impl_ver_range, '-');
+ sep = strchr(first, '-');
if (sep)
*sep = '\0';
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 153/371] perf/arm-cmn: Fix CMN S3 DTM offset
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 152/371] firmware: arm_scmi: quirk: Prevent writes to string constants Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 154/371] KVM: s390: Fix to clear PTE when discarding a swapped page Greg Kroah-Hartman
` (230 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Robin Murphy, Will Deacon
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robin Murphy <robin.murphy@arm.com>
commit b3fe1c83a56f3cb7c475747ee1c6ec5a9dd5f60e upstream.
CMN S3's DTM offset is different between r0px and r1p0, and it
turns out this was not a error in the earlier documentation, but
does actually exist in the design. Lovely.
Cc: stable@vger.kernel.org
Fixes: 0dc2f4963f7e ("perf/arm-cmn: Support CMN S3")
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/perf/arm-cmn.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/perf/arm-cmn.c
+++ b/drivers/perf/arm-cmn.c
@@ -65,7 +65,7 @@
/* PMU registers occupy the 3rd 4KB page of each node's region */
#define CMN_PMU_OFFSET 0x2000
/* ...except when they don't :( */
-#define CMN_S3_DTM_OFFSET 0xa000
+#define CMN_S3_R1_DTM_OFFSET 0xa000
#define CMN_S3_PMU_OFFSET 0xd900
/* For most nodes, this is all there is */
@@ -233,6 +233,9 @@ enum cmn_revision {
REV_CMN700_R1P0,
REV_CMN700_R2P0,
REV_CMN700_R3P0,
+ REV_CMNS3_R0P0 = 0,
+ REV_CMNS3_R0P1,
+ REV_CMNS3_R1P0,
REV_CI700_R0P0 = 0,
REV_CI700_R1P0,
REV_CI700_R2P0,
@@ -425,8 +428,8 @@ static enum cmn_model arm_cmn_model(cons
static int arm_cmn_pmu_offset(const struct arm_cmn *cmn, const struct arm_cmn_node *dn)
{
if (cmn->part == PART_CMN_S3) {
- if (dn->type == CMN_TYPE_XP)
- return CMN_S3_DTM_OFFSET;
+ if (cmn->rev >= REV_CMNS3_R1P0 && dn->type == CMN_TYPE_XP)
+ return CMN_S3_R1_DTM_OFFSET;
return CMN_S3_PMU_OFFSET;
}
return CMN_PMU_OFFSET;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 154/371] KVM: s390: Fix to clear PTE when discarding a swapped page
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 153/371] perf/arm-cmn: Fix CMN S3 DTM offset Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 155/371] KVM: arm64: Fix debug checking for np-guests using huge mappings Greg Kroah-Hartman
` (229 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudio Imbrenda, Gautam Gala
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautam Gala <ggala@linux.ibm.com>
commit 5deafa27d9ae040b75d392f60b12e300b42b4792 upstream.
KVM run fails when guests with 'cmm' cpu feature and host are
under memory pressure and use swap heavily. This is because
npages becomes ENOMEN (out of memory) in hva_to_pfn_slow()
which inturn propagates as EFAULT to qemu. Clearing the page
table entry when discarding an address that maps to a swap
entry resolves the issue.
Fixes: 200197908dc4 ("KVM: s390: Refactor and split some gmap helpers")
Cc: stable@vger.kernel.org
Suggested-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Gautam Gala <ggala@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/asm/pgtable.h | 22 ++++++++++++++++++++++
arch/s390/mm/gmap_helpers.c | 12 +++++++++++-
arch/s390/mm/pgtable.c | 23 +----------------------
3 files changed, 34 insertions(+), 23 deletions(-)
--- a/arch/s390/include/asm/pgtable.h
+++ b/arch/s390/include/asm/pgtable.h
@@ -2055,4 +2055,26 @@ static inline unsigned long gmap_pgste_g
return res;
}
+static inline pgste_t pgste_get_lock(pte_t *ptep)
+{
+ unsigned long value = 0;
+#ifdef CONFIG_PGSTE
+ unsigned long *ptr = (unsigned long *)(ptep + PTRS_PER_PTE);
+
+ do {
+ value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr);
+ } while (value & PGSTE_PCL_BIT);
+ value |= PGSTE_PCL_BIT;
+#endif
+ return __pgste(value);
+}
+
+static inline void pgste_set_unlock(pte_t *ptep, pgste_t pgste)
+{
+#ifdef CONFIG_PGSTE
+ barrier();
+ WRITE_ONCE(*(unsigned long *)(ptep + PTRS_PER_PTE), pgste_val(pgste) & ~PGSTE_PCL_BIT);
+#endif
+}
+
#endif /* _S390_PAGE_H */
--- a/arch/s390/mm/gmap_helpers.c
+++ b/arch/s390/mm/gmap_helpers.c
@@ -15,6 +15,7 @@
#include <linux/pagewalk.h>
#include <linux/ksm.h>
#include <asm/gmap_helpers.h>
+#include <asm/pgtable.h>
/**
* ptep_zap_swap_entry() - discard a swap entry.
@@ -47,6 +48,7 @@ void gmap_helper_zap_one_page(struct mm_
{
struct vm_area_struct *vma;
spinlock_t *ptl;
+ pgste_t pgste;
pte_t *ptep;
mmap_assert_locked(mm);
@@ -60,8 +62,16 @@ void gmap_helper_zap_one_page(struct mm_
ptep = get_locked_pte(mm, vmaddr, &ptl);
if (unlikely(!ptep))
return;
- if (pte_swap(*ptep))
+ if (pte_swap(*ptep)) {
+ preempt_disable();
+ pgste = pgste_get_lock(ptep);
+
ptep_zap_swap_entry(mm, pte_to_swp_entry(*ptep));
+ pte_clear(mm, vmaddr, ptep);
+
+ pgste_set_unlock(ptep, pgste);
+ preempt_enable();
+ }
pte_unmap_unlock(ptep, ptl);
}
EXPORT_SYMBOL_GPL(gmap_helper_zap_one_page);
--- a/arch/s390/mm/pgtable.c
+++ b/arch/s390/mm/pgtable.c
@@ -24,6 +24,7 @@
#include <asm/tlbflush.h>
#include <asm/mmu_context.h>
#include <asm/page-states.h>
+#include <asm/pgtable.h>
#include <asm/machine.h>
pgprot_t pgprot_writecombine(pgprot_t prot)
@@ -115,28 +116,6 @@ static inline pte_t ptep_flush_lazy(stru
return old;
}
-static inline pgste_t pgste_get_lock(pte_t *ptep)
-{
- unsigned long value = 0;
-#ifdef CONFIG_PGSTE
- unsigned long *ptr = (unsigned long *)(ptep + PTRS_PER_PTE);
-
- do {
- value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr);
- } while (value & PGSTE_PCL_BIT);
- value |= PGSTE_PCL_BIT;
-#endif
- return __pgste(value);
-}
-
-static inline void pgste_set_unlock(pte_t *ptep, pgste_t pgste)
-{
-#ifdef CONFIG_PGSTE
- barrier();
- WRITE_ONCE(*(unsigned long *)(ptep + PTRS_PER_PTE), pgste_val(pgste) & ~PGSTE_PCL_BIT);
-#endif
-}
-
static inline pgste_t pgste_get(pte_t *ptep)
{
unsigned long pgste = 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 155/371] KVM: arm64: Fix debug checking for np-guests using huge mappings
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 154/371] KVM: s390: Fix to clear PTE when discarding a swapped page Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 156/371] KVM: arm64: Fix page leak in user_mem_abort() Greg Kroah-Hartman
` (228 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Horgan, Vincent Donnefort,
Quentin Perret, Ryan Roberts, Marc Zyngier
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Horgan <ben.horgan@arm.com>
commit 2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173 upstream.
When running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then
the debug checking in assert_host_shared_guest() fails on the launch of an
np-guest. This WARN_ON() causes a panic and generates the stack below.
In __pkvm_host_relax_perms_guest() the debug checking assumes the mapping
is a single page but it may be a block map. Update the checking so that
the size is not checked and just assumes the correct size.
While we're here make the same fix in __pkvm_host_mkyoung_guest().
Info: # lkvm run -k /share/arch/arm64/boot/Image -m 704 -c 8 --name guest-128
Info: Removed ghost socket file "/.lkvm//guest-128.sock".
[ 1406.521757] kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088!
[ 1406.521804] kvm [141]: nVHE call trace:
[ 1406.521828] kvm [141]: [<ffff8000811676b4>] __kvm_nvhe_hyp_panic+0xb4/0xe8
[ 1406.521946] kvm [141]: [<ffff80008116d12c>] __kvm_nvhe_assert_host_shared_guest+0xb0/0x10c
[ 1406.522049] kvm [141]: [<ffff80008116f068>] __kvm_nvhe___pkvm_host_relax_perms_guest+0x48/0x104
[ 1406.522157] kvm [141]: [<ffff800081169df8>] __kvm_nvhe_handle___pkvm_host_relax_perms_guest+0x64/0x7c
[ 1406.522250] kvm [141]: [<ffff800081169f0c>] __kvm_nvhe_handle_trap+0x8c/0x1a8
[ 1406.522333] kvm [141]: [<ffff8000811680fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4
[ 1406.522454] kvm [141]: ---[ end nVHE call trace ]---
[ 1406.522477] kvm [141]: Hyp Offset: 0xfffece8013600000
[ 1406.522554] Kernel panic - not syncing: HYP panic:
[ 1406.522554] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800
[ 1406.522554] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000
[ 1406.522554] VCPU:0000000000000000
[ 1406.523337] CPU: 3 UID: 0 PID: 141 Comm: kvm-vcpu-0 Not tainted 6.16.0-rc7 #97 PREEMPT
[ 1406.523485] Hardware name: FVP Base RevC (DT)
[ 1406.523566] Call trace:
[ 1406.523629] show_stack+0x18/0x24 (C)
[ 1406.523753] dump_stack_lvl+0xd4/0x108
[ 1406.523899] dump_stack+0x18/0x24
[ 1406.524040] panic+0x3d8/0x448
[ 1406.524184] nvhe_hyp_panic_handler+0x10c/0x23c
[ 1406.524325] kvm_handle_guest_abort+0x68c/0x109c
[ 1406.524500] handle_exit+0x60/0x17c
[ 1406.524630] kvm_arch_vcpu_ioctl_run+0x2e0/0x8c0
[ 1406.524794] kvm_vcpu_ioctl+0x1a8/0x9cc
[ 1406.524919] __arm64_sys_ioctl+0xac/0x104
[ 1406.525067] invoke_syscall+0x48/0x10c
[ 1406.525189] el0_svc_common.constprop.0+0x40/0xe0
[ 1406.525322] do_el0_svc+0x1c/0x28
[ 1406.525441] el0_svc+0x38/0x120
[ 1406.525588] el0t_64_sync_handler+0x10c/0x138
[ 1406.525750] el0t_64_sync+0x1ac/0x1b0
[ 1406.525876] SMP: stopping secondary CPUs
[ 1406.525965] Kernel Offset: disabled
[ 1406.526032] CPU features: 0x0000,00000080,8e134ca1,9446773f
[ 1406.526130] Memory Limit: none
[ 1406.959099] ---[ end Kernel panic - not syncing: HYP panic:
[ 1406.959099] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800
[ 1406.959099] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000
[ 1406.959099] VCPU:0000000000000000 ]
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Fixes: f28f1d02f4eaa ("KVM: arm64: Add a range to __pkvm_host_unshare_guest()")
Cc: Vincent Donnefort <vdonnefort@google.com>
Cc: Quentin Perret <qperret@google.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: stable@vger.kernel.org
Reviewed-by: Vincent Donnefort <vdonnefort@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/hyp/nvhe/mem_protect.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
+++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -1010,9 +1010,12 @@ static int __check_host_shared_guest(str
return ret;
if (!kvm_pte_valid(pte))
return -ENOENT;
- if (kvm_granule_size(level) != size)
+ if (size && kvm_granule_size(level) != size)
return -E2BIG;
+ if (!size)
+ size = kvm_granule_size(level);
+
state = guest_get_page_state(pte, ipa);
if (state != PKVM_PAGE_SHARED_BORROWED)
return -EPERM;
@@ -1100,7 +1103,7 @@ int __pkvm_host_relax_perms_guest(u64 gf
if (prot & ~KVM_PGTABLE_PROT_RWX)
return -EINVAL;
- assert_host_shared_guest(vm, ipa, PAGE_SIZE);
+ assert_host_shared_guest(vm, ipa, 0);
guest_lock_component(vm);
ret = kvm_pgtable_stage2_relax_perms(&vm->pgt, ipa, prot, 0);
guest_unlock_component(vm);
@@ -1156,7 +1159,7 @@ int __pkvm_host_mkyoung_guest(u64 gfn, s
if (pkvm_hyp_vm_is_protected(vm))
return -EPERM;
- assert_host_shared_guest(vm, ipa, PAGE_SIZE);
+ assert_host_shared_guest(vm, ipa, 0);
guest_lock_component(vm);
kvm_pgtable_stage2_mkyoung(&vm->pgt, ipa, 0);
guest_unlock_component(vm);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 156/371] KVM: arm64: Fix page leak in user_mem_abort()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 155/371] KVM: arm64: Fix debug checking for np-guests using huge mappings Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 157/371] x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP Greg Kroah-Hartman
` (227 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fuad Tabba, Oliver Upton,
Marc Zyngier
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fuad Tabba <tabba@google.com>
commit 5f9466b50c1b4253d91abf81780b90a722133162 upstream.
The user_mem_abort() function acquires a page reference via
__kvm_faultin_pfn() early in its execution. However, the subsequent
checks for mismatched attributes between stage 1 and stage 2 mappings
would return an error code directly, bypassing the corresponding page
release.
Fix this by storing the error and releasing the unused page before
returning the error.
Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings")
Fixes: 2a8dfab26677 ("KVM: arm64: Block cacheable PFNMAP mapping")
Signed-off-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/mmu.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1673,7 +1673,7 @@ static int user_mem_abort(struct kvm_vcp
* cache maintenance.
*/
if (!kvm_supports_cacheable_pfnmap())
- return -EFAULT;
+ ret = -EFAULT;
} else {
/*
* If the page was identified as device early by looking at
@@ -1696,7 +1696,12 @@ static int user_mem_abort(struct kvm_vcp
}
if (exec_fault && s2_force_noncacheable)
- return -ENOEXEC;
+ ret = -ENOEXEC;
+
+ if (ret) {
+ kvm_release_page_unused(page);
+ return ret;
+ }
/*
* Potentially reduce shadow S2 permissions to match the guest's own
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 157/371] x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 156/371] KVM: arm64: Fix page leak in user_mem_abort() Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 158/371] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest Greg Kroah-Hartman
` (226 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Gonda, Vitaly Kuznetsov,
Tom Lendacky, Jürgen Groß, Korakit Seemakhupt,
Jianxiong Gao, Nikolay Borisov, Binbin Wu, Sean Christopherson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0dccbc75e18df85399a71933d60b97494110f559 upstream.
When running as an SNP or TDX guest under KVM, force the legacy PCI hole,
i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC
via a forced variable MTRR range.
In most KVM-based setups, legacy devices such as the HPET and TPM are
enumerated via ACPI. ACPI enumeration includes a Memory32Fixed entry, and
optionally a SystemMemory descriptor for an OperationRegion, e.g. if the
device needs to be accessed via a Control Method.
If a SystemMemory entry is present, then the kernel's ACPI driver will
auto-ioremap the region so that it can be accessed at will. However, the
ACPI spec doesn't provide a way to enumerate the memory type of
SystemMemory regions, i.e. there's no way to tell software that a region
must be mapped as UC vs. WB, etc. As a result, Linux's ACPI driver always
maps SystemMemory regions using ioremap_cache(), i.e. as WB on x86.
The dedicated device drivers however, e.g. the HPET driver and TPM driver,
want to map their associated memory as UC or WC, as accessing PCI devices
using WB is unsupported.
On bare metal and non-CoCO, the conflicting requirements "work" as firmware
configures the PCI hole (and other device memory) to be UC in the MTRRs.
So even though the ACPI mappings request WB, they are forced to UC- in the
kernel's tracking due to the kernel properly handling the MTRR overrides,
and thus are compatible with the drivers' requested WC/UC-.
With force WB MTRRs on SNP and TDX guests, the ACPI mappings get their
requested WB if the ACPI mappings are established before the dedicated
driver code attempts to initialize the device. E.g. if acpi_init()
runs before the corresponding device driver is probed, ACPI's WB mapping
will "win", and result in the driver's ioremap() failing because the
existing WB mapping isn't compatible with the requested WC/UC-.
E.g. when a TPM is emulated by the hypervisor (ignoring the security
implications of relying on what is allegedly an untrusted entity to store
measurements), the TPM driver will request UC and fail:
[ 1.730459] ioremap error for 0xfed40000-0xfed45000, requested 0x2, got 0x0
[ 1.732780] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -12
Note, the '0x2' and '0x0' values refer to "enum page_cache_mode", not x86's
memtypes (which frustratingly are an almost pure inversion; 2 == WB, 0 == UC).
E.g. tracing mapping requests for TPM TIS yields:
Mapping TPM TIS with req_type = 0
WARNING: CPU: 22 PID: 1 at arch/x86/mm/pat/memtype.c:530 memtype_reserve+0x2ab/0x460
Modules linked in:
CPU: 22 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.16.0-rc7+ #2 VOLUNTARY
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/29/2025
RIP: 0010:memtype_reserve+0x2ab/0x460
__ioremap_caller+0x16d/0x3d0
ioremap_cache+0x17/0x30
x86_acpi_os_ioremap+0xe/0x20
acpi_os_map_iomem+0x1f3/0x240
acpi_os_map_memory+0xe/0x20
acpi_ex_system_memory_space_handler+0x273/0x440
acpi_ev_address_space_dispatch+0x176/0x4c0
acpi_ex_access_region+0x2ad/0x530
acpi_ex_field_datum_io+0xa2/0x4f0
acpi_ex_extract_from_field+0x296/0x3e0
acpi_ex_read_data_from_field+0xd1/0x460
acpi_ex_resolve_node_to_value+0x2ee/0x530
acpi_ex_resolve_to_value+0x1f2/0x540
acpi_ds_evaluate_name_path+0x11b/0x190
acpi_ds_exec_end_op+0x456/0x960
acpi_ps_parse_loop+0x27a/0xa50
acpi_ps_parse_aml+0x226/0x600
acpi_ps_execute_method+0x172/0x3e0
acpi_ns_evaluate+0x175/0x5f0
acpi_evaluate_object+0x213/0x490
acpi_evaluate_integer+0x6d/0x140
acpi_bus_get_status+0x93/0x150
acpi_add_single_object+0x43a/0x7c0
acpi_bus_check_add+0x149/0x3a0
acpi_bus_check_add_1+0x16/0x30
acpi_ns_walk_namespace+0x22c/0x360
acpi_walk_namespace+0x15c/0x170
acpi_bus_scan+0x1dd/0x200
acpi_scan_init+0xe5/0x2b0
acpi_init+0x264/0x5b0
do_one_initcall+0x5a/0x310
kernel_init_freeable+0x34f/0x4f0
kernel_init+0x1b/0x200
ret_from_fork+0x186/0x1b0
ret_from_fork_asm+0x1a/0x30
</TASK>
The above traces are from a Google-VMM based VM, but the same behavior
happens with a QEMU based VM that is modified to add a SystemMemory range
for the TPM TIS address space.
The only reason this doesn't cause problems for HPET, which appears to
require a SystemMemory region, is because HPET gets special treatment via
x86_init.timers.timer_init(), and so gets a chance to create its UC-
mapping before acpi_init() clobbers things. Disabling the early call to
hpet_time_init() yields the same behavior for HPET:
[ 0.318264] ioremap error for 0xfed00000-0xfed01000, requested 0x2, got 0x0
Hack around the ACPI gap by forcing the legacy PCI hole to UC when
overriding the (virtual) MTRRs for CoCo guest, so that ioremap handling
of MTRRs naturally kicks in and forces the ACPI mappings to be UC.
Note, the requested/mapped memtype doesn't actually matter in terms of
accessing the device. In practically every setup, legacy PCI devices are
emulated by the hypervisor, and accesses are intercepted and handled as
emulated MMIO, i.e. never access physical memory and thus don't have an
effective memtype.
Even in a theoretical setup where such devices are passed through by the
host, i.e. point at real MMIO memory, it is KVM's (as the hypervisor)
responsibility to force the memory to be WC/UC, e.g. via EPT memtype
under TDX or real hardware MTRRs under SNP. Not doing so cannot work,
and the hypervisor is highly motivated to do the right thing as letting
the guest access hardware MMIO with WB would likely result in a variety
of fatal #MCs.
In other words, forcing the range to be UC is all about coercing the
kernel's tracking into thinking that it has established UC mappings, so
that the ioremap code doesn't reject mappings from e.g. the TPM driver and
thus prevent the driver from loading and the device from functioning.
Note #2, relying on guest firmware to handle this scenario, e.g. by setting
virtual MTRRs and then consuming them in Linux, is not a viable option, as
the virtual MTRR state is managed by the untrusted hypervisor, and because
OVMF at least has stopped programming virtual MTRRs when running as a TDX
guest.
Link: https://lore.kernel.org/all/8137d98e-8825-415b-9282-1d2a115bb51a@linux.intel.com
Fixes: 8e690b817e38 ("x86/kvm: Override default caching mode for SEV-SNP and TDX")
Cc: stable@vger.kernel.org
Cc: Peter Gonda <pgonda@google.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jürgen Groß <jgross@suse.com>
Cc: Korakit Seemakhupt <korakit@google.com>
Cc: Jianxiong Gao <jxgao@google.com>
Cc: Nikolay Borisov <nik.borisov@suse.com>
Suggested-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Tested-by: Korakit Seemakhupt <korakit@google.com>
Link: https://lore.kernel.org/r/20250828005249.39339-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/kvm.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -933,6 +933,19 @@ static void kvm_sev_hc_page_enc_status(u
static void __init kvm_init_platform(void)
{
+ u64 tolud = PFN_PHYS(e820__end_of_low_ram_pfn());
+ /*
+ * Note, hardware requires variable MTRR ranges to be power-of-2 sized
+ * and naturally aligned. But when forcing guest MTRR state, Linux
+ * doesn't program the forced ranges into hardware. Don't bother doing
+ * the math to generate a technically-legal range.
+ */
+ struct mtrr_var_range pci_hole = {
+ .base_lo = tolud | X86_MEMTYPE_UC,
+ .mask_lo = (u32)(~(SZ_4G - tolud - 1)) | MTRR_PHYSMASK_V,
+ .mask_hi = (BIT_ULL(boot_cpu_data.x86_phys_bits) - 1) >> 32,
+ };
+
if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT) &&
kvm_para_has_feature(KVM_FEATURE_MIGRATION_CONTROL)) {
unsigned long nr_pages;
@@ -982,8 +995,12 @@ static void __init kvm_init_platform(voi
kvmclock_init();
x86_platform.apic_post_init = kvm_apic_init;
- /* Set WB as the default cache mode for SEV-SNP and TDX */
- guest_force_mtrr_state(NULL, 0, MTRR_TYPE_WRBACK);
+ /*
+ * Set WB as the default cache mode for SEV-SNP and TDX, with a single
+ * UC range for the legacy PCI hole, e.g. so that devices that expect
+ * to get UC/WC mappings don't get surprised with WB.
+ */
+ guest_force_mtrr_state(&pci_hole, 1, MTRR_TYPE_WRBACK);
}
#if defined(CONFIG_AMD_MEM_ENCRYPT)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 158/371] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 157/371] x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 159/371] KVM: TDX: Fix uninitialized error code for __tdx_bringup() Greg Kroah-Hartman
` (225 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lai Jiangshan, Hou Wenlong,
Xiaoyao Li, Sean Christopherson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hou Wenlong <houwenlong.hwl@antgroup.com>
commit 29da8c823abffdacb71c7c07ec48fcf9eb38757c upstream.
Prior to running an SEV-ES guest, set TSC_AUX in the host save area to the
current value in hardware, as tracked by the user return infrastructure,
instead of always loading the host's desired value for the CPU. If the
pCPU is also running a non-SEV-ES vCPU, loading the host's value on #VMEXIT
could clobber the other vCPU's value, e.g. if the SEV-ES vCPU preempted
the non-SEV-ES vCPU, in which case KVM expects the other vCPU's TSC_AUX
value to be resident in hardware.
Note, unlike TDX, which blindly _zeroes_ TSC_AUX on TD-Exit, SEV-ES CPUs
can load an arbitrary value. Stuff the current value in the host save
area instead of refreshing the user return cache so that KVM doesn't need
to track whether or not the vCPU actually enterred the guest and thus
loaded TSC_AUX from the host save area.
Opportunistically tag tsc_aux_uret_slot as read-only after init to guard
against unexpected modifications, and to make it obvious that using the
variable in sev_es_prepare_switch_to_guest() is safe.
Fixes: 916e3e5f26ab ("KVM: SVM: Do not use user return MSR support for virtualized TSC_AUX")
Cc: stable@vger.kernel.org
Suggested-by: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Signed-off-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
[sean: handle the SEV-ES case in sev_es_prepare_switch_to_guest()]
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20250923153738.1875174-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/sev.c | 10 ++++++++++
arch/x86/kvm/svm/svm.c | 25 ++++++-------------------
arch/x86/kvm/svm/svm.h | 2 ++
3 files changed, 18 insertions(+), 19 deletions(-)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4618,6 +4618,16 @@ void sev_es_prepare_switch_to_guest(stru
hostsa->dr2_addr_mask = amd_get_dr_addr_mask(2);
hostsa->dr3_addr_mask = amd_get_dr_addr_mask(3);
}
+
+ /*
+ * TSC_AUX is always virtualized for SEV-ES guests when the feature is
+ * available, i.e. TSC_AUX is loaded on #VMEXIT from the host save area.
+ * Set the save area to the current hardware value, i.e. the current
+ * user return value, so that the correct value is restored on #VMEXIT.
+ */
+ if (cpu_feature_enabled(X86_FEATURE_V_TSC_AUX) &&
+ !WARN_ON_ONCE(tsc_aux_uret_slot < 0))
+ hostsa->tsc_aux = kvm_get_user_return_msr(tsc_aux_uret_slot);
}
void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -195,7 +195,7 @@ static DEFINE_MUTEX(vmcb_dump_mutex);
* RDTSCP and RDPID are not used in the kernel, specifically to allow KVM to
* defer the restoration of TSC_AUX until the CPU returns to userspace.
*/
-static int tsc_aux_uret_slot __read_mostly = -1;
+int tsc_aux_uret_slot __ro_after_init = -1;
static int get_npt_level(void)
{
@@ -577,18 +577,6 @@ static int svm_enable_virtualization_cpu
amd_pmu_enable_virt();
- /*
- * If TSC_AUX virtualization is supported, TSC_AUX becomes a swap type
- * "B" field (see sev_es_prepare_switch_to_guest()) for SEV-ES guests.
- * Since Linux does not change the value of TSC_AUX once set, prime the
- * TSC_AUX field now to avoid a RDMSR on every vCPU run.
- */
- if (boot_cpu_has(X86_FEATURE_V_TSC_AUX)) {
- u32 __maybe_unused msr_hi;
-
- rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi);
- }
-
return 0;
}
@@ -1423,10 +1411,10 @@ static void svm_prepare_switch_to_guest(
__svm_write_tsc_multiplier(vcpu->arch.tsc_scaling_ratio);
/*
- * TSC_AUX is always virtualized for SEV-ES guests when the feature is
- * available. The user return MSR support is not required in this case
- * because TSC_AUX is restored on #VMEXIT from the host save area
- * (which has been initialized in svm_enable_virtualization_cpu()).
+ * TSC_AUX is always virtualized (context switched by hardware) for
+ * SEV-ES guests when the feature is available. For non-SEV-ES guests,
+ * context switch TSC_AUX via the user_return MSR infrastructure (not
+ * all CPUs support TSC_AUX virtualization).
*/
if (likely(tsc_aux_uret_slot >= 0) &&
(!boot_cpu_has(X86_FEATURE_V_TSC_AUX) || !sev_es_guest(vcpu->kvm)))
@@ -3021,8 +3009,7 @@ static int svm_set_msr(struct kvm_vcpu *
* TSC_AUX is always virtualized for SEV-ES guests when the
* feature is available. The user return MSR support is not
* required in this case because TSC_AUX is restored on #VMEXIT
- * from the host save area (which has been initialized in
- * svm_enable_virtualization_cpu()).
+ * from the host save area.
*/
if (boot_cpu_has(X86_FEATURE_V_TSC_AUX) && sev_es_guest(vcpu->kvm))
break;
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -52,6 +52,8 @@ extern bool x2avic_enabled;
extern bool vnmi;
extern int lbrv;
+extern int tsc_aux_uret_slot __ro_after_init;
+
/*
* Clean bits in VMCB.
* VMCB_ALL_CLEAN_MASK might also need to
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 159/371] KVM: TDX: Fix uninitialized error code for __tdx_bringup()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 158/371] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 160/371] dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required Greg Kroah-Hartman
` (224 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Kai Huang,
Tony Lindgren, Sean Christopherson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony.lindgren@linux.intel.com>
commit 510c47f165f0c1f0b57329a30a9a797795519831 upstream.
Fix a Smatch static checker warning reported by Dan:
arch/x86/kvm/vmx/tdx.c:3464 __tdx_bringup()
warn: missing error code 'r'
Initialize r to -EINVAL before tdx_get_sysinfo() to simplify the code and
to prevent similar issues from sneaking in later on as suggested by Kai.
Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 61bb28279623 ("KVM: TDX: Get system-wide info about TDX module on initialization")
Suggested-by: Kai Huang <kai.huang@intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Signed-off-by: Tony Lindgren <tony.lindgren@linux.intel.com>
Link: https://lore.kernel.org/r/20250918053226.802204-1-tony.lindgren@linux.intel.com
[sean: tag for stable]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/tdx.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -3457,12 +3457,11 @@ static int __init __tdx_bringup(void)
if (r)
goto tdx_bringup_err;
+ r = -EINVAL;
/* Get TDX global information for later use */
tdx_sysinfo = tdx_get_sysinfo();
- if (WARN_ON_ONCE(!tdx_sysinfo)) {
- r = -EINVAL;
+ if (WARN_ON_ONCE(!tdx_sysinfo))
goto get_sysinfo_err;
- }
/* Check TDX module and KVM capabilities */
if (!tdx_get_supported_attrs(&tdx_sysinfo->td_conf) ||
@@ -3505,14 +3504,11 @@ static int __init __tdx_bringup(void)
if (td_conf->max_vcpus_per_td < num_present_cpus()) {
pr_err("Disable TDX: MAX_VCPU_PER_TD (%u) smaller than number of logical CPUs (%u).\n",
td_conf->max_vcpus_per_td, num_present_cpus());
- r = -EINVAL;
goto get_sysinfo_err;
}
- if (misc_cg_set_capacity(MISC_CG_RES_TDX, tdx_get_nr_guest_keyids())) {
- r = -EINVAL;
+ if (misc_cg_set_capacity(MISC_CG_RES_TDX, tdx_get_nr_guest_keyids()))
goto get_sysinfo_err;
- }
/*
* Leave hardware virtualization enabled after TDX is enabled
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 160/371] dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 159/371] KVM: TDX: Fix uninitialized error code for __tdx_bringup() Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 161/371] xen: take system_transition_mutex on suspend Greg Kroah-Hartman
` (223 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Krzysztof Kozlowski,
Michael Riesch, Vinod Koul
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Riesch <michael.riesch@collabora.com>
commit c254815b02673cc77a84103c4c0d6197bd90c0ef upstream.
There are variants of the Rockchip Innosilicon CSI DPHY (e.g., the RK3568
variant) that are powered on by default as they are part of the ALIVE power
domain.
Remove 'power-domains' from the required properties in order to avoid false
positives.
Fixes: 22c8e0a69b7f ("dt-bindings: phy: add compatible for rk356x to rockchip-inno-csi-dphy")
Cc: stable@kernel.org
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Michael Riesch <michael.riesch@collabora.com>
Link: https://lore.kernel.org/r/20250616-rk3588-csi-dphy-v4-2-a4f340a7f0cf@collabora.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/phy/rockchip-inno-csi-dphy.yaml | 15 +++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/phy/rockchip-inno-csi-dphy.yaml
+++ b/Documentation/devicetree/bindings/phy/rockchip-inno-csi-dphy.yaml
@@ -57,11 +57,24 @@ required:
- clocks
- clock-names
- '#phy-cells'
- - power-domains
- resets
- reset-names
- rockchip,grf
+allOf:
+ - if:
+ properties:
+ compatible:
+ contains:
+ enum:
+ - rockchip,px30-csi-dphy
+ - rockchip,rk1808-csi-dphy
+ - rockchip,rk3326-csi-dphy
+ - rockchip,rk3368-csi-dphy
+ then:
+ required:
+ - power-domains
+
additionalProperties: false
examples:
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 161/371] xen: take system_transition_mutex on suspend
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 160/371] dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 162/371] xen/events: Cleanup find_virq() return codes Greg Kroah-Hartman
` (222 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jürgen Groß,
Marek Marczykowski-Górecki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
commit 9d52b0b41be5b932a0a929c10038f1bb04af4ca5 upstream.
Xen's do_suspend() calls dpm_suspend_start() without taking required
system_transition_mutex. Since 12ffc3b1513eb moved the
pm_restrict_gfp_mask() call, not taking that mutex results in a WARN.
Take the mutex in do_suspend(), and use mutex_trylock() to follow
how enter_state() does this.
Suggested-by: Jürgen Groß <jgross@suse.com>
Fixes: 12ffc3b1513eb "PM: Restrict swap use to later in the suspend sequence"
Link: https://lore.kernel.org/xen-devel/aKiBJeqsYx_4Top5@mail-itl/
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Cc: stable@vger.kernel.org # v6.16+
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250921162853.223116-1-marmarek@invisiblethingslab.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/manage.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/xen/manage.c
+++ b/drivers/xen/manage.c
@@ -11,6 +11,7 @@
#include <linux/reboot.h>
#include <linux/sysrq.h>
#include <linux/stop_machine.h>
+#include <linux/suspend.h>
#include <linux/freezer.h>
#include <linux/syscore_ops.h>
#include <linux/export.h>
@@ -95,10 +96,16 @@ static void do_suspend(void)
shutting_down = SHUTDOWN_SUSPEND;
+ if (!mutex_trylock(&system_transition_mutex))
+ {
+ pr_err("%s: failed to take system_transition_mutex\n", __func__);
+ goto out;
+ }
+
err = freeze_processes();
if (err) {
pr_err("%s: freeze processes failed %d\n", __func__, err);
- goto out;
+ goto out_unlock;
}
err = freeze_kernel_threads();
@@ -154,6 +161,8 @@ out_resume:
out_thaw:
thaw_processes();
+out_unlock:
+ mutex_unlock(&system_transition_mutex);
out:
shutting_down = SHUTDOWN_INVALID;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 162/371] xen/events: Cleanup find_virq() return codes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 161/371] xen: take system_transition_mutex on suspend Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 163/371] xen/manage: Fix suspend error path Greg Kroah-Hartman
` (221 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Jan Beulich,
Juergen Gross
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Andryuk <jason.andryuk@amd.com>
commit 08df2d7dd4ab2db8a172d824cda7872d5eca460a upstream.
rc is overwritten by the evtchn_status hypercall in each iteration, so
the return value will be whatever the last iteration is. This could
incorrectly return success even if the event channel was not found.
Change to an explicit -ENOENT for an un-found virq and return 0 on a
successful match.
Fixes: 62cc5fc7b2e0 ("xen/pv-on-hvm kexec: rebind virqs to existing eventchannel ports")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250828003604.8949-2-jason.andryuk@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/events/events_base.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1318,10 +1318,11 @@ static int find_virq(unsigned int virq,
{
struct evtchn_status status;
evtchn_port_t port;
- int rc = -ENOENT;
memset(&status, 0, sizeof(status));
for (port = 0; port < xen_evtchn_max_channels(); port++) {
+ int rc;
+
status.dom = DOMID_SELF;
status.port = port;
rc = HYPERVISOR_event_channel_op(EVTCHNOP_status, &status);
@@ -1331,10 +1332,10 @@ static int find_virq(unsigned int virq,
continue;
if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) {
*evtchn = port;
- break;
+ return 0;
}
}
- return rc;
+ return -ENOENT;
}
/**
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 163/371] xen/manage: Fix suspend error path
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 162/371] xen/events: Cleanup find_virq() return codes Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 164/371] xen/events: Return -EEXIST for bound VIRQs Greg Kroah-Hartman
` (220 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner,
Rafael J. Wysocki (Intel), Juergen Gross
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit f770c3d858687252f1270265ba152d5c622e793f upstream.
The device power management API has the following asymmetry:
* dpm_suspend_start() does not clean up on failure
(it requires a call to dpm_resume_end())
* dpm_suspend_end() does clean up on failure
(it does not require a call to dpm_resume_start())
The asymmetry was introduced by commit d8f3de0d2412 ("Suspend-related
patches for 2.6.27") in June 2008: It removed a call to device_resume()
from device_suspend() (which was later renamed to dpm_suspend_start()).
When Xen began using the device power management API in May 2008 with
commit 0e91398f2a5d ("xen: implement save/restore"), the asymmetry did
not yet exist. But since it was introduced, a call to dpm_resume_end()
is missing in the error path of dpm_suspend_start(). Fix it.
Fixes: d8f3de0d2412 ("Suspend-related patches for 2.6.27")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v2.6.27
Reviewed-by: "Rafael J. Wysocki (Intel)" <rafael@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <22453676d1ddcebbe81641bb68ddf587fee7e21e.1756990799.git.lukas@wunner.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/manage.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/xen/manage.c
+++ b/drivers/xen/manage.c
@@ -117,7 +117,7 @@ static void do_suspend(void)
err = dpm_suspend_start(PMSG_FREEZE);
if (err) {
pr_err("%s: dpm_suspend_start %d\n", __func__, err);
- goto out_thaw;
+ goto out_resume_end;
}
printk(KERN_DEBUG "suspending xenstore...\n");
@@ -157,6 +157,7 @@ out_resume:
else
xs_suspend_cancel();
+out_resume_end:
dpm_resume_end(si.cancelled ? PMSG_THAW : PMSG_RESTORE);
out_thaw:
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 164/371] xen/events: Return -EEXIST for bound VIRQs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 163/371] xen/manage: Fix suspend error path Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 165/371] xen/events: Update virq_to_irq on migration Greg Kroah-Hartman
` (219 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Juergen Gross
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Andryuk <jason.andryuk@amd.com>
commit 07ce121d93a5e5fb2440a24da3dbf408fcee978e upstream.
Change find_virq() to return -EEXIST when a VIRQ is bound to a
different CPU than the one passed in. With that, remove the BUG_ON()
from bind_virq_to_irq() to propogate the error upwards.
Some VIRQs are per-cpu, but others are per-domain or global. Those must
be bound to CPU0 and can then migrate elsewhere. The lookup for
per-domain and global will probably fail when migrated off CPU 0,
especially when the current CPU is tracked. This now returns -EEXIST
instead of BUG_ON().
A second call to bind a per-domain or global VIRQ is not expected, but
make it non-fatal to avoid trying to look up the irq, since we don't
know which per_cpu(virq_to_irq) it will be in.
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250828003604.8949-3-jason.andryuk@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/events/events_base.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1314,10 +1314,12 @@ int bind_interdomain_evtchn_to_irq_latee
}
EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi);
-static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn)
+static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn,
+ bool percpu)
{
struct evtchn_status status;
evtchn_port_t port;
+ bool exists = false;
memset(&status, 0, sizeof(status));
for (port = 0; port < xen_evtchn_max_channels(); port++) {
@@ -1330,12 +1332,16 @@ static int find_virq(unsigned int virq,
continue;
if (status.status != EVTCHNSTAT_virq)
continue;
- if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) {
+ if (status.u.virq != virq)
+ continue;
+ if (status.vcpu == xen_vcpu_nr(cpu)) {
*evtchn = port;
return 0;
+ } else if (!percpu) {
+ exists = true;
}
}
- return -ENOENT;
+ return exists ? -EEXIST : -ENOENT;
}
/**
@@ -1382,8 +1388,11 @@ int bind_virq_to_irq(unsigned int virq,
evtchn = bind_virq.port;
else {
if (ret == -EEXIST)
- ret = find_virq(virq, cpu, &evtchn);
- BUG_ON(ret < 0);
+ ret = find_virq(virq, cpu, &evtchn, percpu);
+ if (ret) {
+ __unbind_from_irq(info, info->irq);
+ goto out;
+ }
}
ret = xen_irq_info_virq_setup(info, cpu, evtchn, virq);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 165/371] xen/events: Update virq_to_irq on migration
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 164/371] xen/events: Return -EEXIST for bound VIRQs Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 166/371] firmware: exynos-acpm: fix PMIC returned errno Greg Kroah-Hartman
` (218 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Juergen Gross
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Andryuk <jason.andryuk@amd.com>
commit 3fcc8e146935415d69ffabb5df40ecf50e106131 upstream.
VIRQs come in 3 flavors, per-VPU, per-domain, and global, and the VIRQs
are tracked in per-cpu virq_to_irq arrays.
Per-domain and global VIRQs must be bound on CPU 0, and
bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time
Later, the interrupt can migrate, and info->cpu is updated. When
calling __unbind_from_irq(), the per-cpu virq_to_irq is cleared for a
different cpu. If bind_virq_to_irq() is called again with CPU 0, the
stale irq is returned. There won't be any irq_info for the irq, so
things break.
Make xen_rebind_evtchn_to_cpu() update the per_cpu virq_to_irq mappings
to keep them update to date with the current cpu. This ensures the
correct virq_to_irq is cleared in __unbind_from_irq().
Fixes: e46cdb66c8fc ("xen: event channels")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250828003604.8949-4-jason.andryuk@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/events/events_base.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1797,9 +1797,20 @@ static int xen_rebind_evtchn_to_cpu(stru
* virq or IPI channel, which don't actually need to be rebound. Ignore
* it, but don't do the xenlinux-level rebind in that case.
*/
- if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0)
+ if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) {
+ int old_cpu = info->cpu;
+
bind_evtchn_to_cpu(info, tcpu, false);
+ if (info->type == IRQT_VIRQ) {
+ int virq = info->u.virq;
+ int irq = per_cpu(virq_to_irq, old_cpu)[virq];
+
+ per_cpu(virq_to_irq, old_cpu)[virq] = -1;
+ per_cpu(virq_to_irq, tcpu)[virq] = irq;
+ }
+ }
+
do_unmask(info, EVT_MASK_REASON_TEMPORARY);
return 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 166/371] firmware: exynos-acpm: fix PMIC returned errno
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 165/371] xen/events: Update virq_to_irq on migration Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 167/371] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
` (217 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Tudor Ambarus,
Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
commit 1da4cbefed4a2e69ebad81fc9b356cd9b807f380 upstream.
ACPM PMIC command handlers returned a u8 value when they should
have returned either zero or negative error codes.
Translate the APM PMIC errno to linux errno.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-input/aElHlTApXj-W_o1r@stanley.mountain/
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Cc: stable@vger.kernel.org
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/samsung/exynos-acpm-pmic.c | 25 ++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/drivers/firmware/samsung/exynos-acpm-pmic.c b/drivers/firmware/samsung/exynos-acpm-pmic.c
index 39b33a356ebd..961d7599e422 100644
--- a/drivers/firmware/samsung/exynos-acpm-pmic.c
+++ b/drivers/firmware/samsung/exynos-acpm-pmic.c
@@ -4,7 +4,9 @@
* Copyright 2020 Google LLC.
* Copyright 2024 Linaro Ltd.
*/
+#include <linux/array_size.h>
#include <linux/bitfield.h>
+#include <linux/errno.h>
#include <linux/firmware/samsung/exynos-acpm-protocol.h>
#include <linux/ktime.h>
#include <linux/types.h>
@@ -33,6 +35,19 @@ enum exynos_acpm_pmic_func {
ACPM_PMIC_BULK_WRITE,
};
+static const int acpm_pmic_linux_errmap[] = {
+ [0] = 0, /* ACPM_PMIC_SUCCESS */
+ [1] = -EACCES, /* Read register can't be accessed or issues to access it. */
+ [2] = -EACCES, /* Write register can't be accessed or issues to access it. */
+};
+
+static int acpm_pmic_to_linux_err(int err)
+{
+ if (err >= 0 && err < ARRAY_SIZE(acpm_pmic_linux_errmap))
+ return acpm_pmic_linux_errmap[err];
+ return -EIO;
+}
+
static inline u32 acpm_pmic_set_bulk(u32 data, unsigned int i)
{
return (data & ACPM_PMIC_BULK_MASK) << (ACPM_PMIC_BULK_SHIFT * i);
@@ -79,7 +94,7 @@ int acpm_pmic_read_reg(const struct acpm_handle *handle,
*buf = FIELD_GET(ACPM_PMIC_VALUE, xfer.rxd[1]);
- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]);
+ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]));
}
static void acpm_pmic_init_bulk_read_cmd(u32 cmd[4], u8 type, u8 reg, u8 chan,
@@ -110,7 +125,7 @@ int acpm_pmic_bulk_read(const struct acpm_handle *handle,
if (ret)
return ret;
- ret = FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]);
+ ret = acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]));
if (ret)
return ret;
@@ -150,7 +165,7 @@ int acpm_pmic_write_reg(const struct acpm_handle *handle,
if (ret)
return ret;
- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]);
+ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]));
}
static void acpm_pmic_init_bulk_write_cmd(u32 cmd[4], u8 type, u8 reg, u8 chan,
@@ -190,7 +205,7 @@ int acpm_pmic_bulk_write(const struct acpm_handle *handle,
if (ret)
return ret;
- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]);
+ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]));
}
static void acpm_pmic_init_update_cmd(u32 cmd[4], u8 type, u8 reg, u8 chan,
@@ -220,5 +235,5 @@ int acpm_pmic_update_reg(const struct acpm_handle *handle,
if (ret)
return ret;
- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]);
+ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]));
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 167/371] firmware: meson_sm: fix device leak at probe
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 166/371] firmware: exynos-acpm: fix PMIC returned errno Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 168/371] media: cec: extron-da-hd-4k-plus: drop external-module make commands Greg Kroah-Hartman
` (216 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlo Caione, Johan Hovold,
Martin Blumenstingl, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8ece3173f87df03935906d0c612c2aeda9db92ca upstream.
Make sure to drop the reference to the secure monitor device taken by
of_find_device_by_node() when looking up its driver data on behalf of
other drivers (e.g. during probe).
Note that holding a reference to the platform device does not prevent
its driver data from going away so there is no point in keeping the
reference after the helper returns.
Fixes: 8cde3c2153e8 ("firmware: meson_sm: Rework driver as a proper platform driver")
Cc: stable@vger.kernel.org # 5.5
Cc: Carlo Caione <ccaione@baylibre.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20250725074019.8765-1-johan@kernel.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/meson/meson_sm.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/firmware/meson/meson_sm.c
+++ b/drivers/firmware/meson/meson_sm.c
@@ -232,11 +232,16 @@ EXPORT_SYMBOL(meson_sm_call_write);
struct meson_sm_firmware *meson_sm_get(struct device_node *sm_node)
{
struct platform_device *pdev = of_find_device_by_node(sm_node);
+ struct meson_sm_firmware *fw;
if (!pdev)
return NULL;
- return platform_get_drvdata(pdev);
+ fw = platform_get_drvdata(pdev);
+
+ put_device(&pdev->dev);
+
+ return fw;
}
EXPORT_SYMBOL_GPL(meson_sm_get);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 168/371] media: cec: extron-da-hd-4k-plus: drop external-module make commands
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 167/371] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 169/371] media: cx18: Add missing check after DMA map Greg Kroah-Hartman
` (215 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
commit d5d12cc03e501c38925e544abe44d5bfe23dc930 upstream.
Delete the external-module style Makefile commands. They are not needed
for in-tree modules.
This is the only Makefile in the kernel tree (aside from tools/ and
samples/) that uses this Makefile style.
The same files are built with or without this patch.
Fixes: 056f2821b631 ("media: cec: extron-da-hd-4k-plus: add the Extron DA HD 4K Plus CEC driver")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile
+++ b/drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile
@@ -1,8 +1,2 @@
extron-da-hd-4k-plus-cec-objs := extron-da-hd-4k-plus.o cec-splitter.o
obj-$(CONFIG_USB_EXTRON_DA_HD_4K_PLUS_CEC) := extron-da-hd-4k-plus-cec.o
-
-all:
- $(MAKE) -C $(KDIR) M=$(shell pwd) modules
-
-install:
- $(MAKE) -C $(KDIR) M=$(shell pwd) modules_install
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 169/371] media: cx18: Add missing check after DMA map
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 168/371] media: cec: extron-da-hd-4k-plus: drop external-module make commands Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 170/371] media: i2c: mt9p031: fix mbus code initialization Greg Kroah-Hartman
` (214 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 23b53639a793477326fd57ed103823a8ab63084f upstream.
The DMA map functions can fail and should be tested for errors.
If the mapping fails, dealloc buffers, and return.
Fixes: 1c1e45d17b66 ("V4L/DVB (7786): cx18: new driver for the Conexant CX23418 MPEG encoder chip")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/cx18/cx18-queue.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/drivers/media/pci/cx18/cx18-queue.c
+++ b/drivers/media/pci/cx18/cx18-queue.c
@@ -379,15 +379,22 @@ int cx18_stream_alloc(struct cx18_stream
break;
}
+ buf->dma_handle = dma_map_single(&s->cx->pci_dev->dev,
+ buf->buf, s->buf_size,
+ s->dma);
+ if (dma_mapping_error(&s->cx->pci_dev->dev, buf->dma_handle)) {
+ kfree(buf->buf);
+ kfree(mdl);
+ kfree(buf);
+ break;
+ }
+
INIT_LIST_HEAD(&mdl->list);
INIT_LIST_HEAD(&mdl->buf_list);
mdl->id = s->mdl_base_idx; /* a somewhat safe value */
cx18_enqueue(s, mdl, &s->q_idle);
INIT_LIST_HEAD(&buf->list);
- buf->dma_handle = dma_map_single(&s->cx->pci_dev->dev,
- buf->buf, s->buf_size,
- s->dma);
cx18_buf_sync_for_cpu(s, buf);
list_add_tail(&buf->list, &s->buf_pool);
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 170/371] media: i2c: mt9p031: fix mbus code initialization
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 169/371] media: cx18: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 171/371] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
` (213 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil+cisco@kernel.org>
commit 075710b670d96cf9edca1894abecba7402fe4f34 upstream.
The mediabus code is device dependent, but the probe() function
thought that device_get_match_data() would return the code directly,
when in fact it returned a pointer to a struct mt9p031_model_info.
As a result, the initial mbus code was garbage.
Tested with a BeagleBoard xM and a Leopard Imaging LI-5M03 sensor board.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Tested-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Fixes: a80b1bbff88b ("media: mt9p031: Refactor format handling for different sensor models")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/mt9p031.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/i2c/mt9p031.c
+++ b/drivers/media/i2c/mt9p031.c
@@ -1092,6 +1092,7 @@ static int mt9p031_parse_properties(stru
static int mt9p031_probe(struct i2c_client *client)
{
struct i2c_adapter *adapter = client->adapter;
+ const struct mt9p031_model_info *info;
struct mt9p031 *mt9p031;
unsigned int i;
int ret;
@@ -1112,7 +1113,8 @@ static int mt9p031_probe(struct i2c_clie
mt9p031->output_control = MT9P031_OUTPUT_CONTROL_DEF;
mt9p031->mode2 = MT9P031_READ_MODE_2_ROW_BLC;
- mt9p031->code = (uintptr_t)device_get_match_data(&client->dev);
+ info = device_get_match_data(&client->dev);
+ mt9p031->code = info->code;
mt9p031->regulators[0].supply = "vdd";
mt9p031->regulators[1].supply = "vdd_io";
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 171/371] media: i2c: mt9v111: fix incorrect type for ret
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 170/371] media: i2c: mt9p031: fix mbus code initialization Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 172/371] media: mc: Fix MUST_CONNECT handling for pads with no links Greg Kroah-Hartman
` (212 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Jacopo Mondi,
Sakari Ailus, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianfeng Rong <rongqianfeng@vivo.com>
commit bacd713145443dce7764bb2967d30832a95e5ec8 upstream.
Change "ret" from unsigned int to int type in mt9v111_calc_frame_rate()
to store negative error codes or zero returned by __mt9v111_hw_reset()
and other functions.
Storing the negative error codes in unsigned type, doesn't cause an issue
at runtime but it's ugly as pants.
No effect on runtime.
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Fixes: aab7ed1c3927 ("media: i2c: Add driver for Aptina MT9V111")
Cc: stable@vger.kernel.org
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/mt9v111.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/mt9v111.c
+++ b/drivers/media/i2c/mt9v111.c
@@ -532,8 +532,8 @@ static int mt9v111_calc_frame_rate(struc
static int mt9v111_hw_config(struct mt9v111_dev *mt9v111)
{
struct i2c_client *c = mt9v111->client;
- unsigned int ret;
u16 outfmtctrl2;
+ int ret;
/* Force device reset. */
ret = __mt9v111_hw_reset(mt9v111);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 172/371] media: mc: Fix MUST_CONNECT handling for pads with no links
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 171/371] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 173/371] media: pci: ivtv: Add missing check after DMA map Greg Kroah-Hartman
` (211 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Kepplinger-Novaković,
Maud Spierings, Laurent Pinchart, Sakari Ailus, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
commit eec81250219a209b863f11d02128ec1dd8e20877 upstream.
Commit b3decc5ce7d7 ("media: mc: Expand MUST_CONNECT flag to always
require an enabled link") expanded the meaning of the MUST_CONNECT flag
to require an enabled link in all cases. To do so, the link exploration
code was expanded to cover unconnected pads, in order to reject those
that have the MUST_CONNECT flag set. The implementation was however
incorrect, ignoring unconnected pads instead of ignoring connected pads.
Fix it.
Reported-by: Martin Kepplinger-Novaković <martink@posteo.de>
Closes: https://lore.kernel.org/linux-media/20250205172957.182362-1-martink@posteo.de
Reported-by: Maud Spierings <maudspierings@gocontroll.com>
Closes: https://lore.kernel.org/linux-media/20250818-imx8_isi-v1-1-e9cfe994c435@gocontroll.com
Fixes: b3decc5ce7d7 ("media: mc: Expand MUST_CONNECT flag to always require an enabled link")
Cc: stable@vger.kernel.org # 6.1
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Maud Spierings <maudspierings@gocontroll.com>
Tested-by: Martin Kepplinger-Novaković <martink@posteo.de>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/mc/mc-entity.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/mc/mc-entity.c
+++ b/drivers/media/mc/mc-entity.c
@@ -691,7 +691,7 @@ done:
* (already discovered through iterating over links) and pads
* not internally connected.
*/
- if (origin == local || !local->num_links ||
+ if (origin == local || local->num_links ||
!media_entity_has_pad_interdep(origin->entity, origin->index,
local->index))
continue;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 173/371] media: pci: ivtv: Add missing check after DMA map
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 172/371] media: mc: Fix MUST_CONNECT handling for pads with no links Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 174/371] media: pci: mg4b: fix uninitialized iio scan data Greg Kroah-Hartman
` (210 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 1069a4fe637d0e3e4c163e3f8df9be306cc299b4 upstream.
The DMA map functions can fail and should be tested for errors.
If the mapping fails, free blanking_ptr and set it to 0. As 0 is a
valid DMA address, use blanking_ptr to test if the DMA address
is set.
Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/ivtv/ivtv-irq.c | 2 +-
drivers/media/pci/ivtv/ivtv-yuv.c | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/media/pci/ivtv/ivtv-irq.c
+++ b/drivers/media/pci/ivtv/ivtv-irq.c
@@ -351,7 +351,7 @@ void ivtv_dma_stream_dec_prepare(struct
/* Insert buffer block for YUV if needed */
if (s->type == IVTV_DEC_STREAM_TYPE_YUV && f->offset_y) {
- if (yi->blanking_dmaptr) {
+ if (yi->blanking_ptr) {
s->sg_pending[idx].src = yi->blanking_dmaptr;
s->sg_pending[idx].dst = offset;
s->sg_pending[idx].size = 720 * 16;
--- a/drivers/media/pci/ivtv/ivtv-yuv.c
+++ b/drivers/media/pci/ivtv/ivtv-yuv.c
@@ -125,7 +125,7 @@ static int ivtv_yuv_prep_user_dma(struct
ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size);
/* If we've offset the y plane, ensure top area is blanked */
- if (f->offset_y && yi->blanking_dmaptr) {
+ if (f->offset_y && yi->blanking_ptr) {
dma->SGarray[dma->SG_length].size = cpu_to_le32(720*16);
dma->SGarray[dma->SG_length].src = cpu_to_le32(yi->blanking_dmaptr);
dma->SGarray[dma->SG_length].dst = cpu_to_le32(IVTV_DECODER_OFFSET + yuv_offset[frame]);
@@ -929,6 +929,12 @@ static void ivtv_yuv_init(struct ivtv *i
yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev,
yi->blanking_ptr,
720 * 16, DMA_TO_DEVICE);
+ if (dma_mapping_error(&itv->pdev->dev, yi->blanking_dmaptr)) {
+ kfree(yi->blanking_ptr);
+ yi->blanking_ptr = NULL;
+ yi->blanking_dmaptr = 0;
+ IVTV_DEBUG_WARN("Failed to dma_map yuv blanking buffer\n");
+ }
} else {
yi->blanking_dmaptr = 0;
IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 174/371] media: pci: mg4b: fix uninitialized iio scan data
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 173/371] media: pci: ivtv: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 175/371] media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids Greg Kroah-Hartman
` (209 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Jonathan Cameron,
Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit c0d3f6969bb4d72476cfe7ea9263831f1c283704 upstream.
Fix potential leak of uninitialized stack data to userspace by ensuring
that the `scan` structure is zeroed before use.
Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
Cc: stable@vger.kernel.org
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/mgb4/mgb4_trigger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/pci/mgb4/mgb4_trigger.c
+++ b/drivers/media/pci/mgb4/mgb4_trigger.c
@@ -91,7 +91,7 @@ static irqreturn_t trigger_handler(int i
struct {
u32 data;
s64 ts __aligned(8);
- } scan;
+ } scan = { };
scan.data = mgb4_read_reg(&st->mgbdev->video, 0xA0);
mgb4_write_reg(&st->mgbdev->video, 0xA0, scan.data);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 175/371] media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 174/371] media: pci: mg4b: fix uninitialized iio scan data Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 176/371] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
` (208 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
Nicolas Dufresne, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
commit bbcc6d16dea4b5c878d56a8d25daf996c6b8a1d4 upstream.
Commit 4a81656c8eaa ("arm64: dts: mediatek: mt8188: Address binding
warnings for MDP3 nodes") caused a regression on the MDP functionality
when it removed the MT8195 compatibles from the MDP3 nodes, since the
MT8188 compatible was not yet listed as a possible MDP component
compatible in mdp_comp_dt_ids. This resulted in an empty output
bitstream when using the MDP from userspace, as well as the following
errors:
mtk-mdp3 14001000.dma-controller: Uninit component inner id 4
mtk-mdp3 14001000.dma-controller: mdp_path_ctx_init error 0
mtk-mdp3 14001000.dma-controller: CMDQ sendtask failed: -22
Add the missing compatible to the array to restore functionality.
Fixes: 4a81656c8eaa ("arm64: dts: mediatek: mt8188: Address binding warnings for MDP3 nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c
+++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c
@@ -1530,6 +1530,9 @@ static const struct of_device_id mdp_com
}, {
.compatible = "mediatek,mt8195-mdp3-tcc",
.data = (void *)MDP_COMP_TYPE_TCC,
+ }, {
+ .compatible = "mediatek,mt8188-mdp3-rdma",
+ .data = (void *)MDP_COMP_TYPE_RDMA,
},
{}
};
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 176/371] media: s5p-mfc: remove an unused/uninitialized variable
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 175/371] media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 177/371] media: staging/ipu7: fix isys device runtime PM usage in firmware closing Greg Kroah-Hartman
` (207 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c upstream.
The s5p_mfc_cmd_args structure in the v6 driver is never used, not
initialized to anything other than zero, but as of clang-21 this
causes a warning:
drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c:45:7: error: variable 'h2r_args' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
45 | &h2r_args);
| ^~~~~~~~
Just remove this for simplicity. Since the function is also called
through a callback, this does require adding a trivial wrapper with
the correct prototype.
Fixes: f96f3cfa0bb8 ("[media] s5p-mfc: Update MFC v4l2 driver to support MFC6.x")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c | 35 +++++-----------
1 file changed, 13 insertions(+), 22 deletions(-)
--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c
+++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c
@@ -14,8 +14,7 @@
#include "s5p_mfc_opr.h"
#include "s5p_mfc_cmd_v6.h"
-static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd,
- const struct s5p_mfc_cmd_args *args)
+static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd)
{
mfc_debug(2, "Issue the command: %d\n", cmd);
@@ -31,7 +30,6 @@ static int s5p_mfc_cmd_host2risc_v6(stru
static int s5p_mfc_sys_init_cmd_v6(struct s5p_mfc_dev *dev)
{
- struct s5p_mfc_cmd_args h2r_args;
const struct s5p_mfc_buf_size_v6 *buf_size = dev->variant->buf_size->priv;
int ret;
@@ -41,33 +39,23 @@ static int s5p_mfc_sys_init_cmd_v6(struc
mfc_write(dev, dev->ctx_buf.dma, S5P_FIMV_CONTEXT_MEM_ADDR_V6);
mfc_write(dev, buf_size->dev_ctx, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6,
- &h2r_args);
+ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6);
}
static int s5p_mfc_sleep_cmd_v6(struct s5p_mfc_dev *dev)
{
- struct s5p_mfc_cmd_args h2r_args;
-
- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6,
- &h2r_args);
+ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6);
}
static int s5p_mfc_wakeup_cmd_v6(struct s5p_mfc_dev *dev)
{
- struct s5p_mfc_cmd_args h2r_args;
-
- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6,
- &h2r_args);
+ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6);
}
/* Open a new instance and get its number */
static int s5p_mfc_open_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
{
struct s5p_mfc_dev *dev = ctx->dev;
- struct s5p_mfc_cmd_args h2r_args;
int codec_type;
mfc_debug(2, "Requested codec mode: %d\n", ctx->codec_mode);
@@ -129,23 +117,20 @@ static int s5p_mfc_open_inst_cmd_v6(stru
mfc_write(dev, ctx->ctx.size, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
mfc_write(dev, 0, S5P_FIMV_D_CRC_CTRL_V6); /* no crc */
- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6,
- &h2r_args);
+ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6);
}
/* Close instance */
static int s5p_mfc_close_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
{
struct s5p_mfc_dev *dev = ctx->dev;
- struct s5p_mfc_cmd_args h2r_args;
int ret = 0;
dev->curr_ctx = ctx->num;
if (ctx->state != MFCINST_FREE) {
mfc_write(dev, ctx->inst_no, S5P_FIMV_INSTANCE_ID_V6);
ret = s5p_mfc_cmd_host2risc_v6(dev,
- S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6,
- &h2r_args);
+ S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6);
} else {
ret = -EINVAL;
}
@@ -153,9 +138,15 @@ static int s5p_mfc_close_inst_cmd_v6(str
return ret;
}
+static int s5p_mfc_cmd_host2risc_v6_args(struct s5p_mfc_dev *dev, int cmd,
+ const struct s5p_mfc_cmd_args *ignored)
+{
+ return s5p_mfc_cmd_host2risc_v6(dev, cmd);
+}
+
/* Initialize cmd function pointers for MFC v6 */
static const struct s5p_mfc_hw_cmds s5p_mfc_cmds_v6 = {
- .cmd_host2risc = s5p_mfc_cmd_host2risc_v6,
+ .cmd_host2risc = s5p_mfc_cmd_host2risc_v6_args,
.sys_init_cmd = s5p_mfc_sys_init_cmd_v6,
.sleep_cmd = s5p_mfc_sleep_cmd_v6,
.wakeup_cmd = s5p_mfc_wakeup_cmd_v6,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 177/371] media: staging/ipu7: fix isys device runtime PM usage in firmware closing
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 176/371] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 178/371] media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh Greg Kroah-Hartman
` (206 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Bingbu Cao, Sakari Ailus,
Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingbu Cao <bingbu.cao@intel.com>
commit 895d3b4b5832edefd2f1fbad9d75c0179f47fe0e upstream.
The PM usage counter of isys was bumped up when start camera stream
(opening firmware) but it was not dropped after stream stop(closing
firmware), it forbids system fail to suspend due to the wrong PM state
of ISYS. This patch drop the PM usage counter in firmware close to fix
it.
Cc: Stable@vger.kernel.org
Fixes: a516d36bdc3d ("media: staging/ipu7: add IPU7 input system device driver")
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/ipu7/ipu7-isys-video.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/staging/media/ipu7/ipu7-isys-video.c
+++ b/drivers/staging/media/ipu7/ipu7-isys-video.c
@@ -946,6 +946,7 @@ void ipu7_isys_fw_close(struct ipu7_isys
ipu7_fw_isys_close(isys);
mutex_unlock(&isys->mutex);
+ pm_runtime_put(&isys->adev->auxdev.dev);
}
int ipu7_isys_setup_video(struct ipu7_isys_video *av,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 178/371] media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 177/371] media: staging/ipu7: fix isys device runtime PM usage in firmware closing Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 179/371] media: venus: firmware: Use correct reset sequence for IRIS2 Greg Kroah-Hartman
` (205 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Desnes Nunes, Laurent Pinchart,
Hans de Goede, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Desnes Nunes <desnesn@redhat.com>
commit f4da0de6b4b470a60c5c0cc4c09b0c987f9df35f upstream.
This avoids a variable loop shadowing occurring between the local loop
iterating through the uvc_entity's controls and the global one going
through the pending async controls of the file handle.
Fixes: 10acb9101355 ("media: uvcvideo: Increase/decrease the PM counter per IOCTL")
Cc: stable@vger.kernel.org
Signed-off-by: Desnes Nunes <desnesn@redhat.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -3307,7 +3307,6 @@ int uvc_ctrl_init_device(struct uvc_devi
void uvc_ctrl_cleanup_fh(struct uvc_fh *handle)
{
struct uvc_entity *entity;
- int i;
guard(mutex)(&handle->chain->ctrl_mutex);
@@ -3325,7 +3324,7 @@ void uvc_ctrl_cleanup_fh(struct uvc_fh *
if (!WARN_ON(handle->pending_async_ctrls))
return;
- for (i = 0; i < handle->pending_async_ctrls; i++)
+ for (unsigned int i = 0; i < handle->pending_async_ctrls; i++)
uvc_pm_put(handle->stream->dev);
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 179/371] media: venus: firmware: Use correct reset sequence for IRIS2
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 178/371] media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 180/371] media: venus: pm_helpers: add fallback for the opp-table Greg Kroah-Hartman
` (204 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Vikash Garodia,
Dikshita Agarwal, Bryan ODonoghue, Dmitry Baryshkov,
Bryan ODonoghue, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit 93f213b444a40f1e7a4383b499b65e782dcb14b9 upstream.
When starting venus with the "no_tz" code path, IRIS2 needs the same
boot/reset sequence as IRIS2_1. This is because most of the registers were
moved to the "wrapper_tz_base", which is already defined for both IRIS2 and
IRIS2_1 inside core.c. Add IRIS2 to the checks inside firmware.c as well to
make sure that it uses the correct reset sequence.
Both IRIS2 and IRIS2_1 are HFI v6 variants, so the correct sequence was
used before commit c38610f8981e ("media: venus: firmware: Sanitize
per-VPU-version").
Fixes: c38610f8981e ("media: venus: firmware: Sanitize per-VPU-version")
Cc: stable@vger.kernel.org
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[bod: Fixed commit log IRIS -> IRIS2]
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/firmware.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/qcom/venus/firmware.c
+++ b/drivers/media/platform/qcom/venus/firmware.c
@@ -30,7 +30,7 @@ static void venus_reset_cpu(struct venus
u32 fw_size = core->fw.mapped_mem_size;
void __iomem *wrapper_base;
- if (IS_IRIS2_1(core))
+ if (IS_IRIS2(core) || IS_IRIS2_1(core))
wrapper_base = core->wrapper_tz_base;
else
wrapper_base = core->wrapper_base;
@@ -42,7 +42,7 @@ static void venus_reset_cpu(struct venus
writel(fw_size, wrapper_base + WRAPPER_NONPIX_START_ADDR);
writel(fw_size, wrapper_base + WRAPPER_NONPIX_END_ADDR);
- if (IS_IRIS2_1(core)) {
+ if (IS_IRIS2(core) || IS_IRIS2_1(core)) {
/* Bring XTSS out of reset */
writel(0, wrapper_base + WRAPPER_TZ_XTSS_SW_RESET);
} else {
@@ -68,7 +68,7 @@ int venus_set_hw_state(struct venus_core
if (resume) {
venus_reset_cpu(core);
} else {
- if (IS_IRIS2_1(core))
+ if (IS_IRIS2(core) || IS_IRIS2_1(core))
writel(WRAPPER_XTSS_SW_RESET_BIT,
core->wrapper_tz_base + WRAPPER_TZ_XTSS_SW_RESET);
else
@@ -181,7 +181,7 @@ static int venus_shutdown_no_tz(struct v
void __iomem *wrapper_base = core->wrapper_base;
void __iomem *wrapper_tz_base = core->wrapper_tz_base;
- if (IS_IRIS2_1(core)) {
+ if (IS_IRIS2(core) || IS_IRIS2_1(core)) {
/* Assert the reset to XTSS */
reg = readl(wrapper_tz_base + WRAPPER_TZ_XTSS_SW_RESET);
reg |= WRAPPER_XTSS_SW_RESET_BIT;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 180/371] media: venus: pm_helpers: add fallback for the opp-table
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 179/371] media: venus: firmware: Use correct reset sequence for IRIS2 Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 181/371] media: vivid: fix disappearing <Vendor Command With ID> messages Greg Kroah-Hartman
` (203 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Bryan ODonoghue,
Vikash Garodia, Renjiang Han, Bryan ODonoghue, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Renjiang Han <quic_renjiang@quicinc.com>
commit afb100a5ea7a13d7e6937dcd3b36b19dc6cc9328 upstream.
Since the device trees for both HFI_VERSION_1XX and HFI_VERSION_3XX
do not include an opp-table and have not configured opp-pmdomain, they
still need to use the frequencies defined in the driver's freq_tbl.
Both core_power_v1 and core_power_v4 functions require core_clks_enable
function during POWER_ON. Therefore, in the core_clks_enable function,
if calling dev_pm_opp_find_freq_ceil to obtain the frequency fails,
it needs to fall back to the freq_tbl to retrieve the frequency.
Fixes: b179234b5e59 ("media: venus: pm_helpers: use opp-table for the frequency")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Closes: https://lore.kernel.org/linux-media/CA+G9fYu5=3n84VY+vTbCAcfFKOq7Us5vgBZgpypY4MveM=eVwg@mail.gmail.com
Signed-off-by: Renjiang Han <quic_renjiang@quicinc.com>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/pm_helpers.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/qcom/venus/pm_helpers.c
+++ b/drivers/media/platform/qcom/venus/pm_helpers.c
@@ -40,6 +40,8 @@ static int core_clks_get(struct venus_co
static int core_clks_enable(struct venus_core *core)
{
+ const struct freq_tbl *freq_tbl = core->res->freq_tbl;
+ unsigned int freq_tbl_size = core->res->freq_tbl_size;
const struct venus_resources *res = core->res;
struct device *dev = core->dev;
unsigned long freq = 0;
@@ -48,8 +50,13 @@ static int core_clks_enable(struct venus
int ret;
opp = dev_pm_opp_find_freq_ceil(dev, &freq);
- if (!IS_ERR(opp))
+ if (IS_ERR(opp)) {
+ if (!freq_tbl)
+ return -ENODEV;
+ freq = freq_tbl[freq_tbl_size - 1].freq;
+ } else {
dev_pm_opp_put(opp);
+ }
for (i = 0; i < res->clks_num; i++) {
if (IS_V6(core)) {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 181/371] media: vivid: fix disappearing <Vendor Command With ID> messages
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 180/371] media: venus: pm_helpers: add fallback for the opp-table Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 182/371] media: vsp1: Export missing vsp1_isp_free_buffer symbol Greg Kroah-Hartman
` (202 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Mauro Carvalho Chehab
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil+cisco@kernel.org>
commit 4bd8a6147645480d550242ff816b4c7ba160e5b7 upstream.
The vivid driver supports the <Vendor Command With ID> message,
but if the Vendor ID of the received message didn't match the Vendor ID
of the CEC Adapter, then it ignores it (good) and returns 0 (bad).
It should return -ENOMSG to indicate that other followers should be
asked to handle it. Return code 0 means that the driver handled it,
which is wrong in this case.
As a result, userspace followers never get the chance to process such a
message.
Refactor the code a bit to have the function return -ENOMSG at the end,
drop the default case, and ensure that the message handlers return 0.
That way 0 is only returned if the message is actually handled in the
vivid_received() function.
Fixes: 812765cd6954 ("media: vivid: add <Vendor Command With ID> support")
Cc: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vivid/vivid-cec.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/drivers/media/test-drivers/vivid/vivid-cec.c
+++ b/drivers/media/test-drivers/vivid/vivid-cec.c
@@ -327,7 +327,7 @@ static int vivid_received(struct cec_ada
char osd[14];
if (!cec_is_sink(adap))
- return -ENOMSG;
+ break;
cec_ops_set_osd_string(msg, &disp_ctl, osd);
switch (disp_ctl) {
case CEC_OP_DISP_CTL_DEFAULT:
@@ -348,7 +348,7 @@ static int vivid_received(struct cec_ada
cec_transmit_msg(adap, &reply, false);
break;
}
- break;
+ return 0;
}
case CEC_MSG_VENDOR_COMMAND_WITH_ID: {
u32 vendor_id;
@@ -379,7 +379,7 @@ static int vivid_received(struct cec_ada
if (size == 1) {
// Ignore even op values
if (!(vendor_cmd[0] & 1))
- break;
+ return 0;
reply.len = msg->len;
memcpy(reply.msg + 1, msg->msg + 1, msg->len - 1);
reply.msg[msg->len - 1]++;
@@ -388,12 +388,10 @@ static int vivid_received(struct cec_ada
CEC_OP_ABORT_INVALID_OP);
}
cec_transmit_msg(adap, &reply, false);
- break;
+ return 0;
}
- default:
- return -ENOMSG;
}
- return 0;
+ return -ENOMSG;
}
static const struct cec_adap_ops vivid_cec_adap_ops = {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 182/371] media: vsp1: Export missing vsp1_isp_free_buffer symbol
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 181/371] media: vivid: fix disappearing <Vendor Command With ID> messages Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 183/371] media: ti: j721e-csi2rx: Use devm_of_platform_populate Greg Kroah-Hartman
` (201 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Jacopo Mondi,
Niklas Söderlund, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
commit b32655a5f4c1a3b830f05fe3d43e17b2c4d09146 upstream.
The vsp1_isp_free_buffer() function implemented by the vsp1 driver is
part of the API exposed to the rcar-isp driver. All other symbols except
that one are properly exported. Fix it.
Fixes: d06c1a9f348d ("media: vsp1: Add VSPX support")
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/renesas/vsp1/vsp1_vspx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/renesas/vsp1/vsp1_vspx.c b/drivers/media/platform/renesas/vsp1/vsp1_vspx.c
index a754b92232bd..1673479be0ff 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_vspx.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_vspx.c
@@ -286,6 +286,7 @@ void vsp1_isp_free_buffer(struct device *dev,
dma_free_coherent(bus_master, buffer_desc->size, buffer_desc->cpu_addr,
buffer_desc->dma_addr);
}
+EXPORT_SYMBOL_GPL(vsp1_isp_free_buffer);
/**
* vsp1_isp_start_streaming - Start processing VSPX jobs
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 183/371] media: ti: j721e-csi2rx: Use devm_of_platform_populate
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 182/371] media: vsp1: Export missing vsp1_isp_free_buffer symbol Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 184/371] media: ti: j721e-csi2rx: Fix source subdev link creation Greg Kroah-Hartman
` (200 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Devarsh Thakkar, Jai Luthra,
Sakari Ailus, Hans Verkuil, Yemike Abhilash Chandra
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jai Luthra <jai.luthra@ideasonboard.com>
commit 072799db233f9de90a62be54c1e59275c2db3969 upstream.
Ensure that we clean up the platform bus when we remove this driver.
This fixes a crash seen when reloading the module for the child device
with the parent not yet reloaded.
Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E")
Cc: stable@vger.kernel.org
Reviewed-by: Devarsh Thakkar <devarsht@ti.com>
Tested-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com> (on SK-AM68)
Signed-off-by: Jai Luthra <jai.luthra@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
+++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
@@ -1120,7 +1120,7 @@ static int ti_csi2rx_probe(struct platfo
if (ret)
goto err_vb2q;
- ret = of_platform_populate(csi->dev->of_node, NULL, NULL, csi->dev);
+ ret = devm_of_platform_populate(csi->dev);
if (ret) {
dev_err(csi->dev, "Failed to create children: %d\n", ret);
goto err_subdev;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 184/371] media: ti: j721e-csi2rx: Fix source subdev link creation
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 183/371] media: ti: j721e-csi2rx: Use devm_of_platform_populate Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 185/371] media: lirc: Fix error handling in lirc_register() Greg Kroah-Hartman
` (199 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Devarsh Thakkar, Jai Luthra,
Sakari Ailus, Hans Verkuil, Yemike Abhilash Chandra
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jai Luthra <jai.luthra@ideasonboard.com>
commit 3e743cd0a73246219da117ee99061aad51c4748c upstream.
We don't use OF ports and remote-endpoints to connect the CSI2RX bridge
and this device in the device tree, thus it is wrong to use
v4l2_create_fwnode_links_to_pad() to create the media graph link between
the two.
It works out on accident, as neither the source nor the sink implement
the .get_fwnode_pad() callback, and the framework helper falls back on
using the first source and sink pads to create the link between them.
Instead, manually create the media link from the first source pad of the
bridge to the first sink pad of the J721E CSI2RX.
Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E")
Cc: stable@vger.kernel.org
Reviewed-by: Devarsh Thakkar <devarsht@ti.com>
Tested-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com> (on SK-AM68)
Signed-off-by: Jai Luthra <jai.luthra@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
+++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
@@ -52,6 +52,8 @@
#define DRAIN_TIMEOUT_MS 50
#define DRAIN_BUFFER_SIZE SZ_32K
+#define CSI2RX_BRIDGE_SOURCE_PAD 1
+
struct ti_csi2rx_fmt {
u32 fourcc; /* Four character code. */
u32 code; /* Mbus code. */
@@ -426,8 +428,9 @@ static int csi_async_notifier_complete(s
if (ret)
return ret;
- ret = v4l2_create_fwnode_links_to_pad(csi->source, &csi->pad,
- MEDIA_LNK_FL_IMMUTABLE | MEDIA_LNK_FL_ENABLED);
+ ret = media_create_pad_link(&csi->source->entity, CSI2RX_BRIDGE_SOURCE_PAD,
+ &vdev->entity, csi->pad.index,
+ MEDIA_LNK_FL_IMMUTABLE | MEDIA_LNK_FL_ENABLED);
if (ret) {
video_unregister_device(vdev);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 185/371] media: lirc: Fix error handling in lirc_register()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 184/371] media: ti: j721e-csi2rx: Fix source subdev link creation Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 186/371] drm/exynos: exynos7_drm_decon: remove ctx->suspended Greg Kroah-Hartman
` (198 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Sean Young, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 4f4098c57e139ad972154077fb45c3e3141555dd upstream.
When cdev_device_add() failed, calling put_device() to explicitly
release dev->lirc_dev. Otherwise, it could cause the fault of the
reference count.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/lirc_dev.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -736,11 +736,11 @@ int lirc_register(struct rc_dev *dev)
cdev_init(&dev->lirc_cdev, &lirc_fops);
+ get_device(&dev->dev);
+
err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev);
if (err)
- goto out_ida;
-
- get_device(&dev->dev);
+ goto out_put_device;
switch (dev->driver_type) {
case RC_DRIVER_SCANCODE:
@@ -764,7 +764,8 @@ int lirc_register(struct rc_dev *dev)
return 0;
-out_ida:
+out_put_device:
+ put_device(&dev->lirc_dev);
ida_free(&lirc_ida, minor);
return err;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 186/371] drm/exynos: exynos7_drm_decon: remove ctx->suspended
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 185/371] media: lirc: Fix error handling in lirc_register() Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 187/371] drm/panthor: Fix memory leak in panthor_ioctl_group_create() Greg Kroah-Hartman
` (197 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Inki Dae, Kaustabh Chakraborty
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaustabh Chakraborty <kauschluss@disroot.org>
commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b upstream.
Condition guards are found to be redundant, as the call flow is properly
managed now, as also observed in the Exynos5433 DECON driver. Since
state checking is no longer necessary, remove it.
This also fixes an issue which prevented decon_commit() from
decon_atomic_enable() due to an incorrect state change setting.
Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver")
Cc: stable@vger.kernel.org
Suggested-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 -----------------------------
1 file changed, 36 deletions(-)
--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
@@ -69,7 +69,6 @@ struct decon_context {
void __iomem *regs;
unsigned long irq_flags;
bool i80_if;
- bool suspended;
wait_queue_head_t wait_vsync_queue;
atomic_t wait_vsync_event;
@@ -132,9 +131,6 @@ static void decon_shadow_protect_win(str
static void decon_wait_for_vblank(struct decon_context *ctx)
{
- if (ctx->suspended)
- return;
-
atomic_set(&ctx->wait_vsync_event, 1);
/*
@@ -210,9 +206,6 @@ static void decon_commit(struct exynos_d
struct drm_display_mode *mode = &crtc->base.state->adjusted_mode;
u32 val, clkdiv;
- if (ctx->suspended)
- return;
-
/* nothing to do if we haven't set the mode yet */
if (mode->htotal == 0 || mode->vtotal == 0)
return;
@@ -274,9 +267,6 @@ static int decon_enable_vblank(struct ex
struct decon_context *ctx = crtc->ctx;
u32 val;
- if (ctx->suspended)
- return -EPERM;
-
if (!test_and_set_bit(0, &ctx->irq_flags)) {
val = readl(ctx->regs + VIDINTCON0);
@@ -299,9 +289,6 @@ static void decon_disable_vblank(struct
struct decon_context *ctx = crtc->ctx;
u32 val;
- if (ctx->suspended)
- return;
-
if (test_and_clear_bit(0, &ctx->irq_flags)) {
val = readl(ctx->regs + VIDINTCON0);
@@ -404,9 +391,6 @@ static void decon_atomic_begin(struct ex
struct decon_context *ctx = crtc->ctx;
int i;
- if (ctx->suspended)
- return;
-
for (i = 0; i < WINDOWS_NR; i++)
decon_shadow_protect_win(ctx, i, true);
}
@@ -427,9 +411,6 @@ static void decon_update_plane(struct ex
unsigned int pitch = fb->pitches[0];
unsigned int vidw_addr0_base = ctx->data->vidw_buf_start_base;
- if (ctx->suspended)
- return;
-
/*
* SHADOWCON/PRTCON register is used for enabling timing.
*
@@ -517,9 +498,6 @@ static void decon_disable_plane(struct e
unsigned int win = plane->index;
u32 val;
- if (ctx->suspended)
- return;
-
/* protect windows */
decon_shadow_protect_win(ctx, win, true);
@@ -538,9 +516,6 @@ static void decon_atomic_flush(struct ex
struct decon_context *ctx = crtc->ctx;
int i;
- if (ctx->suspended)
- return;
-
for (i = 0; i < WINDOWS_NR; i++)
decon_shadow_protect_win(ctx, i, false);
exynos_crtc_handle_event(crtc);
@@ -568,9 +543,6 @@ static void decon_atomic_enable(struct e
struct decon_context *ctx = crtc->ctx;
int ret;
- if (!ctx->suspended)
- return;
-
ret = pm_runtime_resume_and_get(ctx->dev);
if (ret < 0) {
DRM_DEV_ERROR(ctx->dev, "failed to enable DECON device.\n");
@@ -584,8 +556,6 @@ static void decon_atomic_enable(struct e
decon_enable_vblank(ctx->crtc);
decon_commit(ctx->crtc);
-
- ctx->suspended = false;
}
static void decon_atomic_disable(struct exynos_drm_crtc *crtc)
@@ -593,9 +563,6 @@ static void decon_atomic_disable(struct
struct decon_context *ctx = crtc->ctx;
int i;
- if (ctx->suspended)
- return;
-
/*
* We need to make sure that all windows are disabled before we
* suspend that connector. Otherwise we might try to scan from
@@ -605,8 +572,6 @@ static void decon_atomic_disable(struct
decon_disable_plane(crtc, &ctx->planes[i]);
pm_runtime_put_sync(ctx->dev);
-
- ctx->suspended = true;
}
static const struct exynos_drm_crtc_ops decon_crtc_ops = {
@@ -727,7 +692,6 @@ static int decon_probe(struct platform_d
return -ENOMEM;
ctx->dev = dev;
- ctx->suspended = true;
ctx->data = of_device_get_match_data(dev);
i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 187/371] drm/panthor: Fix memory leak in panthor_ioctl_group_create()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 186/371] drm/exynos: exynos7_drm_decon: remove ctx->suspended Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 188/371] drm/msm/a6xx: Fix PDC sleep sequence Greg Kroah-Hartman
` (196 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Boris Brezillon,
Liviu Dudau, Steven Price
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit ca2a6abdaee43808034cdb218428d2ed85fd3db8 upstream.
When bailing out due to group_priority_permit() failure, the queue_args
need to be freed. Fix it by rearranging the function to use the
goto-on-error pattern, such that the success case flows straight without
indentation while error cases jump forward to cleanup.
Cc: stable@vger.kernel.org
Fixes: 5f7762042f8a ("drm/panthor: Restrict high priorities on group_create")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
Link: https://lore.kernel.org/r/20241113-panthor-fix-gcq-bailout-v1-1-654307254d68@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panthor/panthor_drv.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/panthor/panthor_drv.c
+++ b/drivers/gpu/drm/panthor/panthor_drv.c
@@ -1103,14 +1103,15 @@ static int panthor_ioctl_group_create(st
ret = group_priority_permit(file, args->priority);
if (ret)
- return ret;
+ goto out;
ret = panthor_group_create(pfile, args, queue_args);
- if (ret >= 0) {
- args->group_handle = ret;
- ret = 0;
- }
+ if (ret < 0)
+ goto out;
+ args->group_handle = ret;
+ ret = 0;
+out:
kvfree(queue_args);
return ret;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 188/371] drm/msm/a6xx: Fix PDC sleep sequence
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 187/371] drm/panthor: Fix memory leak in panthor_ioctl_group_create() Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 189/371] drm/rcar-du: dsi: Fix 1/2/3 lane support Greg Kroah-Hartman
` (195 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Rob Clark
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
commit f248d5d5159a88ded55329f0b1b463d0f4094228 upstream.
Since the PDC resides out of the GPU subsystem and cannot be reset in
case it enters bad state, utmost care must be taken to trigger the PDC
wake/sleep routines in the correct order.
The PDC wake sequence can be exercised only after a PDC sleep sequence.
Additionally, GMU firmware should initialize a few registers before the
KMD can trigger a PDC sleep sequence. So PDC sleep can't be done if the
GMU firmware has not initialized. Track these dependencies using a new
status variable and trigger PDC sleep/wake sequences appropriately.
Cc: stable@vger.kernel.org
Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/673362/
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 28 +++++++++++++++++-----------
drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 6 ++++++
2 files changed, 23 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
@@ -272,6 +272,8 @@ static int a6xx_gmu_start(struct a6xx_gm
if (ret)
DRM_DEV_ERROR(gmu->dev, "GMU firmware initialization timed out\n");
+ set_bit(GMU_STATUS_FW_START, &gmu->status);
+
return ret;
}
@@ -518,6 +520,9 @@ static int a6xx_rpmh_start(struct a6xx_g
int ret;
u32 val;
+ if (!test_and_clear_bit(GMU_STATUS_PDC_SLEEP, &gmu->status))
+ return 0;
+
gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, BIT(1));
ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_RSCC_CONTROL_ACK, val,
@@ -545,6 +550,9 @@ static void a6xx_rpmh_stop(struct a6xx_g
int ret;
u32 val;
+ if (test_and_clear_bit(GMU_STATUS_FW_START, &gmu->status))
+ return;
+
gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, 1);
ret = gmu_poll_timeout_rscc(gmu, REG_A6XX_GPU_RSCC_RSC_STATUS0_DRV0,
@@ -553,6 +561,8 @@ static void a6xx_rpmh_stop(struct a6xx_g
DRM_DEV_ERROR(gmu->dev, "Unable to power off the GPU RSC\n");
gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, 0);
+
+ set_bit(GMU_STATUS_PDC_SLEEP, &gmu->status);
}
static inline void pdc_write(void __iomem *ptr, u32 offset, u32 value)
@@ -681,8 +691,6 @@ setup_pdc:
/* ensure no writes happen before the uCode is fully written */
wmb();
- a6xx_rpmh_stop(gmu);
-
err:
if (!IS_ERR_OR_NULL(pdcptr))
iounmap(pdcptr);
@@ -842,19 +850,15 @@ static int a6xx_gmu_fw_start(struct a6xx
else
gmu_write(gmu, REG_A6XX_GMU_GENERAL_7, 1);
- if (state == GMU_WARM_BOOT) {
- ret = a6xx_rpmh_start(gmu);
- if (ret)
- return ret;
- } else {
+ ret = a6xx_rpmh_start(gmu);
+ if (ret)
+ return ret;
+
+ if (state == GMU_COLD_BOOT) {
if (WARN(!adreno_gpu->fw[ADRENO_FW_GMU],
"GMU firmware is not loaded\n"))
return -ENOENT;
- ret = a6xx_rpmh_start(gmu);
- if (ret)
- return ret;
-
ret = a6xx_gmu_fw_load(gmu);
if (ret)
return ret;
@@ -1023,6 +1027,8 @@ static void a6xx_gmu_force_off(struct a6
/* Reset GPU core blocks */
a6xx_gpu_sw_reset(gpu, true);
+
+ a6xx_rpmh_stop(gmu);
}
static void a6xx_gmu_set_initial_freq(struct msm_gpu *gpu, struct a6xx_gmu *gmu)
--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.h
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.h
@@ -117,6 +117,12 @@ struct a6xx_gmu {
struct qmp *qmp;
struct a6xx_hfi_msg_bw_table *bw_table;
+
+/* To check if we can trigger sleep seq at PDC. Cleared in a6xx_rpmh_stop() */
+#define GMU_STATUS_FW_START 0
+/* To track if PDC sleep seq was done */
+#define GMU_STATUS_PDC_SLEEP 1
+ unsigned long status;
};
static inline u32 gmu_read(struct a6xx_gmu *gmu, u32 offset)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 189/371] drm/rcar-du: dsi: Fix 1/2/3 lane support
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 188/371] drm/msm/a6xx: Fix PDC sleep sequence Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 190/371] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
` (194 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Tomi Valkeinen,
Tomi Valkeinen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit d83f1d19c898ac1b54ae64d1c950f5beff801982 upstream.
Remove fixed PPI lane count setup. The R-Car DSI host is capable
of operating in 1..4 DSI lane mode. Remove the hard-coded 4-lane
configuration from PPI register settings and instead configure
the PPI lane count according to lane count information already
obtained by this driver instance.
Configure TXSETR register to match PPI lane count. The R-Car V4H
Reference Manual R19UH0186EJ0121 Rev.1.21 section 67.2.2.3 Tx Set
Register (TXSETR), field LANECNT description indicates that the
TXSETR register LANECNT bitfield lane count must be configured
such, that it matches lane count configuration in PPISETR register
DLEN bitfield. Make sure the LANECNT and DLEN bitfields are
configured to match.
Fixes: 155358310f01 ("drm: rcar-du: Add R-Car DSI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
Link: https://lore.kernel.org/r/20250813210840.97621-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c | 5 ++++-
drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h | 8 ++++----
2 files changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c
+++ b/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c
@@ -576,7 +576,10 @@ static int rcar_mipi_dsi_startup(struct
udelay(10);
rcar_mipi_dsi_clr(dsi, CLOCKSET1, CLOCKSET1_UPDATEPLL);
- ppisetr = PPISETR_DLEN_3 | PPISETR_CLEN;
+ rcar_mipi_dsi_clr(dsi, TXSETR, TXSETR_LANECNT_MASK);
+ rcar_mipi_dsi_set(dsi, TXSETR, dsi->lanes - 1);
+
+ ppisetr = ((BIT(dsi->lanes) - 1) & PPISETR_DLEN_MASK) | PPISETR_CLEN;
rcar_mipi_dsi_write(dsi, PPISETR, ppisetr);
rcar_mipi_dsi_set(dsi, PHYSETUP, PHYSETUP_SHUTDOWNZ);
--- a/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h
+++ b/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h
@@ -12,6 +12,9 @@
#define LINKSR_LPBUSY (1 << 1)
#define LINKSR_HSBUSY (1 << 0)
+#define TXSETR 0x100
+#define TXSETR_LANECNT_MASK (0x3 << 0)
+
/*
* Video Mode Register
*/
@@ -80,10 +83,7 @@
* PHY-Protocol Interface (PPI) Registers
*/
#define PPISETR 0x700
-#define PPISETR_DLEN_0 (0x1 << 0)
-#define PPISETR_DLEN_1 (0x3 << 0)
-#define PPISETR_DLEN_2 (0x7 << 0)
-#define PPISETR_DLEN_3 (0xf << 0)
+#define PPISETR_DLEN_MASK (0xf << 0)
#define PPISETR_CLEN (1 << 8)
#define PPICLCR 0x710
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 190/371] drm/nouveau: fix bad ret code in nouveau_bo_move_prep
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 189/371] drm/rcar-du: dsi: Fix 1/2/3 lane support Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 191/371] drm/xe/uapi: loosen used tracking restriction Greg Kroah-Hartman
` (193 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Vorel, Shuhao Fu,
Danilo Krummrich
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
commit e4bea919584ff292c9156cf7d641a2ab3cbe27b0 upstream.
In `nouveau_bo_move_prep`, if `nouveau_mem_map` fails, an error code
should be returned. Currently, it returns zero even if vmm addr is not
correctly mapped.
Cc: stable@vger.kernel.org
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Fixes: 9ce523cc3bf2 ("drm/nouveau: separate buffer object backing memory from nvkm structures")
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_bo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -929,7 +929,7 @@ done:
nvif_vmm_put(vmm, &old_mem->vma[1]);
nvif_vmm_put(vmm, &old_mem->vma[0]);
}
- return 0;
+ return ret;
}
static int
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 191/371] drm/xe/uapi: loosen used tracking restriction
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 190/371] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 192/371] drm/amd/display: Incorrect Mirror Cositing Greg Kroah-Hartman
` (192 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Thomas Hellström,
Joshua Santosh, José Roberto de Souza, Matthew Brost,
Rodrigo Vivi, Lucas De Marchi
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Auld <matthew.auld@intel.com>
commit 2d1684a077d62fddfac074052c162ec6573a34e1 upstream.
Currently this is hidden behind perfmon_capable() since this is
technically an info leak, given that this is a system wide metric.
However the granularity reported here is always PAGE_SIZE aligned, which
matches what the core kernel is already willing to expose to userspace
if querying how many free RAM pages there are on the system, and that
doesn't need any special privileges. In addition other drm drivers seem
happy to expose this.
The motivation here if with oneAPI where they want to use the system
wide 'used' reporting here, so not the per-client fdinfo stats. This has
also come up with some perf overlay applications wanting this
information.
Fixes: 1105ac15d2a1 ("drm/xe/uapi: restrict system wide accounting")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Joshua Santosh <joshua.santosh.ranjan@intel.com>
Cc: José Roberto de Souza <jose.souza@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://lore.kernel.org/r/20250919122052.420979-2-matthew.auld@intel.com
(cherry picked from commit 4d0b035fd6dae8ee48e9c928b10f14877e595356)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_query.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/drivers/gpu/drm/xe/xe_query.c
+++ b/drivers/gpu/drm/xe/xe_query.c
@@ -274,8 +274,7 @@ static int query_mem_regions(struct xe_d
mem_regions->mem_regions[0].instance = 0;
mem_regions->mem_regions[0].min_page_size = PAGE_SIZE;
mem_regions->mem_regions[0].total_size = man->size << PAGE_SHIFT;
- if (perfmon_capable())
- mem_regions->mem_regions[0].used = ttm_resource_manager_usage(man);
+ mem_regions->mem_regions[0].used = ttm_resource_manager_usage(man);
mem_regions->num_mem_regions = 1;
for (i = XE_PL_VRAM0; i <= XE_PL_VRAM1; ++i) {
@@ -291,13 +290,11 @@ static int query_mem_regions(struct xe_d
mem_regions->mem_regions[mem_regions->num_mem_regions].total_size =
man->size;
- if (perfmon_capable()) {
- xe_ttm_vram_get_used(man,
- &mem_regions->mem_regions
- [mem_regions->num_mem_regions].used,
- &mem_regions->mem_regions
- [mem_regions->num_mem_regions].cpu_visible_used);
- }
+ xe_ttm_vram_get_used(man,
+ &mem_regions->mem_regions
+ [mem_regions->num_mem_regions].used,
+ &mem_regions->mem_regions
+ [mem_regions->num_mem_regions].cpu_visible_used);
mem_regions->mem_regions[mem_regions->num_mem_regions].cpu_visible_size =
xe_ttm_vram_get_cpu_visible_size(man);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 192/371] drm/amd/display: Incorrect Mirror Cositing
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 191/371] drm/xe/uapi: loosen used tracking restriction Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 193/371] drm/amd/display: Enable Dynamic DTBCLK Switch Greg Kroah-Hartman
` (191 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Samson Tam, Jesse Agate, Brendan Leder, Alex Hung
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse Agate <jesse.agate@amd.com>
commit d07e142641417e67f3bfc9d8ba3da8a69c39cfcd upstream.
[WHY]
hinit/vinit are incorrect in the case of mirroring.
[HOW]
Cositing sign must be flipped when image is mirrored in the vertical
or horizontal direction.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Samson Tam <samson.tam@amd.com>
Signed-off-by: Jesse Agate <jesse.agate@amd.com>
Signed-off-by: Brendan Leder <breleder@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/sspl/dc_spl.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/sspl/dc_spl.c
+++ b/drivers/gpu/drm/amd/display/dc/sspl/dc_spl.c
@@ -641,16 +641,16 @@ static void spl_calculate_inits_and_view
/* this gives the direction of the cositing (negative will move
* left, right otherwise)
*/
- int sign = 1;
+ int h_sign = flip_horz_scan_dir ? -1 : 1;
+ int v_sign = flip_vert_scan_dir ? -1 : 1;
switch (spl_in->basic_in.cositing) {
-
case CHROMA_COSITING_TOPLEFT:
- init_adj_h = spl_fixpt_from_fraction(sign, 4);
- init_adj_v = spl_fixpt_from_fraction(sign, 4);
+ init_adj_h = spl_fixpt_from_fraction(h_sign, 4);
+ init_adj_v = spl_fixpt_from_fraction(v_sign, 4);
break;
case CHROMA_COSITING_LEFT:
- init_adj_h = spl_fixpt_from_fraction(sign, 4);
+ init_adj_h = spl_fixpt_from_fraction(h_sign, 4);
init_adj_v = spl_fixpt_zero;
break;
case CHROMA_COSITING_NONE:
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 193/371] drm/amd/display: Enable Dynamic DTBCLK Switch
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 192/371] drm/amd/display: Incorrect Mirror Cositing Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 194/371] drm/amd/display: Fix unsafe uses of kernel mode FPU Greg Kroah-Hartman
` (190 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Aurabindo Pillai, Fangzhi Zuo, Alex Hung
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fangzhi Zuo <Jerry.Zuo@amd.com>
commit 5949e7c4890c3cf65e783c83c355b95e21f10dba upstream.
[WHAT]
Since dcn35, DTBCLK can be disabled when no DP2 sink connected for
power saving purpose.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1956,6 +1956,10 @@ static int amdgpu_dm_init(struct amdgpu_
init_data.flags.disable_ips_in_vpb = 0;
+ /* DCN35 and above supports dynamic DTBCLK switch */
+ if (amdgpu_ip_version(adev, DCE_HWIP, 0) >= IP_VERSION(3, 5, 0))
+ init_data.flags.allow_0_dtb_clk = true;
+
/* Enable DWB for tested platforms only */
if (amdgpu_ip_version(adev, DCE_HWIP, 0) >= IP_VERSION(3, 0, 0))
init_data.num_virtual_links = 1;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 194/371] drm/amd/display: Fix unsafe uses of kernel mode FPU
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 193/371] drm/amd/display: Enable Dynamic DTBCLK Switch Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 195/371] blk-crypto: fix missing blktrace bio split events Greg Kroah-Hartman
` (189 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Austin Zheng, Jun Lei,
Harry Wentland, Leo Li, Rodrigo Siqueira, Alex Deucher,
Christian König, amd-gfx, dri-devel, Ard Biesheuvel
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit ddbfac152830e38d488ff8e45ab7eaf5d72f8527 upstream.
The point of isolating code that uses kernel mode FPU in separate
compilation units is to ensure that even implicit uses of, e.g., SIMD
registers for spilling occur only in a context where this is permitted,
i.e., from inside a kernel_fpu_begin/end block.
This is important on arm64, which uses -mgeneral-regs-only to build all
kernel code, with the exception of such compilation units where FP or
SIMD registers are expected to be used. Given that the compiler may
invent uses of FP/SIMD anywhere in such a unit, none of its code may be
accessible from outside a kernel_fpu_begin/end block.
This means that all callers into such compilation units must use the
DC_FP start/end macros, which must not occur there themselves. For
robustness, all functions with external linkage that reside there should
call dc_assert_fp_enabled() to assert that the FPU context was set up
correctly.
Fix this for the DCN35, DCN351 and DCN36 implementations.
Cc: Austin Zheng <austin.zheng@amd.com>
Cc: Jun Lei <jun.lei@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Leo Li <sunpeng.li@amd.com>
Cc: Rodrigo Siqueira <siqueira@igalia.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: amd-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c | 4 ++
drivers/gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c | 6 ++-
drivers/gpu/drm/amd/display/dc/dml/dcn351/dcn351_fpu.c | 4 +-
drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c | 16 ++++++++-
drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 17 +++++++++-
drivers/gpu/drm/amd/display/dc/resource/dcn36/dcn36_resource.c | 16 ++++++++-
6 files changed, 56 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/dcn31_fpu.c
@@ -808,6 +808,8 @@ void dcn316_update_bw_bounding_box(struc
int dcn_get_max_non_odm_pix_rate_100hz(struct _vcs_dpi_soc_bounding_box_st *soc)
{
+ dc_assert_fp_enabled();
+
return soc->clock_limits[0].dispclk_mhz * 10000.0 / (1.0 + soc->dcn_downspread_percent / 100.0);
}
@@ -815,6 +817,8 @@ int dcn_get_approx_det_segs_required_for
struct _vcs_dpi_soc_bounding_box_st *soc,
int pix_clk_100hz, int bpp, int seg_size_kb)
{
+ dc_assert_fp_enabled();
+
/* Roughly calculate required crb to hide latency. In practice there is slightly
* more buffer available for latency hiding
*/
--- a/drivers/gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c
@@ -445,6 +445,8 @@ int dcn35_populate_dml_pipes_from_contex
bool upscaled = false;
const unsigned int max_allowed_vblank_nom = 1023;
+ dc_assert_fp_enabled();
+
dcn31_populate_dml_pipes_from_context(dc, context, pipes,
validate_mode);
@@ -498,9 +500,7 @@ int dcn35_populate_dml_pipes_from_contex
pipes[pipe_cnt].pipe.src.unbounded_req_mode = false;
- DC_FP_START();
dcn31_zero_pipe_dcc_fraction(pipes, pipe_cnt);
- DC_FP_END();
pipes[pipe_cnt].pipe.dest.vfront_porch = timing->v_front_porch;
pipes[pipe_cnt].pipe.src.dcc_rate = 3;
@@ -581,6 +581,8 @@ void dcn35_decide_zstate_support(struct
unsigned int i, plane_count = 0;
DC_LOGGER_INIT(dc->ctx->logger);
+ dc_assert_fp_enabled();
+
for (i = 0; i < dc->res_pool->pipe_count; i++) {
if (context->res_ctx.pipe_ctx[i].plane_state)
plane_count++;
--- a/drivers/gpu/drm/amd/display/dc/dml/dcn351/dcn351_fpu.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn351/dcn351_fpu.c
@@ -478,6 +478,8 @@ int dcn351_populate_dml_pipes_from_conte
bool upscaled = false;
const unsigned int max_allowed_vblank_nom = 1023;
+ dc_assert_fp_enabled();
+
dcn31_populate_dml_pipes_from_context(dc, context, pipes,
validate_mode);
@@ -531,9 +533,7 @@ int dcn351_populate_dml_pipes_from_conte
pipes[pipe_cnt].pipe.src.unbounded_req_mode = false;
- DC_FP_START();
dcn31_zero_pipe_dcc_fraction(pipes, pipe_cnt);
- DC_FP_END();
pipes[pipe_cnt].pipe.dest.vfront_porch = timing->v_front_porch;
pipes[pipe_cnt].pipe.src.dcc_rate = 3;
--- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
@@ -1760,6 +1760,20 @@ enum dc_status dcn35_patch_unknown_plane
}
+static int populate_dml_pipes_from_context_fpu(struct dc *dc,
+ struct dc_state *context,
+ display_e2e_pipe_params_st *pipes,
+ enum dc_validate_mode validate_mode)
+{
+ int ret;
+
+ DC_FP_START();
+ ret = dcn35_populate_dml_pipes_from_context_fpu(dc, context, pipes, validate_mode);
+ DC_FP_END();
+
+ return ret;
+}
+
static struct resource_funcs dcn35_res_pool_funcs = {
.destroy = dcn35_destroy_resource_pool,
.link_enc_create = dcn35_link_encoder_create,
@@ -1770,7 +1784,7 @@ static struct resource_funcs dcn35_res_p
.validate_bandwidth = dcn35_validate_bandwidth,
.calculate_wm_and_dlg = NULL,
.update_soc_for_wm_a = dcn31_update_soc_for_wm_a,
- .populate_dml_pipes = dcn35_populate_dml_pipes_from_context_fpu,
+ .populate_dml_pipes = populate_dml_pipes_from_context_fpu,
.acquire_free_pipe_as_secondary_dpp_pipe = dcn20_acquire_free_pipe_for_layer,
.release_pipe = dcn20_release_pipe,
.add_stream_to_ctx = dcn30_add_stream_to_ctx,
--- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
@@ -1732,6 +1732,21 @@ static enum dc_status dcn351_validate_ba
return out ? DC_OK : DC_FAIL_BANDWIDTH_VALIDATE;
}
+static int populate_dml_pipes_from_context_fpu(struct dc *dc,
+ struct dc_state *context,
+ display_e2e_pipe_params_st *pipes,
+ enum dc_validate_mode validate_mode)
+{
+ int ret;
+
+ DC_FP_START();
+ ret = dcn351_populate_dml_pipes_from_context_fpu(dc, context, pipes, validate_mode);
+ DC_FP_END();
+
+ return ret;
+
+}
+
static struct resource_funcs dcn351_res_pool_funcs = {
.destroy = dcn351_destroy_resource_pool,
.link_enc_create = dcn35_link_encoder_create,
@@ -1742,7 +1757,7 @@ static struct resource_funcs dcn351_res_
.validate_bandwidth = dcn351_validate_bandwidth,
.calculate_wm_and_dlg = NULL,
.update_soc_for_wm_a = dcn31_update_soc_for_wm_a,
- .populate_dml_pipes = dcn351_populate_dml_pipes_from_context_fpu,
+ .populate_dml_pipes = populate_dml_pipes_from_context_fpu,
.acquire_free_pipe_as_secondary_dpp_pipe = dcn20_acquire_free_pipe_for_layer,
.release_pipe = dcn20_release_pipe,
.add_stream_to_ctx = dcn30_add_stream_to_ctx,
--- a/drivers/gpu/drm/amd/display/dc/resource/dcn36/dcn36_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn36/dcn36_resource.c
@@ -1734,6 +1734,20 @@ static enum dc_status dcn35_validate_ban
}
+static int populate_dml_pipes_from_context_fpu(struct dc *dc,
+ struct dc_state *context,
+ display_e2e_pipe_params_st *pipes,
+ enum dc_validate_mode validate_mode)
+{
+ int ret;
+
+ DC_FP_START();
+ ret = dcn35_populate_dml_pipes_from_context_fpu(dc, context, pipes, validate_mode);
+ DC_FP_END();
+
+ return ret;
+}
+
static struct resource_funcs dcn36_res_pool_funcs = {
.destroy = dcn36_destroy_resource_pool,
.link_enc_create = dcn35_link_encoder_create,
@@ -1744,7 +1758,7 @@ static struct resource_funcs dcn36_res_p
.validate_bandwidth = dcn35_validate_bandwidth,
.calculate_wm_and_dlg = NULL,
.update_soc_for_wm_a = dcn31_update_soc_for_wm_a,
- .populate_dml_pipes = dcn35_populate_dml_pipes_from_context_fpu,
+ .populate_dml_pipes = populate_dml_pipes_from_context_fpu,
.acquire_free_pipe_as_secondary_dpp_pipe = dcn20_acquire_free_pipe_for_layer,
.release_pipe = dcn20_release_pipe,
.add_stream_to_ctx = dcn30_add_stream_to_ctx,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 195/371] blk-crypto: fix missing blktrace bio split events
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 194/371] drm/amd/display: Fix unsafe uses of kernel mode FPU Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 196/371] btrfs: avoid potential out-of-bounds in btrfs_encode_fh() Greg Kroah-Hartman
` (188 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Bart Van Assche,
Christoph Hellwig, Jens Axboe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
commit 06d712d297649f48ebf1381d19bd24e942813b37 upstream.
trace_block_split() is missing, resulting in blktrace inability to catch
BIO split events and making it harder to analyze the BIO sequence.
Cc: stable@vger.kernel.org
Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-crypto-fallback.c | 3 +++
1 file changed, 3 insertions(+)
--- a/block/blk-crypto-fallback.c
+++ b/block/blk-crypto-fallback.c
@@ -18,6 +18,7 @@
#include <linux/module.h>
#include <linux/random.h>
#include <linux/scatterlist.h>
+#include <trace/events/block.h>
#include "blk-cgroup.h"
#include "blk-crypto-internal.h"
@@ -231,7 +232,9 @@ static bool blk_crypto_fallback_split_bi
bio->bi_status = BLK_STS_RESOURCE;
return false;
}
+
bio_chain(split_bio, bio);
+ trace_block_split(split_bio, bio->bi_iter.bi_sector);
submit_bio_noacct(bio);
*bio_ptr = split_bio;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 196/371] btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 195/371] blk-crypto: fix missing blktrace bio split events Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 197/371] bus: mhi: ep: Fix chained transfer handling in read path Greg Kroah-Hartman
` (187 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anderson Nascimento, David Sterba
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anderson Nascimento <anderson@allelesecurity.com>
commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream.
The function btrfs_encode_fh() does not properly account for the three
cases it handles.
Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).
If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.
This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.
A previous attempt to fix this issue was made but was lost.
https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.
Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
CC: stable@vger.kernel.org # 3.0+
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/export.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/btrfs/export.c
+++ b/fs/btrfs/export.c
@@ -23,7 +23,11 @@ static int btrfs_encode_fh(struct inode
int type;
if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ if (btrfs_root_id(BTRFS_I(inode)->root) !=
+ btrfs_root_id(BTRFS_I(parent)->root))
+ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ else
+ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
return FILEID_INVALID;
} else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
*max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
@@ -45,6 +49,8 @@ static int btrfs_encode_fh(struct inode
parent_root_id = btrfs_root_id(BTRFS_I(parent)->root);
if (parent_root_id != fid->root_objectid) {
+ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
+ return FILEID_INVALID;
fid->parent_root_objectid = parent_root_id;
len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
type = FILEID_BTRFS_WITH_PARENT_ROOT;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 197/371] bus: mhi: ep: Fix chained transfer handling in read path
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 196/371] btrfs: avoid potential out-of-bounds in btrfs_encode_fh() Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 198/371] bus: mhi: host: Do not use uninitialized dev pointer in mhi_init_irq_setup() Greg Kroah-Hartman
` (186 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil Vinod, Sumit Kumar,
Manivannan Sadhasivam, Krishna Chaitanya Chundru
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumit Kumar <sumit.kumar@oss.qualcomm.com>
commit f5225a34bd8f9f64eec37f6ae1461289aaa3eb86 upstream.
The mhi_ep_read_channel function incorrectly assumes the End of Transfer
(EOT) bit is present for each packet in a chained transactions, causing
it to advance mhi_chan->rd_offset beyond wr_offset during host-to-device
transfers when EOT has not yet arrived. This leads to access of unmapped
host memory, causing IOMMU faults and processing of stale TREs.
Modify the loop condition to ensure mhi_queue is not empty, allowing the
function to process only valid TREs up to the current write pointer to
prevent premature reads and ensure safe traversal of chained TREs.
Due to this change, buf_left needs to be removed from the while loop
condition to avoid exiting prematurely before reading the ring completely,
and also remove write_offset since it will always be zero because the new
cache buffer is allocated every time.
Fixes: 5301258899773 ("bus: mhi: ep: Add support for reading from the host")
Co-developed-by: Akhil Vinod <akhil.vinod@oss.qualcomm.com>
Signed-off-by: Akhil Vinod <akhil.vinod@oss.qualcomm.com>
Signed-off-by: Sumit Kumar <sumit.kumar@oss.qualcomm.com>
[mani: reworded description slightly]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250910-final_chained-v3-1-ec77c9d88ace@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/ep/main.c | 37 ++++++++++++-------------------------
1 file changed, 12 insertions(+), 25 deletions(-)
--- a/drivers/bus/mhi/ep/main.c
+++ b/drivers/bus/mhi/ep/main.c
@@ -403,17 +403,13 @@ static int mhi_ep_read_channel(struct mh
{
struct mhi_ep_chan *mhi_chan = &mhi_cntrl->mhi_chan[ring->ch_id];
struct device *dev = &mhi_cntrl->mhi_dev->dev;
- size_t tr_len, read_offset, write_offset;
+ size_t tr_len, read_offset;
struct mhi_ep_buf_info buf_info = {};
u32 len = MHI_EP_DEFAULT_MTU;
struct mhi_ring_element *el;
- bool tr_done = false;
void *buf_addr;
- u32 buf_left;
int ret;
- buf_left = len;
-
do {
/* Don't process the transfer ring if the channel is not in RUNNING state */
if (mhi_chan->state != MHI_CH_STATE_RUNNING) {
@@ -426,24 +422,23 @@ static int mhi_ep_read_channel(struct mh
/* Check if there is data pending to be read from previous read operation */
if (mhi_chan->tre_bytes_left) {
dev_dbg(dev, "TRE bytes remaining: %u\n", mhi_chan->tre_bytes_left);
- tr_len = min(buf_left, mhi_chan->tre_bytes_left);
+ tr_len = min(len, mhi_chan->tre_bytes_left);
} else {
mhi_chan->tre_loc = MHI_TRE_DATA_GET_PTR(el);
mhi_chan->tre_size = MHI_TRE_DATA_GET_LEN(el);
mhi_chan->tre_bytes_left = mhi_chan->tre_size;
- tr_len = min(buf_left, mhi_chan->tre_size);
+ tr_len = min(len, mhi_chan->tre_size);
}
read_offset = mhi_chan->tre_size - mhi_chan->tre_bytes_left;
- write_offset = len - buf_left;
buf_addr = kmem_cache_zalloc(mhi_cntrl->tre_buf_cache, GFP_KERNEL);
if (!buf_addr)
return -ENOMEM;
buf_info.host_addr = mhi_chan->tre_loc + read_offset;
- buf_info.dev_addr = buf_addr + write_offset;
+ buf_info.dev_addr = buf_addr;
buf_info.size = tr_len;
buf_info.cb = mhi_ep_read_completion;
buf_info.cb_buf = buf_addr;
@@ -459,16 +454,12 @@ static int mhi_ep_read_channel(struct mh
goto err_free_buf_addr;
}
- buf_left -= tr_len;
mhi_chan->tre_bytes_left -= tr_len;
- if (!mhi_chan->tre_bytes_left) {
- if (MHI_TRE_DATA_GET_IEOT(el))
- tr_done = true;
-
+ if (!mhi_chan->tre_bytes_left)
mhi_chan->rd_offset = (mhi_chan->rd_offset + 1) % ring->ring_size;
- }
- } while (buf_left && !tr_done);
+ /* Read until the some buffer is left or the ring becomes not empty */
+ } while (!mhi_ep_queue_is_empty(mhi_chan->mhi_dev, DMA_TO_DEVICE));
return 0;
@@ -502,15 +493,11 @@ static int mhi_ep_process_ch_ring(struct
mhi_chan->xfer_cb(mhi_chan->mhi_dev, &result);
} else {
/* UL channel */
- do {
- ret = mhi_ep_read_channel(mhi_cntrl, ring);
- if (ret < 0) {
- dev_err(&mhi_chan->mhi_dev->dev, "Failed to read channel\n");
- return ret;
- }
-
- /* Read until the ring becomes empty */
- } while (!mhi_ep_queue_is_empty(mhi_chan->mhi_dev, DMA_TO_DEVICE));
+ ret = mhi_ep_read_channel(mhi_cntrl, ring);
+ if (ret < 0) {
+ dev_err(&mhi_chan->mhi_dev->dev, "Failed to read channel\n");
+ return ret;
+ }
}
return 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 198/371] bus: mhi: host: Do not use uninitialized dev pointer in mhi_init_irq_setup()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 197/371] bus: mhi: ep: Fix chained transfer handling in read path Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 199/371] cdx: Fix device node reference leak in cdx_msi_domain_init Greg Kroah-Hartman
` (185 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Xue, Manivannan Sadhasivam,
Krishna Chaitanya Chundru
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Xue <zxue@semtech.com>
commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream.
In mhi_init_irq_setup, the device pointer used for dev_err() was not
initialized. Use the pointer from mhi_cntrl instead.
Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
Signed-off-by: Adam Xue <zxue@semtech.com>
[mani: reworded subject/description and CCed stable]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/init.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/bus/mhi/host/init.c
+++ b/drivers/bus/mhi/host/init.c
@@ -194,7 +194,6 @@ static void mhi_deinit_free_irq(struct m
static int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
{
struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
- struct device *dev = &mhi_cntrl->mhi_dev->dev;
unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND;
int i, ret;
@@ -221,7 +220,7 @@ static int mhi_init_irq_setup(struct mhi
continue;
if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
- dev_err(dev, "irq %d not available for event ring\n",
+ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
mhi_event->irq);
ret = -EINVAL;
goto error_request;
@@ -232,7 +231,7 @@ static int mhi_init_irq_setup(struct mhi
irq_flags,
"mhi", mhi_event);
if (ret) {
- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
+ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
mhi_cntrl->irq[mhi_event->irq], i);
goto error_request;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 199/371] cdx: Fix device node reference leak in cdx_msi_domain_init
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 198/371] bus: mhi: host: Do not use uninitialized dev pointer in mhi_init_irq_setup() Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 200/371] clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk Greg Kroah-Hartman
` (184 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Nipun Gupta
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 76254bc489d39dae9a3427f0984fe64213d20548 upstream.
Add missing of_node_put() call to release
the device node reference obtained via of_parse_phandle().
Fixes: 0e439ba38e61 ("cdx: add MSI support for CDX bus")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Nipun Gupta <nipun.gupta@amd.com>
Link: https://lore.kernel.org/r/20250902084933.2418264-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cdx/cdx_msi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/cdx/cdx_msi.c
+++ b/drivers/cdx/cdx_msi.c
@@ -174,6 +174,7 @@ struct irq_domain *cdx_msi_domain_init(s
}
parent = irq_find_matching_fwnode(of_fwnode_handle(parent_node), DOMAIN_BUS_NEXUS);
+ of_node_put(parent_node);
if (!parent || !msi_get_domain_info(parent)) {
dev_err(dev, "unable to locate ITS domain\n");
return NULL;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 200/371] clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 199/371] cdx: Fix device node reference leak in cdx_msi_domain_init Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 201/371] clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes Greg Kroah-Hartman
` (183 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abel Vesa, Dmitry Baryshkov,
Bjorn Andersson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abel Vesa <abel.vesa@linaro.org>
commit 57c8e9da3dfe606b918d8f193837ebf2213a9545 upstream.
All the other ref clocks provided by this driver have the bi_tcxo
as parent. The eDP refclk is the only one without a parent, leading
to reporting its rate as 0. So set its parent to bi_tcxo, just like
the rest of the refclks.
Cc: stable@vger.kernel.org # v6.9
Fixes: 06aff116199c ("clk: qcom: Add TCSR clock driver for x1e80100")
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250730-clk-qcom-tcsrcc-x1e80100-parent-edp-refclk-v1-1-7a36ef06e045@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/tcsrcc-x1e80100.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/clk/qcom/tcsrcc-x1e80100.c
+++ b/drivers/clk/qcom/tcsrcc-x1e80100.c
@@ -29,6 +29,10 @@ static struct clk_branch tcsr_edp_clkref
.enable_mask = BIT(0),
.hw.init = &(const struct clk_init_data) {
.name = "tcsr_edp_clkref_en",
+ .parent_data = &(const struct clk_parent_data){
+ .index = DT_BI_TCXO_PAD,
+ },
+ .num_parents = 1,
.ops = &clk_branch2_ops,
},
},
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 201/371] clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 200/371] clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 202/371] clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths Greg Kroah-Hartman
` (182 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denzeel Oliva, Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denzeel Oliva <wachiturroxd150@gmail.com>
commit 19b50ab02eddbbd87ec2f0ad4a5bc93ac1c9b82d upstream.
Parent select bits for shared PLLs are in PLL_CON0, not PLL_CON3.
Using the wrong register leads to incorrect parent selection and rates.
Fixes: bdd03ebf721f ("clk: samsung: Introduce Exynos990 clock controller driver")
Signed-off-by: Denzeel Oliva <wachiturroxd150@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20250830-fix-cmu-top-v5-1-7c62f608309e@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/samsung/clk-exynos990.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/clk/samsung/clk-exynos990.c b/drivers/clk/samsung/clk-exynos990.c
index 8d3f193d2b4d..12e98bf5005a 100644
--- a/drivers/clk/samsung/clk-exynos990.c
+++ b/drivers/clk/samsung/clk-exynos990.c
@@ -239,12 +239,19 @@ static const unsigned long top_clk_regs[] __initconst = {
PLL_LOCKTIME_PLL_SHARED2,
PLL_LOCKTIME_PLL_SHARED3,
PLL_LOCKTIME_PLL_SHARED4,
+ PLL_CON0_PLL_G3D,
PLL_CON3_PLL_G3D,
+ PLL_CON0_PLL_MMC,
PLL_CON3_PLL_MMC,
+ PLL_CON0_PLL_SHARED0,
PLL_CON3_PLL_SHARED0,
+ PLL_CON0_PLL_SHARED1,
PLL_CON3_PLL_SHARED1,
+ PLL_CON0_PLL_SHARED2,
PLL_CON3_PLL_SHARED2,
+ PLL_CON0_PLL_SHARED3,
PLL_CON3_PLL_SHARED3,
+ PLL_CON0_PLL_SHARED4,
PLL_CON3_PLL_SHARED4,
CLK_CON_MUX_MUX_CLKCMU_APM_BUS,
CLK_CON_MUX_MUX_CLKCMU_AUD_CPU,
@@ -689,13 +696,13 @@ PNAME(mout_cmu_vra_bus_p) = { "dout_cmu_shared0_div3",
static const struct samsung_mux_clock top_mux_clks[] __initconst = {
MUX(CLK_MOUT_PLL_SHARED0, "mout_pll_shared0", mout_pll_shared0_p,
- PLL_CON3_PLL_SHARED0, 4, 1),
+ PLL_CON0_PLL_SHARED0, 4, 1),
MUX(CLK_MOUT_PLL_SHARED1, "mout_pll_shared1", mout_pll_shared1_p,
- PLL_CON3_PLL_SHARED1, 4, 1),
+ PLL_CON0_PLL_SHARED1, 4, 1),
MUX(CLK_MOUT_PLL_SHARED2, "mout_pll_shared2", mout_pll_shared2_p,
- PLL_CON3_PLL_SHARED2, 4, 1),
+ PLL_CON0_PLL_SHARED2, 4, 1),
MUX(CLK_MOUT_PLL_SHARED3, "mout_pll_shared3", mout_pll_shared3_p,
- PLL_CON3_PLL_SHARED3, 4, 1),
+ PLL_CON0_PLL_SHARED3, 4, 1),
MUX(CLK_MOUT_PLL_SHARED4, "mout_pll_shared4", mout_pll_shared4_p,
PLL_CON0_PLL_SHARED4, 4, 1),
MUX(CLK_MOUT_PLL_MMC, "mout_pll_mmc", mout_pll_mmc_p,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 202/371] clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 201/371] clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 203/371] clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks Greg Kroah-Hartman
` (181 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denzeel Oliva, Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denzeel Oliva <wachiturroxd150@gmail.com>
commit ce2eb09b430ddf9d7c9d685bdd81de011bccd4ad upstream.
Correct several mux/div widths (DSP_BUS, G2D_MSCL, HSI0 USBDP_DEBUG,
HSI1 UFS_EMBD, APM_BUS, CPUCL0_DBG_BUS, DPU) to match hardware.
Fixes: bdd03ebf721f ("clk: samsung: Introduce Exynos990 clock controller driver")
Signed-off-by: Denzeel Oliva <wachiturroxd150@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20250830-fix-cmu-top-v5-2-7c62f608309e@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/samsung/clk-exynos990.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/clk/samsung/clk-exynos990.c b/drivers/clk/samsung/clk-exynos990.c
index 12e98bf5005a..385f1d972667 100644
--- a/drivers/clk/samsung/clk-exynos990.c
+++ b/drivers/clk/samsung/clk-exynos990.c
@@ -766,11 +766,11 @@ static const struct samsung_mux_clock top_mux_clks[] __initconst = {
MUX(CLK_MOUT_CMU_DPU_ALT, "mout_cmu_dpu_alt",
mout_cmu_dpu_alt_p, CLK_CON_MUX_MUX_CLKCMU_DPU_ALT, 0, 2),
MUX(CLK_MOUT_CMU_DSP_BUS, "mout_cmu_dsp_bus",
- mout_cmu_dsp_bus_p, CLK_CON_MUX_MUX_CLKCMU_DSP_BUS, 0, 2),
+ mout_cmu_dsp_bus_p, CLK_CON_MUX_MUX_CLKCMU_DSP_BUS, 0, 3),
MUX(CLK_MOUT_CMU_G2D_G2D, "mout_cmu_g2d_g2d",
mout_cmu_g2d_g2d_p, CLK_CON_MUX_MUX_CLKCMU_G2D_G2D, 0, 2),
MUX(CLK_MOUT_CMU_G2D_MSCL, "mout_cmu_g2d_mscl",
- mout_cmu_g2d_mscl_p, CLK_CON_MUX_MUX_CLKCMU_G2D_MSCL, 0, 1),
+ mout_cmu_g2d_mscl_p, CLK_CON_MUX_MUX_CLKCMU_G2D_MSCL, 0, 2),
MUX(CLK_MOUT_CMU_HPM, "mout_cmu_hpm",
mout_cmu_hpm_p, CLK_CON_MUX_MUX_CLKCMU_HPM, 0, 2),
MUX(CLK_MOUT_CMU_HSI0_BUS, "mout_cmu_hsi0_bus",
@@ -782,7 +782,7 @@ static const struct samsung_mux_clock top_mux_clks[] __initconst = {
0, 2),
MUX(CLK_MOUT_CMU_HSI0_USBDP_DEBUG, "mout_cmu_hsi0_usbdp_debug",
mout_cmu_hsi0_usbdp_debug_p,
- CLK_CON_MUX_MUX_CLKCMU_HSI0_USBDP_DEBUG, 0, 2),
+ CLK_CON_MUX_MUX_CLKCMU_HSI0_USBDP_DEBUG, 0, 1),
MUX(CLK_MOUT_CMU_HSI1_BUS, "mout_cmu_hsi1_bus",
mout_cmu_hsi1_bus_p, CLK_CON_MUX_MUX_CLKCMU_HSI1_BUS, 0, 3),
MUX(CLK_MOUT_CMU_HSI1_MMC_CARD, "mout_cmu_hsi1_mmc_card",
@@ -795,7 +795,7 @@ static const struct samsung_mux_clock top_mux_clks[] __initconst = {
0, 2),
MUX(CLK_MOUT_CMU_HSI1_UFS_EMBD, "mout_cmu_hsi1_ufs_embd",
mout_cmu_hsi1_ufs_embd_p, CLK_CON_MUX_MUX_CLKCMU_HSI1_UFS_EMBD,
- 0, 1),
+ 0, 2),
MUX(CLK_MOUT_CMU_HSI2_BUS, "mout_cmu_hsi2_bus",
mout_cmu_hsi2_bus_p, CLK_CON_MUX_MUX_CLKCMU_HSI2_BUS, 0, 1),
MUX(CLK_MOUT_CMU_HSI2_PCIE, "mout_cmu_hsi2_pcie",
@@ -869,7 +869,7 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
CLK_CON_DIV_PLL_SHARED4_DIV4, 0, 1),
DIV(CLK_DOUT_CMU_APM_BUS, "dout_cmu_apm_bus", "gout_cmu_apm_bus",
- CLK_CON_DIV_CLKCMU_APM_BUS, 0, 3),
+ CLK_CON_DIV_CLKCMU_APM_BUS, 0, 2),
DIV(CLK_DOUT_CMU_AUD_CPU, "dout_cmu_aud_cpu", "gout_cmu_aud_cpu",
CLK_CON_DIV_CLKCMU_AUD_CPU, 0, 3),
DIV(CLK_DOUT_CMU_BUS0_BUS, "dout_cmu_bus0_bus", "gout_cmu_bus0_bus",
@@ -894,9 +894,9 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
CLK_CON_DIV_CLKCMU_CMU_BOOST, 0, 2),
DIV(CLK_DOUT_CMU_CORE_BUS, "dout_cmu_core_bus", "gout_cmu_core_bus",
CLK_CON_DIV_CLKCMU_CORE_BUS, 0, 4),
- DIV(CLK_DOUT_CMU_CPUCL0_DBG_BUS, "dout_cmu_cpucl0_debug",
+ DIV(CLK_DOUT_CMU_CPUCL0_DBG_BUS, "dout_cmu_cpucl0_dbg_bus",
"gout_cmu_cpucl0_dbg_bus", CLK_CON_DIV_CLKCMU_CPUCL0_DBG_BUS,
- 0, 3),
+ 0, 4),
DIV(CLK_DOUT_CMU_CPUCL0_SWITCH, "dout_cmu_cpucl0_switch",
"gout_cmu_cpucl0_switch", CLK_CON_DIV_CLKCMU_CPUCL0_SWITCH, 0, 3),
DIV(CLK_DOUT_CMU_CPUCL1_SWITCH, "dout_cmu_cpucl1_switch",
@@ -986,8 +986,8 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
CLK_CON_DIV_CLKCMU_TNR_BUS, 0, 4),
DIV(CLK_DOUT_CMU_VRA_BUS, "dout_cmu_vra_bus", "gout_cmu_vra_bus",
CLK_CON_DIV_CLKCMU_VRA_BUS, 0, 4),
- DIV(CLK_DOUT_CMU_DPU, "dout_cmu_clkcmu_dpu", "gout_cmu_dpu",
- CLK_CON_DIV_DIV_CLKCMU_DPU, 0, 4),
+ DIV(CLK_DOUT_CMU_DPU, "dout_cmu_dpu", "gout_cmu_dpu",
+ CLK_CON_DIV_DIV_CLKCMU_DPU, 0, 3),
};
static const struct samsung_gate_clock top_gate_clks[] __initconst = {
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 203/371] clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 202/371] clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 204/371] copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64) Greg Kroah-Hartman
` (180 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denzeel Oliva, Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denzeel Oliva <wachiturroxd150@gmail.com>
commit a66dabcd2cb8389fd73cab8896fd727fa2ea8d8b upstream.
HSI1/2 PCIe and HSI0 USBDP debug outputs are fixed divide-by-8.
OTP also uses 1/8 from oscclk. Replace incorrect div clocks with
fixed-factor clocks to reflect hardware.
Fixes: bdd03ebf721f ("clk: samsung: Introduce Exynos990 clock controller driver")
Signed-off-by: Denzeel Oliva <wachiturroxd150@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20250830-fix-cmu-top-v5-3-7c62f608309e@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/samsung/clk-exynos990.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/clk/samsung/clk-exynos990.c b/drivers/clk/samsung/clk-exynos990.c
index 385f1d972667..8571c225d090 100644
--- a/drivers/clk/samsung/clk-exynos990.c
+++ b/drivers/clk/samsung/clk-exynos990.c
@@ -931,16 +931,11 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
CLK_CON_DIV_CLKCMU_HSI0_DPGTC, 0, 3),
DIV(CLK_DOUT_CMU_HSI0_USB31DRD, "dout_cmu_hsi0_usb31drd",
"gout_cmu_hsi0_usb31drd", CLK_CON_DIV_CLKCMU_HSI0_USB31DRD, 0, 4),
- DIV(CLK_DOUT_CMU_HSI0_USBDP_DEBUG, "dout_cmu_hsi0_usbdp_debug",
- "gout_cmu_hsi0_usbdp_debug", CLK_CON_DIV_CLKCMU_HSI0_USBDP_DEBUG,
- 0, 4),
DIV(CLK_DOUT_CMU_HSI1_BUS, "dout_cmu_hsi1_bus", "gout_cmu_hsi1_bus",
CLK_CON_DIV_CLKCMU_HSI1_BUS, 0, 3),
DIV(CLK_DOUT_CMU_HSI1_MMC_CARD, "dout_cmu_hsi1_mmc_card",
"gout_cmu_hsi1_mmc_card", CLK_CON_DIV_CLKCMU_HSI1_MMC_CARD,
0, 9),
- DIV(CLK_DOUT_CMU_HSI1_PCIE, "dout_cmu_hsi1_pcie", "gout_cmu_hsi1_pcie",
- CLK_CON_DIV_CLKCMU_HSI1_PCIE, 0, 7),
DIV(CLK_DOUT_CMU_HSI1_UFS_CARD, "dout_cmu_hsi1_ufs_card",
"gout_cmu_hsi1_ufs_card", CLK_CON_DIV_CLKCMU_HSI1_UFS_CARD,
0, 3),
@@ -949,8 +944,6 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
0, 3),
DIV(CLK_DOUT_CMU_HSI2_BUS, "dout_cmu_hsi2_bus", "gout_cmu_hsi2_bus",
CLK_CON_DIV_CLKCMU_HSI2_BUS, 0, 4),
- DIV(CLK_DOUT_CMU_HSI2_PCIE, "dout_cmu_hsi2_pcie", "gout_cmu_hsi2_pcie",
- CLK_CON_DIV_CLKCMU_HSI2_PCIE, 0, 7),
DIV(CLK_DOUT_CMU_IPP_BUS, "dout_cmu_ipp_bus", "gout_cmu_ipp_bus",
CLK_CON_DIV_CLKCMU_IPP_BUS, 0, 4),
DIV(CLK_DOUT_CMU_ITP_BUS, "dout_cmu_itp_bus", "gout_cmu_itp_bus",
@@ -990,6 +983,16 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
CLK_CON_DIV_DIV_CLKCMU_DPU, 0, 3),
};
+static const struct samsung_fixed_factor_clock cmu_top_ffactor[] __initconst = {
+ FFACTOR(CLK_DOUT_CMU_HSI1_PCIE, "dout_cmu_hsi1_pcie",
+ "gout_cmu_hsi1_pcie", 1, 8, 0),
+ FFACTOR(CLK_DOUT_CMU_OTP, "dout_cmu_otp", "oscclk", 1, 8, 0),
+ FFACTOR(CLK_DOUT_CMU_HSI0_USBDP_DEBUG, "dout_cmu_hsi0_usbdp_debug",
+ "gout_cmu_hsi0_usbdp_debug", 1, 8, 0),
+ FFACTOR(CLK_DOUT_CMU_HSI2_PCIE, "dout_cmu_hsi2_pcie",
+ "gout_cmu_hsi2_pcie", 1, 8, 0),
+};
+
static const struct samsung_gate_clock top_gate_clks[] __initconst = {
GATE(CLK_GOUT_CMU_APM_BUS, "gout_cmu_apm_bus", "mout_cmu_apm_bus",
CLK_CON_GAT_GATE_CLKCMU_APM_BUS, 21, CLK_IGNORE_UNUSED, 0),
@@ -1133,6 +1136,8 @@ static const struct samsung_cmu_info top_cmu_info __initconst = {
.nr_mux_clks = ARRAY_SIZE(top_mux_clks),
.div_clks = top_div_clks,
.nr_div_clks = ARRAY_SIZE(top_div_clks),
+ .fixed_factor_clks = cmu_top_ffactor,
+ .nr_fixed_factor_clks = ARRAY_SIZE(cmu_top_ffactor),
.gate_clks = top_gate_clks,
.nr_gate_clks = ARRAY_SIZE(top_gate_clks),
.nr_clk_ids = CLKS_NR_TOP,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 204/371] copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64)
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 203/371] clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks Greg Kroah-Hartman
@ 2025-10-17 14:52 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 205/371] cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay Greg Kroah-Hartman
` (179 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Schuster, David Hildenbrand,
Lorenzo Stoakes, Arnd Bergmann, Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Schuster <schuster.simon@siemens-energy.com>
commit 04ff48239f46e8b493571e260bd0e6c3a6400371 upstream.
With the introduction of clone3 in commit 7f192e3cd316 ("fork: add
clone3") the effective bit width of clone_flags on all architectures was
increased from 32-bit to 64-bit. However, the signature of the copy_*
helper functions (e.g., copy_sighand) used by copy_process was not
adapted.
As such, they truncate the flags on any 32-bit architectures that
supports clone3 (arc, arm, csky, m68k, microblaze, mips32, openrisc,
parisc32, powerpc32, riscv32, x86-32 and xtensa).
For copy_sighand with CLONE_CLEAR_SIGHAND being an actual u64
constant, this triggers an observable bug in kernel selftest
clone3_clear_sighand:
if (clone_flags & CLONE_CLEAR_SIGHAND)
in function copy_sighand within fork.c will always fail given:
unsigned long /* == uint32_t */ clone_flags
#define CLONE_CLEAR_SIGHAND 0x100000000ULL
This commit fixes the bug by always passing clone_flags to copy_sighand
via their declared u64 type, invariant of architecture-dependent integer
sizes.
Fixes: b612e5df4587 ("clone3: add CLONE_CLEAR_SIGHAND")
Cc: stable@vger.kernel.org # linux-5.5+
Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com>
Link: https://lore.kernel.org/20250901-nios2-implement-clone3-v2-1-53fcf5577d57@siemens-energy.com
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/fork.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1596,7 +1596,7 @@ static int copy_files(unsigned long clon
return 0;
}
-static int copy_sighand(unsigned long clone_flags, struct task_struct *tsk)
+static int copy_sighand(u64 clone_flags, struct task_struct *tsk)
{
struct sighand_struct *sig;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 205/371] cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-10-17 14:52 ` [PATCH 6.17 204/371] copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64) Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 206/371] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
` (178 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Mario Limonciello (AMD), Jie Zhan, Viresh Kumar, Qais Yousef
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit f965d111e68f4a993cc44d487d416e3d954eea11 upstream.
If cppc_get_transition_latency() returns CPUFREQ_ETERNAL to indicate a
failure to retrieve the transition latency value from the platform
firmware, the CPPC cpufreq driver will use that value (converted to
microseconds) as the policy transition delay, but it is way too large
for any practical use.
Address this by making the driver use the cpufreq's default
transition latency value (in microseconds) as the transition delay
if CPUFREQ_ETERNAL is returned by cppc_get_transition_latency().
Fixes: d4f3388afd48 ("cpufreq / CPPC: Set platform specific transition_delay_us")
Cc: 5.19+ <stable@vger.kernel.org> # 5.19
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Reviewed-by: Jie Zhan <zhanjie9@hisilicon.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Qais Yousef <qyousef@layalina.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/cpufreq/cppc_cpufreq.c
+++ b/drivers/cpufreq/cppc_cpufreq.c
@@ -310,6 +310,16 @@ static int cppc_verify_policy(struct cpu
return 0;
}
+static unsigned int __cppc_cpufreq_get_transition_delay_us(unsigned int cpu)
+{
+ unsigned int transition_latency_ns = cppc_get_transition_latency(cpu);
+
+ if (transition_latency_ns == CPUFREQ_ETERNAL)
+ return CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS / NSEC_PER_USEC;
+
+ return transition_latency_ns / NSEC_PER_USEC;
+}
+
/*
* The PCC subspace describes the rate at which platform can accept commands
* on the shared PCC channel (including READs which do not count towards freq
@@ -332,12 +342,12 @@ static unsigned int cppc_cpufreq_get_tra
return 10000;
}
}
- return cppc_get_transition_latency(cpu) / NSEC_PER_USEC;
+ return __cppc_cpufreq_get_transition_delay_us(cpu);
}
#else
static unsigned int cppc_cpufreq_get_transition_delay_us(unsigned int cpu)
{
- return cppc_get_transition_latency(cpu) / NSEC_PER_USEC;
+ return __cppc_cpufreq_get_transition_delay_us(cpu);
}
#endif
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 206/371] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 205/371] cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 207/371] crypto: aspeed - Fix dma_unmap_sg() direction Greg Kroah-Hartman
` (177 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zihuan Zhang
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467 upstream.
The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.
Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).
Address this issue by modifying update_qos_request() to drop the
reference to the policy later.
Fixes: da5c504c7aae ("cpufreq: intel_pstate: Implement QoS supported freq constraints")
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zihuan Zhang <zhangzihuan@kylinos.cn>
Link: https://patch.msgid.link/2255671.irdbgypaU6@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/intel_pstate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1710,10 +1710,10 @@ static void update_qos_request(enum freq
continue;
req = policy->driver_data;
- cpufreq_cpu_put(policy);
-
- if (!req)
+ if (!req) {
+ cpufreq_cpu_put(policy);
continue;
+ }
if (hwp_active)
intel_pstate_get_hwp_cap(cpu);
@@ -1729,6 +1729,8 @@ static void update_qos_request(enum freq
if (freq_qos_update_request(req, freq) < 0)
pr_warn("Failed to update freq constraint: CPU%d\n", i);
+
+ cpufreq_cpu_put(policy);
}
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 207/371] crypto: aspeed - Fix dma_unmap_sg() direction
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 206/371] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 208/371] crypto: atmel " Greg Kroah-Hartman
` (176 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Herbert Xu
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 838d2d51513e6d2504a678e906823cfd2ecaaa22 upstream.
It seems like everywhere in this file, when the request is not
bidirectionala, req->src is mapped with DMA_TO_DEVICE and req->dst is
mapped with DMA_FROM_DEVICE.
Fixes: 62f58b1637b7 ("crypto: aspeed - add HACE crypto driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/aspeed/aspeed-hace-crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/aspeed/aspeed-hace-crypto.c
+++ b/drivers/crypto/aspeed/aspeed-hace-crypto.c
@@ -346,7 +346,7 @@ free_req:
} else {
dma_unmap_sg(hace_dev->dev, req->dst, rctx->dst_nents,
- DMA_TO_DEVICE);
+ DMA_FROM_DEVICE);
dma_unmap_sg(hace_dev->dev, req->src, rctx->src_nents,
DMA_TO_DEVICE);
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 208/371] crypto: atmel - Fix dma_unmap_sg() direction
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 207/371] crypto: aspeed - Fix dma_unmap_sg() direction Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 209/371] crypto: rockchip - Fix dma_unmap_sg() nents value Greg Kroah-Hartman
` (175 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Herbert Xu
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit f5d643156ef62216955c119216d2f3815bd51cb1 upstream.
It seems like everywhere in this file, dd->in_sg is mapped with
DMA_TO_DEVICE and dd->out_sg is mapped with DMA_FROM_DEVICE.
Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-tdes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -512,7 +512,7 @@ static int atmel_tdes_crypt_start(struct
if (err && (dd->flags & TDES_FLAGS_FAST)) {
dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
- dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_TO_DEVICE);
+ dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
}
return err;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 209/371] crypto: rockchip - Fix dma_unmap_sg() nents value
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 208/371] crypto: atmel " Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 210/371] eventpoll: Replace rwlock with spinlock Greg Kroah-Hartman
` (174 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Herbert Xu
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 21140e5caf019e4a24e1ceabcaaa16bd693b393f upstream.
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: 57d67c6e8219 ("crypto: rockchip - rework by using crypto_engine")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
@@ -254,7 +254,7 @@ static void rk_hash_unprepare(struct cry
struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
struct rk_crypto_info *rkc = rctx->dev;
- dma_unmap_sg(rkc->dev, areq->src, rctx->nrsg, DMA_TO_DEVICE);
+ dma_unmap_sg(rkc->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE);
}
static int rk_hash_run(struct crypto_engine *engine, void *breq)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 210/371] eventpoll: Replace rwlock with spinlock
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 209/371] crypto: rockchip - Fix dma_unmap_sg() nents value Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 211/371] fbdev: Fix logic error in "offb" name match Greg Kroah-Hartman
` (173 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nam Cao, K Prateek Nayak,
Frederic Weisbecker, Valentin Schneider, Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
commit 0c43094f8cc9d3d99d835c0ac9c4fe1ccc62babd upstream.
The ready event list of an epoll object is protected by read-write
semaphore:
- The consumer (waiter) acquires the write lock and takes items.
- the producer (waker) takes the read lock and adds items.
The point of this design is enabling epoll to scale well with large number
of producers, as multiple producers can hold the read lock at the same
time.
Unfortunately, this implementation may cause scheduling priority inversion
problem. Suppose the consumer has higher scheduling priority than the
producer. The consumer needs to acquire the write lock, but may be blocked
by the producer holding the read lock. Since read-write semaphore does not
support priority-boosting for the readers (even with CONFIG_PREEMPT_RT=y),
we have a case of priority inversion: a higher priority consumer is blocked
by a lower priority producer. This problem was reported in [1].
Furthermore, this could also cause stall problem, as described in [2].
Fix this problem by replacing rwlock with spinlock.
This reduces the event bandwidth, as the producers now have to contend with
each other for the spinlock. According to the benchmark from
https://github.com/rouming/test-tools/blob/master/stress-epoll.c:
On 12 x86 CPUs:
Before After Diff
threads events/ms events/ms
8 7162 4956 -31%
16 8733 5383 -38%
32 7968 5572 -30%
64 10652 5739 -46%
128 11236 5931 -47%
On 4 riscv CPUs:
Before After Diff
threads events/ms events/ms
8 2958 2833 -4%
16 3323 3097 -7%
32 3451 3240 -6%
64 3554 3178 -11%
128 3601 3235 -10%
Although the numbers look bad, it should be noted that this benchmark
creates multiple threads who do nothing except constantly generating new
epoll events, thus contention on the spinlock is high. For real workload,
the event rate is likely much lower, and the performance drop is not as
bad.
Using another benchmark (perf bench epoll wait) where spinlock contention
is lower, improvement is even observed on x86:
On 12 x86 CPUs:
Before: Averaged 110279 operations/sec (+- 1.09%), total secs = 8
After: Averaged 114577 operations/sec (+- 2.25%), total secs = 8
On 4 riscv CPUs:
Before: Averaged 175767 operations/sec (+- 0.62%), total secs = 8
After: Averaged 167396 operations/sec (+- 0.23%), total secs = 8
In conclusion, no one is likely to be upset over this change. After all,
spinlock was used originally for years, and the commit which converted to
rwlock didn't mention a real workload, just that the benchmark numbers are
nice.
This patch is not exactly the revert of commit a218cc491420 ("epoll: use
rwlock in order to reduce ep_poll_callback() contention"), because git
revert conflicts in some places which are not obvious on the resolution.
This patch is intended to be backported, therefore go with the obvious
approach:
- Replace rwlock_t with spinlock_t one to one
- Delete list_add_tail_lockless() and chain_epi_lockless(). These were
introduced to allow producers to concurrently add items to the list.
But now that spinlock no longer allows producers to touch the event
list concurrently, these two functions are not necessary anymore.
Fixes: a218cc491420 ("epoll: use rwlock in order to reduce ep_poll_callback() contention")
Signed-off-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/ec92458ea357ec503c737ead0f10b2c6e4c37d47.1752581388.git.namcao@linutronix.de
Tested-by: K Prateek Nayak <kprateek.nayak@amd.com>
Cc: stable@vger.kernel.org
Reported-by: Frederic Weisbecker <frederic@kernel.org>
Closes: https://lore.kernel.org/linux-rt-users/20210825132754.GA895675@lothringen/ [1]
Reported-by: Valentin Schneider <vschneid@redhat.com>
Closes: https://lore.kernel.org/linux-rt-users/xhsmhttqvnall.mognet@vschneid.remote.csb/ [2]
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/eventpoll.c | 139 ++++++++++-----------------------------------------------
1 file changed, 26 insertions(+), 113 deletions(-)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -46,10 +46,10 @@
*
* 1) epnested_mutex (mutex)
* 2) ep->mtx (mutex)
- * 3) ep->lock (rwlock)
+ * 3) ep->lock (spinlock)
*
* The acquire order is the one listed above, from 1 to 3.
- * We need a rwlock (ep->lock) because we manipulate objects
+ * We need a spinlock (ep->lock) because we manipulate objects
* from inside the poll callback, that might be triggered from
* a wake_up() that in turn might be called from IRQ context.
* So we can't sleep inside the poll callback and hence we need
@@ -195,7 +195,7 @@ struct eventpoll {
struct list_head rdllist;
/* Lock which protects rdllist and ovflist */
- rwlock_t lock;
+ spinlock_t lock;
/* RB tree root used to store monitored fd structs */
struct rb_root_cached rbr;
@@ -741,10 +741,10 @@ static void ep_start_scan(struct eventpo
* in a lockless way.
*/
lockdep_assert_irqs_enabled();
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
list_splice_init(&ep->rdllist, txlist);
WRITE_ONCE(ep->ovflist, NULL);
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
}
static void ep_done_scan(struct eventpoll *ep,
@@ -752,7 +752,7 @@ static void ep_done_scan(struct eventpol
{
struct epitem *epi, *nepi;
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
/*
* During the time we spent inside the "sproc" callback, some
* other events might have been queued by the poll callback.
@@ -793,7 +793,7 @@ static void ep_done_scan(struct eventpol
wake_up(&ep->wq);
}
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
}
static void ep_get(struct eventpoll *ep)
@@ -868,10 +868,10 @@ static bool __ep_remove(struct eventpoll
rb_erase_cached(&epi->rbn, &ep->rbr);
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
if (ep_is_linked(epi))
list_del_init(&epi->rdllink);
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
wakeup_source_unregister(ep_wakeup_source(epi));
/*
@@ -1152,7 +1152,7 @@ static int ep_alloc(struct eventpoll **p
return -ENOMEM;
mutex_init(&ep->mtx);
- rwlock_init(&ep->lock);
+ spin_lock_init(&ep->lock);
init_waitqueue_head(&ep->wq);
init_waitqueue_head(&ep->poll_wait);
INIT_LIST_HEAD(&ep->rdllist);
@@ -1240,99 +1240,9 @@ struct file *get_epoll_tfile_raw_ptr(str
#endif /* CONFIG_KCMP */
/*
- * Adds a new entry to the tail of the list in a lockless way, i.e.
- * multiple CPUs are allowed to call this function concurrently.
- *
- * Beware: it is necessary to prevent any other modifications of the
- * existing list until all changes are completed, in other words
- * concurrent list_add_tail_lockless() calls should be protected
- * with a read lock, where write lock acts as a barrier which
- * makes sure all list_add_tail_lockless() calls are fully
- * completed.
- *
- * Also an element can be locklessly added to the list only in one
- * direction i.e. either to the tail or to the head, otherwise
- * concurrent access will corrupt the list.
- *
- * Return: %false if element has been already added to the list, %true
- * otherwise.
- */
-static inline bool list_add_tail_lockless(struct list_head *new,
- struct list_head *head)
-{
- struct list_head *prev;
-
- /*
- * This is simple 'new->next = head' operation, but cmpxchg()
- * is used in order to detect that same element has been just
- * added to the list from another CPU: the winner observes
- * new->next == new.
- */
- if (!try_cmpxchg(&new->next, &new, head))
- return false;
-
- /*
- * Initially ->next of a new element must be updated with the head
- * (we are inserting to the tail) and only then pointers are atomically
- * exchanged. XCHG guarantees memory ordering, thus ->next should be
- * updated before pointers are actually swapped and pointers are
- * swapped before prev->next is updated.
- */
-
- prev = xchg(&head->prev, new);
-
- /*
- * It is safe to modify prev->next and new->prev, because a new element
- * is added only to the tail and new->next is updated before XCHG.
- */
-
- prev->next = new;
- new->prev = prev;
-
- return true;
-}
-
-/*
- * Chains a new epi entry to the tail of the ep->ovflist in a lockless way,
- * i.e. multiple CPUs are allowed to call this function concurrently.
- *
- * Return: %false if epi element has been already chained, %true otherwise.
- */
-static inline bool chain_epi_lockless(struct epitem *epi)
-{
- struct eventpoll *ep = epi->ep;
-
- /* Fast preliminary check */
- if (epi->next != EP_UNACTIVE_PTR)
- return false;
-
- /* Check that the same epi has not been just chained from another CPU */
- if (cmpxchg(&epi->next, EP_UNACTIVE_PTR, NULL) != EP_UNACTIVE_PTR)
- return false;
-
- /* Atomically exchange tail */
- epi->next = xchg(&ep->ovflist, epi);
-
- return true;
-}
-
-/*
* This is the callback that is passed to the wait queue wakeup
* mechanism. It is called by the stored file descriptors when they
* have events to report.
- *
- * This callback takes a read lock in order not to contend with concurrent
- * events from another file descriptor, thus all modifications to ->rdllist
- * or ->ovflist are lockless. Read lock is paired with the write lock from
- * ep_start/done_scan(), which stops all list modifications and guarantees
- * that lists state is seen correctly.
- *
- * Another thing worth to mention is that ep_poll_callback() can be called
- * concurrently for the same @epi from different CPUs if poll table was inited
- * with several wait queues entries. Plural wakeup from different CPUs of a
- * single wait queue is serialized by wq.lock, but the case when multiple wait
- * queues are used should be detected accordingly. This is detected using
- * cmpxchg() operation.
*/
static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, void *key)
{
@@ -1343,7 +1253,7 @@ static int ep_poll_callback(wait_queue_e
unsigned long flags;
int ewake = 0;
- read_lock_irqsave(&ep->lock, flags);
+ spin_lock_irqsave(&ep->lock, flags);
ep_set_busy_poll_napi_id(epi);
@@ -1372,12 +1282,15 @@ static int ep_poll_callback(wait_queue_e
* chained in ep->ovflist and requeued later on.
*/
if (READ_ONCE(ep->ovflist) != EP_UNACTIVE_PTR) {
- if (chain_epi_lockless(epi))
+ if (epi->next == EP_UNACTIVE_PTR) {
+ epi->next = READ_ONCE(ep->ovflist);
+ WRITE_ONCE(ep->ovflist, epi);
ep_pm_stay_awake_rcu(epi);
+ }
} else if (!ep_is_linked(epi)) {
/* In the usual case, add event to ready list. */
- if (list_add_tail_lockless(&epi->rdllink, &ep->rdllist))
- ep_pm_stay_awake_rcu(epi);
+ list_add_tail(&epi->rdllink, &ep->rdllist);
+ ep_pm_stay_awake_rcu(epi);
}
/*
@@ -1410,7 +1323,7 @@ static int ep_poll_callback(wait_queue_e
pwake++;
out_unlock:
- read_unlock_irqrestore(&ep->lock, flags);
+ spin_unlock_irqrestore(&ep->lock, flags);
/* We have to call this outside the lock */
if (pwake)
@@ -1745,7 +1658,7 @@ static int ep_insert(struct eventpoll *e
}
/* We have to drop the new item inside our item list to keep track of it */
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
/* record NAPI ID of new item if present */
ep_set_busy_poll_napi_id(epi);
@@ -1762,7 +1675,7 @@ static int ep_insert(struct eventpoll *e
pwake++;
}
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
/* We have to call this outside the lock */
if (pwake)
@@ -1826,7 +1739,7 @@ static int ep_modify(struct eventpoll *e
* list, push it inside.
*/
if (ep_item_poll(epi, &pt, 1)) {
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
if (!ep_is_linked(epi)) {
list_add_tail(&epi->rdllink, &ep->rdllist);
ep_pm_stay_awake(epi);
@@ -1837,7 +1750,7 @@ static int ep_modify(struct eventpoll *e
if (waitqueue_active(&ep->poll_wait))
pwake++;
}
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
}
/* We have to call this outside the lock */
@@ -2089,7 +2002,7 @@ static int ep_poll(struct eventpoll *ep,
init_wait(&wait);
wait.func = ep_autoremove_wake_function;
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
/*
* Barrierless variant, waitqueue_active() is called under
* the same lock on wakeup ep_poll_callback() side, so it
@@ -2108,7 +2021,7 @@ static int ep_poll(struct eventpoll *ep,
if (!eavail)
__add_wait_queue_exclusive(&ep->wq, &wait);
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
if (!eavail)
timed_out = !ep_schedule_timeout(to) ||
@@ -2124,7 +2037,7 @@ static int ep_poll(struct eventpoll *ep,
eavail = 1;
if (!list_empty_careful(&wait.entry)) {
- write_lock_irq(&ep->lock);
+ spin_lock_irq(&ep->lock);
/*
* If the thread timed out and is not on the wait queue,
* it means that the thread was woken up after its
@@ -2135,7 +2048,7 @@ static int ep_poll(struct eventpoll *ep,
if (timed_out)
eavail = list_empty(&wait.entry);
__remove_wait_queue(&ep->wq, &wait);
- write_unlock_irq(&ep->lock);
+ spin_unlock_irq(&ep->lock);
}
}
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 211/371] fbdev: Fix logic error in "offb" name match
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 210/371] eventpoll: Replace rwlock with spinlock Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 212/371] fs/ntfs3: Fix a resource leak bug in wnd_extend() Greg Kroah-Hartman
` (172 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Finn Thain, Helge Deller,
Stan Johnson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
commit 15df28699b28d6b49dc305040c4e26a9553df07a upstream.
A regression was reported to me recently whereby /dev/fb0 had disappeared
from a PowerBook G3 Series "Wallstreet". The problem shows up when the
"video=ofonly" parameter is passed to the kernel, which is what the
bootloader does when "no video driver" is selected. The cause of the
problem is the "offb" string comparison, which got mangled when it got
refactored. Fix it.
Cc: stable@vger.kernel.org
Fixes: 93604a5ade3a ("fbdev: Handle video= parameter in video/cmdline.c")
Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fb_cmdline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/fb_cmdline.c
+++ b/drivers/video/fbdev/core/fb_cmdline.c
@@ -40,7 +40,7 @@ int fb_get_options(const char *name, cha
bool enabled;
if (name)
- is_of = strncmp(name, "offb", 4);
+ is_of = !strncmp(name, "offb", 4);
enabled = __video_get_options(name, &options, is_of);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 212/371] fs/ntfs3: Fix a resource leak bug in wnd_extend()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 211/371] fbdev: Fix logic error in "offb" name match Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 213/371] fs: quota: create dedicated workqueue for quota_release_work Greg Kroah-Hartman
` (171 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Konstantin Komarov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit d68318471aa2e16222ebf492883e05a2d72b9b17 upstream.
Add put_bh() to decrease the refcount of 'bh' after the job
is finished, preventing a resource leak.
Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/bitmap.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ntfs3/bitmap.c
+++ b/fs/ntfs3/bitmap.c
@@ -1371,6 +1371,7 @@ int wnd_extend(struct wnd_bitmap *wnd, s
mark_buffer_dirty(bh);
unlock_buffer(bh);
/* err = sync_dirty_buffer(bh); */
+ put_bh(bh);
b0 = 0;
bits -= op;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 213/371] fs: quota: create dedicated workqueue for quota_release_work
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 212/371] fs/ntfs3: Fix a resource leak bug in wnd_extend() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 214/371] fsnotify: pass correct offset to fsnotify_mmap_perm() Greg Kroah-Hartman
` (170 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shashank A P, Jan Kara
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shashank A P <shashank.ap@samsung.com>
commit 72b7ceca857f38a8ca7c5629feffc63769638974 upstream.
There is a kernel panic due to WARN_ONCE when panic_on_warn is set.
This issue occurs when writeback is triggered due to sync call for an
opened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance
is needed at sync path, flush for quota_release_work is triggered.
By default quota_release_work is queued to "events_unbound" queue which
does not have WQ_MEM_RECLAIM flag. During f2fs balance "writeback"
workqueue tries to flush quota_release_work causing kernel panic due to
MEM_RECLAIM flag mismatch errors.
This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag
for work quota_release_work.
------------[ cut here ]------------
WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148
Call trace:
check_flush_dependency+0x13c/0x148
__flush_work+0xd0/0x398
flush_delayed_work+0x44/0x5c
dquot_writeback_dquots+0x54/0x318
f2fs_do_quota_sync+0xb8/0x1a8
f2fs_write_checkpoint+0x3cc/0x99c
f2fs_gc+0x190/0x750
f2fs_balance_fs+0x110/0x168
f2fs_write_single_data_page+0x474/0x7dc
f2fs_write_data_pages+0x7d0/0xd0c
do_writepages+0xe0/0x2f4
__writeback_single_inode+0x44/0x4ac
writeback_sb_inodes+0x30c/0x538
wb_writeback+0xf4/0x440
wb_workfn+0x128/0x5d4
process_scheduled_works+0x1c4/0x45c
worker_thread+0x32c/0x3e8
kthread+0x11c/0x1b0
ret_from_fork+0x10/0x20
Kernel panic - not syncing: kernel: panic_on_warn set ...
Fixes: ac6f420291b3 ("quota: flush quota_release_work upon quota writeback")
CC: stable@vger.kernel.org
Signed-off-by: Shashank A P <shashank.ap@samsung.com>
Link: https://patch.msgid.link/20250901092905.2115-1-shashank.ap@samsung.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/quota/dquot.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -162,6 +162,9 @@ static struct quota_module_name module_n
/* SLAB cache for dquot structures */
static struct kmem_cache *dquot_cachep;
+/* workqueue for work quota_release_work*/
+static struct workqueue_struct *quota_unbound_wq;
+
void register_quota_format(struct quota_format_type *fmt)
{
spin_lock(&dq_list_lock);
@@ -881,7 +884,7 @@ void dqput(struct dquot *dquot)
put_releasing_dquots(dquot);
atomic_dec(&dquot->dq_count);
spin_unlock(&dq_list_lock);
- queue_delayed_work(system_unbound_wq, "a_release_work, 1);
+ queue_delayed_work(quota_unbound_wq, "a_release_work, 1);
}
EXPORT_SYMBOL(dqput);
@@ -3041,6 +3044,11 @@ static int __init dquot_init(void)
shrinker_register(dqcache_shrinker);
+ quota_unbound_wq = alloc_workqueue("quota_events_unbound",
+ WQ_UNBOUND | WQ_MEM_RECLAIM, WQ_MAX_ACTIVE);
+ if (!quota_unbound_wq)
+ panic("Cannot create quota_unbound_wq\n");
+
return 0;
}
fs_initcall(dquot_init);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 214/371] fsnotify: pass correct offset to fsnotify_mmap_perm()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 213/371] fs: quota: create dedicated workqueue for quota_release_work Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 215/371] fuse: fix possibly missing fuse_copy_finish() call in fuse_notify() Greg Kroah-Hartman
` (169 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, Kiryl Shutsemau,
Amir Goldstein, David Hildenbrand, Liam Howlett, Lorenzo Stoakes,
Michal Hocko, Mike Rapoport, Suren Baghdasaryan, Vlastimil Babka,
Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit 28bba2c2935e219d6cb6946e16b9a0b7c47913be upstream.
fsnotify_mmap_perm() requires a byte offset for the file about to be
mmap'ed. But it is called from vm_mmap_pgoff(), which has a page offset.
Previously the conversion was done incorrectly so let's fix it, being
careful not to overflow on 32-bit platforms.
Discovered during code review.
Link: https://lkml.kernel.org/r/20251003155238.2147410-1-ryan.roberts@arm.com
Fixes: 066e053fe208 ("fsnotify: add pre-content hooks on mmap()")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Kiryl Shutsemau <kas@kernel.org>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mm/util.c b/mm/util.c
index 6c1d64ed0221..8989d5767528 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -566,6 +566,7 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr,
unsigned long len, unsigned long prot,
unsigned long flag, unsigned long pgoff)
{
+ loff_t off = (loff_t)pgoff << PAGE_SHIFT;
unsigned long ret;
struct mm_struct *mm = current->mm;
unsigned long populate;
@@ -573,7 +574,7 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr,
ret = security_mmap_file(file, prot, flag);
if (!ret)
- ret = fsnotify_mmap_perm(file, prot, pgoff >> PAGE_SHIFT, len);
+ ret = fsnotify_mmap_perm(file, prot, off, len);
if (!ret) {
if (mmap_write_lock_killable(mm))
return -EINTR;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 215/371] fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 214/371] fsnotify: pass correct offset to fsnotify_mmap_perm() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 216/371] fuse: fix livelock in synchronous file put from fuseblk workers Greg Kroah-Hartman
` (168 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joanne Koong, Miklos Szeredi
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit 0b563aad1c0a05dc7d123f68a9f82f79de206dad upstream.
In case of FUSE_NOTIFY_RESEND and FUSE_NOTIFY_INC_EPOCH fuse_copy_finish()
isn't called.
Fix by always calling fuse_copy_finish() after fuse_notify(). It's a no-op
if called a second time.
Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests")
Fixes: 2396356a945b ("fuse: add more control over cache invalidation behaviour")
Cc: <stable@vger.kernel.org> # v6.9
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2156,7 +2156,7 @@ static ssize_t fuse_dev_do_write(struct
*/
if (!oh.unique) {
err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), cs);
- goto out;
+ goto copy_finish;
}
err = -EINVAL;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 216/371] fuse: fix livelock in synchronous file put from fuseblk workers
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 215/371] fuse: fix possibly missing fuse_copy_finish() call in fuse_notify() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 217/371] gpio: mpfs: fix setting gpio direction to output Greg Kroah-Hartman
` (167 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Miklos Szeredi
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 upstream.
I observed a hang when running generic/323 against a fuseblk server.
This test opens a file, initiates a lot of AIO writes to that file
descriptor, and closes the file descriptor before the writes complete.
Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for
responses from the fuseblk server:
# cat /proc/372265/task/372313/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]
[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]
[<0>] aio_read+0x130/0x1e0
[<0>] io_submit_one+0x542/0x860
[<0>] __x64_sys_io_submit+0x98/0x1a0
[<0>] do_syscall_64+0x37/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
But the /weird/ part is that the fuseblk server threads are waiting for
responses from itself:
# cat /proc/372210/task/372232/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_file_put+0x9a/0xd0 [fuse]
[<0>] fuse_release+0x36/0x50 [fuse]
[<0>] __fput+0xec/0x2b0
[<0>] task_work_run+0x55/0x90
[<0>] syscall_exit_to_user_mode+0xe9/0x100
[<0>] do_syscall_64+0x43/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
The fuseblk server is fuse2fs so there's nothing all that exciting in
the server itself. So why is the fuse server calling fuse_file_put?
The commit message for the fstest sheds some light on that:
"By closing the file descriptor before calling io_destroy, you pretty
much guarantee that the last put on the ioctx will be done in interrupt
context (during I/O completion).
Aha. AIO fgets a new struct file from the fd when it queues the ioctx.
The completion of the FUSE_WRITE command from userspace causes the fuse
server to call the AIO completion function. The completion puts the
struct file, queuing a delayed fput to the fuse server task. When the
fuse server task returns to userspace, it has to run the delayed fput,
which in the case of a fuseblk server, it does synchronously.
Sending the FUSE_RELEASE command sychronously from fuse server threads
is a bad idea because a client program can initiate enough simultaneous
AIOs such that all the fuse server threads end up in delayed_fput, and
now there aren't any threads left to handle the queued fuse commands.
Fix this by only using asynchronous fputs when closing files, and leave
a comment explaining why.
Cc: stable@vger.kernel.org # v2.6.38
Fixes: 5a18ec176c934c ("fuse: fix hang of single threaded fuseblk filesystem")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/file.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -356,8 +356,14 @@ void fuse_file_release(struct inode *ino
* Make the release synchronous if this is a fuseblk mount,
* synchronous RELEASE is allowed (and desirable) in this case
* because the server can be trusted not to screw up.
+ *
+ * Always use the asynchronous file put because the current thread
+ * might be the fuse server. This can happen if a process starts some
+ * aio and closes the fd before the aio completes. Since aio takes its
+ * own ref to the file, the IO completion has to drop the ref, which is
+ * how the fuse server can end up closing its clients' files.
*/
- fuse_file_put(ff, ff->fm->fc->destroy);
+ fuse_file_put(ff, false);
}
void fuse_release_common(struct file *file, bool isdir)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 217/371] gpio: mpfs: fix setting gpio direction to output
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 216/371] fuse: fix livelock in synchronous file put from fuseblk workers Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 218/371] i3c: Fix default I2C adapter timeout value Greg Kroah-Hartman
` (166 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Conor Dooley, Bartosz Golaszewski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Conor Dooley <conor.dooley@microchip.com>
commit bc061143637532c08d9fc657eec93fdc2588068e upstream.
mpfs_gpio_direction_output() actually sets the line to input mode.
Use the correct register settings for output mode so that this function
actually works as intended.
This was a copy-paste mistake made when converting to regmap during the
driver submission process. It went unnoticed because my test for output
mode is toggling LEDs on an Icicle kit which functions with the
incorrect code. The internal reporter has yet to test the patch, but on
their system the incorrect setting may be the reason for failures to
drive the GPIO lines on the BeagleV-fire board.
CC: stable@vger.kernel.org
Fixes: a987b78f3615e ("gpio: mpfs: add polarfire soc gpio support")
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20250925-boogieman-carrot-82989ff75d10@spud
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-mpfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpio-mpfs.c
+++ b/drivers/gpio/gpio-mpfs.c
@@ -69,7 +69,7 @@ static int mpfs_gpio_direction_output(st
struct mpfs_gpio_chip *mpfs_gpio = gpiochip_get_data(gc);
regmap_update_bits(mpfs_gpio->regs, MPFS_GPIO_CTRL(gpio_index),
- MPFS_GPIO_DIR_MASK, MPFS_GPIO_EN_IN);
+ MPFS_GPIO_DIR_MASK, MPFS_GPIO_EN_OUT | MPFS_GPIO_EN_OUT_BUF);
regmap_update_bits(mpfs_gpio->regs, mpfs_gpio->offsets->outp, BIT(gpio_index),
value << gpio_index);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 218/371] i3c: Fix default I2C adapter timeout value
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 217/371] gpio: mpfs: fix setting gpio direction to output Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 219/371] iio/adc/pac1934: fix channel disable configuration Greg Kroah-Hartman
` (165 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jarkko Nikula, Frank Li,
Wolfram Sang, Alexandre Belloni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
commit 9395b3c412933401a34845d5326afe4011bbd40f upstream.
Commit 3a379bbcea0a ("i3c: Add core I3C infrastructure") set the default
adapter timeout for I2C transfers as 1000 (ms). However that parameter
is defined in jiffies not in milliseconds.
With mipi-i3c-hci driver this wasn't visible until commit c0a90eb55a69
("i3c: mipi-i3c-hci: use adapter timeout value for I2C transfers").
Fix this by setting the default timeout as HZ (CONFIG_HZ) not 1000.
Fixes: 1b84691e7870 ("i3c: dw: use adapter timeout value for I2C transfers")
Fixes: be27ed672878 ("i3c: master: cdns: use adapter timeout value for I2C transfers")
Fixes: c0a90eb55a69 ("i3c: mipi-i3c-hci: use adapter timeout value for I2C transfers")
Fixes: a747e01adad2 ("i3c: master: svc: use adapter timeout value for I2C transfers")
Fixes: d028219a9f14 ("i3c: master: Add basic driver for the Renesas I3C controller")
Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
Cc: stable@vger.kernel.org # 6.17
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Link: https://lore.kernel.org/r/20250905100320.954536-1-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2492,7 +2492,7 @@ static int i3c_master_i2c_adapter_init(s
strscpy(adap->name, dev_name(master->dev.parent), sizeof(adap->name));
/* FIXME: Should we allow i3c masters to override these values? */
- adap->timeout = 1000;
+ adap->timeout = HZ;
adap->retries = 3;
id = of_alias_get_id(master->dev.of_node, "i2c");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 219/371] iio/adc/pac1934: fix channel disable configuration
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 218/371] i3c: Fix default I2C adapter timeout value Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 220/371] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
` (164 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandar Gerasimovski,
Marius Cristea, Stable, Jonathan Cameron, Rene Straub <mailto
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandar Gerasimovski <aleksandar.gerasimovski@belden.com>
commit 3c63ba1c430af1c0dcd68dd36f2246980621dcba upstream.
There are two problems with the chip configuration in this driver:
- First, is that writing 12 bytes (ARRAY_SIZE(regs)) would anyhow
lead to a config overflow due to HW auto increment implementation
in the chip.
- Second, the i2c_smbus_write_block_data write ends up in writing
unexpected value to the channel_dis register, this is because
the smbus size that is 0x03 in this case gets written to the
register. The PAC1931/2/3/4 data sheet does not really specify
that block write is indeed supported.
This problem is probably not visible on PAC1934 version where all
channels are used as the chip is properly configured by luck,
but in our case whenusing PAC1931 this leads to nonfunctional device.
Fixes: 0fb528c8255b (iio: adc: adding support for PAC193x)
Suggested-by: Rene Straub <mailto:rene.straub@belden.com>
Signed-off-by: Aleksandar Gerasimovski <aleksandar.gerasimovski@belden.com>
Reviewed-by: Marius Cristea <marius.cristea@microchip.com>
Link: https://patch.msgid.link/20250811130904.2481790-1-aleksandar.gerasimovski@belden.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/pac1934.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/pac1934.c
+++ b/drivers/iio/adc/pac1934.c
@@ -88,6 +88,7 @@
#define PAC1934_VPOWER_3_ADDR 0x19
#define PAC1934_VPOWER_4_ADDR 0x1A
#define PAC1934_REFRESH_V_REG_ADDR 0x1F
+#define PAC1934_SLOW_REG_ADDR 0x20
#define PAC1934_CTRL_STAT_REGS_ADDR 0x1C
#define PAC1934_PID_REG_ADDR 0xFD
#define PAC1934_MID_REG_ADDR 0xFE
@@ -1265,8 +1266,23 @@ static int pac1934_chip_configure(struct
/* no SLOW triggered REFRESH, clear POR */
regs[PAC1934_SLOW_REG_OFF] = 0;
- ret = i2c_smbus_write_block_data(client, PAC1934_CTRL_STAT_REGS_ADDR,
- ARRAY_SIZE(regs), (u8 *)regs);
+ /*
+ * Write the three bytes sequentially, as the device does not support
+ * block write.
+ */
+ ret = i2c_smbus_write_byte_data(client, PAC1934_CTRL_STAT_REGS_ADDR,
+ regs[PAC1934_CHANNEL_DIS_REG_OFF]);
+ if (ret)
+ return ret;
+
+ ret = i2c_smbus_write_byte_data(client,
+ PAC1934_CTRL_STAT_REGS_ADDR + PAC1934_NEG_PWR_REG_OFF,
+ regs[PAC1934_NEG_PWR_REG_OFF]);
+ if (ret)
+ return ret;
+
+ ret = i2c_smbus_write_byte_data(client, PAC1934_SLOW_REG_ADDR,
+ regs[PAC1934_SLOW_REG_OFF]);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 220/371] iio: dac: ad5360: use int type to store negative error codes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 219/371] iio/adc/pac1934: fix channel disable configuration Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 221/371] iio: dac: ad5421: " Greg Kroah-Hartman
` (163 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Andy Shevchenko,
Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianfeng Rong <rongqianfeng@vivo.com>
commit f9381ece76de999a2065d5b4fdd87fa17883978c upstream.
Change the 'ret' variable in ad5360_update_ctrl() from unsigned int to
int, as it needs to store either negative error codes or zero returned
by ad5360_write_unlocked().
Fixes: a3e2940c24d3 ("staging:iio:dac: Add AD5360 driver")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Link: https://patch.msgid.link/20250901135726.17601-2-rongqianfeng@vivo.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5360.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ad5360.c
+++ b/drivers/iio/dac/ad5360.c
@@ -262,7 +262,7 @@ static int ad5360_update_ctrl(struct iio
unsigned int clr)
{
struct ad5360_state *st = iio_priv(indio_dev);
- unsigned int ret;
+ int ret;
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 221/371] iio: dac: ad5421: use int type to store negative error codes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 220/371] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 222/371] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
` (162 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Andy Shevchenko,
Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianfeng Rong <rongqianfeng@vivo.com>
commit 3379c900320954d768ed9903691fb2520926bbe3 upstream.
Change the 'ret' variable in ad5421_update_ctrl() from unsigned int to
int, as it needs to store either negative error codes or zero returned
by ad5421_write_unlocked().
Fixes: 5691b23489db ("staging:iio:dac: Add AD5421 driver")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Link: https://patch.msgid.link/20250901135726.17601-3-rongqianfeng@vivo.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5421.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ad5421.c
+++ b/drivers/iio/dac/ad5421.c
@@ -186,7 +186,7 @@ static int ad5421_update_ctrl(struct iio
unsigned int clr)
{
struct ad5421_state *st = iio_priv(indio_dev);
- unsigned int ret;
+ int ret;
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 222/371] iio: frequency: adf4350: Fix prescaler usage.
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 221/371] iio: dac: ad5421: " Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 223/371] iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK Greg Kroah-Hartman
` (161 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Hennerich, Nuno Sá,
Andy Shevchenko, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Hennerich <michael.hennerich@analog.com>
commit 33d7ecbf69aa7dd4145e3b77962bcb8759eede3d upstream.
The ADF4350/1 features a programmable dual-modulus prescaler of 4/5 or 8/9.
When set to 4/5, the maximum RF frequency allowed is 3 GHz.
Therefore, when operating the ADF4351 above 3 GHz, this must be set to 8/9.
In this context not the RF output frequency is meant
- it's the VCO frequency.
Therefore move the prescaler selection after we derived the VCO frequency
from the desired RF output frequency.
This BUG may have caused PLL lock instabilities when operating the VCO at
the very high range close to 4.4 GHz.
Fixes: e31166f0fd48 ("iio: frequency: New driver for Analog Devices ADF4350/ADF4351 Wideband Synthesizers")
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://patch.msgid.link/20250829-adf4350-fix-v2-1-0bf543ba797d@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/frequency/adf4350.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--- a/drivers/iio/frequency/adf4350.c
+++ b/drivers/iio/frequency/adf4350.c
@@ -149,6 +149,19 @@ static int adf4350_set_freq(struct adf43
if (freq > ADF4350_MAX_OUT_FREQ || freq < st->min_out_freq)
return -EINVAL;
+ st->r4_rf_div_sel = 0;
+
+ /*
+ * !\TODO: The below computation is making sure we get a power of 2
+ * shift (st->r4_rf_div_sel) so that freq becomes higher or equal to
+ * ADF4350_MIN_VCO_FREQ. This might be simplified with fls()/fls_long()
+ * and friends.
+ */
+ while (freq < ADF4350_MIN_VCO_FREQ) {
+ freq <<= 1;
+ st->r4_rf_div_sel++;
+ }
+
if (freq > ADF4350_MAX_FREQ_45_PRESC) {
prescaler = ADF4350_REG1_PRESCALER;
mdiv = 75;
@@ -157,13 +170,6 @@ static int adf4350_set_freq(struct adf43
mdiv = 23;
}
- st->r4_rf_div_sel = 0;
-
- while (freq < ADF4350_MIN_VCO_FREQ) {
- freq <<= 1;
- st->r4_rf_div_sel++;
- }
-
/*
* Allow a predefined reference division factor
* if not set, compute our own
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 223/371] iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 222/371] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 224/371] iio: xilinx-ams: Unmask interrupts after updating alarms Greg Kroah-Hartman
` (160 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, OGriofa, Conall,
Erim, Salih, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@linux.dev>
commit 1315cc2dbd5034f566e20ddce4d675cb9e6d4ddd upstream.
AMS_ALARM_THR_DIRECT_MASK should be bit 0, not bit 1. This would cause
hysteresis to be enabled with a lower threshold of -28C. The temperature
alarm would never deassert even if the temperature dropped below the
upper threshold.
Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: O'Griofa, Conall <conall.ogriofa@amd.com>
Tested-by: Erim, Salih <Salih.Erim@amd.com>
Acked-by: Erim, Salih <Salih.Erim@amd.com>
Link: https://patch.msgid.link/20250715003058.2035656-1-sean.anderson@linux.dev
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/xilinx-ams.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/xilinx-ams.c
+++ b/drivers/iio/adc/xilinx-ams.c
@@ -118,7 +118,7 @@
#define AMS_ALARM_THRESHOLD_OFF_10 0x10
#define AMS_ALARM_THRESHOLD_OFF_20 0x20
-#define AMS_ALARM_THR_DIRECT_MASK BIT(1)
+#define AMS_ALARM_THR_DIRECT_MASK BIT(0)
#define AMS_ALARM_THR_MIN 0x0000
#define AMS_ALARM_THR_MAX (BIT(16) - 1)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 224/371] iio: xilinx-ams: Unmask interrupts after updating alarms
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 223/371] iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 225/371] init: handle bootloader identifier in kernel parameters Greg Kroah-Hartman
` (159 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Anderson, OGriofa, Conall,
Erim, Salih, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Anderson <sean.anderson@linux.dev>
commit feb500c7ae7a198db4d2757901bce562feeefa5e upstream.
To convert level-triggered alarms into edge-triggered IIO events, alarms
are masked when they are triggered. To ensure we catch subsequent
alarms, we then periodically poll to see if the alarm is still active.
If it isn't, we unmask it. Active but masked alarms are stored in
current_masked_alarm.
If an active alarm is disabled, it will remain set in
current_masked_alarm until ams_unmask_worker clears it. If the alarm is
re-enabled before ams_unmask_worker runs, then it will never be cleared
from current_masked_alarm. This will prevent the alarm event from being
pushed even if the alarm is still active.
Fix this by recalculating current_masked_alarm immediately when enabling
or disabling alarms.
Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver")
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: O'Griofa, Conall <conall.ogriofa@amd.com>
Tested-by: Erim, Salih <Salih.Erim@amd.com>
Acked-by: Erim, Salih <Salih.Erim@amd.com>
Link: https://patch.msgid.link/20250715002847.2035228-1-sean.anderson@linux.dev
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/xilinx-ams.c | 45 +++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)
--- a/drivers/iio/adc/xilinx-ams.c
+++ b/drivers/iio/adc/xilinx-ams.c
@@ -389,6 +389,29 @@ static void ams_update_pl_alarm(struct a
ams_pl_update_reg(ams, AMS_REG_CONFIG3, AMS_REGCFG3_ALARM_MASK, cfg);
}
+static void ams_unmask(struct ams *ams)
+{
+ unsigned int status, unmask;
+
+ status = readl(ams->base + AMS_ISR_0);
+
+ /* Clear those bits which are not active anymore */
+ unmask = (ams->current_masked_alarm ^ status) & ams->current_masked_alarm;
+
+ /* Clear status of disabled alarm */
+ unmask |= ams->intr_mask;
+
+ ams->current_masked_alarm &= status;
+
+ /* Also clear those which are masked out anyway */
+ ams->current_masked_alarm &= ~ams->intr_mask;
+
+ /* Clear the interrupts before we unmask them */
+ writel(unmask, ams->base + AMS_ISR_0);
+
+ ams_update_intrmask(ams, ~AMS_ALARM_MASK, ~AMS_ALARM_MASK);
+}
+
static void ams_update_alarm(struct ams *ams, unsigned long alarm_mask)
{
unsigned long flags;
@@ -401,6 +424,7 @@ static void ams_update_alarm(struct ams
spin_lock_irqsave(&ams->intr_lock, flags);
ams_update_intrmask(ams, AMS_ISR0_ALARM_MASK, ~alarm_mask);
+ ams_unmask(ams);
spin_unlock_irqrestore(&ams->intr_lock, flags);
}
@@ -1035,28 +1059,9 @@ static void ams_handle_events(struct iio
static void ams_unmask_worker(struct work_struct *work)
{
struct ams *ams = container_of(work, struct ams, ams_unmask_work.work);
- unsigned int status, unmask;
spin_lock_irq(&ams->intr_lock);
-
- status = readl(ams->base + AMS_ISR_0);
-
- /* Clear those bits which are not active anymore */
- unmask = (ams->current_masked_alarm ^ status) & ams->current_masked_alarm;
-
- /* Clear status of disabled alarm */
- unmask |= ams->intr_mask;
-
- ams->current_masked_alarm &= status;
-
- /* Also clear those which are masked out anyway */
- ams->current_masked_alarm &= ~ams->intr_mask;
-
- /* Clear the interrupts before we unmask them */
- writel(unmask, ams->base + AMS_ISR_0);
-
- ams_update_intrmask(ams, ~AMS_ALARM_MASK, ~AMS_ALARM_MASK);
-
+ ams_unmask(ams);
spin_unlock_irq(&ams->intr_lock);
/* If still pending some alarm re-trigger the timer */
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 225/371] init: handle bootloader identifier in kernel parameters
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 224/371] iio: xilinx-ams: Unmask interrupts after updating alarms Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 226/371] iio: imu: inv_icm42600: Simplify pm_runtime setup Greg Kroah-Hartman
` (158 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huacai Chen, Al Viro,
Christian Brauner, Jan Kara, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit e416f0ed3c500c05c55fb62ee62662717b1c7f71 upstream.
BootLoaders (Grub, LILO, etc) may pass an identifier such as "BOOT_IMAGE=
/boot/vmlinuz-x.y.z" to kernel parameters. But these identifiers are not
recognized by the kernel itself so will be passed to userspace. However
user space init program also don't recognize it.
KEXEC/KDUMP (kexec-tools) may also pass an identifier such as "kexec" on
some architectures.
We cannot change BootLoader's behavior, because this behavior exists for
many years, and there are already user space programs search BOOT_IMAGE=
in /proc/cmdline to obtain the kernel image locations:
https://github.com/linuxdeepin/deepin-ab-recovery/blob/master/util.go
(search getBootOptions)
https://github.com/linuxdeepin/deepin-ab-recovery/blob/master/main.go
(search getKernelReleaseWithBootOption) So the the best way is handle
(ignore) it by the kernel itself, which can avoid such boot warnings (if
we use something like init=/bin/bash, bootloader identifier can even cause
a crash):
Kernel command line: BOOT_IMAGE=(hd0,1)/vmlinuz-6.x root=/dev/sda3 ro console=tty
Unknown kernel command line parameters "BOOT_IMAGE=(hd0,1)/vmlinuz-6.x", will be passed to user space.
[chenhuacai@loongson.cn: use strstarts()]
Link: https://lkml.kernel.org/r/20250815090120.1569947-1-chenhuacai@loongson.cn
Link: https://lkml.kernel.org/r/20250721101343.3283480-1-chenhuacai@loongson.cn
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
init/main.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/init/main.c
+++ b/init/main.c
@@ -544,6 +544,12 @@ static int __init unknown_bootoption(cha
const char *unused, void *arg)
{
size_t len = strlen(param);
+ /*
+ * Well-known bootloader identifiers:
+ * 1. LILO/Grub pass "BOOT_IMAGE=...";
+ * 2. kexec/kdump (kexec-tools) pass "kexec".
+ */
+ const char *bootloader[] = { "BOOT_IMAGE=", "kexec", NULL };
/* Handle params aliased to sysctls */
if (sysctl_is_alias(param))
@@ -551,6 +557,12 @@ static int __init unknown_bootoption(cha
repair_env_string(param, val);
+ /* Handle bootloader identifier */
+ for (int i = 0; bootloader[i]; i++) {
+ if (strstarts(param, bootloader[i]))
+ return 0;
+ }
+
/* Handle obsolete-style parameters */
if (obsolete_checksetup(param))
return 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 226/371] iio: imu: inv_icm42600: Simplify pm_runtime setup
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 225/371] init: handle bootloader identifier in kernel parameters Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 227/371] iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Greg Kroah-Hartman
` (157 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit 0792c1984a45ccd7a296d6b8cb78088bc99a212e upstream.
Rework the power management in inv_icm42600_core_probe() to use
devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM
setup by handling activation and enabling in one step.
Remove the separate inv_icm42600_disable_pm callback, as it's no longer
needed with the devm-managed approach.
Using devm_pm_runtime_enable() also fixes the missing disable of
autosuspend.
Update inv_icm42600_disable_vddio_reg() to only disable the regulator if
the device is not suspended i.e. powered-down, preventing unbalanced
disables.
Also remove redundant error msg on regulator_disable(), the regulator
framework already emits an error message when regulator_disable() fails.
This simplifies the PM setup and avoids manipulating the usage counter
unnecessarily.
Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 24 ++++++-----------------
1 file changed, 7 insertions(+), 17 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
@@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg
static void inv_icm42600_disable_vddio_reg(void *_data)
{
struct inv_icm42600_state *st = _data;
- const struct device *dev = regmap_get_device(st->map);
- int ret;
-
- ret = regulator_disable(st->vddio_supply);
- if (ret)
- dev_err(dev, "failed to disable vddio error %d\n", ret);
-}
+ struct device *dev = regmap_get_device(st->map);
-static void inv_icm42600_disable_pm(void *_data)
-{
- struct device *dev = _data;
+ if (pm_runtime_status_suspended(dev))
+ return;
- pm_runtime_put_sync(dev);
- pm_runtime_disable(dev);
+ regulator_disable(st->vddio_supply);
}
int inv_icm42600_core_probe(struct regmap *regmap, int chip,
@@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regma
return ret;
/* setup runtime power management */
- ret = pm_runtime_set_active(dev);
+ ret = devm_pm_runtime_set_active_enabled(dev);
if (ret)
return ret;
- pm_runtime_get_noresume(dev);
- pm_runtime_enable(dev);
+
pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS);
pm_runtime_use_autosuspend(dev);
- pm_runtime_put(dev);
- return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev);
+ return ret;
}
EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 227/371] iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 226/371] iio: imu: inv_icm42600: Simplify pm_runtime setup Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 228/371] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Greg Kroah-Hartman
` (156 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit a95a0b4e471a6d8860f40c6ac8f1cad9dde3189a upstream.
Remove unnecessary calls to pm_runtime_disable(), pm_runtime_set_active(),
and pm_runtime_enable() from the resume path. These operations are not
required here and can interfere with proper pm_runtime state handling,
especially when resuming from a pm_runtime suspended state.
Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250901-icm42pmreg-v3-2-ef1336246960@geanix.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
@@ -917,10 +917,6 @@ static int inv_icm42600_resume(struct de
goto out_unlock;
}
- pm_runtime_disable(dev);
- pm_runtime_set_active(dev);
- pm_runtime_enable(dev);
-
/* restore sensors state */
ret = inv_icm42600_set_pwr_mgmt0(st, st->suspended.gyro,
st->suspended.accel,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 228/371] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 227/371] iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 229/371] iommu/vt-d: PRS isnt usable if PDS isnt supported Greg Kroah-Hartman
` (155 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
commit 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 upstream.
Do as in suspend, skip resume configuration steps if the device is already
pm_runtime suspended. This avoids reconfiguring a device that is already
in the correct low-power state and ensures that pm_runtime handles the
power state transitions properly.
Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
@@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct d
struct device *accel_dev;
bool wakeup;
int accel_conf;
- int ret;
+ int ret = 0;
mutex_lock(&st->lock);
st->suspended.gyro = st->conf.gyro.mode;
st->suspended.accel = st->conf.accel.mode;
st->suspended.temp = st->conf.temp_en;
- if (pm_runtime_suspended(dev)) {
- ret = 0;
+ if (pm_runtime_suspended(dev))
goto out_unlock;
- }
/* disable FIFO data streaming */
if (st->fifo.on) {
@@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct de
struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel);
struct device *accel_dev;
bool wakeup;
- int ret;
+ int ret = 0;
mutex_lock(&st->lock);
+ if (pm_runtime_suspended(dev))
+ goto out_unlock;
+
/* check wakeup capability */
accel_dev = &st->indio_accel->dev;
wakeup = st->apex.on && device_may_wakeup(accel_dev);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 229/371] iommu/vt-d: PRS isnt usable if PDS isnt supported
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 228/371] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 230/371] ipmi: Rework user message limit handling Greg Kroah-Hartman
` (154 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joel Granados, Lu Baolu,
Joerg Roedel
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit 5ef7e24c742038a5d8c626fdc0e3a21834358341 upstream.
The specification, Section 7.10, "Software Steps to Drain Page Requests &
Responses," requires software to submit an Invalidation Wait Descriptor
(inv_wait_dsc) with the Page-request Drain (PD=1) flag set, along with
the Invalidation Wait Completion Status Write flag (SW=1). It then waits
for the Invalidation Wait Descriptor's completion.
However, the PD field in the Invalidation Wait Descriptor is optional, as
stated in Section 6.5.2.9, "Invalidation Wait Descriptor":
"Page-request Drain (PD): Remapping hardware implementations reporting
Page-request draining as not supported (PDS = 0 in ECAP_REG) treat this
field as reserved."
This implies that if the IOMMU doesn't support the PDS capability, software
can't drain page requests and group responses as expected.
Do not enable PCI/PRI if the IOMMU doesn't support PDS.
Reported-by: Joel Granados <joel.granados@kernel.org>
Closes: https://lore.kernel.org/r/20250909-jag-pds-v1-1-ad8cba0e494e@kernel.org
Fixes: 66ac4db36f4c ("iommu/vt-d: Add page request draining support")
Cc: stable@vger.kernel.org
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/20250915062946.120196-1-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -3817,7 +3817,7 @@ static struct iommu_device *intel_iommu_
}
if (info->ats_supported && ecap_prs(iommu->ecap) &&
- pci_pri_supported(pdev))
+ ecap_pds(iommu->ecap) && pci_pri_supported(pdev))
info->pri_supported = 1;
}
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 230/371] ipmi: Rework user message limit handling
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 229/371] iommu/vt-d: PRS isnt usable if PDS isnt supported Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 231/371] ipmi:msghandler:Change seq_lock to a mutex Greg Kroah-Hartman
` (153 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gilles BULOZ, Corey Minyard
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit b52da4054ee0bf9ecb44996f2c83236ff50b3812 upstream.
The limit on the number of user messages had a number of issues,
improper counting in some cases and a use after free.
Restructure how this is all done to handle more in the receive message
allocation routine, so all refcouting and user message limit counts
are done in that routine. It's a lot cleaner and safer.
Reported-by: Gilles BULOZ <gilles.buloz@kontron.com>
Closes: https://lore.kernel.org/lkml/aLsw6G0GyqfpKs2S@mail.minyard.net/
Fixes: 8e76741c3d8b ("ipmi: Add a limit on the number of users that may use IPMI")
Cc: <stable@vger.kernel.org> # 4.19
Signed-off-by: Corey Minyard <corey@minyard.net>
Tested-by: Gilles BULOZ <gilles.buloz@kontron.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 420 +++++++++++++++++-------------------
1 file changed, 200 insertions(+), 220 deletions(-)
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -38,7 +38,9 @@
#define IPMI_DRIVER_VERSION "39.2"
-static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void);
+static struct ipmi_recv_msg *ipmi_alloc_recv_msg(struct ipmi_user *user);
+static void ipmi_set_recv_msg_user(struct ipmi_recv_msg *msg,
+ struct ipmi_user *user);
static int ipmi_init_msghandler(void);
static void smi_work(struct work_struct *t);
static void handle_new_recv_msgs(struct ipmi_smi *intf);
@@ -955,7 +957,6 @@ static int deliver_response(struct ipmi_
* risk. At this moment, simply skip it in that case.
*/
ipmi_free_recv_msg(msg);
- atomic_dec(&msg->user->nr_msgs);
} else {
/*
* Deliver it in smi_work. The message will hold a
@@ -1616,8 +1617,7 @@ int ipmi_set_gets_events(struct ipmi_use
}
list_for_each_entry_safe(msg, msg2, &msgs, link) {
- msg->user = user;
- kref_get(&user->refcount);
+ ipmi_set_recv_msg_user(msg, user);
deliver_local_response(intf, msg);
}
}
@@ -2288,22 +2288,15 @@ static int i_ipmi_request(struct ipmi_us
int run_to_completion = READ_ONCE(intf->run_to_completion);
int rv = 0;
- if (user) {
- if (atomic_add_return(1, &user->nr_msgs) > max_msgs_per_user) {
- /* Decrement will happen at the end of the routine. */
- rv = -EBUSY;
- goto out;
- }
- }
-
- if (supplied_recv)
+ if (supplied_recv) {
recv_msg = supplied_recv;
- else {
- recv_msg = ipmi_alloc_recv_msg();
- if (recv_msg == NULL) {
- rv = -ENOMEM;
- goto out;
- }
+ recv_msg->user = user;
+ if (user)
+ atomic_inc(&user->nr_msgs);
+ } else {
+ recv_msg = ipmi_alloc_recv_msg(user);
+ if (IS_ERR(recv_msg))
+ return PTR_ERR(recv_msg);
}
recv_msg->user_msg_data = user_msg_data;
@@ -2314,8 +2307,7 @@ static int i_ipmi_request(struct ipmi_us
if (smi_msg == NULL) {
if (!supplied_recv)
ipmi_free_recv_msg(recv_msg);
- rv = -ENOMEM;
- goto out;
+ return -ENOMEM;
}
}
@@ -2326,10 +2318,6 @@ static int i_ipmi_request(struct ipmi_us
goto out_err;
}
- recv_msg->user = user;
- if (user)
- /* The put happens when the message is freed. */
- kref_get(&user->refcount);
recv_msg->msgid = msgid;
/*
* Store the message to send in the receive message so timeout
@@ -2358,8 +2346,10 @@ static int i_ipmi_request(struct ipmi_us
if (rv) {
out_err:
- ipmi_free_smi_msg(smi_msg);
- ipmi_free_recv_msg(recv_msg);
+ if (!supplied_smi)
+ ipmi_free_smi_msg(smi_msg);
+ if (!supplied_recv)
+ ipmi_free_recv_msg(recv_msg);
} else {
dev_dbg(intf->si_dev, "Send: %*ph\n",
smi_msg->data_size, smi_msg->data);
@@ -2369,9 +2359,6 @@ out_err:
if (!run_to_completion)
mutex_unlock(&intf->users_mutex);
-out:
- if (rv && user)
- atomic_dec(&user->nr_msgs);
return rv;
}
@@ -3862,7 +3849,7 @@ static int handle_ipmb_get_msg_cmd(struc
unsigned char chan;
struct ipmi_user *user = NULL;
struct ipmi_ipmb_addr *ipmb_addr;
- struct ipmi_recv_msg *recv_msg;
+ struct ipmi_recv_msg *recv_msg = NULL;
if (msg->rsp_size < 10) {
/* Message not big enough, just ignore it. */
@@ -3883,9 +3870,8 @@ static int handle_ipmb_get_msg_cmd(struc
rcvr = find_cmd_rcvr(intf, netfn, cmd, chan);
if (rcvr) {
user = rcvr->user;
- kref_get(&user->refcount);
- } else
- user = NULL;
+ recv_msg = ipmi_alloc_recv_msg(user);
+ }
rcu_read_unlock();
if (user == NULL) {
@@ -3915,47 +3901,41 @@ static int handle_ipmb_get_msg_cmd(struc
* causes it to not be freed or queued.
*/
rv = -1;
- } else {
- recv_msg = ipmi_alloc_recv_msg();
- if (!recv_msg) {
- /*
- * We couldn't allocate memory for the
- * message, so requeue it for handling
- * later.
- */
- rv = 1;
- kref_put(&user->refcount, free_ipmi_user);
- } else {
- /* Extract the source address from the data. */
- ipmb_addr = (struct ipmi_ipmb_addr *) &recv_msg->addr;
- ipmb_addr->addr_type = IPMI_IPMB_ADDR_TYPE;
- ipmb_addr->slave_addr = msg->rsp[6];
- ipmb_addr->lun = msg->rsp[7] & 3;
- ipmb_addr->channel = msg->rsp[3] & 0xf;
+ } else if (!IS_ERR(recv_msg)) {
+ /* Extract the source address from the data. */
+ ipmb_addr = (struct ipmi_ipmb_addr *) &recv_msg->addr;
+ ipmb_addr->addr_type = IPMI_IPMB_ADDR_TYPE;
+ ipmb_addr->slave_addr = msg->rsp[6];
+ ipmb_addr->lun = msg->rsp[7] & 3;
+ ipmb_addr->channel = msg->rsp[3] & 0xf;
- /*
- * Extract the rest of the message information
- * from the IPMB header.
- */
- recv_msg->user = user;
- recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
- recv_msg->msgid = msg->rsp[7] >> 2;
- recv_msg->msg.netfn = msg->rsp[4] >> 2;
- recv_msg->msg.cmd = msg->rsp[8];
- recv_msg->msg.data = recv_msg->msg_data;
+ /*
+ * Extract the rest of the message information
+ * from the IPMB header.
+ */
+ recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
+ recv_msg->msgid = msg->rsp[7] >> 2;
+ recv_msg->msg.netfn = msg->rsp[4] >> 2;
+ recv_msg->msg.cmd = msg->rsp[8];
+ recv_msg->msg.data = recv_msg->msg_data;
- /*
- * We chop off 10, not 9 bytes because the checksum
- * at the end also needs to be removed.
- */
- recv_msg->msg.data_len = msg->rsp_size - 10;
- memcpy(recv_msg->msg_data, &msg->rsp[9],
- msg->rsp_size - 10);
- if (deliver_response(intf, recv_msg))
- ipmi_inc_stat(intf, unhandled_commands);
- else
- ipmi_inc_stat(intf, handled_commands);
- }
+ /*
+ * We chop off 10, not 9 bytes because the checksum
+ * at the end also needs to be removed.
+ */
+ recv_msg->msg.data_len = msg->rsp_size - 10;
+ memcpy(recv_msg->msg_data, &msg->rsp[9],
+ msg->rsp_size - 10);
+ if (deliver_response(intf, recv_msg))
+ ipmi_inc_stat(intf, unhandled_commands);
+ else
+ ipmi_inc_stat(intf, handled_commands);
+ } else {
+ /*
+ * We couldn't allocate memory for the message, so
+ * requeue it for handling later.
+ */
+ rv = 1;
}
return rv;
@@ -3968,7 +3948,7 @@ static int handle_ipmb_direct_rcv_cmd(st
int rv = 0;
struct ipmi_user *user = NULL;
struct ipmi_ipmb_direct_addr *daddr;
- struct ipmi_recv_msg *recv_msg;
+ struct ipmi_recv_msg *recv_msg = NULL;
unsigned char netfn = msg->rsp[0] >> 2;
unsigned char cmd = msg->rsp[3];
@@ -3977,9 +3957,8 @@ static int handle_ipmb_direct_rcv_cmd(st
rcvr = find_cmd_rcvr(intf, netfn, cmd, 0);
if (rcvr) {
user = rcvr->user;
- kref_get(&user->refcount);
- } else
- user = NULL;
+ recv_msg = ipmi_alloc_recv_msg(user);
+ }
rcu_read_unlock();
if (user == NULL) {
@@ -4001,44 +3980,38 @@ static int handle_ipmb_direct_rcv_cmd(st
* causes it to not be freed or queued.
*/
rv = -1;
- } else {
- recv_msg = ipmi_alloc_recv_msg();
- if (!recv_msg) {
- /*
- * We couldn't allocate memory for the
- * message, so requeue it for handling
- * later.
- */
- rv = 1;
- kref_put(&user->refcount, free_ipmi_user);
- } else {
- /* Extract the source address from the data. */
- daddr = (struct ipmi_ipmb_direct_addr *)&recv_msg->addr;
- daddr->addr_type = IPMI_IPMB_DIRECT_ADDR_TYPE;
- daddr->channel = 0;
- daddr->slave_addr = msg->rsp[1];
- daddr->rs_lun = msg->rsp[0] & 3;
- daddr->rq_lun = msg->rsp[2] & 3;
+ } else if (!IS_ERR(recv_msg)) {
+ /* Extract the source address from the data. */
+ daddr = (struct ipmi_ipmb_direct_addr *)&recv_msg->addr;
+ daddr->addr_type = IPMI_IPMB_DIRECT_ADDR_TYPE;
+ daddr->channel = 0;
+ daddr->slave_addr = msg->rsp[1];
+ daddr->rs_lun = msg->rsp[0] & 3;
+ daddr->rq_lun = msg->rsp[2] & 3;
- /*
- * Extract the rest of the message information
- * from the IPMB header.
- */
- recv_msg->user = user;
- recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
- recv_msg->msgid = (msg->rsp[2] >> 2);
- recv_msg->msg.netfn = msg->rsp[0] >> 2;
- recv_msg->msg.cmd = msg->rsp[3];
- recv_msg->msg.data = recv_msg->msg_data;
-
- recv_msg->msg.data_len = msg->rsp_size - 4;
- memcpy(recv_msg->msg_data, msg->rsp + 4,
- msg->rsp_size - 4);
- if (deliver_response(intf, recv_msg))
- ipmi_inc_stat(intf, unhandled_commands);
- else
- ipmi_inc_stat(intf, handled_commands);
- }
+ /*
+ * Extract the rest of the message information
+ * from the IPMB header.
+ */
+ recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
+ recv_msg->msgid = (msg->rsp[2] >> 2);
+ recv_msg->msg.netfn = msg->rsp[0] >> 2;
+ recv_msg->msg.cmd = msg->rsp[3];
+ recv_msg->msg.data = recv_msg->msg_data;
+
+ recv_msg->msg.data_len = msg->rsp_size - 4;
+ memcpy(recv_msg->msg_data, msg->rsp + 4,
+ msg->rsp_size - 4);
+ if (deliver_response(intf, recv_msg))
+ ipmi_inc_stat(intf, unhandled_commands);
+ else
+ ipmi_inc_stat(intf, handled_commands);
+ } else {
+ /*
+ * We couldn't allocate memory for the message, so
+ * requeue it for handling later.
+ */
+ rv = 1;
}
return rv;
@@ -4152,7 +4125,7 @@ static int handle_lan_get_msg_cmd(struct
unsigned char chan;
struct ipmi_user *user = NULL;
struct ipmi_lan_addr *lan_addr;
- struct ipmi_recv_msg *recv_msg;
+ struct ipmi_recv_msg *recv_msg = NULL;
if (msg->rsp_size < 12) {
/* Message not big enough, just ignore it. */
@@ -4173,9 +4146,8 @@ static int handle_lan_get_msg_cmd(struct
rcvr = find_cmd_rcvr(intf, netfn, cmd, chan);
if (rcvr) {
user = rcvr->user;
- kref_get(&user->refcount);
- } else
- user = NULL;
+ recv_msg = ipmi_alloc_recv_msg(user);
+ }
rcu_read_unlock();
if (user == NULL) {
@@ -4206,49 +4178,44 @@ static int handle_lan_get_msg_cmd(struct
* causes it to not be freed or queued.
*/
rv = -1;
- } else {
- recv_msg = ipmi_alloc_recv_msg();
- if (!recv_msg) {
- /*
- * We couldn't allocate memory for the
- * message, so requeue it for handling later.
- */
- rv = 1;
- kref_put(&user->refcount, free_ipmi_user);
- } else {
- /* Extract the source address from the data. */
- lan_addr = (struct ipmi_lan_addr *) &recv_msg->addr;
- lan_addr->addr_type = IPMI_LAN_ADDR_TYPE;
- lan_addr->session_handle = msg->rsp[4];
- lan_addr->remote_SWID = msg->rsp[8];
- lan_addr->local_SWID = msg->rsp[5];
- lan_addr->lun = msg->rsp[9] & 3;
- lan_addr->channel = msg->rsp[3] & 0xf;
- lan_addr->privilege = msg->rsp[3] >> 4;
+ } else if (!IS_ERR(recv_msg)) {
+ /* Extract the source address from the data. */
+ lan_addr = (struct ipmi_lan_addr *) &recv_msg->addr;
+ lan_addr->addr_type = IPMI_LAN_ADDR_TYPE;
+ lan_addr->session_handle = msg->rsp[4];
+ lan_addr->remote_SWID = msg->rsp[8];
+ lan_addr->local_SWID = msg->rsp[5];
+ lan_addr->lun = msg->rsp[9] & 3;
+ lan_addr->channel = msg->rsp[3] & 0xf;
+ lan_addr->privilege = msg->rsp[3] >> 4;
- /*
- * Extract the rest of the message information
- * from the IPMB header.
- */
- recv_msg->user = user;
- recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
- recv_msg->msgid = msg->rsp[9] >> 2;
- recv_msg->msg.netfn = msg->rsp[6] >> 2;
- recv_msg->msg.cmd = msg->rsp[10];
- recv_msg->msg.data = recv_msg->msg_data;
+ /*
+ * Extract the rest of the message information
+ * from the IPMB header.
+ */
+ recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
+ recv_msg->msgid = msg->rsp[9] >> 2;
+ recv_msg->msg.netfn = msg->rsp[6] >> 2;
+ recv_msg->msg.cmd = msg->rsp[10];
+ recv_msg->msg.data = recv_msg->msg_data;
- /*
- * We chop off 12, not 11 bytes because the checksum
- * at the end also needs to be removed.
- */
- recv_msg->msg.data_len = msg->rsp_size - 12;
- memcpy(recv_msg->msg_data, &msg->rsp[11],
- msg->rsp_size - 12);
- if (deliver_response(intf, recv_msg))
- ipmi_inc_stat(intf, unhandled_commands);
- else
- ipmi_inc_stat(intf, handled_commands);
- }
+ /*
+ * We chop off 12, not 11 bytes because the checksum
+ * at the end also needs to be removed.
+ */
+ recv_msg->msg.data_len = msg->rsp_size - 12;
+ memcpy(recv_msg->msg_data, &msg->rsp[11],
+ msg->rsp_size - 12);
+ if (deliver_response(intf, recv_msg))
+ ipmi_inc_stat(intf, unhandled_commands);
+ else
+ ipmi_inc_stat(intf, handled_commands);
+ } else {
+ /*
+ * We couldn't allocate memory for the message, so
+ * requeue it for handling later.
+ */
+ rv = 1;
}
return rv;
@@ -4270,7 +4237,7 @@ static int handle_oem_get_msg_cmd(struct
unsigned char chan;
struct ipmi_user *user = NULL;
struct ipmi_system_interface_addr *smi_addr;
- struct ipmi_recv_msg *recv_msg;
+ struct ipmi_recv_msg *recv_msg = NULL;
/*
* We expect the OEM SW to perform error checking
@@ -4299,9 +4266,8 @@ static int handle_oem_get_msg_cmd(struct
rcvr = find_cmd_rcvr(intf, netfn, cmd, chan);
if (rcvr) {
user = rcvr->user;
- kref_get(&user->refcount);
- } else
- user = NULL;
+ recv_msg = ipmi_alloc_recv_msg(user);
+ }
rcu_read_unlock();
if (user == NULL) {
@@ -4314,48 +4280,42 @@ static int handle_oem_get_msg_cmd(struct
*/
rv = 0;
- } else {
- recv_msg = ipmi_alloc_recv_msg();
- if (!recv_msg) {
- /*
- * We couldn't allocate memory for the
- * message, so requeue it for handling
- * later.
- */
- rv = 1;
- kref_put(&user->refcount, free_ipmi_user);
- } else {
- /*
- * OEM Messages are expected to be delivered via
- * the system interface to SMS software. We might
- * need to visit this again depending on OEM
- * requirements
- */
- smi_addr = ((struct ipmi_system_interface_addr *)
- &recv_msg->addr);
- smi_addr->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
- smi_addr->channel = IPMI_BMC_CHANNEL;
- smi_addr->lun = msg->rsp[0] & 3;
-
- recv_msg->user = user;
- recv_msg->user_msg_data = NULL;
- recv_msg->recv_type = IPMI_OEM_RECV_TYPE;
- recv_msg->msg.netfn = msg->rsp[0] >> 2;
- recv_msg->msg.cmd = msg->rsp[1];
- recv_msg->msg.data = recv_msg->msg_data;
+ } else if (!IS_ERR(recv_msg)) {
+ /*
+ * OEM Messages are expected to be delivered via
+ * the system interface to SMS software. We might
+ * need to visit this again depending on OEM
+ * requirements
+ */
+ smi_addr = ((struct ipmi_system_interface_addr *)
+ &recv_msg->addr);
+ smi_addr->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
+ smi_addr->channel = IPMI_BMC_CHANNEL;
+ smi_addr->lun = msg->rsp[0] & 3;
+
+ recv_msg->user_msg_data = NULL;
+ recv_msg->recv_type = IPMI_OEM_RECV_TYPE;
+ recv_msg->msg.netfn = msg->rsp[0] >> 2;
+ recv_msg->msg.cmd = msg->rsp[1];
+ recv_msg->msg.data = recv_msg->msg_data;
- /*
- * The message starts at byte 4 which follows the
- * Channel Byte in the "GET MESSAGE" command
- */
- recv_msg->msg.data_len = msg->rsp_size - 4;
- memcpy(recv_msg->msg_data, &msg->rsp[4],
- msg->rsp_size - 4);
- if (deliver_response(intf, recv_msg))
- ipmi_inc_stat(intf, unhandled_commands);
- else
- ipmi_inc_stat(intf, handled_commands);
- }
+ /*
+ * The message starts at byte 4 which follows the
+ * Channel Byte in the "GET MESSAGE" command
+ */
+ recv_msg->msg.data_len = msg->rsp_size - 4;
+ memcpy(recv_msg->msg_data, &msg->rsp[4],
+ msg->rsp_size - 4);
+ if (deliver_response(intf, recv_msg))
+ ipmi_inc_stat(intf, unhandled_commands);
+ else
+ ipmi_inc_stat(intf, handled_commands);
+ } else {
+ /*
+ * We couldn't allocate memory for the message, so
+ * requeue it for handling later.
+ */
+ rv = 1;
}
return rv;
@@ -4413,8 +4373,8 @@ static int handle_read_event_rsp(struct
if (!user->gets_events)
continue;
- recv_msg = ipmi_alloc_recv_msg();
- if (!recv_msg) {
+ recv_msg = ipmi_alloc_recv_msg(user);
+ if (IS_ERR(recv_msg)) {
mutex_unlock(&intf->users_mutex);
list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
link) {
@@ -4435,8 +4395,6 @@ static int handle_read_event_rsp(struct
deliver_count++;
copy_event_into_recv_msg(recv_msg, msg);
- recv_msg->user = user;
- kref_get(&user->refcount);
list_add_tail(&recv_msg->link, &msgs);
}
mutex_unlock(&intf->users_mutex);
@@ -4452,8 +4410,8 @@ static int handle_read_event_rsp(struct
* No one to receive the message, put it in queue if there's
* not already too many things in the queue.
*/
- recv_msg = ipmi_alloc_recv_msg();
- if (!recv_msg) {
+ recv_msg = ipmi_alloc_recv_msg(NULL);
+ if (IS_ERR(recv_msg)) {
/*
* We couldn't allocate memory for the
* message, so requeue it for handling
@@ -4868,12 +4826,10 @@ static void smi_work(struct work_struct
list_del(&msg->link);
- if (refcount_read(&user->destroyed) == 0) {
+ if (refcount_read(&user->destroyed) == 0)
ipmi_free_recv_msg(msg);
- } else {
- atomic_dec(&user->nr_msgs);
+ else
user->handler->ipmi_recv_hndl(msg, user->handler_data);
- }
}
mutex_unlock(&intf->user_msgs_mutex);
@@ -5190,27 +5146,51 @@ static void free_recv_msg(struct ipmi_re
kfree(msg);
}
-static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void)
+static struct ipmi_recv_msg *ipmi_alloc_recv_msg(struct ipmi_user *user)
{
struct ipmi_recv_msg *rv;
+ if (user) {
+ if (atomic_add_return(1, &user->nr_msgs) > max_msgs_per_user) {
+ atomic_dec(&user->nr_msgs);
+ return ERR_PTR(-EBUSY);
+ }
+ }
+
rv = kmalloc(sizeof(struct ipmi_recv_msg), GFP_ATOMIC);
- if (rv) {
- rv->user = NULL;
- rv->done = free_recv_msg;
- atomic_inc(&recv_msg_inuse_count);
+ if (!rv) {
+ if (user)
+ atomic_dec(&user->nr_msgs);
+ return ERR_PTR(-ENOMEM);
}
+
+ rv->user = user;
+ rv->done = free_recv_msg;
+ if (user)
+ kref_get(&user->refcount);
+ atomic_inc(&recv_msg_inuse_count);
return rv;
}
void ipmi_free_recv_msg(struct ipmi_recv_msg *msg)
{
- if (msg->user && !oops_in_progress)
+ if (msg->user && !oops_in_progress) {
+ atomic_dec(&msg->user->nr_msgs);
kref_put(&msg->user->refcount, free_ipmi_user);
+ }
msg->done(msg);
}
EXPORT_SYMBOL(ipmi_free_recv_msg);
+static void ipmi_set_recv_msg_user(struct ipmi_recv_msg *msg,
+ struct ipmi_user *user)
+{
+ WARN_ON_ONCE(msg->user); /* User should not be set. */
+ msg->user = user;
+ atomic_inc(&user->nr_msgs);
+ kref_get(&user->refcount);
+}
+
static atomic_t panic_done_count = ATOMIC_INIT(0);
static void dummy_smi_done_handler(struct ipmi_smi_msg *msg)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 231/371] ipmi:msghandler:Change seq_lock to a mutex
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 230/371] ipmi: Rework user message limit handling Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 232/371] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths Greg Kroah-Hartman
` (152 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Corey Minyard
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit 8fd8ea2869cfafb3b1d6f95ff49561b13a73438d upstream.
Dan Carpenter got a Smatch warning:
drivers/char/ipmi/ipmi_msghandler.c:5265 ipmi_free_recv_msg()
warn: sleeping in atomic context
due to the recent rework of the IPMI driver's locking. I didn't realize
vfree could block. But there is an easy solution to this, now that
almost everything in the message handler runs in thread context.
I wanted to spend the time earlier to see if seq_lock could be converted
from a spinlock to a mutex, but I wanted the previous changes to go in
and soak before I did that. So I went ahead and did the analysis and
converting should work. And solve this problem.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202503240244.LR7pOwyr-lkp@intel.com/
Fixes: 3be997d5a64a ("ipmi:msghandler: Remove srcu from the ipmi user structure")
Cc: <stable@vger.kernel.org> # 6.16
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 63 ++++++++++++++----------------------
1 file changed, 26 insertions(+), 37 deletions(-)
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -466,7 +466,7 @@ struct ipmi_smi {
* interface to match them up with their responses. A routine
* is called periodically to time the items in this list.
*/
- spinlock_t seq_lock;
+ struct mutex seq_lock;
struct seq_table seq_table[IPMI_IPMB_NUM_SEQ];
int curr_seq;
@@ -1117,12 +1117,11 @@ static int intf_find_seq(struct ipmi_smi
struct ipmi_recv_msg **recv_msg)
{
int rv = -ENODEV;
- unsigned long flags;
if (seq >= IPMI_IPMB_NUM_SEQ)
return -EINVAL;
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
if (intf->seq_table[seq].inuse) {
struct ipmi_recv_msg *msg = intf->seq_table[seq].recv_msg;
@@ -1135,7 +1134,7 @@ static int intf_find_seq(struct ipmi_smi
rv = 0;
}
}
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
return rv;
}
@@ -1146,14 +1145,13 @@ static int intf_start_seq_timer(struct i
long msgid)
{
int rv = -ENODEV;
- unsigned long flags;
unsigned char seq;
unsigned long seqid;
GET_SEQ_FROM_MSGID(msgid, seq, seqid);
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
/*
* We do this verification because the user can be deleted
* while a message is outstanding.
@@ -1164,7 +1162,7 @@ static int intf_start_seq_timer(struct i
ent->timeout = ent->orig_timeout;
rv = 0;
}
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
return rv;
}
@@ -1175,7 +1173,6 @@ static int intf_err_seq(struct ipmi_smi
unsigned int err)
{
int rv = -ENODEV;
- unsigned long flags;
unsigned char seq;
unsigned long seqid;
struct ipmi_recv_msg *msg = NULL;
@@ -1183,7 +1180,7 @@ static int intf_err_seq(struct ipmi_smi
GET_SEQ_FROM_MSGID(msgid, seq, seqid);
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
/*
* We do this verification because the user can be deleted
* while a message is outstanding.
@@ -1197,7 +1194,7 @@ static int intf_err_seq(struct ipmi_smi
msg = ent->recv_msg;
rv = 0;
}
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
if (msg)
deliver_err_response(intf, msg, err);
@@ -1210,7 +1207,6 @@ int ipmi_create_user(unsigned int
void *handler_data,
struct ipmi_user **user)
{
- unsigned long flags;
struct ipmi_user *new_user = NULL;
int rv = 0;
struct ipmi_smi *intf;
@@ -1278,9 +1274,9 @@ int ipmi_create_user(unsigned int
new_user->gets_events = false;
mutex_lock(&intf->users_mutex);
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
list_add(&new_user->link, &intf->users);
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
mutex_unlock(&intf->users_mutex);
if (handler->ipmi_watchdog_pretimeout)
@@ -1326,7 +1322,6 @@ static void _ipmi_destroy_user(struct ip
{
struct ipmi_smi *intf = user->intf;
int i;
- unsigned long flags;
struct cmd_rcvr *rcvr;
struct cmd_rcvr *rcvrs = NULL;
struct ipmi_recv_msg *msg, *msg2;
@@ -1347,7 +1342,7 @@ static void _ipmi_destroy_user(struct ip
list_del(&user->link);
atomic_dec(&intf->nr_users);
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) {
if (intf->seq_table[i].inuse
&& (intf->seq_table[i].recv_msg->user == user)) {
@@ -1356,7 +1351,7 @@ static void _ipmi_destroy_user(struct ip
ipmi_free_recv_msg(intf->seq_table[i].recv_msg);
}
}
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
/*
* Remove the user from the command receiver's table. First
@@ -2026,10 +2021,7 @@ static int i_ipmi_req_ipmb(struct ipmi_s
*/
smi_msg->user_data = recv_msg;
} else {
- /* It's a command, so get a sequence for it. */
- unsigned long flags;
-
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
if (is_maintenance_mode_cmd(msg))
intf->ipmb_maintenance_mode_timeout =
@@ -2087,7 +2079,7 @@ static int i_ipmi_req_ipmb(struct ipmi_s
* to be correct.
*/
out_err:
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
}
return rv;
@@ -2205,10 +2197,7 @@ static int i_ipmi_req_lan(struct ipmi_sm
*/
smi_msg->user_data = recv_msg;
} else {
- /* It's a command, so get a sequence for it. */
- unsigned long flags;
-
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
/*
* Create a sequence number with a 1 second
@@ -2257,7 +2246,7 @@ static int i_ipmi_req_lan(struct ipmi_sm
* to be correct.
*/
out_err:
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ mutex_unlock(&intf->seq_lock);
}
return rv;
@@ -3562,7 +3551,7 @@ int ipmi_add_smi(struct module *
atomic_set(&intf->nr_users, 0);
intf->handlers = handlers;
intf->send_info = send_info;
- spin_lock_init(&intf->seq_lock);
+ mutex_init(&intf->seq_lock);
for (j = 0; j < IPMI_IPMB_NUM_SEQ; j++) {
intf->seq_table[j].inuse = 0;
intf->seq_table[j].seqid = 0;
@@ -4487,9 +4476,10 @@ static int handle_one_recv_msg(struct ip
if (msg->rsp_size < 2) {
/* Message is too small to be correct. */
- dev_warn(intf->si_dev,
- "BMC returned too small a message for netfn %x cmd %x, got %d bytes\n",
- (msg->data[0] >> 2) | 1, msg->data[1], msg->rsp_size);
+ dev_warn_ratelimited(intf->si_dev,
+ "BMC returned too small a message for netfn %x cmd %x, got %d bytes\n",
+ (msg->data[0] >> 2) | 1,
+ msg->data[1], msg->rsp_size);
return_unspecified:
/* Generate an error response for the message. */
@@ -4907,8 +4897,7 @@ smi_from_recv_msg(struct ipmi_smi *intf,
static void check_msg_timeout(struct ipmi_smi *intf, struct seq_table *ent,
struct list_head *timeouts,
unsigned long timeout_period,
- int slot, unsigned long *flags,
- bool *need_timer)
+ int slot, bool *need_timer)
{
struct ipmi_recv_msg *msg;
@@ -4960,7 +4949,7 @@ static void check_msg_timeout(struct ipm
return;
}
- spin_unlock_irqrestore(&intf->seq_lock, *flags);
+ mutex_unlock(&intf->seq_lock);
/*
* Send the new message. We send with a zero
@@ -4981,7 +4970,7 @@ static void check_msg_timeout(struct ipm
} else
ipmi_free_smi_msg(smi_msg);
- spin_lock_irqsave(&intf->seq_lock, *flags);
+ mutex_lock(&intf->seq_lock);
}
}
@@ -5008,7 +4997,7 @@ static bool ipmi_timeout_handler(struct
* list.
*/
INIT_LIST_HEAD(&timeouts);
- spin_lock_irqsave(&intf->seq_lock, flags);
+ mutex_lock(&intf->seq_lock);
if (intf->ipmb_maintenance_mode_timeout) {
if (intf->ipmb_maintenance_mode_timeout <= timeout_period)
intf->ipmb_maintenance_mode_timeout = 0;
@@ -5018,8 +5007,8 @@ static bool ipmi_timeout_handler(struct
for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++)
check_msg_timeout(intf, &intf->seq_table[i],
&timeouts, timeout_period, i,
- &flags, &need_timer);
- spin_unlock_irqrestore(&intf->seq_lock, flags);
+ &need_timer);
+ mutex_unlock(&intf->seq_lock);
list_for_each_entry_safe(msg, msg2, &timeouts, link)
deliver_err_response(intf, msg, IPMI_TIMEOUT_COMPLETION_CODE);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 232/371] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 231/371] ipmi:msghandler:Change seq_lock to a mutex Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 233/371] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
` (151 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, Christian Brauner,
Jiri Slaby, Mateusz Guzik, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit a15f37a40145c986cdf289a4b88390f35efdecc4 upstream.
The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()
path is very broken.
sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct
itself. If tsk != current and tsk is not a leader, this process can exit/exec
and task_lock(tsk->group_leader) may use the already freed task_struct.
Another problem is that sys_prlimit64() can race with mt-exec which changes
->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)
->group_leader may change between task_lock() and task_unlock().
Change sys_prlimit64() to take tasklist_lock when necessary. This is not
nice, but I don't see a better fix for -stable.
Link: https://lkml.kernel.org/r/20250915120917.GA27702@redhat.com
Fixes: 18c91bb2d872 ("prlimit: do not grab the tasklist_lock")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jiri Slaby <jirislaby@kernel.org>
Cc: Mateusz Guzik <mjguzik@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sys.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1734,6 +1734,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, u
struct rlimit old, new;
struct task_struct *tsk;
unsigned int checkflags = 0;
+ bool need_tasklist;
int ret;
if (old_rlim)
@@ -1760,8 +1761,25 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, u
get_task_struct(tsk);
rcu_read_unlock();
- ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL,
- old_rlim ? &old : NULL);
+ need_tasklist = !same_thread_group(tsk, current);
+ if (need_tasklist) {
+ /*
+ * Ensure we can't race with group exit or de_thread(),
+ * so tsk->group_leader can't be freed or changed until
+ * read_unlock(tasklist_lock) below.
+ */
+ read_lock(&tasklist_lock);
+ if (!pid_alive(tsk))
+ ret = -ESRCH;
+ }
+
+ if (!ret) {
+ ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL,
+ old_rlim ? &old : NULL);
+ }
+
+ if (need_tasklist)
+ read_unlock(&tasklist_lock);
if (!ret && old_rlim) {
rlim_to_rlim64(&old, &old64);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 233/371] KEYS: trusted_tpm1: Compare HMAC values in constant time
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 232/371] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 234/371] kho: only fill kimage if KHO is finalized Greg Kroah-Hartman
` (150 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jarkko Sakkinen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit eed0e3d305530066b4fc5370107cff8ef1a0d229 upstream.
To prevent timing attacks, HMAC value comparison needs to be constant
time. Replace the memcmp() with the correct function, crypto_memneq().
[For the Fixes commit I used the commit that introduced the memcmp().
It predates the introduction of crypto_memneq(), but it was still a bug
at the time even though a helper function didn't exist yet.]
Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/trusted-keys/trusted_tpm1.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -7,6 +7,7 @@
*/
#include <crypto/hash_info.h>
+#include <crypto/utils.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/parser.h>
@@ -241,7 +242,7 @@ int TSS_checkhmac1(unsigned char *buffer
if (ret < 0)
goto out;
- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
+ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
ret = -EINVAL;
out:
kfree_sensitive(sdesc);
@@ -334,7 +335,7 @@ static int TSS_checkhmac2(unsigned char
TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
if (ret < 0)
goto out;
- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
+ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
ret = -EINVAL;
goto out;
}
@@ -343,7 +344,7 @@ static int TSS_checkhmac2(unsigned char
TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
if (ret < 0)
goto out;
- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
+ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
ret = -EINVAL;
out:
kfree_sensitive(sdesc);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 234/371] kho: only fill kimage if KHO is finalized
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 233/371] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 235/371] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
` (149 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav,
Mike Rapoport (Microsoft), Alexander Graf, Baoquan He,
Changyuan Lyu, Jason Gunthorpe, Pasha Tatashin, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratyush Yadav <pratyush@kernel.org>
commit f322a97aeb2a05b6b1ee17629145eb02e1a4c6a0 upstream.
kho_fill_kimage() only checks for KHO being enabled before filling in the
FDT to the image. KHO being enabled does not mean that the kernel has
data to hand over. That happens when KHO is finalized.
When a kexec is done with KHO enabled but not finalized, the FDT page is
allocated but not initialized. FDT initialization happens after finalize.
This means the KHO segment is filled in but the FDT contains garbage
data.
This leads to the below error messages in the next kernel:
[ 0.000000] KHO: setup: handover FDT (0x10116b000) is invalid: -9
[ 0.000000] KHO: disabling KHO revival: -22
There is no problem in practice, and the next kernel boots and works fine.
But this still leads to misleading error messages and garbage being
handed over.
Only fill in KHO segment when KHO is finalized. When KHO is not enabled,
the debugfs interface is not created and there is no way to finalize it
anyway. So the check for kho_enable is not needed, and kho_out.finalize
alone is enough.
Link: https://lkml.kernel.org/r/20250918170617.91413-1-pratyush@kernel.org
Fixes: 3bdecc3c93f9 ("kexec: add KHO support to kexec file loads")
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alexander Graf <graf@amazon.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Changyuan Lyu <changyuanl@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kexec_handover.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/kexec_handover.c
+++ b/kernel/kexec_handover.c
@@ -1233,7 +1233,7 @@ int kho_fill_kimage(struct kimage *image
int err = 0;
struct kexec_buf scratch;
- if (!kho_enable)
+ if (!kho_out.finalized)
return 0;
image->kho.fdt = page_to_phys(kho_out.ser.fdt);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 235/371] lib/genalloc: fix device leak in of_gen_pool_get()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 234/371] kho: only fill kimage if KHO is finalized Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 236/371] loop: fix backing file reference leak on validation error Greg Kroah-Hartman
` (148 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Philipp Zabel,
Vladimir Zapolskiy, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 upstream.
Make sure to drop the reference taken when looking up the genpool platform
device in of_gen_pool_get() before returning the pool.
Note that holding a reference to a device does typically not prevent its
devres managed resources from being released so there is no point in
keeping the reference.
Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org
Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device")
Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Cc: Vladimir Zapolskiy <vz@mleia.com>
Cc: <stable@vger.kernel.org> [3.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/genalloc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct
if (!name)
name = of_node_full_name(np_pool);
}
- if (pdev)
+ if (pdev) {
pool = gen_pool_get(&pdev->dev, name);
+ put_device(&pdev->dev);
+ }
+
of_node_put(np_pool);
return pool;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 236/371] loop: fix backing file reference leak on validation error
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 235/371] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 237/371] md: fix mssing blktrace bio split events Greg Kroah-Hartman
` (147 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Elfring, Yang Erkun, Ming Lei,
Yu Kuai, Li Chen, Jens Axboe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Chen <me@linux.beauty>
commit 98b7bf54338b797e3a11e8178ce0e806060d8fa3 upstream.
loop_change_fd() and loop_configure() call loop_check_backing_file()
to validate the new backing file. If validation fails, the reference
acquired by fget() was not dropped, leaking a file reference.
Fix this by calling fput(file) before returning the error.
Cc: stable@vger.kernel.org
Cc: Markus Elfring <Markus.Elfring@web.de>
CC: Yang Erkun <yangerkun@huawei.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Yu Kuai <yukuai1@huaweicloud.com>
Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter")
Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_de
return -EBADF;
error = loop_check_backing_file(file);
- if (error)
+ if (error) {
+ fput(file);
return error;
+ }
/* suppress uevents while reconfiguring the device */
dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1);
@@ -993,8 +995,10 @@ static int loop_configure(struct loop_de
return -EBADF;
error = loop_check_backing_file(file);
- if (error)
+ if (error) {
+ fput(file);
return error;
+ }
is_loop = is_loop_device(file);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 237/371] md: fix mssing blktrace bio split events
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 236/371] loop: fix backing file reference leak on validation error Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 238/371] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify Greg Kroah-Hartman
` (146 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Damien Le Moal,
Christoph Hellwig, Jens Axboe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
commit 22f166218f7313e8fe2d19213b5f4b3265f8c39e upstream.
If bio is split by internal handling like chunksize or badblocks, the
corresponding trace_block_split() is missing, resulting in blktrace
inability to catch BIO split events and making it harder to analyze the
BIO sequence.
Cc: stable@vger.kernel.org
Fixes: 4b1faf931650 ("block: Kill bio_pair_split()")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/md-linear.c | 1 +
drivers/md/raid0.c | 4 ++++
drivers/md/raid1.c | 4 ++++
drivers/md/raid10.c | 8 ++++++++
drivers/md/raid5.c | 2 ++
5 files changed, 19 insertions(+)
--- a/drivers/md/md-linear.c
+++ b/drivers/md/md-linear.c
@@ -267,6 +267,7 @@ static bool linear_make_request(struct m
}
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
submit_bio_noacct(bio);
bio = split;
}
--- a/drivers/md/raid0.c
+++ b/drivers/md/raid0.c
@@ -473,7 +473,9 @@ static void raid0_handle_discard(struct
bio_endio(bio);
return;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
submit_bio_noacct(bio);
bio = split;
end = zone->zone_end;
@@ -621,7 +623,9 @@ static bool raid0_make_request(struct md
bio_endio(bio);
return true;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
raid0_map_submit_bio(mddev, bio);
bio = split;
}
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1383,7 +1383,9 @@ static void raid1_read_request(struct md
error = PTR_ERR(split);
goto err_handle;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
submit_bio_noacct(bio);
bio = split;
r1_bio->master_bio = bio;
@@ -1591,7 +1593,9 @@ static void raid1_write_request(struct m
error = PTR_ERR(split);
goto err_handle;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
submit_bio_noacct(bio);
bio = split;
r1_bio->master_bio = bio;
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1209,7 +1209,9 @@ static void raid10_read_request(struct m
error = PTR_ERR(split);
goto err_handle;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
allow_barrier(conf);
submit_bio_noacct(bio);
wait_barrier(conf, false);
@@ -1495,7 +1497,9 @@ static void raid10_write_request(struct
error = PTR_ERR(split);
goto err_handle;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
allow_barrier(conf);
submit_bio_noacct(bio);
wait_barrier(conf, false);
@@ -1679,7 +1683,9 @@ static int raid10_handle_discard(struct
bio_endio(bio);
return 0;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
allow_barrier(conf);
/* Resend the fist split part */
submit_bio_noacct(split);
@@ -1694,7 +1700,9 @@ static int raid10_handle_discard(struct
bio_endio(bio);
return 0;
}
+
bio_chain(split, bio);
+ trace_block_split(split, bio->bi_iter.bi_sector);
allow_barrier(conf);
/* Resend the second split part */
submit_bio_noacct(bio);
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -5475,8 +5475,10 @@ static struct bio *chunk_aligned_read(st
if (sectors < bio_sectors(raid_bio)) {
struct r5conf *conf = mddev->private;
+
split = bio_split(raid_bio, sectors, GFP_NOIO, &conf->bio_split);
bio_chain(split, raid_bio);
+ trace_block_split(split, raid_bio->bi_iter.bi_sector);
submit_bio_noacct(raid_bio);
raid_bio = split;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 238/371] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 237/371] md: fix mssing blktrace bio split events Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 239/371] openat2: dont trigger automounts with RESOLVE_NO_XDEV Greg Kroah-Hartman
` (145 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Rob Herring (Arm)
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit a8de554774ae48efbe48ace79f8badae2daa2bf1 upstream.
In of_unittest_pci_node_verify(), when the add parameter is false,
device_find_any_child() obtains a reference to a child device. This
function implicitly calls get_device() to increment the device's
reference count before returning the pointer. However, the caller
fails to properly release this reference by calling put_device(),
leading to a device reference count leak. Add put_device() in the else
branch immediately after child_dev is no longer needed.
As the comment of device_find_any_child states: "NOTE: you will need
to drop the reference with put_device() after use".
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/unittest.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -4300,6 +4300,7 @@ static int of_unittest_pci_node_verify(s
unittest(!np, "Child device tree node is not removed\n");
child_dev = device_find_any_child(&pdev->dev);
unittest(!child_dev, "Child device is not removed\n");
+ put_device(child_dev);
}
failed:
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 239/371] openat2: dont trigger automounts with RESOLVE_NO_XDEV
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 238/371] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 240/371] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
` (144 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksa Sarai, Askar Safin,
Christian Brauner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Askar Safin <safinaskar@zohomail.com>
commit 042a60680de43175eb4df0977ff04a4eba9da082 upstream.
openat2 had a bug: if we pass RESOLVE_NO_XDEV, then openat2
doesn't traverse through automounts, but may still trigger them.
(See the link for full bug report with reproducer.)
This commit fixes this bug.
Link: https://lore.kernel.org/linux-fsdevel/20250817075252.4137628-1-safinaskar@zohomail.com/
Fixes: fddb5d430ad9fa91b49b1 ("open: introduce openat2(2) syscall")
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Cc: stable@vger.kernel.org
Signed-off-by: Askar Safin <safinaskar@zohomail.com>
Link: https://lore.kernel.org/20250825181233.2464822-5-safinaskar@zohomail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/namei.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1449,6 +1449,10 @@ static int follow_automount(struct path
dentry->d_inode)
return -EISDIR;
+ /* No need to trigger automounts if mountpoint crossing is disabled. */
+ if (lookup_flags & LOOKUP_NO_XDEV)
+ return -EXDEV;
+
if (count && (*count)++ >= MAXSYMLINKS)
return -ELOOP;
@@ -1472,6 +1476,10 @@ static int __traverse_mounts(struct path
/* Allow the filesystem to manage the transit without i_rwsem
* being held. */
if (flags & DCACHE_MANAGE_TRANSIT) {
+ if (lookup_flags & LOOKUP_NO_XDEV) {
+ ret = -EXDEV;
+ break;
+ }
ret = path->dentry->d_op->d_manage(path, false);
flags = smp_load_acquire(&path->dentry->d_flags);
if (ret < 0)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 240/371] padata: Reset next CPU when reorder sequence wraps around
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 239/371] openat2: dont trigger automounts with RESOLVE_NO_XDEV Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 241/371] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
` (143 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiao Liang, Herbert Xu
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiao Liang <shaw.leon@gmail.com>
commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b upstream.
When seq_nr wraps around, the next reorder job with seq 0 is hashed to
the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu
to the first one when pd->processed wraps around. Otherwise, if the
number of used CPUs is not a power of 2, padata_find_next() will be
checking a wrong list, hence deadlock.
Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
Cc: <stable@vger.kernel.org>
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/padata.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -291,8 +291,12 @@ static void padata_reorder(struct padata
struct padata_serial_queue *squeue;
int cb_cpu;
- cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu);
processed++;
+ /* When sequence wraps around, reset to the first CPU. */
+ if (unlikely(processed == 0))
+ cpu = cpumask_first(pd->cpumask.pcpu);
+ else
+ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu);
cb_cpu = padata->cb_cpu;
squeue = per_cpu_ptr(pd->squeue, cb_cpu);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 241/371] parisc: dont reference obsolete termio struct for TC* constants
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 240/371] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 242/371] parisc: Remove spurious if statement from raw_copy_from_user() Greg Kroah-Hartman
` (142 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam James, Helge Deller,
Stian Halseth
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam James <sam@gentoo.org>
commit 8ec5a066f88f89bd52094ba18792b34c49dcd55a upstream.
Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42
drops the legacy termio struct, but the ioctls.h header still defines some
TC* constants in terms of termio (via sizeof). Hardcode the values instead.
This fixes building Python for example, which falls over like:
./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio'
Link: https://bugs.gentoo.org/961769
Link: https://bugs.gentoo.org/962600
Co-authored-by: Stian Halseth <stian@itx.no>
Cc: stable@vger.kernel.org
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/uapi/asm/ioctls.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/parisc/include/uapi/asm/ioctls.h
+++ b/arch/parisc/include/uapi/asm/ioctls.h
@@ -10,10 +10,10 @@
#define TCSETS _IOW('T', 17, struct termios) /* TCSETATTR */
#define TCSETSW _IOW('T', 18, struct termios) /* TCSETATTRD */
#define TCSETSF _IOW('T', 19, struct termios) /* TCSETATTRF */
-#define TCGETA _IOR('T', 1, struct termio)
-#define TCSETA _IOW('T', 2, struct termio)
-#define TCSETAW _IOW('T', 3, struct termio)
-#define TCSETAF _IOW('T', 4, struct termio)
+#define TCGETA 0x40125401
+#define TCSETA 0x80125402
+#define TCSETAW 0x80125403
+#define TCSETAF 0x80125404
#define TCSBRK _IO('T', 5)
#define TCXONC _IO('T', 6)
#define TCFLSH _IO('T', 7)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 242/371] parisc: Remove spurious if statement from raw_copy_from_user()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 241/371] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 243/371] nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk Greg Kroah-Hartman
` (141 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John David Anglin, Helge Deller
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit 16794e524d310780163fdd49d0bf7fac30f8dbc8 upstream.
Accidently introduced in commit 91428ca9320e.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: 91428ca9320e ("parisc: Check region is readable by user in raw_copy_from_user()")
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/lib/memcpy.c | 1 -
1 file changed, 1 deletion(-)
--- a/arch/parisc/lib/memcpy.c
+++ b/arch/parisc/lib/memcpy.c
@@ -41,7 +41,6 @@ unsigned long raw_copy_from_user(void *d
mtsp(get_kernel_space(), SR_TEMP2);
/* Check region is user accessible */
- if (start)
while (start < end) {
if (!prober_user(SR_TEMP1, start)) {
newlen = (start - (unsigned long) src);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 243/371] nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 242/371] parisc: Remove spurious if statement from raw_copy_from_user() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 244/371] pinctrl: samsung: Drop unused S3C24xx driver data Greg Kroah-Hartman
` (140 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Georg Gottleuber, Werner Sembach,
Keith Busch
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Georg Gottleuber <ggo@tuxedocomputers.com>
commit eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 upstream.
On the TUXEDO InfinityBook S Gen8, a Samsung 990 Evo NVMe leads to
a high power consumption in s2idle sleep (3.5 watts).
This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with
a lower power consumption, typically around 1 watts.
Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3324,10 +3324,12 @@ static unsigned long check_vendor_combin
* Exclude Samsung 990 Evo from NVME_QUIRK_SIMPLE_SUSPEND
* because of high power consumption (> 2 Watt) in s2idle
* sleep. Only some boards with Intel CPU are affected.
+ * (Note for testing: Samsung 990 Evo Plus has same PCI ID)
*/
if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") ||
dmi_match(DMI_BOARD_NAME, "GMxPXxx") ||
dmi_match(DMI_BOARD_NAME, "GXxMRXx") ||
+ dmi_match(DMI_BOARD_NAME, "NS5X_NS7XAU") ||
dmi_match(DMI_BOARD_NAME, "PH4PG31") ||
dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") ||
dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71"))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 244/371] pinctrl: samsung: Drop unused S3C24xx driver data
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 243/371] nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 245/371] PM: EM: Fix late boot with holes in CPU topology Greg Kroah-Hartman
` (139 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 358253fa8179ab4217ac283b56adde0174186f87 upstream.
Drop unused declarations after S3C24xx SoC family removal in the commit
61b7f8920b17 ("ARM: s3c: remove all s3c24xx support").
Fixes: 1ea35b355722 ("ARM: s3c: remove s3c24xx specific hacks")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250830111657.126190-3-krzysztof.kozlowski@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/samsung/pinctrl-samsung.h | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/pinctrl/samsung/pinctrl-samsung.h
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.h
@@ -402,10 +402,6 @@ extern const struct samsung_pinctrl_of_m
extern const struct samsung_pinctrl_of_match_data fsd_of_data;
extern const struct samsung_pinctrl_of_match_data gs101_of_data;
extern const struct samsung_pinctrl_of_match_data s3c64xx_of_data;
-extern const struct samsung_pinctrl_of_match_data s3c2412_of_data;
-extern const struct samsung_pinctrl_of_match_data s3c2416_of_data;
-extern const struct samsung_pinctrl_of_match_data s3c2440_of_data;
-extern const struct samsung_pinctrl_of_match_data s3c2450_of_data;
extern const struct samsung_pinctrl_of_match_data s5pv210_of_data;
#endif /* __PINCTRL_SAMSUNG_H */
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 245/371] PM: EM: Fix late boot with holes in CPU topology
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 244/371] pinctrl: samsung: Drop unused S3C24xx driver data Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 246/371] PM: hibernate: Fix hybrid-sleep Greg Kroah-Hartman
` (138 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kenneth Crudup, Christian Loehle,
Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Loehle <christian.loehle@arm.com>
commit 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 upstream.
Commit e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity
adjustment") added a mechanism to handle CPUs that come up late by
retrying when any of the `cpufreq_cpu_get()` call fails.
However, if there are holes in the CPU topology (offline CPUs, e.g.
nosmt), the first missing CPU causes the loop to break, preventing
subsequent online CPUs from being updated.
Instead of aborting on the first missing CPU policy, loop through all
and retry if any were missing.
Fixes: e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity adjustment")
Suggested-by: Kenneth Crudup <kenneth.crudup@gmail.com>
Reported-by: Kenneth Crudup <kenneth.crudup@gmail.com>
Link: https://lore.kernel.org/linux-pm/40212796-734c-4140-8a85-854f72b8144d@panix.com/
Cc: 6.9+ <stable@vger.kernel.org> # 6.9+
Signed-off-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/20250831214357.2020076-1-christian.loehle@arm.com
[ rjw: Drop the new pr_debug() message which is not very useful ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/power/energy_model.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/kernel/power/energy_model.c
+++ b/kernel/power/energy_model.c
@@ -799,7 +799,7 @@ void em_adjust_cpu_capacity(unsigned int
static void em_check_capacity_update(void)
{
cpumask_var_t cpu_done_mask;
- int cpu;
+ int cpu, failed_cpus = 0;
if (!zalloc_cpumask_var(&cpu_done_mask, GFP_KERNEL)) {
pr_warn("no free memory\n");
@@ -817,10 +817,8 @@ static void em_check_capacity_update(voi
policy = cpufreq_cpu_get(cpu);
if (!policy) {
- pr_debug("Accessing cpu%d policy failed\n", cpu);
- schedule_delayed_work(&em_update_work,
- msecs_to_jiffies(1000));
- break;
+ failed_cpus++;
+ continue;
}
cpufreq_cpu_put(policy);
@@ -835,6 +833,9 @@ static void em_check_capacity_update(voi
em_adjust_new_capacity(cpu, dev, pd);
}
+ if (failed_cpus)
+ schedule_delayed_work(&em_update_work, msecs_to_jiffies(1000));
+
free_cpumask_var(cpu_done_mask);
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 246/371] PM: hibernate: Fix hybrid-sleep
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 245/371] PM: EM: Fix late boot with holes in CPU topology Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 247/371] PM: hibernate: Restrict GFP mask in power_down() Greg Kroah-Hartman
` (137 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ionut Nechita, Kenneth Crudup,
Alex Deucher, Mario Limonciello (AMD), Rafael J. Wysocki
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
commit 469d80a3712c66a00b5bb888e62e809db8887ba7 upstream.
Hybrid sleep will hibernate the system followed by running through
the suspend routine. Since both the hibernate and the suspend routine
will call pm_restrict_gfp_mask(), pm_restore_gfp_mask() must be called
before starting the suspend sequence.
Add an explicit call to pm_restore_gfp_mask() to power_down() before
the suspend sequence starts. Add an extra call for pm_restrict_gfp_mask()
when exiting suspend so that the pm_restore_gfp_mask() call in hibernate()
is balanced.
Reported-by: Ionut Nechita <ionut_n2001@yahoo.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4573
Tested-by: Ionut Nechita <ionut_n2001@yahoo.com>
Fixes: 12ffc3b1513eb ("PM: Restrict swap use to later in the suspend sequence")
Tested-by: Kenneth Crudup <kenny@panix.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Link: https://patch.msgid.link/20250925185108.2968494-2-superm1@kernel.org
[ rjw: Add comment explainig the new pm_restrict_gfp_mask() call purpose ]
Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/power/hibernate.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -695,12 +695,16 @@ static void power_down(void)
#ifdef CONFIG_SUSPEND
if (hibernation_mode == HIBERNATION_SUSPEND) {
+ pm_restore_gfp_mask();
error = suspend_devices_and_enter(mem_sleep_current);
if (error) {
hibernation_mode = hibernation_ops ?
HIBERNATION_PLATFORM :
HIBERNATION_SHUTDOWN;
} else {
+ /* Match pm_restore_gfp_mask() call in hibernate() */
+ pm_restrict_gfp_mask();
+
/* Restore swap signature. */
error = swsusp_unmark();
if (error)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 247/371] PM: hibernate: Restrict GFP mask in power_down()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 246/371] PM: hibernate: Fix hybrid-sleep Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 248/371] power: supply: max77976_charger: fix constant current reporting Greg Kroah-Hartman
` (136 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Mario Limonciello (AMD)
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 6f4c6f9ed4ce65303f6bb153e2afc71bc33c8ded upstream.
Commit 12ffc3b1513e ("PM: Restrict swap use to later in the
suspend sequence") caused hibernation_platform_enter() to call
pm_restore_gfp_mask() via dpm_resume_end(), so when power_down()
returns after aborting hibernation_platform_enter(), it needs
to match the pm_restore_gfp_mask() call in hibernate() that will
occur subsequently.
Address this by adding a pm_restrict_gfp_mask() call to the relevant
error path in power_down().
Fixes: 12ffc3b1513e ("PM: Restrict swap use to later in the suspend sequence")
Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/power/hibernate.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -722,6 +722,8 @@ static void power_down(void)
case HIBERNATION_PLATFORM:
error = hibernation_platform_enter();
if (error == -EAGAIN || error == -EBUSY) {
+ /* Match pm_restore_gfp_mask() in hibernate(). */
+ pm_restrict_gfp_mask();
swsusp_unmark();
events_check_enabled = false;
pr_info("Wakeup event detected during hibernation, rolling back.\n");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 248/371] power: supply: max77976_charger: fix constant current reporting
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 247/371] PM: hibernate: Restrict GFP mask in power_down() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 249/371] powerpc/powernv/pci: Fix underflow and leak issue Greg Kroah-Hartman
` (135 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dzmitry Sankouski, Sebastian Reichel
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dzmitry Sankouski <dsankouski@gmail.com>
commit ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a upstream.
CHARGE_CONTROL_LIMIT is a wrong property to report charge current limit,
because `CHARGE_*` attributes represents capacity, not current. The
correct attribute to report and set charge current limit is
CONSTANT_CHARGE_CURRENT.
Rename CHARGE_CONTROL_LIMIT to CONSTANT_CHARGE_CURRENT.
Cc: stable@vger.kernel.org
Fixes: 715ecbc10d6a ("power: supply: max77976: add Maxim MAX77976 charger driver")
Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/max77976_charger.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/power/supply/max77976_charger.c
+++ b/drivers/power/supply/max77976_charger.c
@@ -292,10 +292,10 @@ static int max77976_get_property(struct
case POWER_SUPPLY_PROP_ONLINE:
err = max77976_get_online(chg, &val->intval);
break;
- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX:
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX:
val->intval = MAX77976_CHG_CC_MAX;
break;
- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
err = max77976_get_integer(chg, CHG_CC,
MAX77976_CHG_CC_MIN,
MAX77976_CHG_CC_MAX,
@@ -330,7 +330,7 @@ static int max77976_set_property(struct
int err = 0;
switch (psp) {
- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
err = max77976_set_integer(chg, CHG_CC,
MAX77976_CHG_CC_MIN,
MAX77976_CHG_CC_MAX,
@@ -355,7 +355,7 @@ static int max77976_property_is_writeabl
enum power_supply_property psp)
{
switch (psp) {
- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT:
return true;
default:
@@ -368,8 +368,8 @@ static enum power_supply_property max779
POWER_SUPPLY_PROP_CHARGE_TYPE,
POWER_SUPPLY_PROP_HEALTH,
POWER_SUPPLY_PROP_ONLINE,
- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT,
- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX,
+ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT,
+ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX,
POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT,
POWER_SUPPLY_PROP_MODEL_NAME,
POWER_SUPPLY_PROP_MANUFACTURER,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 249/371] powerpc/powernv/pci: Fix underflow and leak issue
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 248/371] power: supply: max77976_charger: fix constant current reporting Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 250/371] powerpc/pseries/msi: Fix potential " Greg Kroah-Hartman
` (134 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nam Cao, Cédric Le Goater,
Madhavan Srinivasan
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
commit a39087905af9ffecaa237a918a2c03a04e479934 upstream.
pnv_irq_domain_alloc() allocates interrupts at parent's interrupt
domain. If it fails in the progress, all allocated interrupts are
freed.
The number of successfully allocated interrupts so far is stored
"i". However, "i - 1" interrupts are freed. This is broken:
- One interrupt is not be freed
- If "i" is zero, "i - 1" wraps around
Correct the number of freed interrupts to "i".
Fixes: 0fcfe2247e75 ("powerpc/powernv/pci: Add MSI domains")
Signed-off-by: Nam Cao <namcao@linutronix.de>
Cc: stable@vger.kernel.org
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/70f8debe8688e0b467367db769b71c20146a836d.1754300646.git.namcao@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/powernv/pci-ioda.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -1854,7 +1854,7 @@ static int pnv_irq_domain_alloc(struct i
return 0;
out:
- irq_domain_free_irqs_parent(domain, virq, i - 1);
+ irq_domain_free_irqs_parent(domain, virq, i);
msi_bitmap_free_hwirqs(&phb->msi_bmp, hwirq, nr_irqs);
return ret;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 250/371] powerpc/pseries/msi: Fix potential underflow and leak issue
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 249/371] powerpc/powernv/pci: Fix underflow and leak issue Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 251/371] pwm: berlin: Fix wrong register in suspend/resume Greg Kroah-Hartman
` (133 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nam Cao, Cédric Le Goater,
Madhavan Srinivasan
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
commit 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 upstream.
pseries_irq_domain_alloc() allocates interrupts at parent's interrupt
domain. If it fails in the progress, all allocated interrupts are
freed.
The number of successfully allocated interrupts so far is stored
"i". However, "i - 1" interrupts are freed. This is broken:
- One interrupt is not be freed
- If "i" is zero, "i - 1" wraps around
Correct the number of freed interrupts to 'i'.
Fixes: a5f3d2c17b07 ("powerpc/pseries/pci: Add MSI domains")
Signed-off-by: Nam Cao <namcao@linutronix.de>
Cc: stable@vger.kernel.org
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/a980067f2b256bf716b4cd713bc1095966eed8cd.1754300646.git.namcao@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/msi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/msi.c
+++ b/arch/powerpc/platforms/pseries/msi.c
@@ -593,7 +593,7 @@ static int pseries_irq_domain_alloc(stru
out:
/* TODO: handle RTAS cleanup in ->msi_finish() ? */
- irq_domain_free_irqs_parent(domain, virq, i - 1);
+ irq_domain_free_irqs_parent(domain, virq, i);
return ret;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 251/371] pwm: berlin: Fix wrong register in suspend/resume
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 250/371] powerpc/pseries/msi: Fix potential " Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 252/371] pwm: Fix incorrect variable used in error message Greg Kroah-Hartman
` (132 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Uwe Kleine-König
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
commit 3a4b9d027e4061766f618292df91760ea64a1fcc upstream.
The 'enable' register should be BERLIN_PWM_EN rather than
BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
will be cpu exception then kernel panic during suspend/resume.
Fixes: bbf0722c1c66 ("pwm: berlin: Add suspend/resume support")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://lore.kernel.org/r/20250819114224.31825-1-jszhang@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-berlin.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/pwm/pwm-berlin.c
+++ b/drivers/pwm/pwm-berlin.c
@@ -234,7 +234,7 @@ static int berlin_pwm_suspend(struct dev
for (i = 0; i < chip->npwm; i++) {
struct berlin_pwm_channel *channel = &bpc->channel[i];
- channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_ENABLE);
+ channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_EN);
channel->ctrl = berlin_pwm_readl(bpc, i, BERLIN_PWM_CONTROL);
channel->duty = berlin_pwm_readl(bpc, i, BERLIN_PWM_DUTY);
channel->tcnt = berlin_pwm_readl(bpc, i, BERLIN_PWM_TCNT);
@@ -262,7 +262,7 @@ static int berlin_pwm_resume(struct devi
berlin_pwm_writel(bpc, i, channel->ctrl, BERLIN_PWM_CONTROL);
berlin_pwm_writel(bpc, i, channel->duty, BERLIN_PWM_DUTY);
berlin_pwm_writel(bpc, i, channel->tcnt, BERLIN_PWM_TCNT);
- berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_ENABLE);
+ berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_EN);
}
return 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 252/371] pwm: Fix incorrect variable used in error message
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 251/371] pwm: berlin: Fix wrong register in suspend/resume Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 253/371] Revert "ipmi: fix msg stack when IPMI is disconnected" Greg Kroah-Hartman
` (131 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King,
Uwe Kleine-König
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.i.king@gmail.com>
commit afe872274edc7da46719a2029bfa4eab142b15f6 upstream.
The dev_err message is reporting the incorrect return value ret_tohw,
it should be reporting the value in ret_fromhw. Fix this by using
ret_fromhw instead of ret_tohw.
Fixes: 6c5126c6406d ("pwm: Provide new consumer API functions for waveforms")
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20250902130348.2630053-1-colin.i.king@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pwm/core.c
+++ b/drivers/pwm/core.c
@@ -276,7 +276,7 @@ int pwm_round_waveform_might_sleep(struc
if (IS_ENABLED(CONFIG_PWM_DEBUG) && ret_fromhw > 0)
dev_err(&chip->dev, "Unexpected return value from __pwm_round_waveform_fromhw: requested %llu/%llu [+%llu], return value %d\n",
- wf_req.duty_length_ns, wf_req.period_length_ns, wf_req.duty_offset_ns, ret_tohw);
+ wf_req.duty_length_ns, wf_req.period_length_ns, wf_req.duty_offset_ns, ret_fromhw);
if (IS_ENABLED(CONFIG_PWM_DEBUG) &&
(ret_tohw == 0) != pwm_check_rounding(&wf_req, wf))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 253/371] Revert "ipmi: fix msg stack when IPMI is disconnected"
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 252/371] pwm: Fix incorrect variable used in error message Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear() Greg Kroah-Hartman
` (130 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard, Eric Hagberg
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit 5d09ee1bec870263f4ace439402ea840503b503b upstream.
This reverts commit c608966f3f9c2dca596967501d00753282b395fc.
This patch has a subtle bug that can cause the IPMI driver to go into an
infinite loop if the BMC misbehaves in a certain way. Apparently
certain BMCs do misbehave this way because several reports have come in
recently about this.
Signed-off-by: Corey Minyard <corey@minyard.net>
Tested-by: Eric Hagberg <ehagberg@janestreet.com>
Cc: <stable@vger.kernel.org> # 6.2
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_kcs_sm.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
--- a/drivers/char/ipmi/ipmi_kcs_sm.c
+++ b/drivers/char/ipmi/ipmi_kcs_sm.c
@@ -122,10 +122,10 @@ struct si_sm_data {
unsigned long error0_timeout;
};
-static unsigned int init_kcs_data_with_state(struct si_sm_data *kcs,
- struct si_sm_io *io, enum kcs_states state)
+static unsigned int init_kcs_data(struct si_sm_data *kcs,
+ struct si_sm_io *io)
{
- kcs->state = state;
+ kcs->state = KCS_IDLE;
kcs->io = io;
kcs->write_pos = 0;
kcs->write_count = 0;
@@ -140,12 +140,6 @@ static unsigned int init_kcs_data_with_s
return 2;
}
-static unsigned int init_kcs_data(struct si_sm_data *kcs,
- struct si_sm_io *io)
-{
- return init_kcs_data_with_state(kcs, io, KCS_IDLE);
-}
-
static inline unsigned char read_status(struct si_sm_data *kcs)
{
return kcs->io->inputb(kcs->io, 1);
@@ -276,7 +270,7 @@ static int start_kcs_transaction(struct
if (size > MAX_KCS_WRITE_SIZE)
return IPMI_REQ_LEN_EXCEEDED_ERR;
- if (kcs->state != KCS_IDLE) {
+ if ((kcs->state != KCS_IDLE) && (kcs->state != KCS_HOSED)) {
dev_warn(kcs->io->dev, "KCS in invalid state %d\n", kcs->state);
return IPMI_NOT_IN_MY_STATE_ERR;
}
@@ -501,7 +495,7 @@ static enum si_sm_result kcs_event(struc
}
if (kcs->state == KCS_HOSED) {
- init_kcs_data_with_state(kcs, kcs->io, KCS_ERROR0);
+ init_kcs_data(kcs, kcs->io);
return SI_SM_HOSED;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 253/371] Revert "ipmi: fix msg stack when IPMI is disconnected" Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 18:13 ` Jiri Slaby
2025-10-17 14:53 ` [PATCH 6.17 255/371] sched/deadline: Fix race in push_dl_task() Greg Kroah-Hartman
` (129 subsequent siblings)
383 siblings, 1 reply; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Ghiti, Andrew Donnellan,
Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Ghiti <alexghiti@rivosinc.com>
commit 668208b161a0b679427e7d0f34c0a65fd7d23979 upstream.
Make sure we return the right pud value and not a value that could have
been overwritten in between by a different core.
Link: https://lkml.kernel.org/r/20250814-dev-alex-thp_pud_xchg-v1-1-b4704dfae206@rivosinc.com
Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP")
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Cc: Andrew Donnellan <ajd@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/pgtable.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -959,6 +959,17 @@ static inline pud_t pudp_huge_get_and_cl
return pud;
}
+#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR
+static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
+ unsigned long address, pud_t *pudp)
+{
+ pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0));
+
+ page_table_check_pud_clear(mm, pud);
+
+ return pud;
+}
+
static inline int pud_young(pud_t pud)
{
return pte_young(pud_pte(pud));
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 255/371] sched/deadline: Fix race in push_dl_task()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 256/371] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
` (128 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshit Agarwal,
Peter Zijlstra (Intel), Juri Lelli
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshit Agarwal <harshit@nutanix.com>
commit 8fd5485fb4f3d9da3977fd783fcb8e5452463420 upstream.
When a CPU chooses to call push_dl_task and picks a task to push to
another CPU's runqueue then it will call find_lock_later_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks aren't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqeue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.
Please go through the original rt change for more details on the issue.
To fix this, after the lock is obtained inside the find_lock_later_rq,
it ensures that the task is still at the head of pushable tasks list.
Also removed some checks that are no longer needed with the addition of
this new check.
However, the new check of pushable tasks list only applies when
find_lock_later_rq is called by push_dl_task. For the other caller i.e.
dl_task_offline_migration, existing checks are used.
Signed-off-by: Harshit Agarwal <harshit@nutanix.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Juri Lelli <juri.lelli@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250408045021.3283624-1-harshit@nutanix.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/deadline.c | 73 ++++++++++++++++++++++++++++++++----------------
1 file changed, 49 insertions(+), 24 deletions(-)
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -2551,6 +2551,25 @@ static int find_later_rq(struct task_str
return -1;
}
+static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
+{
+ struct task_struct *p;
+
+ if (!has_pushable_dl_tasks(rq))
+ return NULL;
+
+ p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
+
+ WARN_ON_ONCE(rq->cpu != task_cpu(p));
+ WARN_ON_ONCE(task_current(rq, p));
+ WARN_ON_ONCE(p->nr_cpus_allowed <= 1);
+
+ WARN_ON_ONCE(!task_on_rq_queued(p));
+ WARN_ON_ONCE(!dl_task(p));
+
+ return p;
+}
+
/* Locks the rq it finds */
static struct rq *find_lock_later_rq(struct task_struct *task, struct rq *rq)
{
@@ -2578,12 +2597,37 @@ static struct rq *find_lock_later_rq(str
/* Retry if something changed. */
if (double_lock_balance(rq, later_rq)) {
- if (unlikely(task_rq(task) != rq ||
+ /*
+ * double_lock_balance had to release rq->lock, in the
+ * meantime, task may no longer be fit to be migrated.
+ * Check the following to ensure that the task is
+ * still suitable for migration:
+ * 1. It is possible the task was scheduled,
+ * migrate_disabled was set and then got preempted,
+ * so we must check the task migration disable
+ * flag.
+ * 2. The CPU picked is in the task's affinity.
+ * 3. For throttled task (dl_task_offline_migration),
+ * check the following:
+ * - the task is not on the rq anymore (it was
+ * migrated)
+ * - the task is not on CPU anymore
+ * - the task is still a dl task
+ * - the task is not queued on the rq anymore
+ * 4. For the non-throttled task (push_dl_task), the
+ * check to ensure that this task is still at the
+ * head of the pushable tasks list is enough.
+ */
+ if (unlikely(is_migration_disabled(task) ||
!cpumask_test_cpu(later_rq->cpu, &task->cpus_mask) ||
- task_on_cpu(rq, task) ||
- !dl_task(task) ||
- is_migration_disabled(task) ||
- !task_on_rq_queued(task))) {
+ (task->dl.dl_throttled &&
+ (task_rq(task) != rq ||
+ task_on_cpu(rq, task) ||
+ !dl_task(task) ||
+ !task_on_rq_queued(task))) ||
+ (!task->dl.dl_throttled &&
+ task != pick_next_pushable_dl_task(rq)))) {
+
double_unlock_balance(rq, later_rq);
later_rq = NULL;
break;
@@ -2606,25 +2650,6 @@ static struct rq *find_lock_later_rq(str
return later_rq;
}
-static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
-{
- struct task_struct *p;
-
- if (!has_pushable_dl_tasks(rq))
- return NULL;
-
- p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
-
- WARN_ON_ONCE(rq->cpu != task_cpu(p));
- WARN_ON_ONCE(task_current(rq, p));
- WARN_ON_ONCE(p->nr_cpus_allowed <= 1);
-
- WARN_ON_ONCE(!task_on_rq_queued(p));
- WARN_ON_ONCE(!dl_task(p));
-
- return p;
-}
-
/*
* See if the non running -deadline tasks on this rq
* can be sent to some other CPU where they can preempt
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 256/371] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 255/371] sched/deadline: Fix race in push_dl_task() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 257/371] scsi: sd: Fix build warning in sd_revalidate_disk() Greg Kroah-Hartman
` (127 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Don Brace,
Martin K. Petersen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit b81296591c567b12d3873b05a37b975707959b94 upstream.
Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
memdup_user() avoids this by freeing the memory internally.
Since memdup_user() already allocates memory, use kzalloc() in the else
branch instead of manually zeroing 'buff[sg_used]' using memset(0).
Cc: stable@vger.kernel.org
Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Don Brace <don.brace@microchip.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/hpsa.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struc
while (left) {
sz = (left > ioc->malloc_size) ? ioc->malloc_size : left;
buff_size[sg_used] = sz;
- buff[sg_used] = kmalloc(sz, GFP_KERNEL);
- if (buff[sg_used] == NULL) {
- status = -ENOMEM;
- goto cleanup1;
- }
+
if (ioc->Request.Type.Direction & XFER_WRITE) {
- if (copy_from_user(buff[sg_used], data_ptr, sz)) {
- status = -EFAULT;
+ buff[sg_used] = memdup_user(data_ptr, sz);
+ if (IS_ERR(buff[sg_used])) {
+ status = PTR_ERR(buff[sg_used]);
+ goto cleanup1;
+ }
+ } else {
+ buff[sg_used] = kzalloc(sz, GFP_KERNEL);
+ if (!buff[sg_used]) {
+ status = -ENOMEM;
goto cleanup1;
}
- } else
- memset(buff[sg_used], 0, sz);
+ }
+
left -= sz;
data_ptr += sz;
sg_used++;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 257/371] scsi: sd: Fix build warning in sd_revalidate_disk()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 256/371] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 258/371] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
` (126 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Abinash Singh,
Damien Le Moal, Martin K. Petersen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abinash Singh <abinashsinghlalotra@gmail.com>
commit b5f717b31b5e478398740db8aee2ecbc4dd72bf3 upstream.
A build warning was triggered due to excessive stack usage in
sd_revalidate_disk():
drivers/scsi/sd.c: In function ‘sd_revalidate_disk.isra’:
drivers/scsi/sd.c:3824:1: warning: the frame size of 1160 bytes is larger than 1024 bytes [-Wframe-larger-than=]
This is caused by a large local struct queue_limits (~400B) allocated on
the stack. Replacing it with a heap allocation using kmalloc()
significantly reduces frame usage. Kernel stack is limited (~8 KB), and
allocating large structs on the stack is discouraged. As the function
already performs heap allocations (e.g. for buffer), this change fits
well.
Fixes: 804e498e0496 ("sd: convert to the atomic queue limits API")
Cc: stable@vger.kernel.org
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Abinash Singh <abinashsinghlalotra@gmail.com>
Link: https://lore.kernel.org/r/20250825183940.13211-2-abinashsinghlalotra@gmail.com
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 50 ++++++++++++++++++++++++++++----------------------
1 file changed, 28 insertions(+), 22 deletions(-)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3696,10 +3696,10 @@ static int sd_revalidate_disk(struct gen
struct scsi_disk *sdkp = scsi_disk(disk);
struct scsi_device *sdp = sdkp->device;
sector_t old_capacity = sdkp->capacity;
- struct queue_limits lim;
- unsigned char *buffer;
+ struct queue_limits *lim = NULL;
+ unsigned char *buffer = NULL;
unsigned int dev_max;
- int err;
+ int err = 0;
SCSI_LOG_HLQUEUE(3, sd_printk(KERN_INFO, sdkp,
"sd_revalidate_disk\n"));
@@ -3711,6 +3711,10 @@ static int sd_revalidate_disk(struct gen
if (!scsi_device_online(sdp))
goto out;
+ lim = kmalloc(sizeof(*lim), GFP_KERNEL);
+ if (!lim)
+ goto out;
+
buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL);
if (!buffer) {
sd_printk(KERN_WARNING, sdkp, "sd_revalidate_disk: Memory "
@@ -3720,14 +3724,14 @@ static int sd_revalidate_disk(struct gen
sd_spinup_disk(sdkp);
- lim = queue_limits_start_update(sdkp->disk->queue);
+ *lim = queue_limits_start_update(sdkp->disk->queue);
/*
* Without media there is no reason to ask; moreover, some devices
* react badly if we do.
*/
if (sdkp->media_present) {
- sd_read_capacity(sdkp, &lim, buffer);
+ sd_read_capacity(sdkp, lim, buffer);
/*
* Some USB/UAS devices return generic values for mode pages
* until the media has been accessed. Trigger a READ operation
@@ -3741,17 +3745,17 @@ static int sd_revalidate_disk(struct gen
* cause this to be updated correctly and any device which
* doesn't support it should be treated as rotational.
*/
- lim.features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM);
+ lim->features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM);
if (scsi_device_supports_vpd(sdp)) {
sd_read_block_provisioning(sdkp);
- sd_read_block_limits(sdkp, &lim);
+ sd_read_block_limits(sdkp, lim);
sd_read_block_limits_ext(sdkp);
- sd_read_block_characteristics(sdkp, &lim);
- sd_zbc_read_zones(sdkp, &lim, buffer);
+ sd_read_block_characteristics(sdkp, lim);
+ sd_zbc_read_zones(sdkp, lim, buffer);
}
- sd_config_discard(sdkp, &lim, sd_discard_mode(sdkp));
+ sd_config_discard(sdkp, lim, sd_discard_mode(sdkp));
sd_print_capacity(sdkp, old_capacity);
@@ -3761,47 +3765,46 @@ static int sd_revalidate_disk(struct gen
sd_read_app_tag_own(sdkp, buffer);
sd_read_write_same(sdkp, buffer);
sd_read_security(sdkp, buffer);
- sd_config_protection(sdkp, &lim);
+ sd_config_protection(sdkp, lim);
}
/*
* We now have all cache related info, determine how we deal
* with flush requests.
*/
- sd_set_flush_flag(sdkp, &lim);
+ sd_set_flush_flag(sdkp, lim);
/* Initial block count limit based on CDB TRANSFER LENGTH field size. */
dev_max = sdp->use_16_for_rw ? SD_MAX_XFER_BLOCKS : SD_DEF_XFER_BLOCKS;
/* Some devices report a maximum block count for READ/WRITE requests. */
dev_max = min_not_zero(dev_max, sdkp->max_xfer_blocks);
- lim.max_dev_sectors = logical_to_sectors(sdp, dev_max);
+ lim->max_dev_sectors = logical_to_sectors(sdp, dev_max);
if (sd_validate_min_xfer_size(sdkp))
- lim.io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks);
+ lim->io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks);
else
- lim.io_min = 0;
+ lim->io_min = 0;
/*
* Limit default to SCSI host optimal sector limit if set. There may be
* an impact on performance for when the size of a request exceeds this
* host limit.
*/
- lim.io_opt = sdp->host->opt_sectors << SECTOR_SHIFT;
+ lim->io_opt = sdp->host->opt_sectors << SECTOR_SHIFT;
if (sd_validate_opt_xfer_size(sdkp, dev_max)) {
- lim.io_opt = min_not_zero(lim.io_opt,
+ lim->io_opt = min_not_zero(lim->io_opt,
logical_to_bytes(sdp, sdkp->opt_xfer_blocks));
}
sdkp->first_scan = 0;
set_capacity_and_notify(disk, logical_to_sectors(sdp, sdkp->capacity));
- sd_config_write_same(sdkp, &lim);
- kfree(buffer);
+ sd_config_write_same(sdkp, lim);
- err = queue_limits_commit_update_frozen(sdkp->disk->queue, &lim);
+ err = queue_limits_commit_update_frozen(sdkp->disk->queue, lim);
if (err)
- return err;
+ goto out;
/*
* Query concurrent positioning ranges after
@@ -3820,7 +3823,10 @@ static int sd_revalidate_disk(struct gen
set_capacity_and_notify(disk, 0);
out:
- return 0;
+ kfree(buffer);
+ kfree(lim);
+
+ return err;
}
/**
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 258/371] sctp: Fix MAC comparison to be constant-time
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 257/371] scsi: sd: Fix build warning in sd_revalidate_disk() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 259/371] smb client: fix bug with newly created file in cached dir Greg Kroah-Hartman
` (125 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit dd91c79e4f58fbe2898dac84858033700e0e99fb upstream.
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20250818205426.30222-3-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/sm_make_chunk.c | 3 ++-
net/sctp/sm_statefuns.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -31,6 +31,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <crypto/hash.h>
+#include <crypto/utils.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/ip.h>
@@ -1788,7 +1789,7 @@ struct sctp_association *sctp_unpack_coo
}
}
- if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
+ if (crypto_memneq(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
*error = -SCTP_IERROR_BAD_SIG;
goto fail;
}
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -30,6 +30,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <crypto/utils.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/ip.h>
@@ -4417,7 +4418,7 @@ static enum sctp_ierror sctp_sf_authenti
sh_key, GFP_ATOMIC);
/* Discard the packet if the digests do not match */
- if (memcmp(save_digest, digest, sig_len)) {
+ if (crypto_memneq(save_digest, digest, sig_len)) {
kfree(save_digest);
return SCTP_IERROR_BAD_SIG;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 259/371] smb client: fix bug with newly created file in cached dir
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 258/371] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 260/371] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
` (124 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bharath SM, Steve French
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharath SM <bharathsm@microsoft.com>
commit aa12118dbcfe659697567c9daa0eac2c71e3fd37 upstream.
Test generic/637 spotted a problem with create of a new file in a
cached directory (by the same client) could cause cases where the
new file does not show up properly in ls on that client until the
lease times out.
Fixes: 037e1bae588e ("smb: client: use ParentLeaseKey in cifs_do_create")
Cc: stable@vger.kernel.org
Signed-off-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/dir.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/smb/client/dir.c b/fs/smb/client/dir.c
index bc145436eba4..a233a5fe377b 100644
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -329,6 +329,7 @@ static int cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned
parent_cfid->fid.lease_key,
SMB2_LEASE_KEY_SIZE);
parent_cfid->dirents.is_valid = false;
+ parent_cfid->dirents.is_failed = true;
}
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 260/371] sparc64: fix hugetlb for sun4u
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 259/371] smb client: fix bug with newly created file in cached dir Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 261/371] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
` (123 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthony Yznaga,
John Paul Adrian Glaubitz, Andreas Larsson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Yznaga <anthony.yznaga@oracle.com>
commit 6fd44a481b3c6111e4801cec964627791d0f3ec5 upstream.
An attempt to exercise sparc hugetlb code in a sun4u-based guest
running under qemu results in the guest hanging due to being stuck
in a trap loop. This is due to invalid hugetlb TTEs being installed
that do not have the expected _PAGE_PMD_HUGE and page size bits set.
Although the breakage has gone apparently unnoticed for several years,
fix it now so there is the option to exercise sparc hugetlb code under
qemu. This can be useful because sun4v support in qemu does not support
linux guests currently and sun4v-based hardware resources may not be
readily available.
Fix tested with a 6.15.2 and 6.16-rc6 kernels by running libhugetlbfs
tests on a qemu guest running Debian 13.
Fixes: c7d9f77d33a7 ("sparc64: Multi-page size support")
Cc: stable@vger.kernel.org
Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250716012446.10357-1-anthony.yznaga@oracle.com
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sparc/mm/hugetlbpage.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- a/arch/sparc/mm/hugetlbpage.c
+++ b/arch/sparc/mm/hugetlbpage.c
@@ -22,6 +22,26 @@
static pte_t sun4u_hugepage_shift_to_tte(pte_t entry, unsigned int shift)
{
+ unsigned long hugepage_size = _PAGE_SZ4MB_4U;
+
+ pte_val(entry) = pte_val(entry) & ~_PAGE_SZALL_4U;
+
+ switch (shift) {
+ case HPAGE_256MB_SHIFT:
+ hugepage_size = _PAGE_SZ256MB_4U;
+ pte_val(entry) |= _PAGE_PMD_HUGE;
+ break;
+ case HPAGE_SHIFT:
+ pte_val(entry) |= _PAGE_PMD_HUGE;
+ break;
+ case HPAGE_64K_SHIFT:
+ hugepage_size = _PAGE_SZ64K_4U;
+ break;
+ default:
+ WARN_ONCE(1, "unsupported hugepage shift=%u\n", shift);
+ }
+
+ pte_val(entry) = pte_val(entry) | hugepage_size;
return entry;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 261/371] sparc: fix error handling in scan_one_device()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 260/371] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 262/371] xtensa: simdisk: add input size check in proc_write_simdisk Greg Kroah-Hartman
` (122 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Andreas Larsson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 302c04110f0ce70d25add2496b521132548cd408 upstream.
Once of_device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
So fix this by calling put_device(), then the name can be freed in
kobject_cleanup().
Calling path: of_device_register() -> of_device_add() -> device_add().
As comment of device_add() says, 'if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sparc/kernel/of_device_32.c | 1 +
arch/sparc/kernel/of_device_64.c | 1 +
2 files changed, 2 insertions(+)
--- a/arch/sparc/kernel/of_device_32.c
+++ b/arch/sparc/kernel/of_device_32.c
@@ -387,6 +387,7 @@ static struct platform_device * __init s
if (of_device_register(op)) {
printk("%pOF: Could not register of device.\n", dp);
+ put_device(&op->dev);
kfree(op);
op = NULL;
}
--- a/arch/sparc/kernel/of_device_64.c
+++ b/arch/sparc/kernel/of_device_64.c
@@ -677,6 +677,7 @@ static struct platform_device * __init s
if (of_device_register(op)) {
printk("%pOF: Could not register of device.\n", dp);
+ put_device(&op->dev);
kfree(op);
op = NULL;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 262/371] xtensa: simdisk: add input size check in proc_write_simdisk
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 261/371] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 263/371] xsk: Harden userspace-supplied xdp_desc validation Greg Kroah-Hartman
` (121 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Max Filippov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 5d5f08fd0cd970184376bee07d59f635c8403f63 upstream.
A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Message-Id: <20250829083015.1992751-1-linmq006@gmail.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/xtensa/platforms/iss/simdisk.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -231,10 +231,14 @@ static ssize_t proc_read_simdisk(struct
static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- char *tmp = memdup_user_nul(buf, count);
+ char *tmp;
struct simdisk *dev = pde_data(file_inode(file));
int err;
+ if (count == 0 || count > PAGE_SIZE)
+ return -EINVAL;
+
+ tmp = memdup_user_nul(buf, count);
if (IS_ERR(tmp))
return PTR_ERR(tmp);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 263/371] xsk: Harden userspace-supplied xdp_desc validation
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 262/371] xtensa: simdisk: add input size check in proc_write_simdisk Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 264/371] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
` (120 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Lobakin, Jason Xing,
Maciej Fijalkowski, Alexei Starovoitov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Lobakin <aleksander.lobakin@intel.com>
commit 07ca98f906a403637fc5e513a872a50ef1247f3b upstream.
Turned out certain clearly invalid values passed in xdp_desc from
userspace can pass xp_{,un}aligned_validate_desc() and then lead
to UBs or just invalid frames to be queued for xmit.
desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len
can cause positive integer overflow and wraparound, the same way low
enough desc->addr with a non-zero pool->tx_metadata_len can cause
negative integer overflow. Both scenarios can then pass the
validation successfully.
This doesn't happen with valid XSk applications, but can be used
to perform attacks.
Always promote desc->len to ``u64`` first to exclude positive
overflows of it. Use explicit check_{add,sub}_overflow() when
validating desc->addr (which is ``u64`` already).
bloat-o-meter reports a little growth of the code size:
add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
Function old new delta
xskq_cons_peek_desc 299 330 +31
xsk_tx_peek_release_desc_batch 973 1002 +29
xsk_generic_xmit 3148 3132 -16
but hopefully this doesn't hurt the performance much.
Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len")
Cc: stable@vger.kernel.org # 6.8+
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/r/20251008165659.4141318-1-aleksander.lobakin@intel.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xdp/xsk_queue.h | 45 +++++++++++++++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 10 deletions(-)
--- a/net/xdp/xsk_queue.h
+++ b/net/xdp/xsk_queue.h
@@ -143,14 +143,24 @@ static inline bool xp_unused_options_set
static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool,
struct xdp_desc *desc)
{
- u64 addr = desc->addr - pool->tx_metadata_len;
- u64 len = desc->len + pool->tx_metadata_len;
- u64 offset = addr & (pool->chunk_size - 1);
+ u64 len = desc->len;
+ u64 addr, offset;
- if (!desc->len)
+ if (!len)
return false;
- if (offset + len > pool->chunk_size)
+ /* Can overflow if desc->addr < pool->tx_metadata_len */
+ if (check_sub_overflow(desc->addr, pool->tx_metadata_len, &addr))
+ return false;
+
+ offset = addr & (pool->chunk_size - 1);
+
+ /*
+ * Can't overflow: @offset is guaranteed to be < ``U32_MAX``
+ * (pool->chunk_size is ``u32``), @len is guaranteed
+ * to be <= ``U32_MAX``.
+ */
+ if (offset + len + pool->tx_metadata_len > pool->chunk_size)
return false;
if (addr >= pool->addrs_cnt)
@@ -158,27 +168,42 @@ static inline bool xp_aligned_validate_d
if (xp_unused_options_set(desc->options))
return false;
+
return true;
}
static inline bool xp_unaligned_validate_desc(struct xsk_buff_pool *pool,
struct xdp_desc *desc)
{
- u64 addr = xp_unaligned_add_offset_to_addr(desc->addr) - pool->tx_metadata_len;
- u64 len = desc->len + pool->tx_metadata_len;
+ u64 len = desc->len;
+ u64 addr, end;
- if (!desc->len)
+ if (!len)
return false;
+ /* Can't overflow: @len is guaranteed to be <= ``U32_MAX`` */
+ len += pool->tx_metadata_len;
if (len > pool->chunk_size)
return false;
- if (addr >= pool->addrs_cnt || addr + len > pool->addrs_cnt ||
- xp_desc_crosses_non_contig_pg(pool, addr, len))
+ /* Can overflow if desc->addr is close to 0 */
+ if (check_sub_overflow(xp_unaligned_add_offset_to_addr(desc->addr),
+ pool->tx_metadata_len, &addr))
+ return false;
+
+ if (addr >= pool->addrs_cnt)
+ return false;
+
+ /* Can overflow if pool->addrs_cnt is high enough */
+ if (check_add_overflow(addr, len, &end) || end > pool->addrs_cnt)
+ return false;
+
+ if (xp_desc_crosses_non_contig_pg(pool, addr, len))
return false;
if (xp_unused_options_set(desc->options))
return false;
+
return true;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 264/371] mtd: rawnand: fsmc: Default to autodetect buswidth
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 263/371] xsk: Harden userspace-supplied xdp_desc validation Greg Kroah-Hartman
@ 2025-10-17 14:53 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 265/371] mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N Greg Kroah-Hartman
` (119 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Miquel Raynal
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit b8df622cf7f6808c85764e681847150ed6d85f3d upstream.
If you don't specify buswidth 2 (16 bits) in the device
tree, FSMC doesn't even probe anymore:
fsmc-nand 10100000.flash: FSMC device partno 090,
manufacturer 80, revision 00, config 00
nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
nand: ST Micro 10100000.flash
nand: bus width 8 instead of 16 bits
nand: No NAND device found
fsmc-nand 10100000.flash: probe with driver fsmc-nand failed
with error -22
With this patch to use autodetection unless buswidth is
specified, the device is properly detected again:
fsmc-nand 10100000.flash: FSMC device partno 090,
manufacturer 80, revision 00, config 00
nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
nand: ST Micro NAND 128MiB 1,8V 16-bit
nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
fsmc-nand 10100000.flash: Using 1-bit HW ECC scheme
Scanning device for bad blocks
I don't know where or how this happened, I think some change
in the nand core.
Cc: stable@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/fsmc_nand.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/fsmc_nand.c
+++ b/drivers/mtd/nand/raw/fsmc_nand.c
@@ -876,10 +876,14 @@ static int fsmc_nand_probe_config_dt(str
if (!of_property_read_u32(np, "bank-width", &val)) {
if (val == 2) {
nand->options |= NAND_BUSWIDTH_16;
- } else if (val != 1) {
+ } else if (val == 1) {
+ nand->options |= NAND_BUSWIDTH_AUTO;
+ } else {
dev_err(&pdev->dev, "invalid bank-width %u\n", val);
return -EINVAL;
}
+ } else {
+ nand->options |= NAND_BUSWIDTH_AUTO;
}
if (of_property_read_bool(np, "nand-skip-bbtscan"))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 265/371] mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-10-17 14:53 ` [PATCH 6.17 264/371] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 266/371] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
` (118 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maarten Zanders, Miquel Raynal
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Zanders <maarten@zanders.be>
commit 1001cc1171248ebb21d371fbe086b5d3f11b410b upstream.
Commit f04ced6d545e ("mtd: nand: raw: gpmi: improve power management
handling") moved all clock handling into PM callbacks. With CONFIG_PM
disabled, those callbacks are missing, leaving the driver unusable.
Add clock init/teardown for !CONFIG_PM builds to restore basic operation.
Keeping the driver working without requiring CONFIG_PM is preferred over
adding a Kconfig dependency.
Fixes: f04ced6d545e ("mtd: nand: raw: gpmi: improve power management handling")
Signed-off-by: Maarten Zanders <maarten@zanders.be>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
@@ -145,6 +145,9 @@ err_clk:
return ret;
}
+#define gpmi_enable_clk(x) __gpmi_enable_clk(x, true)
+#define gpmi_disable_clk(x) __gpmi_enable_clk(x, false)
+
static int gpmi_init(struct gpmi_nand_data *this)
{
struct resources *r = &this->resources;
@@ -2765,6 +2768,11 @@ static int gpmi_nand_probe(struct platfo
pm_runtime_enable(&pdev->dev);
pm_runtime_set_autosuspend_delay(&pdev->dev, 500);
pm_runtime_use_autosuspend(&pdev->dev);
+#ifndef CONFIG_PM
+ ret = gpmi_enable_clk(this);
+ if (ret)
+ goto exit_acquire_resources;
+#endif
ret = gpmi_init(this);
if (ret)
@@ -2800,6 +2808,9 @@ static void gpmi_nand_remove(struct plat
release_resources(this);
pm_runtime_dont_use_autosuspend(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+#ifndef CONFIG_PM
+ gpmi_disable_clk(this);
+#endif
}
static int gpmi_pm_suspend(struct device *dev)
@@ -2846,9 +2857,6 @@ static int gpmi_pm_resume(struct device
return 0;
}
-#define gpmi_enable_clk(x) __gpmi_enable_clk(x, true)
-#define gpmi_disable_clk(x) __gpmi_enable_clk(x, false)
-
static int gpmi_runtime_suspend(struct device *dev)
{
struct gpmi_nand_data *this = dev_get_drvdata(dev);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 266/371] mmc: core: SPI mode remove cmd7
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 265/371] mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 267/371] mmc: mmc_spi: multiple block read remove read crc ack Greg Kroah-Hartman
` (117 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rex Chen, Ulf Hansson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rex Chen <rex.chen_1@nxp.com>
commit fec40f44afdabcbc4a7748e4278f30737b54bb1a upstream.
SPI mode doesn't support cmd7, so remove it in mmc_sdio_alive() and
confirm if sdio is active by checking CCCR register value is available
or not.
Signed-off-by: Rex Chen <rex.chen_1@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250728082230.1037917-2-rex.chen_1@nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/sdio.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -945,7 +945,11 @@ static void mmc_sdio_remove(struct mmc_h
*/
static int mmc_sdio_alive(struct mmc_host *host)
{
- return mmc_select_card(host->card);
+ if (!mmc_host_is_spi(host))
+ return mmc_select_card(host->card);
+ else
+ return mmc_io_rw_direct(host->card, 0, 0, SDIO_CCCR_CCCR, 0,
+ NULL);
}
/*
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 267/371] mmc: mmc_spi: multiple block read remove read crc ack
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 266/371] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 268/371] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
` (116 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rex Chen, Ulf Hansson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rex Chen <rex.chen_1@nxp.com>
commit fef12d9f5bcf7e2b19a7cf1295c6abd5642dd241 upstream.
For multiple block read, the current implementation, transfer packet
includes cmd53 + cmd53 response + block nums*(1byte token +
block length bytes payload + 2bytes CRC + 1byte transfer), the last
1byte transfer of every block is not needed, so remove it.
Why doesn't multiple block read need CRC ack?
For read operation, host side get the payload and CRC value, then
will only check the CRC value to confirm if the data is correct or
not, but not send CRC ack to card. If the data is correct, save it,
or discard it and retransmit if data is error, so the last 1byte
transfer of every block make no sense.
What's the side effect of this 1byte transfer?
As the SPI is full duplex, if add this redundant 1byte transfer, SDIO
card side take it as the token of next block, then all the next sub
blocks sequence distort.
Signed-off-by: Rex Chen <rex.chen_1@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250728082230.1037917-3-rex.chen_1@nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mmc_spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -563,7 +563,7 @@ mmc_spi_setup_data_message(struct mmc_sp
* the next token (next data block, or STOP_TRAN). We can try to
* minimize I/O ops by using a single read to collect end-of-busy.
*/
- if (multiple || write) {
+ if (write) {
t = &host->early_status;
memset(t, 0, sizeof(*t));
t->len = write ? sizeof(scratch->status) : 1;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 268/371] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 267/371] mmc: mmc_spi: multiple block read remove read crc ack Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 269/371] memory: stm32_omm: Fix req2ack update test Greg Kroah-Hartman
` (115 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Ni, Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen Ni <zhen.ni@easystack.cn>
commit 6744085079e785dae5f7a2239456135407c58b25 upstream.
The of_platform_populate() call at the end of the function has a
possible failure path, causing a resource leak.
Replace of_iomap() with devm_platform_ioremap_resource() to ensure
automatic cleanup of srom->reg_base.
This issue was detected by smatch static analysis:
drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn:
'srom->reg_base' from of_iomap() not released on lines: 155.
Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memory/samsung/exynos-srom.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/memory/samsung/exynos-srom.c
+++ b/drivers/memory/samsung/exynos-srom.c
@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat
return -ENOMEM;
srom->dev = dev;
- srom->reg_base = of_iomap(np, 0);
- if (!srom->reg_base) {
+ srom->reg_base = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(srom->reg_base)) {
dev_err(&pdev->dev, "iomap of exynos srom controller failed\n");
- return -ENOMEM;
+ return PTR_ERR(srom->reg_base);
}
platform_set_drvdata(pdev, srom);
srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
ARRAY_SIZE(exynos_srom_offsets));
- if (!srom->reg_offset) {
- iounmap(srom->reg_base);
+ if (!srom->reg_offset)
return -ENOMEM;
- }
for_each_child_of_node(np, child) {
if (exynos_srom_configure_bank(srom, child)) {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 269/371] memory: stm32_omm: Fix req2ack update test
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 268/371] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 270/371] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
` (114 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Patrice Chotard, Krzysztof Kozlowski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrice Chotard <patrice.chotard@foss.st.com>
commit d140f3ba76ac98faad7f9b37ef5a3dcbd57f59e2 upstream.
If "st,omm-req2ack-ns" property is found and its value is not 0,
the current test doesn't allow to compute and set req2ack value,
Fix this test.
Fixes: 8181d061dcff ("memory: Add STM32 Octo Memory Manager driver")
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Link: https://lore.kernel.org/r/20250807-upstream_omm_fix_req2ack_test_condition-v2-1-d7df4af2b48b@foss.st.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memory/stm32_omm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/memory/stm32_omm.c b/drivers/memory/stm32_omm.c
index bee2ecc8c2b9..5d06623f3f68 100644
--- a/drivers/memory/stm32_omm.c
+++ b/drivers/memory/stm32_omm.c
@@ -238,7 +238,7 @@ static int stm32_omm_configure(struct device *dev)
if (mux & CR_MUXEN) {
ret = of_property_read_u32(dev->of_node, "st,omm-req2ack-ns",
&req2ack);
- if (!ret && !req2ack) {
+ if (!ret && req2ack) {
req2ack = DIV_ROUND_UP(req2ack, NSEC_PER_SEC / clk_rate_max) - 1;
if (req2ack > 256)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 270/371] rtc: interface: Ensure alarm irq is enabled when UIE is enabled
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 269/371] memory: stm32_omm: Fix req2ack update test Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 271/371] rtc: interface: Fix long-standing race when setting alarm Greg Kroah-Hartman
` (113 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Esben Haabendal, Alexandre Belloni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Esben Haabendal <esben@geanix.com>
commit 9db26d5855d0374d4652487bfb5aacf40821c469 upstream.
When setting a normal alarm, user-space is responsible for using
RTC_AIE_ON/RTC_AIE_OFF to control if alarm irq should be enabled.
But when RTC_UIE_ON is used, interrupts must be enabled so that the
requested irq events are generated.
When RTC_UIE_OFF is used, alarm irq is disabled if there are no other
alarms queued, so this commit brings symmetry to that.
Signed-off-by: Esben Haabendal <esben@geanix.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-5-3de8e530a39e@geanix.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/interface.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -594,6 +594,10 @@ int rtc_update_irq_enable(struct rtc_dev
rtc->uie_rtctimer.node.expires = ktime_add(now, onesec);
rtc->uie_rtctimer.period = ktime_set(1, 0);
err = rtc_timer_enqueue(rtc, &rtc->uie_rtctimer);
+ if (!err && rtc->ops && rtc->ops->alarm_irq_enable)
+ err = rtc->ops->alarm_irq_enable(rtc->dev.parent, 1);
+ if (err)
+ goto out;
} else {
rtc_timer_remove(rtc, &rtc->uie_rtctimer);
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 271/371] rtc: interface: Fix long-standing race when setting alarm
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 270/371] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 272/371] rseq/selftests: Use weak symbol reference, not definition, to link with glibc Greg Kroah-Hartman
` (112 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Esben Haabendal, Alexandre Belloni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Esben Haabendal <esben@geanix.com>
commit 795cda8338eab036013314dbc0b04aae728880ab upstream.
As described in the old comment dating back to
commit 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events")
from 2010, we have been living with a race window when setting alarm
with an expiry in the near future (i.e. next second).
With 1 second resolution, it can happen that the second ticks after the
check for the timer having expired, but before the alarm is actually set.
When this happen, no alarm IRQ is generated, at least not with some RTC
chips (isl12022 is an example of this).
With UIE RTC timer being implemented on top of alarm irq, being re-armed
every second, UIE will occasionally fail to work, as an alarm irq lost
due to this race will stop the re-arming loop.
For now, I have limited the additional expiry check to only be done for
alarms set to next seconds. I expect it should be good enough, although I
don't know if we can now for sure that systems with loads could end up
causing the same problems for alarms set 2 seconds or even longer in the
future.
I haven't been able to reproduce the problem with this check in place.
Cc: stable@vger.kernel.org
Signed-off-by: Esben Haabendal <esben@geanix.com>
Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-1-3de8e530a39e@geanix.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/interface.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -443,6 +443,29 @@ static int __rtc_set_alarm(struct rtc_de
else
err = rtc->ops->set_alarm(rtc->dev.parent, alarm);
+ /*
+ * Check for potential race described above. If the waiting for next
+ * second, and the second just ticked since the check above, either
+ *
+ * 1) It ticked after the alarm was set, and an alarm irq should be
+ * generated.
+ *
+ * 2) It ticked before the alarm was set, and alarm irq most likely will
+ * not be generated.
+ *
+ * While we cannot easily check for which of these two scenarios we
+ * are in, we can return -ETIME to signal that the timer has already
+ * expired, which is true in both cases.
+ */
+ if ((scheduled - now) <= 1) {
+ err = __rtc_read_time(rtc, &tm);
+ if (err)
+ return err;
+ now = rtc_tm_to_time64(&tm);
+ if (scheduled <= now)
+ return -ETIME;
+ }
+
trace_rtc_set_alarm(rtc_tm_to_time64(&alarm->time), err);
return err;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 272/371] rseq/selftests: Use weak symbol reference, not definition, to link with glibc
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 271/371] rtc: interface: Fix long-standing race when setting alarm Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 273/371] PCI: xilinx-nwl: Fix ECAM programming Greg Kroah-Hartman
` (111 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Florian Weimer,
Sean Christopherson, Mathieu Desnoyers
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit a001cd248ab244633c5fabe4f7c707e13fc1d1cc upstream.
Add "extern" to the glibc-defined weak rseq symbols to convert the rseq
selftest's usage from weak symbol definitions to weak symbol _references_.
Effectively re-defining the glibc symbols wreaks havoc when building with
-fno-common, e.g. generates segfaults when running multi-threaded programs,
as dynamically linked applications end up with multiple versions of the
symbols.
Building with -fcommon, which until recently has the been the default for
GCC and clang, papers over the bug by allowing the linker to resolve the
weak/tentative definition to glibc's "real" definition.
Note, the symbol itself (or rather its address), not the value of the
symbol, is set to 0/NULL for unresolved weak symbol references, as the
symbol doesn't exist and thus can't have a value. Check for a NULL rseq
size pointer to handle the scenario where the test is statically linked
against a libc that doesn't support rseq in any capacity.
Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+")
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Suggested-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/87frdoybk4.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/rseq/rseq.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/tools/testing/selftests/rseq/rseq.c
+++ b/tools/testing/selftests/rseq/rseq.c
@@ -40,9 +40,9 @@
* Define weak versions to play nice with binaries that are statically linked
* against a libc that doesn't support registering its own rseq.
*/
-__weak ptrdiff_t __rseq_offset;
-__weak unsigned int __rseq_size;
-__weak unsigned int __rseq_flags;
+extern __weak ptrdiff_t __rseq_offset;
+extern __weak unsigned int __rseq_size;
+extern __weak unsigned int __rseq_flags;
static const ptrdiff_t *libc_rseq_offset_p = &__rseq_offset;
static const unsigned int *libc_rseq_size_p = &__rseq_size;
@@ -209,7 +209,7 @@ void rseq_init(void)
* libc not having registered a restartable sequence. Try to find the
* symbols if that's the case.
*/
- if (!*libc_rseq_size_p) {
+ if (!libc_rseq_size_p || !*libc_rseq_size_p) {
libc_rseq_offset_p = dlsym(RTLD_NEXT, "__rseq_offset");
libc_rseq_size_p = dlsym(RTLD_NEXT, "__rseq_size");
libc_rseq_flags_p = dlsym(RTLD_NEXT, "__rseq_flags");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 273/371] PCI: xilinx-nwl: Fix ECAM programming
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 272/371] rseq/selftests: Use weak symbol reference, not definition, to link with glibc Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 274/371] PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock Greg Kroah-Hartman
` (110 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jani Nurminen, Manivannan Sadhasivam,
Bjorn Helgaas
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nurminen <jani.nurminen@windriver.com>
commit 98a4f5b7359205ced1b6a626df3963bf7c5e5052 upstream.
When PCIe has been set up by the bootloader, the ecam_size field in the
E_ECAM_CONTROL register already contains a value.
The driver previously programmed it to 0xc (for 16 busses; 16 MB), but
bumped to 0x10 (for 256 busses; 256 MB) by the commit 2fccd11518f1 ("PCI:
xilinx-nwl: Modify ECAM size to enable support for 256 buses").
Regardless of what the bootloader has programmed, the driver ORs in a
new maximal value without doing a proper RMW sequence. This can lead to
problems.
For example, if the bootloader programs in 0xc and the driver uses 0x10,
the ORed result is 0x1c, which is beyond the ecam_max_size limit of 0x10
(from E_ECAM_CAPABILITIES).
Avoid the problems by doing a proper RMW.
Fixes: 2fccd11518f1 ("PCI: xilinx-nwl: Modify ECAM size to enable support for 256 buses")
Signed-off-by: Jani Nurminen <jani.nurminen@windriver.com>
[mani: added stable tag]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/e83a2af2-af0b-4670-bcf5-ad408571c2b0@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-xilinx-nwl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/pci/controller/pcie-xilinx-nwl.c
+++ b/drivers/pci/controller/pcie-xilinx-nwl.c
@@ -718,9 +718,10 @@ static int nwl_pcie_bridge_init(struct n
nwl_bridge_writel(pcie, nwl_bridge_readl(pcie, E_ECAM_CONTROL) |
E_ECAM_CR_ENABLE, E_ECAM_CONTROL);
- nwl_bridge_writel(pcie, nwl_bridge_readl(pcie, E_ECAM_CONTROL) |
- (NWL_ECAM_MAX_SIZE << E_ECAM_SIZE_SHIFT),
- E_ECAM_CONTROL);
+ ecam_val = nwl_bridge_readl(pcie, E_ECAM_CONTROL);
+ ecam_val &= ~E_ECAM_SIZE_LOC;
+ ecam_val |= NWL_ECAM_MAX_SIZE << E_ECAM_SIZE_SHIFT;
+ nwl_bridge_writel(pcie, ecam_val, E_ECAM_CONTROL);
nwl_bridge_writel(pcie, lower_32_bits(pcie->phys_ecam_base),
E_ECAM_BASE_LO);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 274/371] PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 273/371] PCI: xilinx-nwl: Fix ECAM programming Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 275/371] PCI/sysfs: Ensure devices are powered for config reads Greg Kroah-Hartman
` (109 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Marek Vasut,
Manivannan Sadhasivam, Bjorn Helgaas
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee upstream.
The tegra_msi_irq_unmask() function may be called from a PCI driver
request_threaded_irq() function. This triggers kernel/irq/manage.c
__setup_irq() which locks raw spinlock &desc->lock descriptor lock
and with that descriptor lock held, calls tegra_msi_irq_unmask().
Since the &desc->lock descriptor lock is a raw spinlock, and the tegra_msi
.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait
context' with CONFIG_PROVE_RAW_LOCK_NESTING=y.
Use scoped_guard() to simplify the locking.
Fixes: 2c99e55f7955 ("PCI: tegra: Convert to MSI domains")
Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Closes: https://patchwork.kernel.org/project/linux-pci/patch/20250909162707.13927-2-marek.vasut+renesas@mailbox.org/#26574451
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250922150811.88450-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-tegra.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/pci/controller/pci-tegra.c
+++ b/drivers/pci/controller/pci-tegra.c
@@ -14,6 +14,7 @@
*/
#include <linux/clk.h>
+#include <linux/cleanup.h>
#include <linux/debugfs.h>
#include <linux/delay.h>
#include <linux/export.h>
@@ -270,7 +271,7 @@ struct tegra_msi {
DECLARE_BITMAP(used, INT_PCI_MSI_NR);
struct irq_domain *domain;
struct mutex map_lock;
- spinlock_t mask_lock;
+ raw_spinlock_t mask_lock;
void *virt;
dma_addr_t phys;
int irq;
@@ -1581,14 +1582,13 @@ static void tegra_msi_irq_mask(struct ir
struct tegra_msi *msi = irq_data_get_irq_chip_data(d);
struct tegra_pcie *pcie = msi_to_pcie(msi);
unsigned int index = d->hwirq / 32;
- unsigned long flags;
u32 value;
- spin_lock_irqsave(&msi->mask_lock, flags);
- value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
- value &= ~BIT(d->hwirq % 32);
- afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
- spin_unlock_irqrestore(&msi->mask_lock, flags);
+ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
+ value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
+ value &= ~BIT(d->hwirq % 32);
+ afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
+ }
}
static void tegra_msi_irq_unmask(struct irq_data *d)
@@ -1596,14 +1596,13 @@ static void tegra_msi_irq_unmask(struct
struct tegra_msi *msi = irq_data_get_irq_chip_data(d);
struct tegra_pcie *pcie = msi_to_pcie(msi);
unsigned int index = d->hwirq / 32;
- unsigned long flags;
u32 value;
- spin_lock_irqsave(&msi->mask_lock, flags);
- value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
- value |= BIT(d->hwirq % 32);
- afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
- spin_unlock_irqrestore(&msi->mask_lock, flags);
+ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
+ value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
+ value |= BIT(d->hwirq % 32);
+ afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
+ }
}
static void tegra_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
@@ -1711,7 +1710,7 @@ static int tegra_pcie_msi_setup(struct t
int err;
mutex_init(&msi->map_lock);
- spin_lock_init(&msi->mask_lock);
+ raw_spin_lock_init(&msi->mask_lock);
if (IS_ENABLED(CONFIG_PCI_MSI)) {
err = tegra_allocate_domains(msi);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 275/371] PCI/sysfs: Ensure devices are powered for config reads
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 274/371] PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 276/371] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Greg Kroah-Hartman
` (108 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Norris, Brian Norris,
Bjorn Helgaas
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Norris <briannorris@google.com>
commit 48991e4935078b05f80616c75d1ee2ea3ae18e58 upstream.
The "max_link_width", "current_link_speed", "current_link_width",
"secondary_bus_number", and "subordinate_bus_number" sysfs files all access
config registers, but they don't check the runtime PM state. If the device
is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus
values, or worse, depending on implementation details.
Wrap these access in pci_config_pm_runtime_{get,put}() like most of the
rest of the similar sysfs attributes.
Notably, "max_link_speed" does not access config registers; it returns a
cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link
Speeds").
Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc")
Signed-off-by: Brian Norris <briannorris@google.com>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a44f2684c668@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -201,8 +201,14 @@ static ssize_t max_link_width_show(struc
struct device_attribute *attr, char *buf)
{
struct pci_dev *pdev = to_pci_dev(dev);
+ ssize_t ret;
- return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev));
+ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */
+ pci_config_pm_runtime_get(pdev);
+ ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev));
+ pci_config_pm_runtime_put(pdev);
+
+ return ret;
}
static DEVICE_ATTR_RO(max_link_width);
@@ -214,7 +220,10 @@ static ssize_t current_link_speed_show(s
int err;
enum pci_bus_speed speed;
+ pci_config_pm_runtime_get(pci_dev);
err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat);
+ pci_config_pm_runtime_put(pci_dev);
+
if (err)
return -EINVAL;
@@ -231,7 +240,10 @@ static ssize_t current_link_width_show(s
u16 linkstat;
int err;
+ pci_config_pm_runtime_get(pci_dev);
err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat);
+ pci_config_pm_runtime_put(pci_dev);
+
if (err)
return -EINVAL;
@@ -247,7 +259,10 @@ static ssize_t secondary_bus_number_show
u8 sec_bus;
int err;
+ pci_config_pm_runtime_get(pci_dev);
err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus);
+ pci_config_pm_runtime_put(pci_dev);
+
if (err)
return -EINVAL;
@@ -263,7 +278,10 @@ static ssize_t subordinate_bus_number_sh
u8 sub_bus;
int err;
+ pci_config_pm_runtime_get(pci_dev);
err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus);
+ pci_config_pm_runtime_put(pci_dev);
+
if (err)
return -EINVAL;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 276/371] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 275/371] PCI/sysfs: Ensure devices are powered for config reads Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 277/371] PCI/ERR: Fix uevent on failure to recover Greg Kroah-Hartman
` (107 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Bjorn Helgaas,
Benjamin Block, Farhan Ali, Julian Ruess
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Schnelle <schnelle@linux.ibm.com>
commit 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 upstream.
Before disabling SR-IOV via config space accesses to the parent PF,
sriov_disable() first removes the PCI devices representing the VFs.
Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()")
such removal operations are serialized against concurrent remove and
rescan using the pci_rescan_remove_lock. No such locking was ever added
in sriov_disable() however. In particular when commit 18f9e9d150fc
("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device
removal into sriov_del_vfs() there was still no locking around the
pci_iov_remove_virtfn() calls.
On s390 the lack of serialization in sriov_disable() may cause double
remove and list corruption with the below (amended) trace being observed:
PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)
GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001
00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480
0000000000000001 0000000000000000 0000000000000000 0000000180692828
00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8
#0 [3800313fb20] device_del at c9158ad5c
#1 [3800313fb88] pci_remove_bus_device at c915105ba
#2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198
#3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0
#4 [3800313fc60] zpci_bus_remove_device at c90fb6104
#5 [3800313fca0] __zpci_event_availability at c90fb3dca
#6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2
#7 [3800313fd60] crw_collect_info at c91905822
#8 [3800313fe10] kthread at c90feb390
#9 [3800313fe68] __ret_from_fork at c90f6aa64
#10 [3800313fe98] ret_from_fork at c9194f3f2.
This is because in addition to sriov_disable() removing the VFs, the
platform also generates hot-unplug events for the VFs. This being the
reverse operation to the hotplug events generated by sriov_enable() and
handled via pdev->no_vf_scan. And while the event processing takes
pci_rescan_remove_lock and checks whether the struct pci_dev still exists,
the lack of synchronization makes this checking racy.
Other races may also be possible of course though given that this lack of
locking persisted so long observable races seem very rare. Even on s390 the
list corruption was only observed with certain devices since the platform
events are only triggered by config accesses after the removal, so as long
as the removal finished synchronously they would not race. Either way the
locking is missing so fix this by adding it to the sriov_del_vfs() helper.
Just like PCI rescan-remove, locking is also missing in sriov_add_vfs()
including for the error case where pci_stop_and_remove_bus_device() is
called without the PCI rescan-remove lock being held. Even in the non-error
case, adding new PCI devices and buses should be serialized via the PCI
rescan-remove lock. Add the necessary locking.
Fixes: 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
Reviewed-by: Julian Ruess <julianr@linux.ibm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250826-pci_fix_sriov_disable-v1-1-2d0bc938f2a3@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/iov.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -629,15 +629,18 @@ static int sriov_add_vfs(struct pci_dev
if (dev->no_vf_scan)
return 0;
+ pci_lock_rescan_remove();
for (i = 0; i < num_vfs; i++) {
rc = pci_iov_add_virtfn(dev, i);
if (rc)
goto failed;
}
+ pci_unlock_rescan_remove();
return 0;
failed:
while (i--)
pci_iov_remove_virtfn(dev, i);
+ pci_unlock_rescan_remove();
return rc;
}
@@ -762,8 +765,10 @@ static void sriov_del_vfs(struct pci_dev
struct pci_sriov *iov = dev->sriov;
int i;
+ pci_lock_rescan_remove();
for (i = 0; i < iov->num_VFs; i++)
pci_iov_remove_virtfn(dev, i);
+ pci_unlock_rescan_remove();
}
static void sriov_disable(struct pci_dev *dev)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 277/371] PCI/ERR: Fix uevent on failure to recover
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 276/371] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 278/371] PCI/AER: Fix missing uevent on recovery when a reset is requested Greg Kroah-Hartman
` (106 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 upstream.
Upon failure to recover from a PCIe error through AER, DPC or EDR, a
uevent is sent to inform user space about disconnection of the bridge
whose subordinate devices failed to recover.
However the bridge itself is not disconnected. Instead, a uevent should
be sent for each of the subordinate devices.
Only if the "bridge" happens to be a Root Complex Event Collector or
Integrated Endpoint does it make sense to send a uevent for it (because
there are no subordinate devices).
Right now if there is a mix of subordinate devices with and without
pci_error_handlers, a BEGIN_RECOVERY event is sent for those with
pci_error_handlers but no FAILED_RECOVERY event is ever sent for them
afterwards. Fix it.
Fixes: 856e1eb9bdd4 ("PCI/AER: Add uevents in AER and EEH error/resume")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org # v4.16+
Link: https://patch.msgid.link/68fc527a380821b5d861dd554d2ce42cb739591c.1755008151.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pcie/err.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/pci/pcie/err.c
+++ b/drivers/pci/pcie/err.c
@@ -108,6 +108,12 @@ static int report_normal_detected(struct
return report_error_detected(dev, pci_channel_io_normal, data);
}
+static int report_perm_failure_detected(struct pci_dev *dev, void *data)
+{
+ pci_uevent_ers(dev, PCI_ERS_RESULT_DISCONNECT);
+ return 0;
+}
+
static int report_mmio_enabled(struct pci_dev *dev, void *data)
{
struct pci_driver *pdrv;
@@ -269,7 +275,7 @@ pci_ers_result_t pcie_do_recovery(struct
failed:
pci_walk_bridge(bridge, pci_pm_runtime_put, NULL);
- pci_uevent_ers(bridge, PCI_ERS_RESULT_DISCONNECT);
+ pci_walk_bridge(bridge, report_perm_failure_detected, NULL);
pci_info(bridge, "device recovery failed\n");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 278/371] PCI/AER: Fix missing uevent on recovery when a reset is requested
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 277/371] PCI/ERR: Fix uevent on failure to recover Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 279/371] PCI/AER: Support errors introduced by PCIe r6.0 Greg Kroah-Hartman
` (105 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Bjorn Helgaas,
Lukas Wunner
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Schnelle <schnelle@linux.ibm.com>
commit bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b upstream.
Since commit 7b42d97e99d3 ("PCI/ERR: Always report current recovery
status for udev") AER uses the result of error_detected() as parameter
to pci_uevent_ers(). As pci_uevent_ers() however does not handle
PCI_ERS_RESULT_NEED_RESET this results in a missing uevent for the
beginning of recovery if drivers request a reset. Fix this by treating
PCI_ERS_RESULT_NEED_RESET as beginning recovery.
Fixes: 7b42d97e99d3 ("PCI/ERR: Always report current recovery status for udev")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250807-add_err_uevents-v5-1-adf85b0620b0@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-driver.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -1596,6 +1596,7 @@ void pci_uevent_ers(struct pci_dev *pdev
switch (err_type) {
case PCI_ERS_RESULT_NONE:
case PCI_ERS_RESULT_CAN_RECOVER:
+ case PCI_ERS_RESULT_NEED_RESET:
envp[idx++] = "ERROR_EVENT=BEGIN_RECOVERY";
envp[idx++] = "DEVICE_ONLINE=0";
break;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 279/371] PCI/AER: Support errors introduced by PCIe r6.0
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 278/371] PCI/AER: Fix missing uevent on recovery when a reset is requested Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 280/371] PCI: Ensure relaxed tail alignment does not increase min_align Greg Kroah-Hartman
` (104 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
Kuppuswamy Sathyanarayanan
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 6633875250b38b18b8638cf01e695de031c71f02 upstream.
PCIe r6.0 defined five additional errors in the Uncorrectable Error
Status, Mask and Severity Registers (PCIe r7.0 sec 7.8.4.2ff).
lspci has been supporting them since commit 144b0911cc0b ("ls-ecaps:
extend decode support for more fields for AER CE and UE status"):
https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git/commit/?id=144b0911cc0b
Amend the AER driver to recognize them as well, instead of logging them as
"Unknown Error Bit".
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/21f1875b18d4078c99353378f37dcd6b994f6d4e.1756301211.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pcie/aer.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -43,7 +43,7 @@
#define AER_ERROR_SOURCES_MAX 128
#define AER_MAX_TYPEOF_COR_ERRS 16 /* as per PCI_ERR_COR_STATUS */
-#define AER_MAX_TYPEOF_UNCOR_ERRS 27 /* as per PCI_ERR_UNCOR_STATUS*/
+#define AER_MAX_TYPEOF_UNCOR_ERRS 32 /* as per PCI_ERR_UNCOR_STATUS*/
struct aer_err_source {
u32 status; /* PCI_ERR_ROOT_STATUS */
@@ -525,11 +525,11 @@ static const char *aer_uncorrectable_err
"AtomicOpBlocked", /* Bit Position 24 */
"TLPBlockedErr", /* Bit Position 25 */
"PoisonTLPBlocked", /* Bit Position 26 */
- NULL, /* Bit Position 27 */
- NULL, /* Bit Position 28 */
- NULL, /* Bit Position 29 */
- NULL, /* Bit Position 30 */
- NULL, /* Bit Position 31 */
+ "DMWrReqBlocked", /* Bit Position 27 */
+ "IDECheck", /* Bit Position 28 */
+ "MisIDETLP", /* Bit Position 29 */
+ "PCRC_CHECK", /* Bit Position 30 */
+ "TLPXlatBlocked", /* Bit Position 31 */
};
static const char *aer_agent_string[] = {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 280/371] PCI: Ensure relaxed tail alignment does not increase min_align
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 279/371] PCI/AER: Support errors introduced by PCIe r6.0 Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 281/371] PCI: Fix failure detection during resource resize Greg Kroah-Hartman
` (103 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rio Liu, Ilpo Järvinen,
Bjorn Helgaas
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
commit 6e460c3d611009a1d1c2c1f61c96578284a14fba upstream.
When using relaxed tail alignment for the bridge window, pbus_size_mem()
also tries to minimize min_align, which can under certain scenarios end up
increasing min_align from that found by calculate_mem_align().
Ensure min_align is not increased by the relaxed tail alignment.
Eventually, it would be better to add calculate_relaxed_head_align()
similar to calculate_mem_align() which finds out what alignment can be used
for the head without introducing any gaps into the bridge window to give
flexibility on head address too. But that looks relatively complex so it
requires much more testing than fixing the immediate problem causing a
regression.
Fixes: 67f9085596ee ("PCI: Allow relaxed bridge window tail sizing for optional resources")
Reported-by: Rio Liu <rio@r26.me>
Closes: https://lore.kernel.org/all/o2bL8MtD_40-lf8GlslTw-AZpUPzm8nmfCnJKvS8RQ3NOzOW1uq1dVCEfRpUjJ2i7G2WjfQhk2IWZ7oGp-7G-jXN4qOdtnyOcjRR0PZWK5I=@r26.me/
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Rio Liu <rio@r26.me>
Cc: stable@vger.kernel.org # v6.15+
Link: https://patch.msgid.link/20250822123359.16305-2-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/setup-bus.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 7853ac6999e2..527f0479e983 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -1169,6 +1169,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
resource_size_t children_add_size = 0;
resource_size_t children_add_align = 0;
resource_size_t add_align = 0;
+ resource_size_t relaxed_align;
if (!b_res)
return -ENOSPC;
@@ -1246,8 +1247,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
if (bus->self && size0 &&
!pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type,
size0, min_align)) {
- min_align = 1ULL << (max_order + __ffs(SZ_1M));
- min_align = max(min_align, win_align);
+ relaxed_align = 1ULL << (max_order + __ffs(SZ_1M));
+ relaxed_align = max(relaxed_align, win_align);
+ min_align = min(min_align, relaxed_align);
size0 = calculate_memsize(size, min_size, 0, 0, resource_size(b_res), win_align);
pci_info(bus->self, "bridge window %pR to %pR requires relaxed alignment rules\n",
b_res, &bus->busn_res);
@@ -1261,8 +1263,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
if (bus->self && size1 &&
!pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type,
size1, add_align)) {
- min_align = 1ULL << (max_order + __ffs(SZ_1M));
- min_align = max(min_align, win_align);
+ relaxed_align = 1ULL << (max_order + __ffs(SZ_1M));
+ relaxed_align = max(relaxed_align, win_align);
+ min_align = min(min_align, relaxed_align);
size1 = calculate_memsize(size, min_size, add_size, children_add_size,
resource_size(b_res), win_align);
pci_info(bus->self,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 281/371] PCI: Fix failure detection during resource resize
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 280/371] PCI: Ensure relaxed tail alignment does not increase min_align Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 282/371] PCI: j721e: Fix module autoloading Greg Kroah-Hartman
` (102 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, D Scott Phillips, Ilpo Järvinen,
Bjorn Helgaas, Christian König
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
commit 31af09b3eaf3603870ce9fd5a7b6c8693129c4cf upstream.
Since 96336ec70264 ("PCI: Perform reset_resource() and build fail list in
sync") the failed list is always built and returned to let the caller
decide what to do with the failures. The caller may want to retry resource
fitting and assignment and before that can happen, the resources should be
restored to their original state (a reset effectively clears the struct
resource), which requires returning them to the failed list so the original
state remains stored in the associated struct pci_dev_resource.
Resource resizing is different from the ordinary resource fitting and
assignment in that it only considers part of the resources. This means
failures for other resource types are not relevant at all and should be
ignored. As resize doesn't unassign such unrelated resources, those
resources ending up in the failed list implies assignment of that
resource must have failed before resize too. The check in
pci_reassign_bridge_resources() to decide if the whole assignment is
successful, however, is based on list emptiness which will cause false
negatives when the failed list has resources with an unrelated type.
If the failed list is not empty, call pci_required_resource_failed() and
extend it to be able to filter on specific resource types too (if
provided).
Calling pci_required_resource_failed() at this point is slightly
problematic because the resource itself is reset when the failed list
is constructed in __assign_resources_sorted(). As a result,
pci_resource_is_optional() does not have access to the original
resource flags. This could be worked around by restoring and
re-resetting the resource around the call to pci_resource_is_optional(),
however, it shouldn't cause issue as resource resizing is meant for
64-bit prefetchable resources according to Christian König (see the
Link which unfortunately doesn't point directly to Christian's reply
because lore didn't store that email at all).
Fixes: 96336ec70264 ("PCI: Perform reset_resource() and build fail list in sync")
Link: https://lore.kernel.org/all/c5d1b5d8-8669-5572-75a7-0b480f581ac1@linux.intel.com/
Reported-by: D Scott Phillips <scott@os.amperecomputing.com>
Closes: https://lore.kernel.org/all/86plf0lgit.fsf@scott-ph-mail.amperecomputing.com/
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: D Scott Phillips <scott@os.amperecomputing.com>
Reviewed-by: D Scott Phillips <scott@os.amperecomputing.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: stable@vger.kernel.org # v6.15+
Link: https://patch.msgid.link/20250822123359.16305-4-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/setup-bus.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -28,6 +28,10 @@
#include <linux/acpi.h>
#include "pci.h"
+#define PCI_RES_TYPE_MASK \
+ (IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH |\
+ IORESOURCE_MEM_64)
+
unsigned int pci_flags;
EXPORT_SYMBOL_GPL(pci_flags);
@@ -384,13 +388,19 @@ static bool pci_need_to_release(unsigned
}
/* Return: @true if assignment of a required resource failed. */
-static bool pci_required_resource_failed(struct list_head *fail_head)
+static bool pci_required_resource_failed(struct list_head *fail_head,
+ unsigned long type)
{
struct pci_dev_resource *fail_res;
+ type &= PCI_RES_TYPE_MASK;
+
list_for_each_entry(fail_res, fail_head, list) {
int idx = pci_resource_num(fail_res->dev, fail_res->res);
+ if (type && (fail_res->flags & PCI_RES_TYPE_MASK) != type)
+ continue;
+
if (!pci_resource_is_optional(fail_res->dev, idx))
return true;
}
@@ -504,7 +514,7 @@ assign:
}
/* Without realloc_head and only optional fails, nothing more to do. */
- if (!pci_required_resource_failed(&local_fail_head) &&
+ if (!pci_required_resource_failed(&local_fail_head, 0) &&
list_empty(realloc_head)) {
list_for_each_entry(save_res, &save_head, list) {
struct resource *res = save_res->res;
@@ -1707,10 +1717,6 @@ static void __pci_bridge_assign_resource
}
}
-#define PCI_RES_TYPE_MASK \
- (IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH |\
- IORESOURCE_MEM_64)
-
static void pci_bridge_release_resources(struct pci_bus *bus,
unsigned long type)
{
@@ -2449,8 +2455,12 @@ int pci_reassign_bridge_resources(struct
free_list(&added);
if (!list_empty(&failed)) {
- ret = -ENOSPC;
- goto cleanup;
+ if (pci_required_resource_failed(&failed, type)) {
+ ret = -ENOSPC;
+ goto cleanup;
+ }
+ /* Only resources with unrelated types failed (again) */
+ free_list(&failed);
}
list_for_each_entry(dev_res, &saved, list) {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 282/371] PCI: j721e: Fix module autoloading
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 281/371] PCI: Fix failure detection during resource resize Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 283/371] PCI: j721e: Fix programming sequence of "strap" settings Greg Kroah-Hartman
` (101 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit 9a7f144e18dc5f037d85a0f0d99524a574331098 upstream.
Commit a2790bf81f0f ("PCI: j721e: Add support to build as a loadable
module") added support to build the driver as a loadable module. However,
it did not add MODULE_DEVICE_TABLE() which is required for autoloading the
driver based on device table when it is built as a loadable module.
Fix it by adding MODULE_DEVICE_TABLE.
Fixes: a2790bf81f0f ("PCI: j721e: Add support to build as a loadable module")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
[mani: reworded description]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250901120359.3410774-1-s-vadapalli@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/cadence/pci-j721e.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c
index 6c93f39d0288..cfca13a4c840 100644
--- a/drivers/pci/controller/cadence/pci-j721e.c
+++ b/drivers/pci/controller/cadence/pci-j721e.c
@@ -440,6 +440,7 @@ static const struct of_device_id of_j721e_pcie_match[] = {
},
{},
};
+MODULE_DEVICE_TABLE(of, of_j721e_pcie_match);
static int j721e_pcie_probe(struct platform_device *pdev)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 283/371] PCI: j721e: Fix programming sequence of "strap" settings
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 282/371] PCI: j721e: Fix module autoloading Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 284/371] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit Greg Kroah-Hartman
` (100 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit f842d3313ba179d4005096357289c7ad09cec575 upstream.
The Cadence PCIe Controller integrated in the TI K3 SoCs supports both
Root-Complex and Endpoint modes of operation. The Glue Layer allows
"strapping" the Mode of operation of the Controller, the Link Speed
and the Link Width. This is enabled by programming the "PCIEn_CTRL"
register (n corresponds to the PCIe instance) within the CTRL_MMR
memory-mapped register space. The "reset-values" of the registers are
also different depending on the mode of operation.
Since the PCIe Controller latches onto the "reset-values" immediately
after being powered on, if the Glue Layer configuration is not done while
the PCIe Controller is off, it will result in the PCIe Controller latching
onto the wrong "reset-values". In practice, this will show up as a wrong
representation of the PCIe Controller's capability structures in the PCIe
Configuration Space. Some such capabilities which are supported by the PCIe
Controller in the Root-Complex mode but are incorrectly latched onto as
being unsupported are:
- Link Bandwidth Notification
- Alternate Routing ID (ARI) Forwarding Support
- Next capability offset within Advanced Error Reporting (AER) capability
Fix this by powering off the PCIe Controller before programming the "strap"
settings and powering it on after that. The runtime PM APIs namely
pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and
increment the usage counter respectively, causing GENPD to power off and
power on the PCIe Controller.
Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/cadence/pci-j721e.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/drivers/pci/controller/cadence/pci-j721e.c
+++ b/drivers/pci/controller/cadence/pci-j721e.c
@@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j
if (!ret)
offset = args.args[0];
+ /*
+ * The PCIe Controller's registers have different "reset-values"
+ * depending on the "strap" settings programmed into the PCIEn_CTRL
+ * register within the CTRL_MMR memory-mapped register space.
+ * The registers latch onto a "reset-value" based on the "strap"
+ * settings sampled after the PCIe Controller is powered on.
+ * To ensure that the "reset-values" are sampled accurately, power
+ * off the PCIe Controller before programming the "strap" settings
+ * and power it on after that. The runtime PM APIs namely
+ * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and
+ * increment the usage counter respectively, causing GENPD to power off
+ * and power on the PCIe Controller.
+ */
+ ret = pm_runtime_put_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to power off PCIe Controller\n");
+ return ret;
+ }
+
ret = j721e_pcie_set_mode(pcie, syscon, offset);
if (ret < 0) {
dev_err(dev, "Failed to set pci mode\n");
@@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j
return ret;
}
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to power on PCIe Controller\n");
+ return ret;
+ }
+
/* Enable ACSPCIE refclk output if the optional property exists */
syscon = syscon_regmap_lookup_by_phandle_optional(node,
"ti,syscon-acspcie-proxy-ctrl");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 284/371] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 283/371] PCI: j721e: Fix programming sequence of "strap" settings Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 285/371] PCI: rcar-gen4: Fix PHY initialization Greg Kroah-Hartman
` (99 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby, Siddharth Vadapalli,
Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit e51d05f523e43ce5d2bad957943a2b14f68078cd upstream.
Commit under Fixes introduced the IRQ handler for "ks-pcie-error-irq".
The interrupt is acquired using "request_irq()" but is never freed if
the driver exits due to an error. Although the section in the driver that
invokes "request_irq()" has moved around over time, the issue hasn't been
addressed until now.
Fix this by using "devm_request_irq()" which automatically frees the
interrupt if the driver exits.
Fixes: 025dd3daeda7 ("PCI: keystone: Add error IRQ handler")
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Closes: https://lore.kernel.org/r/3d3a4b52-e343-42f3-9d69-94c259812143@kernel.org
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250912100802.3136121-2-s-vadapalli@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/pci/controller/dwc/pci-keystone.c
+++ b/drivers/pci/controller/dwc/pci-keystone.c
@@ -1201,8 +1201,8 @@ static int ks_pcie_probe(struct platform
if (irq < 0)
return irq;
- ret = request_irq(irq, ks_pcie_err_irq_handler, IRQF_SHARED,
- "ks-pcie-error-irq", ks_pcie);
+ ret = devm_request_irq(dev, irq, ks_pcie_err_irq_handler, IRQF_SHARED,
+ "ks-pcie-error-irq", ks_pcie);
if (ret < 0) {
dev_err(dev, "failed to request error IRQ %d\n",
irq);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 285/371] PCI: rcar-gen4: Fix PHY initialization
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 284/371] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 286/371] PCI: rcar-host: Drop PMSR spinlock Greg Kroah-Hartman
` (98 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit d96ac5bdc52b271b4f8ac0670a203913666b8758 upstream.
R-Car V4H Reference Manual R19UH0186EJ0130 Rev.1.30 Apr. 21, 2025 page 4581
Figure 104.3b Initial Setting of PCIEC(example), middle of the figure
indicates that fourth write into register 0x148 [2:0] is 0x3 or
GENMASK(1, 0). The current code writes GENMASK(11, 0) which is a typo. Fix
the typo.
Fixes: faf5a975ee3b ("PCI: rcar-gen4: Add support for R-Car V4H")
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250806192548.133140-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pcie-rcar-gen4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pci/controller/dwc/pcie-rcar-gen4.c
+++ b/drivers/pci/controller/dwc/pcie-rcar-gen4.c
@@ -723,7 +723,7 @@ static int rcar_gen4_pcie_ltssm_control(
rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(23, 22), BIT(22));
rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(18, 16), GENMASK(17, 16));
rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(7, 6), BIT(6));
- rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(2, 0), GENMASK(11, 0));
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(2, 0), GENMASK(1, 0));
rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x1d4, GENMASK(16, 15), GENMASK(16, 15));
rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x514, BIT(26), BIT(26));
rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x0f8, BIT(16), 0);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 286/371] PCI: rcar-host: Drop PMSR spinlock
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 285/371] PCI: rcar-gen4: Fix PHY initialization Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 287/371] PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock Greg Kroah-Hartman
` (97 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duy Nguyen, Thuan Nguyen,
Marek Vasut, Manivannan Sadhasivam, Geert Uytterhoeven
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 upstream.
The pmsr_lock spinlock used to be necessary to synchronize access to the
PMSR register, because that access could have been triggered from either
config space access in rcar_pcie_config_access() or an exception handler
rcar_pcie_aarch32_abort_handler().
The rcar_pcie_aarch32_abort_handler() case is no longer applicable since
commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read
which triggered an exception"), which performs more accurate, controlled
invocation of the exception, and a fixup.
This leaves rcar_pcie_config_access() as the only call site from which
rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be
called from the controller struct pci_ops .read and .write callbacks,
and those are serialized in drivers/pci/access.c using raw spinlock
'pci_lock' . It should be noted that CONFIG_PCI_LOCKLESS_CONFIG is never
set on this platform.
Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a
raw spinlock, this constellation triggers 'BUG: Invalid wait context'
with CONFIG_PROVE_RAW_LOCK_NESTING=y .
Remove the pmsr_lock to fix the locking.
Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook")
Reported-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
Reported-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250909162707.13927-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-rcar-host.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
--- a/drivers/pci/controller/pcie-rcar-host.c
+++ b/drivers/pci/controller/pcie-rcar-host.c
@@ -52,20 +52,13 @@ struct rcar_pcie_host {
int (*phy_init_fn)(struct rcar_pcie_host *host);
};
-static DEFINE_SPINLOCK(pmsr_lock);
-
static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base)
{
- unsigned long flags;
u32 pmsr, val;
int ret = 0;
- spin_lock_irqsave(&pmsr_lock, flags);
-
- if (!pcie_base || pm_runtime_suspended(pcie_dev)) {
- ret = -EINVAL;
- goto unlock_exit;
- }
+ if (!pcie_base || pm_runtime_suspended(pcie_dev))
+ return -EINVAL;
pmsr = readl(pcie_base + PMSR);
@@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct devic
writel(L1FAEG | PMEL1RX, pcie_base + PMSR);
}
-unlock_exit:
- spin_unlock_irqrestore(&pmsr_lock, flags);
return ret;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 287/371] PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 286/371] PCI: rcar-host: Drop PMSR spinlock Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 288/371] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() Greg Kroah-Hartman
` (96 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duy Nguyen, Thuan Nguyen,
Marek Vasut, Manivannan Sadhasivam, Bjorn Helgaas,
Geert Uytterhoeven, Marc Zyngier
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit 5ed35b4d490d8735021cce9b715b62a418310864 upstream.
The rcar_msi_irq_unmask() function may be called from a PCI driver
request_threaded_irq() function. This triggers kernel/irq/manage.c
__setup_irq() which locks raw spinlock &desc->lock descriptor lock
and with that descriptor lock held, calls rcar_msi_irq_unmask().
Since the &desc->lock descriptor lock is a raw spinlock, and the rcar_msi
.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait
context' with CONFIG_PROVE_RAW_LOCK_NESTING=y.
Use scoped_guard() to simplify the locking.
Fixes: 83ed8d4fa656 ("PCI: rcar: Convert to MSI domains")
Reported-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
Reported-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250909162707.13927-2-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-rcar-host.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/pci/controller/pcie-rcar-host.c
+++ b/drivers/pci/controller/pcie-rcar-host.c
@@ -12,6 +12,7 @@
*/
#include <linux/bitops.h>
+#include <linux/cleanup.h>
#include <linux/clk.h>
#include <linux/clk-provider.h>
#include <linux/delay.h>
@@ -38,7 +39,7 @@ struct rcar_msi {
DECLARE_BITMAP(used, INT_PCI_MSI_NR);
struct irq_domain *domain;
struct mutex map_lock;
- spinlock_t mask_lock;
+ raw_spinlock_t mask_lock;
int irq1;
int irq2;
};
@@ -602,28 +603,26 @@ static void rcar_msi_irq_mask(struct irq
{
struct rcar_msi *msi = irq_data_get_irq_chip_data(d);
struct rcar_pcie *pcie = &msi_to_host(msi)->pcie;
- unsigned long flags;
u32 value;
- spin_lock_irqsave(&msi->mask_lock, flags);
- value = rcar_pci_read_reg(pcie, PCIEMSIIER);
- value &= ~BIT(d->hwirq);
- rcar_pci_write_reg(pcie, value, PCIEMSIIER);
- spin_unlock_irqrestore(&msi->mask_lock, flags);
+ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
+ value = rcar_pci_read_reg(pcie, PCIEMSIIER);
+ value &= ~BIT(d->hwirq);
+ rcar_pci_write_reg(pcie, value, PCIEMSIIER);
+ }
}
static void rcar_msi_irq_unmask(struct irq_data *d)
{
struct rcar_msi *msi = irq_data_get_irq_chip_data(d);
struct rcar_pcie *pcie = &msi_to_host(msi)->pcie;
- unsigned long flags;
u32 value;
- spin_lock_irqsave(&msi->mask_lock, flags);
- value = rcar_pci_read_reg(pcie, PCIEMSIIER);
- value |= BIT(d->hwirq);
- rcar_pci_write_reg(pcie, value, PCIEMSIIER);
- spin_unlock_irqrestore(&msi->mask_lock, flags);
+ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
+ value = rcar_pci_read_reg(pcie, PCIEMSIIER);
+ value |= BIT(d->hwirq);
+ rcar_pci_write_reg(pcie, value, PCIEMSIIER);
+ }
}
static void rcar_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
@@ -736,7 +735,7 @@ static int rcar_pcie_enable_msi(struct r
int err;
mutex_init(&msi->map_lock);
- spin_lock_init(&msi->mask_lock);
+ raw_spin_lock_init(&msi->mask_lock);
err = of_address_to_resource(dev->of_node, 0, &res);
if (err)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 288/371] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 287/371] PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 289/371] PCI: tegra194: Handle errors in BPMP response Greg Kroah-Hartman
` (95 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 upstream.
The pci_epc_raise_irq() supplies a MSI or MSI-X interrupt number in range
(1-N), as per the pci_epc_raise_irq() kdoc, where N is 32 for MSI.
But tegra_pcie_ep_raise_msi_irq() incorrectly uses the interrupt number as
the MSI vector. This causes wrong MSI vector to be triggered, leading to
the failure of PCI endpoint Kselftest MSI_TEST test case.
To fix this issue, convert the interrupt number to MSI vector.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250922140822.519796-6-cassel@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1955,10 +1955,10 @@ static int tegra_pcie_ep_raise_intx_irq(
static int tegra_pcie_ep_raise_msi_irq(struct tegra_pcie_dw *pcie, u16 irq)
{
- if (unlikely(irq > 31))
+ if (unlikely(irq > 32))
return -EINVAL;
- appl_writel(pcie, BIT(irq), APPL_MSI_CTRL_1);
+ appl_writel(pcie, BIT(irq - 1), APPL_MSI_CTRL_1);
return 0;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 289/371] PCI: tegra194: Handle errors in BPMP response
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 288/371] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 290/371] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Greg Kroah-Hartman
` (94 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Niklas Cassel,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Thierry Reding
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
commit f8c9ad46b00453a8c075453f3745f8d263f44834 upstream.
The return value from tegra_bpmp_transfer() indicates the success or
failure of the IPC transaction with BPMP. If the transaction succeeded, we
also need to check the actual command's result code.
If we don't have error handling for tegra_bpmp_transfer(), we will set the
pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer()
command fails. Thus, the pcie->ep_state will get out of sync with reality,
and any further PERST# assert + deassert will be a no-op and will not
trigger the hardware initialization sequence.
This is because pex_ep_event_pex_rst_deassert() checks the current
pcie->ep_state, and does nothing if the current state is already
EP_STATE_ENABLED.
Thus, it is important to have error handling for tegra_bpmp_transfer(),
such that the pcie->ep_state can not get out of sync with reality, so that
we will try to initialize the hardware not only during the first PERST#
assert + deassert, but also during any succeeding PERST# assert + deassert.
One example where this fix is needed is when using a rock5b as host.
During the initial PERST# assert + deassert (triggered by the bootloader on
the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some
unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails.
Once Linux has been loaded on the rock5b, the PCIe driver will once again
assert + deassert PERST#. However, without tegra_bpmp_transfer() error
handling, this second PERST# assert + deassert will not trigger the
hardware initialization sequence.
With tegra_bpmp_transfer() error handling, the second PERST# assert +
deassert will once again trigger the hardware to be initialized and this
time the tegra_bpmp_transfer() succeeds.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
[cassel: improve commit log]
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1214,6 +1214,7 @@ static int tegra_pcie_bpmp_set_ctrl_stat
struct mrq_uphy_response resp;
struct tegra_bpmp_message msg;
struct mrq_uphy_request req;
+ int err;
/*
* Controller-5 doesn't need to have its state set by BPMP-FW in
@@ -1236,7 +1237,13 @@ static int tegra_pcie_bpmp_set_ctrl_stat
msg.rx.data = &resp;
msg.rx.size = sizeof(resp);
- return tegra_bpmp_transfer(pcie->bpmp, &msg);
+ err = tegra_bpmp_transfer(pcie->bpmp, &msg);
+ if (err)
+ return err;
+ if (msg.rx.ret)
+ return -EINVAL;
+
+ return 0;
}
static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
@@ -1245,6 +1252,7 @@ static int tegra_pcie_bpmp_set_pll_state
struct mrq_uphy_response resp;
struct tegra_bpmp_message msg;
struct mrq_uphy_request req;
+ int err;
memset(&req, 0, sizeof(req));
memset(&resp, 0, sizeof(resp));
@@ -1264,7 +1272,13 @@ static int tegra_pcie_bpmp_set_pll_state
msg.rx.data = &resp;
msg.rx.size = sizeof(resp);
- return tegra_bpmp_transfer(pcie->bpmp, &msg);
+ err = tegra_bpmp_transfer(pcie->bpmp, &msg);
+ if (err)
+ return err;
+ if (msg.rx.ret)
+ return -EINVAL;
+
+ return 0;
}
static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 290/371] PCI: tegra194: Reset BARs when running in PCIe endpoint mode
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 289/371] PCI: tegra194: Handle errors in BPMP response Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 291/371] PCI/pwrctrl: Fix device leak at registration Greg Kroah-Hartman
` (93 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Manivannan Sadhasivam,
Bjorn Helgaas
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit 42f9c66a6d0cc45758dab77233c5460e1cf003df upstream.
Tegra already defines all BARs except BAR0 as BAR_RESERVED. This is
sufficient for pci-epf-test to not allocate backing memory and to not call
set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not
mean that the BAR gets disabled.
The host side driver, pci_endpoint_test, simply does an ioremap for all
enabled BARs and will run tests against all enabled BARs, so it will run
tests against the BARs marked as BAR_RESERVED.
After running the BAR tests (which will write to all enabled BARs), the
inbound address translation is broken. This is because the tegra controller
exposes the ATU Port Logic Structure in BAR4, so when BAR4 is written, the
inbound address translation settings get overwritten.
To avoid this, implement the dw_pcie_ep_ops .init() callback and start off
by disabling all BARs (pci-epf-test will later enable/configure BARs that
are not defined as BAR_RESERVED).
This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6,
layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep.
With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which
was specifically made to detect address translation issues) passes.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250922140822.519796-7-cassel@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst
return IRQ_HANDLED;
}
+static void tegra_pcie_ep_init(struct dw_pcie_ep *ep)
+{
+ struct dw_pcie *pci = to_dw_pcie_from_ep(ep);
+ enum pci_barno bar;
+
+ for (bar = 0; bar < PCI_STD_NUM_BARS; bar++)
+ dw_pcie_ep_reset_bar(pci, bar);
+};
+
static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq)
{
/* Tegra194 supports only INTA */
@@ -2031,6 +2040,7 @@ tegra_pcie_ep_get_features(struct dw_pci
}
static const struct dw_pcie_ep_ops pcie_ep_ops = {
+ .init = tegra_pcie_ep_init,
.raise_irq = tegra_pcie_ep_raise_irq,
.get_features = tegra_pcie_ep_get_features,
};
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 291/371] PCI/pwrctrl: Fix device leak at registration
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 290/371] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 292/371] PCI/pwrctrl: Fix device and OF node leak at bus scan Greg Kroah-Hartman
` (92 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bjorn Helgaas,
Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 39f9be6aba3ae4d6fdd4b8554f1184d054d7a713 upstream.
Make sure to drop the reference to the pwrctrl device taken by
of_find_device_by_node() when registering a PCI device.
Fixes: b458ff7e8176 ("PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers")
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org # v6.13
Link: https://patch.msgid.link/20250721153609.8611-2-johan+linaro@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/bus.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/drivers/pci/bus.c
+++ b/drivers/pci/bus.c
@@ -361,11 +361,15 @@ void pci_bus_add_device(struct pci_dev *
* before PCI client drivers.
*/
pdev = of_find_device_by_node(dn);
- if (pdev && of_pci_supply_present(dn)) {
- if (!device_link_add(&dev->dev, &pdev->dev,
- DL_FLAG_AUTOREMOVE_CONSUMER))
- pci_err(dev, "failed to add device link to power control device %s\n",
- pdev->name);
+ if (pdev) {
+ if (of_pci_supply_present(dn)) {
+ if (!device_link_add(&dev->dev, &pdev->dev,
+ DL_FLAG_AUTOREMOVE_CONSUMER)) {
+ pci_err(dev, "failed to add device link to power control device %s\n",
+ pdev->name);
+ }
+ }
+ put_device(&pdev->dev);
}
if (!dn || of_device_is_available(dn))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 292/371] PCI/pwrctrl: Fix device and OF node leak at bus scan
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 291/371] PCI/pwrctrl: Fix device leak at registration Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 293/371] PCI/pwrctrl: Fix device leak at device stop Greg Kroah-Hartman
` (91 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bjorn Helgaas,
Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit e24bbbe0780262a21fc8619fe99078a5b8d64b18 upstream.
Make sure to drop the references to the pwrctrl OF node and device taken by
of_pci_find_child_device() and of_find_device_by_node() respectively when
scanning the bus.
Fixes: 957f40d039a9 ("PCI/pwrctrl: Move creation of pwrctrl devices to pci_scan_device()")
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org # v6.15
Link: https://patch.msgid.link/20250721153609.8611-3-johan+linaro@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/probe.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index f41128f91ca7..a56dfa1c9b6f 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -2516,9 +2516,15 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in
struct device_node *np;
np = of_pci_find_child_device(dev_of_node(&bus->dev), devfn);
- if (!np || of_find_device_by_node(np))
+ if (!np)
return NULL;
+ pdev = of_find_device_by_node(np);
+ if (pdev) {
+ put_device(&pdev->dev);
+ goto err_put_of_node;
+ }
+
/*
* First check whether the pwrctrl device really needs to be created or
* not. This is decided based on at least one of the power supplies
@@ -2526,17 +2532,24 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in
*/
if (!of_pci_supply_present(np)) {
pr_debug("PCI/pwrctrl: Skipping OF node: %s\n", np->name);
- return NULL;
+ goto err_put_of_node;
}
/* Now create the pwrctrl device */
pdev = of_platform_device_create(np, NULL, &host->dev);
if (!pdev) {
pr_err("PCI/pwrctrl: Failed to create pwrctrl device for node: %s\n", np->name);
- return NULL;
+ goto err_put_of_node;
}
+ of_node_put(np);
+
return pdev;
+
+err_put_of_node:
+ of_node_put(np);
+
+ return NULL;
}
#else
static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn)
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 293/371] PCI/pwrctrl: Fix device leak at device stop
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 292/371] PCI/pwrctrl: Fix device and OF node leak at bus scan Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 294/371] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
` (90 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bjorn Helgaas,
Manivannan Sadhasivam
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit dc32e9346b26ba33e84ec3034a1e53a9733700f9 upstream.
Make sure to drop the reference to the pwrctrl device taken by
of_find_device_by_node() when stopping a PCI device.
Fixes: 681725afb6b9 ("PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent")
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org # v6.13
Link: https://patch.msgid.link/20250721153609.8611-4-johan+linaro@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/remove.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
index 445afdfa6498..16f21edbc29d 100644
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -31,6 +31,8 @@ static void pci_pwrctrl_unregister(struct device *dev)
return;
of_device_unregister(pdev);
+ put_device(&pdev->dev);
+
of_node_clear_flag(np, OF_POPULATED);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 294/371] spi: cadence-quadspi: Flush posted register writes before INDAC access
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 293/371] PCI/pwrctrl: Fix device leak at device stop Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 295/371] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
` (89 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav, Santhosh Kumar K,
Mark Brown
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratyush Yadav <pratyush@kernel.org>
commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 upstream.
cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first
set the enable bit on APB region and then start reading/writing to the
AHB region. On TI K3 SoCs these regions lie on different endpoints. This
means that the order of the two operations is not guaranteed, and they
might be reordered at the interconnect level.
It is possible for the AHB write to be executed before the APB write to
enable the indirect controller, causing the transaction to be invalid
and the write erroring out. Read back the APB region write before
accessing the AHB region to make sure the write got flushed and the race
condition is eliminated.
Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
CC: stable@vger.kernel.org
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
Message-ID: <20250905185958.3575037-2-s-k6@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -765,6 +765,7 @@ static int cqspi_indirect_read_execute(s
reinit_completion(&cqspi->transfer_complete);
writel(CQSPI_REG_INDIRECTRD_START_MASK,
reg_base + CQSPI_REG_INDIRECTRD);
+ readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
while (remaining > 0) {
if (use_irq &&
@@ -1091,6 +1092,8 @@ static int cqspi_indirect_write_execute(
reinit_completion(&cqspi->transfer_complete);
writel(CQSPI_REG_INDIRECTWR_START_MASK,
reg_base + CQSPI_REG_INDIRECTWR);
+ readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */
+
/*
* As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access
* Controller programming sequence, couple of cycles of
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 295/371] spi: cadence-quadspi: Flush posted register writes before DAC access
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 294/371] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 296/371] spi: cadence-quadspi: Fix cqspi_setup_flash() Greg Kroah-Hartman
` (88 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav, Santhosh Kumar K,
Mark Brown
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratyush Yadav <pratyush@kernel.org>
commit 1ad55767e77a853c98752ed1e33b68049a243bd7 upstream.
cqspi_read_setup() and cqspi_write_setup() program the address width as
the last step in the setup. This is likely to be immediately followed by
a DAC region read/write. On TI K3 SoCs the DAC region is on a different
endpoint from the register region. This means that the order of the two
operations is not guaranteed, and they might be reordered at the
interconnect level. It is possible that the DAC read/write goes through
before the address width update goes through. In this situation if the
previous command used a different address width the OSPI command is sent
with the wrong number of address bytes, resulting in an invalid command
and undefined behavior.
Read back the size register to make sure the write gets flushed before
accessing the DAC region.
Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
CC: stable@vger.kernel.org
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
Message-ID: <20250905185958.3575037-3-s-k6@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -720,6 +720,7 @@ static int cqspi_read_setup(struct cqspi
reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
reg |= (op->addr.nbytes - 1);
writel(reg, reg_base + CQSPI_REG_SIZE);
+ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
return 0;
}
@@ -1064,6 +1065,7 @@ static int cqspi_write_setup(struct cqsp
reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
reg |= (op->addr.nbytes - 1);
writel(reg, reg_base + CQSPI_REG_SIZE);
+ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
return 0;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 296/371] spi: cadence-quadspi: Fix cqspi_setup_flash()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 295/371] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 297/371] xfs: use deferred intent items for reaping crosslinked blocks Greg Kroah-Hartman
` (87 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav, Théo Lebrun,
Santhosh Kumar K, Mark Brown
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Santhosh Kumar K <s-k6@ti.com>
commit 858d4d9e0a9d6b64160ef3c824f428c9742172c4 upstream.
The 'max_cs' stores the largest chip select number. It should only
be updated when the current 'cs' is greater than existing 'max_cs'. So,
fix the condition accordingly.
Also, return failure if there are no flash device declared.
Fixes: 0f3841a5e115 ("spi: cadence-qspi: report correct number of chip-select")
CC: stable@vger.kernel.org
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
Message-ID: <20250905185958.3575037-4-s-k6@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1727,12 +1727,10 @@ static const struct spi_controller_mem_c
static int cqspi_setup_flash(struct cqspi_st *cqspi)
{
- unsigned int max_cs = cqspi->num_chipselect - 1;
struct platform_device *pdev = cqspi->pdev;
struct device *dev = &pdev->dev;
struct cqspi_flash_pdata *f_pdata;
- unsigned int cs;
- int ret;
+ int ret, cs, max_cs = -1;
/* Get flash device data */
for_each_available_child_of_node_scoped(dev->of_node, np) {
@@ -1745,10 +1743,10 @@ static int cqspi_setup_flash(struct cqsp
if (cs >= cqspi->num_chipselect) {
dev_err(dev, "Chip select %d out of range.\n", cs);
return -EINVAL;
- } else if (cs < max_cs) {
- max_cs = cs;
}
+ max_cs = max_t(int, cs, max_cs);
+
f_pdata = &cqspi->f_pdata[cs];
f_pdata->cqspi = cqspi;
f_pdata->cs = cs;
@@ -1758,6 +1756,11 @@ static int cqspi_setup_flash(struct cqsp
return ret;
}
+ if (max_cs < 0) {
+ dev_err(dev, "No flash device declared\n");
+ return -ENODEV;
+ }
+
cqspi->num_chipselect = max_cs + 1;
return 0;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 297/371] xfs: use deferred intent items for reaping crosslinked blocks
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 296/371] spi: cadence-quadspi: Fix cqspi_setup_flash() Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 298/371] x86/fred: Remove ENDBR64 from FRED entry points Greg Kroah-Hartman
` (86 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit cd32a0c0dcdf634f2e0e71f41c272e19dece6264 upstream.
When we're removing rmap records for crosslinked blocks, use deferred
intent items so that we can try to free/unmap as many of the old data
structure's blocks as we can in the same transaction as the commit.
Cc: <stable@vger.kernel.org> # v6.6
Fixes: 1c7ce115e52106 ("xfs: reap large AG metadata extents when possible")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/scrub/reap.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/xfs/scrub/reap.c
+++ b/fs/xfs/scrub/reap.c
@@ -416,8 +416,6 @@ xreap_agextent_iter(
trace_xreap_dispose_unmap_extent(pag_group(sc->sa.pag), agbno,
*aglenp);
- rs->force_roll = true;
-
if (rs->oinfo == &XFS_RMAP_OINFO_COW) {
/*
* If we're unmapping CoW staging extents, remove the
@@ -426,11 +424,14 @@ xreap_agextent_iter(
*/
xfs_refcount_free_cow_extent(sc->tp, false, fsbno,
*aglenp);
+ rs->force_roll = true;
return 0;
}
- return xfs_rmap_free(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno,
- *aglenp, rs->oinfo);
+ xfs_rmap_free_extent(sc->tp, false, fsbno, *aglenp,
+ rs->oinfo->oi_owner);
+ rs->deferred++;
+ return 0;
}
trace_xreap_dispose_free_extent(pag_group(sc->sa.pag), agbno, *aglenp);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 298/371] x86/fred: Remove ENDBR64 from FRED entry points
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 297/371] xfs: use deferred intent items for reaping crosslinked blocks Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 299/371] x86/umip: Check that the instruction opcode is at least two bytes Greg Kroah-Hartman
` (85 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Li (Intel), Dave Hansen,
H. Peter Anvin (Intel), Andrew Cooper
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Li (Intel) <xin@zytor.com>
commit 3da01ffe1aeaa0d427ab5235ba735226670a80d9 upstream.
The FRED specification has been changed in v9.0 to state that there
is no need for FRED event handlers to begin with ENDBR64, because
in the presence of supervisor indirect branch tracking, FRED event
delivery does not enter the WAIT_FOR_ENDBRANCH state.
As a result, remove ENDBR64 from FRED entry points.
Then add ANNOTATE_NOENDBR to indicate that FRED entry points will
never be used for indirect calls to suppress an objtool warning.
This change implies that any indirect CALL/JMP to FRED entry points
causes #CP in the presence of supervisor indirect branch tracking.
Credit goes to Jennifer Miller <jmill@asu.edu> and other contributors
from Arizona State University whose research shows that placing ENDBR
at entry points has negative value thus led to this change.
Note: This is obviously an incompatible change to the FRED
architecture. But, it's OK because there no FRED systems out in the
wild today. All production hardware and late pre-production hardware
will follow the FRED v9 spec and be compatible with this approach.
[ dhansen: add note to changelog about incompatibility ]
Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
Signed-off-by: Xin Li (Intel) <xin@zytor.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/
Cc:stable@vger.kernel.org
Link: https://lore.kernel.org/all/20250716063320.1337818-1-xin%40zytor.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/entry/entry_64_fred.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/entry/entry_64_fred.S
+++ b/arch/x86/entry/entry_64_fred.S
@@ -16,7 +16,7 @@
.macro FRED_ENTER
UNWIND_HINT_END_OF_STACK
- ENDBR
+ ANNOTATE_NOENDBR
PUSH_AND_CLEAR_REGS
movq %rsp, %rdi /* %rdi -> pt_regs */
.endm
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 299/371] x86/umip: Check that the instruction opcode is at least two bytes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 298/371] x86/fred: Remove ENDBR64 from FRED entry points Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 300/371] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Greg Kroah-Hartman
` (84 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Snyder, Sean Christopherson,
Borislav Petkov (AMD), Peter Zijlstra (Intel)
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 32278c677947ae2f042c9535674a7fff9a245dd3 upstream.
When checking for a potential UMIP violation on #GP, verify the decoder found
at least two opcode bytes to avoid false positives when the kernel encounters
an unknown instruction that starts with 0f. Because the array of opcode.bytes
is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret
garbage as a potential SLDT or STR instruction, and can incorrectly trigger
emulation.
E.g. if a VPALIGNR instruction
62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff
hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts
the userspace code stream).
Arguably the check should look for exactly two bytes, but no three byte
opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be
impossible to get a false positive if the first two opcode bytes match '0f 00'
or '0f 01'. Go with a more conservative check with respect to the existing
code to minimize the chances of breaking userspace, e.g. due to decoder
weirdness.
Analyzed by Nick Bray <ncbray@google.com>.
Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
Reported-by: Dan Snyder <dansnyder@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/umip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/umip.c
+++ b/arch/x86/kernel/umip.c
@@ -156,8 +156,8 @@ static int identify_insn(struct insn *in
if (!insn->modrm.nbytes)
return -EINVAL;
- /* All the instructions of interest start with 0x0f. */
- if (insn->opcode.bytes[0] != 0xf)
+ /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */
+ if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf)
return -EINVAL;
if (insn->opcode.bytes[1] == 0x1) {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 300/371] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 299/371] x86/umip: Check that the instruction opcode is at least two bytes Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 301/371] mptcp: pm: in-kernel: usable client side with C-flag Greg Kroah-Hartman
` (83 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson,
Borislav Petkov (AMD), Peter Zijlstra (Intel)
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf upstream.
Filter out the register forms of 0F 01 when determining whether or not to
emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only
accept memory operands. The register variants of 0F 01 are used to encode
instructions for things like VMX and SGX, i.e. not checking the Mod field
would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL
violation on VMLAUNCH.
Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/umip.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/arch/x86/kernel/umip.c
+++ b/arch/x86/kernel/umip.c
@@ -163,8 +163,19 @@ static int identify_insn(struct insn *in
if (insn->opcode.bytes[1] == 0x1) {
switch (X86_MODRM_REG(insn->modrm.value)) {
case 0:
+ /* The reg form of 0F 01 /0 encodes VMX instructions. */
+ if (X86_MODRM_MOD(insn->modrm.value) == 3)
+ return -EINVAL;
+
return UMIP_INST_SGDT;
case 1:
+ /*
+ * The reg form of 0F 01 /1 encodes MONITOR/MWAIT,
+ * STAC/CLAC, and ENCLS.
+ */
+ if (X86_MODRM_MOD(insn->modrm.value) == 3)
+ return -EINVAL;
+
return UMIP_INST_SIDT;
case 4:
return UMIP_INST_SMSW;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 301/371] mptcp: pm: in-kernel: usable client side with C-flag
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 300/371] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 302/371] mptcp: reset blackhole on success with non-loopback ifaces Greg Kroah-Hartman
` (82 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 4b1ff850e0c1aacc23e923ed22989b827b9808f9 upstream.
When servers set the C-flag in their MP_CAPABLE to tell clients not to
create subflows to the initial address and port, clients will likely not
use their other endpoints. That's because the in-kernel path-manager
uses the 'subflow' endpoints to create subflows only to the initial
address and port.
If the limits have not been modified to accept ADD_ADDR, the client
doesn't try to establish new subflows. If the limits accept ADD_ADDR,
the routing routes will be used to select the source IP.
The C-flag is typically set when the server is operating behind a legacy
Layer 4 load balancer, or using anycast IP address. Clients having their
different 'subflow' endpoints setup, don't end up creating multiple
subflows as expected, and causing some deployment issues.
A special case is then added here: when servers set the C-flag in the
MPC and directly sends an ADD_ADDR, this single ADD_ADDR is accepted.
The 'subflows' endpoints will then be used with this new remote IP and
port. This exception is only allowed when the ADD_ADDR is sent
immediately after the 3WHS, and makes the client switching to the 'fully
established' mode. After that, 'select_local_address()' will not be able
to find any subflows, because 'id_avail_bitmap' will be filled in
mptcp_pm_create_subflow_or_signal_addr(), when switching to 'fully
established' mode.
Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/536
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250925-net-next-mptcp-c-flag-laminar-v1-1-ad126cc47c6b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 7 +++++--
net/mptcp/pm_kernel.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
net/mptcp/protocol.h | 8 ++++++++
3 files changed, 62 insertions(+), 3 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -617,9 +617,12 @@ void mptcp_pm_add_addr_received(const st
} else {
__MPTCP_INC_STATS(sock_net((struct sock *)msk), MPTCP_MIB_ADDADDRDROP);
}
- /* id0 should not have a different address */
+ /* - id0 should not have a different address
+ * - special case for C-flag: linked to fill_local_addresses_vec()
+ */
} else if ((addr->id == 0 && !mptcp_pm_is_init_remote_addr(msk, addr)) ||
- (addr->id > 0 && !READ_ONCE(pm->accept_addr))) {
+ (addr->id > 0 && !READ_ONCE(pm->accept_addr) &&
+ !mptcp_pm_add_addr_c_flag_case(msk))) {
mptcp_pm_announce_addr(msk, addr, true);
mptcp_pm_add_addr_send_ack(msk);
} else if (mptcp_pm_schedule_work(msk, MPTCP_PM_ADD_ADDR_RECEIVED)) {
--- a/net/mptcp/pm_kernel.c
+++ b/net/mptcp/pm_kernel.c
@@ -389,10 +389,12 @@ static unsigned int fill_local_addresses
struct mptcp_addr_info mpc_addr;
struct pm_nl_pernet *pernet;
unsigned int subflows_max;
+ bool c_flag_case;
int i = 0;
pernet = pm_nl_get_pernet_from_msk(msk);
subflows_max = mptcp_pm_get_subflows_max(msk);
+ c_flag_case = remote->id && mptcp_pm_add_addr_c_flag_case(msk);
mptcp_local_address((struct sock_common *)msk, &mpc_addr);
@@ -405,12 +407,27 @@ static unsigned int fill_local_addresses
continue;
if (msk->pm.subflows < subflows_max) {
+ bool is_id0;
+
locals[i].addr = entry->addr;
locals[i].flags = entry->flags;
locals[i].ifindex = entry->ifindex;
+ is_id0 = mptcp_addresses_equal(&locals[i].addr,
+ &mpc_addr,
+ locals[i].addr.port);
+
+ if (c_flag_case &&
+ (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)) {
+ __clear_bit(locals[i].addr.id,
+ msk->pm.id_avail_bitmap);
+
+ if (!is_id0)
+ msk->pm.local_addr_used++;
+ }
+
/* Special case for ID0: set the correct ID */
- if (mptcp_addresses_equal(&locals[i].addr, &mpc_addr, locals[i].addr.port))
+ if (is_id0)
locals[i].addr.id = 0;
msk->pm.subflows++;
@@ -419,6 +436,37 @@ static unsigned int fill_local_addresses
}
rcu_read_unlock();
+ /* Special case: peer sets the C flag, accept one ADD_ADDR if default
+ * limits are used -- accepting no ADD_ADDR -- and use subflow endpoints
+ */
+ if (!i && c_flag_case) {
+ unsigned int local_addr_max = mptcp_pm_get_local_addr_max(msk);
+
+ while (msk->pm.local_addr_used < local_addr_max &&
+ msk->pm.subflows < subflows_max) {
+ struct mptcp_pm_local *local = &locals[i];
+
+ if (!select_local_address(pernet, msk, local))
+ break;
+
+ __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
+
+ if (!mptcp_pm_addr_families_match(sk, &local->addr,
+ remote))
+ continue;
+
+ if (mptcp_addresses_equal(&local->addr, &mpc_addr,
+ local->addr.port))
+ continue;
+
+ msk->pm.local_addr_used++;
+ msk->pm.subflows++;
+ i++;
+ }
+
+ return i;
+ }
+
/* If the array is empty, fill in the single
* 'IPADDRANY' local address
*/
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -1201,6 +1201,14 @@ static inline void mptcp_pm_close_subflo
spin_unlock_bh(&msk->pm.lock);
}
+static inline bool mptcp_pm_add_addr_c_flag_case(struct mptcp_sock *msk)
+{
+ return READ_ONCE(msk->pm.remote_deny_join_id0) &&
+ msk->pm.local_addr_used == 0 &&
+ mptcp_pm_get_add_addr_accept_max(msk) == 0 &&
+ msk->pm.subflows < mptcp_pm_get_subflows_max(msk);
+}
+
void mptcp_sockopt_sync_locked(struct mptcp_sock *msk, struct sock *ssk);
static inline struct mptcp_ext *mptcp_get_ext(const struct sk_buff *skb)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 302/371] mptcp: reset blackhole on success with non-loopback ifaces
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 301/371] mptcp: pm: in-kernel: usable client side with C-flag Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 303/371] selftests: mptcp: join: validate C-flag + def limit Greg Kroah-Hartman
` (81 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), Simon Horman,
Kuniyuki Iwashima, Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 833d4313bc1e9e194814917d23e8874d6b651649 upstream.
When a first MPTCP connection gets successfully established after a
blackhole period, 'active_disable_times' was supposed to be reset when
this connection was done via any non-loopback interfaces.
Unfortunately, the opposite condition was checked: only reset when the
connection was established via a loopback interface. Fixing this by
simply looking at the opposite.
This is similar to what is done with TCP FastOpen, see
tcp_fastopen_active_disable_ofo_check().
This patch is a follow-up of a previous discussion linked to commit
893c49a78d9f ("mptcp: Use __sk_dst_get() and dst_dev_rcu() in
mptcp_active_enable()."), see [1].
Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/4209a283-8822-47bd-95b7-87e96d9b7ea3@kernel.org [1]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250918-net-next-mptcp-blackhole-reset-loopback-v1-1-bf5818326639@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/ctrl.c
+++ b/net/mptcp/ctrl.c
@@ -507,7 +507,7 @@ void mptcp_active_enable(struct sock *sk
rcu_read_lock();
dst = __sk_dst_get(sk);
dev = dst ? dst_dev_rcu(dst) : NULL;
- if (dev && (dev->flags & IFF_LOOPBACK))
+ if (!(dev && (dev->flags & IFF_LOOPBACK)))
atomic_set(&pernet->active_disable_times, 0);
rcu_read_unlock();
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 303/371] selftests: mptcp: join: validate C-flag + def limit
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 302/371] mptcp: reset blackhole on success with non-loopback ifaces Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 304/371] s390/cio/ioasm: Fix __xsch() condition code handling Greg Kroah-Hartman
` (80 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 008385efd05e04d8dff299382df2e8be0f91d8a0 upstream.
The previous commit adds an exception for the C-flag case. The
'mptcp_join.sh' selftest is extended to validate this case.
In this subtest, there is a typical CDN deployment with a client where
MPTCP endpoints have been 'automatically' configured:
- the server set net.mptcp.allow_join_initial_addr_port=0
- the client has multiple 'subflow' endpoints, and the default limits:
not accepting ADD_ADDRs.
Without the parent patch, the client is not able to establish new
subflows using its 'subflow' endpoints. The parent commit fixes that.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250925-net-next-mptcp-c-flag-laminar-v1-2-ad126cc47c6b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -3187,6 +3187,17 @@ deny_join_id0_tests()
run_tests $ns1 $ns2 10.0.1.1
chk_join_nr 1 1 1
fi
+
+ # default limits, server deny join id 0 + signal
+ if reset_with_allow_join_id0 "default limits, server deny join id 0" 0 1; then
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 0 2
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 2 2 2
+ fi
}
fullmesh_tests()
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 304/371] s390/cio/ioasm: Fix __xsch() condition code handling
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 303/371] selftests: mptcp: join: validate C-flag + def limit Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 305/371] s390/dasd: enforce dma_alignment to ensure proper buffer validation Greg Kroah-Hartman
` (79 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Alexander Gordeev,
Juergen Christ
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit f0edc8f113a39d1c9f8cf83e865c32b0668d80e0 upstream.
For the __xsch() inline assembly the conversion to flag output macros is
incomplete. Only the conditional shift of the return value was added, while
the required changes to the inline assembly itself are missing.
If compiled with GCC versions before 14.2 this leads to a double shift of
the cc output operand and therefore the returned value of __xsch() is
incorrectly always zero, instead of the expected condition code.
Fixes: e200565d434b ("s390/cio/ioasm: Convert to use flag output macros")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
Reviewed-by: Juergen Christ <jchrist@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/cio/ioasm.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/s390/cio/ioasm.c b/drivers/s390/cio/ioasm.c
index a540045b64a6..8b06b234e110 100644
--- a/drivers/s390/cio/ioasm.c
+++ b/drivers/s390/cio/ioasm.c
@@ -253,11 +253,10 @@ static inline int __xsch(struct subchannel_id schid)
asm volatile(
" lgr 1,%[r1]\n"
" xsch\n"
- " ipm %[cc]\n"
- " srl %[cc],28\n"
- : [cc] "=&d" (ccode)
+ CC_IPM(cc)
+ : CC_OUT(cc, ccode)
: [r1] "d" (r1)
- : "cc", "1");
+ : CC_CLOBBER_LIST("1"));
return CC_TRANSFORM(ccode);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 305/371] s390/dasd: enforce dma_alignment to ensure proper buffer validation
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 304/371] s390/cio/ioasm: Fix __xsch() condition code handling Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 306/371] s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request Greg Kroah-Hartman
` (78 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Haberland, Jaehoon Kim,
Jens Axboe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaehoon Kim <jhkim@linux.ibm.com>
commit 130e6de62107116eba124647116276266be0f84c upstream.
The block layer validates buffer alignment using the device's
dma_alignment value. If dma_alignment is smaller than
logical_block_size(bp_block) -1, misaligned buffer incorrectly pass
validation and propagate to the lower-level driver.
This patch adjusts dma_alignment to be at least logical_block_size -1,
ensuring that misalignment buffers are properly rejected at the block
layer and do not reach the DASD driver unnecessarily.
Fixes: 2a07bb64d801 ("s390/dasd: Remove DMA alignment")
Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
Cc: stable@vger.kernel.org #6.11+
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -334,6 +334,11 @@ static int dasd_state_basic_to_ready(str
lim.max_dev_sectors = device->discipline->max_sectors(block);
lim.max_hw_sectors = lim.max_dev_sectors;
lim.logical_block_size = block->bp_block;
+ /*
+ * Adjust dma_alignment to match block_size - 1
+ * to ensure proper buffer alignment checks in the block layer.
+ */
+ lim.dma_alignment = lim.logical_block_size - 1;
if (device->discipline->has_discard) {
unsigned int max_bytes;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 306/371] s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 305/371] s390/dasd: enforce dma_alignment to ensure proper buffer validation Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 307/371] s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR Greg Kroah-Hartman
` (77 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Haberland, Jaehoon Kim,
Jens Axboe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaehoon Kim <jhkim@linux.ibm.com>
commit 8f4ed0ce4857ceb444174503fc9058720d4faaa1 upstream.
Currently, if CCW request creation fails with -EINVAL, the DASD driver
returns BLK_STS_IOERR to the block layer.
This can happen, for example, when a user-space application such as QEMU
passes a misaligned buffer, but the original cause of the error is
masked as a generic I/O error.
This patch changes the behavior so that -EINVAL is returned as
BLK_STS_INVAL, allowing user space to properly detect alignment issues
instead of interpreting them as I/O errors.
Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
Cc: stable@vger.kernel.org #6.11+
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -3119,12 +3119,14 @@ static blk_status_t do_dasd_request(stru
PTR_ERR(cqr) == -ENOMEM ||
PTR_ERR(cqr) == -EAGAIN) {
rc = BLK_STS_RESOURCE;
- goto out;
+ } else if (PTR_ERR(cqr) == -EINVAL) {
+ rc = BLK_STS_INVAL;
+ } else {
+ DBF_DEV_EVENT(DBF_ERR, basedev,
+ "CCW creation failed (rc=%ld) on request %p",
+ PTR_ERR(cqr), req);
+ rc = BLK_STS_IOERR;
}
- DBF_DEV_EVENT(DBF_ERR, basedev,
- "CCW creation failed (rc=%ld) on request %p",
- PTR_ERR(cqr), req);
- rc = BLK_STS_IOERR;
goto out;
}
/*
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 307/371] s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 306/371] s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 308/371] slab: prevent warnings when slab obj_exts vector allocation fails Greg Kroah-Hartman
` (76 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerd Bayer, Heiko Carstens,
Alexander Gordeev
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit fa7a0a53eeb7e16402f82c3d5a9ef4bf5efe9357 upstream.
If the decompressor is compiled with clang this can lead to the following
warning:
In file included from arch/s390/boot/startup.c:4:
...
In file included from ./include/linux/pgtable.h:6:
./arch/s390/include/asm/pgtable.h:2065:48: warning: passing 'unsigned long *' to parameter of type
'long *' converts between pointers to integer types with different sign [-Wpointer-sign]
2065 | value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr);
Add -Wno-pointer-sign to the decompressor compile flags, like it is also
done for the kernel. This is similar to what was done for x86 to address
the same problem [1].
[1] commit dca5203e3fe2 ("x86/boot: Add -Wno-pointer-sign to KBUILD_CFLAGS")
Cc: stable@vger.kernel.org
Reported-by: Gerd Bayer <gbayer@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/arch/s390/Makefile
+++ b/arch/s390/Makefile
@@ -25,6 +25,7 @@ endif
KBUILD_CFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -O2 -mpacked-stack -std=gnu11
KBUILD_CFLAGS_DECOMPRESSOR += -DDISABLE_BRANCH_PROFILING -D__NO_FORTIFY
KBUILD_CFLAGS_DECOMPRESSOR += -D__DECOMPRESSOR
+KBUILD_CFLAGS_DECOMPRESSOR += -Wno-pointer-sign
KBUILD_CFLAGS_DECOMPRESSOR += -fno-delete-null-pointer-checks -msoft-float -mbackchain
KBUILD_CFLAGS_DECOMPRESSOR += -fno-asynchronous-unwind-tables
KBUILD_CFLAGS_DECOMPRESSOR += -ffreestanding
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 308/371] slab: prevent warnings when slab obj_exts vector allocation fails
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 307/371] s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 309/371] slab: mark slab->obj_exts allocation failures unconditionally Greg Kroah-Hartman
` (75 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shakeel Butt, Suren Baghdasaryan,
Vlastimil Babka
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suren Baghdasaryan <surenb@google.com>
commit 4038016397da5c1cebb10e7c85a36d06123724a8 upstream.
When object extension vector allocation fails, we set slab->obj_exts to
OBJEXTS_ALLOC_FAIL to indicate the failure. Later, once the vector is
successfully allocated, we will use this flag to mark codetag references
stored in that vector as empty to avoid codetag warnings.
slab_obj_exts() used to retrieve the slab->obj_exts vector pointer checks
slab->obj_exts for being either NULL or a pointer with MEMCG_DATA_OBJEXTS
bit set. However it does not handle the case when slab->obj_exts equals
OBJEXTS_ALLOC_FAIL. Add the missing condition to avoid extra warning.
Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations")
Reported-by: Shakeel Butt <shakeel.butt@linux.dev>
Closes: https://lore.kernel.org/all/jftidhymri2af5u3xtcqry3cfu6aqzte3uzlznhlaylgrdztsi@5vpjnzpsemf5/
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Cc: stable@vger.kernel.org # v6.10+
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slab.h | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/mm/slab.h
+++ b/mm/slab.h
@@ -526,8 +526,12 @@ static inline struct slabobj_ext *slab_o
unsigned long obj_exts = READ_ONCE(slab->obj_exts);
#ifdef CONFIG_MEMCG
- VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS),
- slab_page(slab));
+ /*
+ * obj_exts should be either NULL, a valid pointer with
+ * MEMCG_DATA_OBJEXTS bit set or be equal to OBJEXTS_ALLOC_FAIL.
+ */
+ VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS) &&
+ obj_exts != OBJEXTS_ALLOC_FAIL, slab_page(slab));
VM_BUG_ON_PAGE(obj_exts & MEMCG_DATA_KMEM, slab_page(slab));
#endif
return (struct slabobj_ext *)(obj_exts & ~OBJEXTS_FLAGS_MASK);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 309/371] slab: mark slab->obj_exts allocation failures unconditionally
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 308/371] slab: prevent warnings when slab obj_exts vector allocation fails Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 310/371] wifi: ath11k: HAL SRNG: dont deinitialize and re-initialize again Greg Kroah-Hartman
` (74 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shakeel Butt, Suren Baghdasaryan,
Vlastimil Babka
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suren Baghdasaryan <surenb@google.com>
commit f7381b9116407ba2a429977c80ff8df953ea9354 upstream.
alloc_slab_obj_exts() should mark failed obj_exts vector allocations
independent on whether the vector is being allocated for a new or an
existing slab. Current implementation skips doing this for existing
slabs. Fix this by marking failed allocations unconditionally.
Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations")
Reported-by: Shakeel Butt <shakeel.butt@linux.dev>
Closes: https://lore.kernel.org/all/avhakjldsgczmq356gkwmvfilyvf7o6temvcmtt5lqd4fhp5rk@47gp2ropyixg/
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Cc: stable@vger.kernel.org # v6.10+
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slub.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2034,8 +2034,7 @@ int alloc_slab_obj_exts(struct slab *sla
slab_nid(slab));
if (!vec) {
/* Mark vectors which failed to allocate */
- if (new_slab)
- mark_failed_objexts_alloc(slab);
+ mark_failed_objexts_alloc(slab);
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 310/371] wifi: ath11k: HAL SRNG: dont deinitialize and re-initialize again
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 309/371] slab: mark slab->obj_exts allocation failures unconditionally Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 311/371] wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs Greg Kroah-Hartman
` (73 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang, Muhammad Usama Anjum,
Jeff Johnson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
commit 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 upstream.
Don't deinitialize and reinitialize the HAL helpers. The dma memory is
deallocated and there is high possibility that we'll not be able to get
the same memory allocated from dma when there is high memory pressure.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org
Cc: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://patch.msgid.link/20250722053121.1145001-1-usama.anjum@collabora.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/core.c | 6 +-----
drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++
drivers/net/wireless/ath/ath11k/hal.h | 1 +
3 files changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -2215,14 +2215,10 @@ static int ath11k_core_reconfigure_on_cr
mutex_unlock(&ab->core_lock);
ath11k_dp_free(ab);
- ath11k_hal_srng_deinit(ab);
+ ath11k_hal_srng_clear(ab);
ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1;
- ret = ath11k_hal_srng_init(ab);
- if (ret)
- return ret;
-
clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags);
ret = ath11k_core_qmi_firmware_ready(ab);
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -1386,6 +1386,22 @@ void ath11k_hal_srng_deinit(struct ath11
}
EXPORT_SYMBOL(ath11k_hal_srng_deinit);
+void ath11k_hal_srng_clear(struct ath11k_base *ab)
+{
+ /* No need to memset rdp and wrp memory since each individual
+ * segment would get cleared in ath11k_hal_srng_src_hw_init()
+ * and ath11k_hal_srng_dst_hw_init().
+ */
+ memset(ab->hal.srng_list, 0,
+ sizeof(ab->hal.srng_list));
+ memset(ab->hal.shadow_reg_addr, 0,
+ sizeof(ab->hal.shadow_reg_addr));
+ ab->hal.avail_blk_resource = 0;
+ ab->hal.current_blk_index = 0;
+ ab->hal.num_shadow_reg_configured = 0;
+}
+EXPORT_SYMBOL(ath11k_hal_srng_clear);
+
void ath11k_hal_dump_srng_stats(struct ath11k_base *ab)
{
struct hal_srng *srng;
--- a/drivers/net/wireless/ath/ath11k/hal.h
+++ b/drivers/net/wireless/ath/ath11k/hal.h
@@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_
struct hal_srng_params *params);
int ath11k_hal_srng_init(struct ath11k_base *ath11k);
void ath11k_hal_srng_deinit(struct ath11k_base *ath11k);
+void ath11k_hal_srng_clear(struct ath11k_base *ab);
void ath11k_hal_dump_srng_stats(struct ath11k_base *ab);
void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab,
u32 **cfg, u32 *len);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 311/371] wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 310/371] wifi: ath11k: HAL SRNG: dont deinitialize and re-initialize again Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 312/371] wifi: rtw89: avoid possible TX wait initialization race Greg Kroah-Hartman
` (72 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Miri Korenblit
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit ff46e2e7034c78489fa7a6bc35f7c9dd8ab82905 upstream.
The debugfs_lookup() function increases the dentry reference count.
Add missing dput() call to release the reference when the "iwlmld"
directory already exists.
Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://patch.msgid.link/20250902040955.2362472-1-linmq006@gmail.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intel/iwlwifi/mld/debugfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c
index cc052b0aa53f..372204bf8452 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c
@@ -1001,8 +1001,12 @@ void iwl_mld_add_link_debugfs(struct ieee80211_hw *hw,
* If not, this is a per-link dir of a MLO vif, add in it the iwlmld
* dir.
*/
- if (!mld_link_dir)
+ if (!mld_link_dir) {
mld_link_dir = debugfs_create_dir("iwlmld", dir);
+ } else {
+ /* Release the reference from debugfs_lookup */
+ dput(mld_link_dir);
+ }
}
static ssize_t _iwl_dbgfs_fixed_rate_write(struct iwl_mld *mld, char *buf,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 312/371] wifi: rtw89: avoid possible TX wait initialization race
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 311/371] wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 313/371] wifi: mt76: mt7925u: Add VID/PID for Netgear A9000 Greg Kroah-Hartman
` (71 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ping-Ke Shih
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit c24248ed78f33ea299ea61d105355ba47157d49f upstream.
The value of skb_data->wait indicates whether skb is passed on to the
core mac80211 stack or released by the driver itself. Make sure that by
the time skb is added to txwd queue and becomes visible to the completing
side, it has already allocated and initialized TX wait related data (in
case it's needed).
This is found by code review and addresses a possible race scenario
described below:
Waiting thread Completing thread
rtw89_core_send_nullfunc()
rtw89_core_tx_write_link()
...
rtw89_pci_txwd_submit()
skb_data->wait = NULL
/* add skb to the queue */
skb_queue_tail(&txwd->queue, skb)
/* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */
rtw89_pci_napi_poll()
...
rtw89_pci_release_txwd_skb()
/* get skb from the queue */
skb_unlink(skb, &txwd->queue)
rtw89_pci_tx_status()
rtw89_core_tx_wait_complete()
/* use incorrect skb_data->wait */
rtw89_core_tx_kick_off_and_wait()
/* assign skb_data->wait but too late */
Found by Linux Verification Center (linuxtesting.org).
Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250919210852.823912-3-pchelkin@ispras.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw89/core.c | 39 ++++++++++++++++--------------
drivers/net/wireless/realtek/rtw89/core.h | 3 +-
drivers/net/wireless/realtek/rtw89/pci.c | 2 -
3 files changed, 24 insertions(+), 20 deletions(-)
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -1091,25 +1091,14 @@ void rtw89_core_tx_kick_off(struct rtw89
}
int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb,
- int qsel, unsigned int timeout)
+ struct rtw89_tx_wait_info *wait, int qsel,
+ unsigned int timeout)
{
- struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb);
- struct rtw89_tx_wait_info *wait;
unsigned long time_left;
int ret = 0;
lockdep_assert_wiphy(rtwdev->hw->wiphy);
- wait = kzalloc(sizeof(*wait), GFP_KERNEL);
- if (!wait) {
- rtw89_core_tx_kick_off(rtwdev, qsel);
- return 0;
- }
-
- init_completion(&wait->completion);
- wait->skb = skb;
- rcu_assign_pointer(skb_data->wait, wait);
-
rtw89_core_tx_kick_off(rtwdev, qsel);
time_left = wait_for_completion_timeout(&wait->completion,
msecs_to_jiffies(timeout));
@@ -1172,10 +1161,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwde
static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev,
struct rtw89_vif_link *rtwvif_link,
struct rtw89_sta_link *rtwsta_link,
- struct sk_buff *skb, int *qsel, bool sw_mld)
+ struct sk_buff *skb, int *qsel, bool sw_mld,
+ struct rtw89_tx_wait_info *wait)
{
struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link);
struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link);
+ struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb);
struct rtw89_vif *rtwvif = rtwvif_link->rtwvif;
struct rtw89_core_tx_request tx_req = {};
int ret;
@@ -1192,6 +1183,8 @@ static int rtw89_core_tx_write_link(stru
rtw89_core_tx_update_desc_info(rtwdev, &tx_req);
rtw89_core_tx_wake(rtwdev, &tx_req);
+ rcu_assign_pointer(skb_data->wait, wait);
+
ret = rtw89_hci_tx_write(rtwdev, &tx_req);
if (ret) {
rtw89_err(rtwdev, "failed to transmit skb to HCI\n");
@@ -1228,7 +1221,8 @@ int rtw89_core_tx_write(struct rtw89_dev
}
}
- return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false);
+ return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false,
+ NULL);
}
static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info)
@@ -3426,6 +3420,7 @@ int rtw89_core_send_nullfunc(struct rtw8
struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link);
int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1;
struct rtw89_sta_link *rtwsta_link;
+ struct rtw89_tx_wait_info *wait;
struct ieee80211_sta *sta;
struct ieee80211_hdr *hdr;
struct rtw89_sta *rtwsta;
@@ -3435,6 +3430,12 @@ int rtw89_core_send_nullfunc(struct rtw8
if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc)
return 0;
+ wait = kzalloc(sizeof(*wait), GFP_KERNEL);
+ if (!wait)
+ return -ENOMEM;
+
+ init_completion(&wait->completion);
+
rcu_read_lock();
sta = ieee80211_find_sta(vif, vif->cfg.ap_addr);
if (!sta) {
@@ -3449,6 +3450,8 @@ int rtw89_core_send_nullfunc(struct rtw8
goto out;
}
+ wait->skb = skb;
+
hdr = (struct ieee80211_hdr *)skb->data;
if (ps)
hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
@@ -3460,7 +3463,8 @@ int rtw89_core_send_nullfunc(struct rtw8
goto out;
}
- ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true);
+ ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true,
+ wait);
if (ret) {
rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret);
dev_kfree_skb_any(skb);
@@ -3469,10 +3473,11 @@ int rtw89_core_send_nullfunc(struct rtw8
rcu_read_unlock();
- return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel,
+ return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, wait, qsel,
timeout);
out:
rcu_read_unlock();
+ kfree(wait);
return ret;
}
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -7389,7 +7389,8 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwde
struct sk_buff *skb, bool fwdl);
void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel);
int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb,
- int qsel, unsigned int timeout);
+ struct rtw89_tx_wait_info *wait, int qsel,
+ unsigned int timeout);
void rtw89_core_fill_txdesc(struct rtw89_dev *rtwdev,
struct rtw89_tx_desc_info *desc_info,
void *txdesc);
--- a/drivers/net/wireless/realtek/rtw89/pci.c
+++ b/drivers/net/wireless/realtek/rtw89/pci.c
@@ -1372,7 +1372,6 @@ static int rtw89_pci_txwd_submit(struct
struct pci_dev *pdev = rtwpci->pdev;
struct sk_buff *skb = tx_req->skb;
struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb);
- struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb);
bool en_wd_info = desc_info->en_wd_info;
u32 txwd_len;
u32 txwp_len;
@@ -1388,7 +1387,6 @@ static int rtw89_pci_txwd_submit(struct
}
tx_data->dma = dma;
- rcu_assign_pointer(skb_data->wait, NULL);
txwp_len = sizeof(*txwp_info);
txwd_len = chip->txwd_body_size;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 313/371] wifi: mt76: mt7925u: Add VID/PID for Netgear A9000
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 312/371] wifi: rtw89: avoid possible TX wait initialization race Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 314/371] wifi: mt76: mt7921u: Add VID/PID for Netgear A7500 Greg Kroah-Hartman
` (70 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nick Morrow, Felix Fietkau
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nick Morrow <morrownr@gmail.com>
commit f6159b2051e157550d7609e19d04471609c6050b upstream.
Add VID/PID 0846/9072 for recently released Netgear A9000.
Signed-off-by: Nick Morrow <morrownr@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/7afd3c3c-e7cf-4bd9-801d-bdfc76def506@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/usb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/usb.c
@@ -12,6 +12,9 @@
static const struct usb_device_id mt7925u_device_table[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(0x0e8d, 0x7925, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)MT7925_FIRMWARE_WM },
+ /* Netgear, Inc. A9000 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9072, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7925_FIRMWARE_WM },
{ },
};
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 314/371] wifi: mt76: mt7921u: Add VID/PID for Netgear A7500
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 313/371] wifi: mt76: mt7925u: Add VID/PID for Netgear A9000 Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 315/371] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages Greg Kroah-Hartman
` (69 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Autumn Dececco, Nick Morrow,
Lorenzo Bianconi, Felix Fietkau
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nick Morrow <morrownr@gmail.com>
commit fc6627ca8a5f811b601aea74e934cf8a048c88ac upstream.
Add VID/PID 0846/9065 for Netgear A7500.
Reported-by: Autumn Dececco <autumndececco@gmail.com>
Tested-by: Autumn Dececco <autumndececco@gmail.com>
Signed-off-by: Nick Morrow <morrownr@gmail.com>
Cc: stable@vger.kernel.org
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/80bacfd6-6073-4ce5-be32-ae9580832337@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
@@ -21,6 +21,9 @@ static const struct usb_device_id mt7921
/* Netgear, Inc. [A8000,AXE3000] */
{ USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
+ /* Netgear, Inc. A7500 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9065, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
/* TP-Link TXE50UH */
{ USB_DEVICE_AND_INTERFACE_INFO(0x35bc, 0x0107, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 315/371] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 314/371] wifi: mt76: mt7921u: Add VID/PID for Netgear A7500 Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 316/371] mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage Greg Kroah-Hartman
` (68 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lance Yang, Qun-wei Lin,
David Hildenbrand, Zi Yan, Usama Arif, Catalin Marinas, Wei Yang,
Alistair Popple, andrew.yang, Baolin Wang, Barry Song,
Byungchul Park, Charlie Jenkins, Chinwen Chang, Dev Jain,
Domenico Cerasuolo, Gregory Price, Huang, Ying, Hugh Dickins,
Johannes Weiner, Joshua Hahn, Kairui Song, Kalesh Singh,
Liam Howlett, Lorenzo Stoakes, Mariano Pache, Mathew Brost,
Matthew Wilcox (Oracle), Mike Rapoport, Palmer Dabbelt, Rakie Kim,
Rik van Riel, Roman Gushchin, Ryan Roberts, Samuel Holland,
Shakeel Butt, Suren Baghdasaryan, Yu Zhao, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lance Yang <lance.yang@linux.dev>
commit 1ce6473d17e78e3cb9a40147658231731a551828 upstream.
When both THP and MTE are enabled, splitting a THP and replacing its
zero-filled subpages with the shared zeropage can cause MTE tag mismatch
faults in userspace.
Remapping zero-filled subpages to the shared zeropage is unsafe, as the
zeropage has a fixed tag of zero, which may not match the tag expected by
the userspace pointer.
KSM already avoids this problem by using memcmp_pages(), which on arm64
intentionally reports MTE-tagged pages as non-identical to prevent unsafe
merging.
As suggested by David[1], this patch adopts the same pattern, replacing the
memchr_inv() byte-level check with a call to pages_identical(). This
leverages existing architecture-specific logic to determine if a page is
truly identical to the shared zeropage.
Having both the THP shrinker and KSM rely on pages_identical() makes the
design more future-proof, IMO. Instead of handling quirks in generic code,
we just let the architecture decide what makes two pages identical.
[1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com
Link: https://lkml.kernel.org/r/20250922021458.68123-1-lance.yang@linux.dev
Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp")
Signed-off-by: Lance Yang <lance.yang@linux.dev>
Reported-by: Qun-wei Lin <Qun-wei.Lin@mediatek.com>
Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@mediatek.com
Suggested-by: David Hildenbrand <david@redhat.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Usama Arif <usamaarif642@gmail.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: andrew.yang <andrew.yang@mediatek.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Charlie Jenkins <charlie@rivosinc.com>
Cc: Chinwen Chang <chinwen.chang@mediatek.com>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
Cc: Gregory Price <gourry@gourry.net>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: Kalesh Singh <kaleshsingh@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Mariano Pache <npache@redhat.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Palmer Dabbelt <palmer@rivosinc.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Samuel Holland <samuel.holland@sifive.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Yu Zhao <yuzhao@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 15 +++------------
mm/migrate.c | 8 +-------
2 files changed, 4 insertions(+), 19 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -4115,32 +4115,23 @@ static unsigned long deferred_split_coun
static bool thp_underused(struct folio *folio)
{
int num_zero_pages = 0, num_filled_pages = 0;
- void *kaddr;
int i;
if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1)
return false;
for (i = 0; i < folio_nr_pages(folio); i++) {
- kaddr = kmap_local_folio(folio, i * PAGE_SIZE);
- if (!memchr_inv(kaddr, 0, PAGE_SIZE)) {
- num_zero_pages++;
- if (num_zero_pages > khugepaged_max_ptes_none) {
- kunmap_local(kaddr);
+ if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) {
+ if (++num_zero_pages > khugepaged_max_ptes_none)
return true;
- }
} else {
/*
* Another path for early exit once the number
* of non-zero filled pages exceeds threshold.
*/
- num_filled_pages++;
- if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) {
- kunmap_local(kaddr);
+ if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none)
return false;
- }
}
- kunmap_local(kaddr);
}
return false;
}
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -301,9 +301,7 @@ static bool try_to_map_unused_to_zeropag
unsigned long idx)
{
struct page *page = folio_page(folio, idx);
- bool contains_data;
pte_t newpte;
- void *addr;
if (PageCompound(page))
return false;
@@ -320,11 +318,7 @@ static bool try_to_map_unused_to_zeropag
* this subpage has been non present. If the subpage is only zero-filled
* then map it to the shared zeropage.
*/
- addr = kmap_local_page(page);
- contains_data = memchr_inv(addr, 0, PAGE_SIZE);
- kunmap_local(addr);
-
- if (contains_data)
+ if (!pages_identical(page, ZERO_PAGE(0)))
return false;
newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address),
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 316/371] mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 315/371] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 317/371] mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations Greg Kroah-Hartman
` (67 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lance Yang, David Hildenbrand,
Dev Jain, Zi Yan, Liam R. Howlett, Harry Yoo, Alistair Popple,
Baolin Wang, Barry Song, Byungchul Park, Gregory Price,
Huang, Ying, Jann Horn, Joshua Hahn, Lorenzo Stoakes,
Mariano Pache, Mathew Brost, Peter Xu, Rakie Kim, Rik van Riel,
Ryan Roberts, Usama Arif, Vlastimil Babka, Yu Zhao, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lance Yang <lance.yang@linux.dev>
commit 9658d698a8a83540bf6a6c80d13c9a61590ee985 upstream.
When splitting an mTHP and replacing a zero-filled subpage with the shared
zeropage, try_to_map_unused_to_zeropage() currently drops several
important PTE bits.
For userspace tools like CRIU, which rely on the soft-dirty mechanism for
incremental snapshots, losing the soft-dirty bit means modified pages are
missed, leading to inconsistent memory state after restore.
As pointed out by David, the more critical uffd-wp bit is also dropped.
This breaks the userfaultfd write-protection mechanism, causing writes to
be silently missed by monitoring applications, which can lead to data
corruption.
Preserve both the soft-dirty and uffd-wp bits from the old PTE when
creating the new zeropage mapping to ensure they are correctly tracked.
Link: https://lkml.kernel.org/r/20250930081040.80926-1-lance.yang@linux.dev
Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp")
Signed-off-by: Lance Yang <lance.yang@linux.dev>
Suggested-by: David Hildenbrand <david@redhat.com>
Suggested-by: Dev Jain <dev.jain@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Gregory Price <gourry@gourry.net>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jann Horn <jannh@google.com>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Mariano Pache <npache@redhat.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Usama Arif <usamaarif642@gmail.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yu Zhao <yuzhao@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/migrate.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -297,8 +297,7 @@ bool isolate_folio_to_list(struct folio
}
static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw,
- struct folio *folio,
- unsigned long idx)
+ struct folio *folio, pte_t old_pte, unsigned long idx)
{
struct page *page = folio_page(folio, idx);
pte_t newpte;
@@ -307,7 +306,7 @@ static bool try_to_map_unused_to_zeropag
return false;
VM_BUG_ON_PAGE(!PageAnon(page), page);
VM_BUG_ON_PAGE(!PageLocked(page), page);
- VM_BUG_ON_PAGE(pte_present(ptep_get(pvmw->pte)), page);
+ VM_BUG_ON_PAGE(pte_present(old_pte), page);
if (folio_test_mlocked(folio) || (pvmw->vma->vm_flags & VM_LOCKED) ||
mm_forbids_zeropage(pvmw->vma->vm_mm))
@@ -323,6 +322,12 @@ static bool try_to_map_unused_to_zeropag
newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address),
pvmw->vma->vm_page_prot));
+
+ if (pte_swp_soft_dirty(old_pte))
+ newpte = pte_mksoft_dirty(newpte);
+ if (pte_swp_uffd_wp(old_pte))
+ newpte = pte_mkuffd_wp(newpte);
+
set_pte_at(pvmw->vma->vm_mm, pvmw->address, pvmw->pte, newpte);
dec_mm_counter(pvmw->vma->vm_mm, mm_counter(folio));
@@ -365,13 +370,13 @@ static bool remove_migration_pte(struct
continue;
}
#endif
+ old_pte = ptep_get(pvmw.pte);
if (rmap_walk_arg->map_unused_to_zeropage &&
- try_to_map_unused_to_zeropage(&pvmw, folio, idx))
+ try_to_map_unused_to_zeropage(&pvmw, folio, old_pte, idx))
continue;
folio_get(folio);
pte = mk_pte(new, READ_ONCE(vma->vm_page_prot));
- old_pte = ptep_get(pvmw.pte);
entry = pte_to_swp_entry(old_pte);
if (!is_migration_entry_young(entry))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 317/371] mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 316/371] mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 318/371] mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0 Greg Kroah-Hartman
` (66 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Helen Koike, Vlastimil Babka, Sergey Senozhatsky, Michal Hocko,
Mel Gorman, Matthew Wilcox, NeilBrown, Thierry Reding,
Brendan Jackman, Johannes Weiner, Suren Baghdasaryan, Zi Yan,
Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 6a204d4b14c99232e05d35305c27ebce1c009840 upstream.
Commit 524c48072e56 ("mm/page_alloc: rename ALLOC_HIGH to
ALLOC_MIN_RESERVE") is the start of a series that explains how __GFP_HIGH,
which implies ALLOC_MIN_RESERVE, is going to be used instead of
__GFP_ATOMIC for high atomic reserves.
Commit eb2e2b425c69 ("mm/page_alloc: explicitly record high-order atomic
allocations in alloc_flags") introduced ALLOC_HIGHATOMIC for such
allocations of order higher than 0. It still used __GFP_ATOMIC, though.
Then, commit 1ebbb21811b7 ("mm/page_alloc: explicitly define how
__GFP_HIGH non-blocking allocations accesses reserves") just turned that
check for !__GFP_DIRECT_RECLAIM, ignoring that high atomic reserves were
expected to test for __GFP_HIGH.
This leads to high atomic reserves being added for high-order GFP_NOWAIT
allocations and others that clear __GFP_DIRECT_RECLAIM, which is
unexpected. Later, those reserves lead to 0-order allocations going to
the slow path and starting reclaim.
>From /proc/pagetypeinfo, without the patch:
Node 0, zone DMA, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
Node 0, zone DMA32, type HighAtomic 1 8 10 9 7 3 0 0 0 0 0
Node 0, zone Normal, type HighAtomic 64 20 12 5 0 0 0 0 0 0 0
With the patch:
Node 0, zone DMA, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
Node 0, zone DMA32, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
Node 0, zone Normal, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
Link: https://lkml.kernel.org/r/20250814172245.1259625-1-cascardo@igalia.com
Fixes: 1ebbb21811b7 ("mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Tested-by: Helen Koike <koike@igalia.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: NeilBrown <neilb@suse.de>
Cc: Thierry Reding <thierry.reding@gmail.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -4408,7 +4408,7 @@ gfp_to_alloc_flags(gfp_t gfp_mask, unsig
if (!(gfp_mask & __GFP_NOMEMALLOC)) {
alloc_flags |= ALLOC_NON_BLOCK;
- if (order > 0)
+ if (order > 0 && (alloc_flags & ALLOC_MIN_RESERVE))
alloc_flags |= ALLOC_HIGHATOMIC;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 318/371] mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 317/371] mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 319/371] mm/damon/vaddr: do not repeat pte_offset_map_lock() until success Greg Kroah-Hartman
` (65 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li RongQing, Dev Jain, Jane Chu,
David Hildenbrand, Muchun Song, Oscar Salvador, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li RongQing <lirongqing@baidu.com>
commit b322e88b3d553e85b4e15779491c70022783faa4 upstream.
Optimize hugetlb_pages_alloc_boot() to return immediately when
max_huge_pages is 0, avoiding unnecessary CPU cycles and the below log
message when hugepages aren't configured in the kernel command line.
[ 3.702280] HugeTLB: allocation took 0ms with hugepage_allocation_threads=32
Link: https://lkml.kernel.org/r/20250814102333.4428-1-lirongqing@baidu.com
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Tested-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: Jane Chu <jane.chu@oracle.com>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3654,6 +3654,9 @@ static void __init hugetlb_hstate_alloc_
return;
}
+ if (!h->max_huge_pages)
+ return;
+
/* do node specific alloc */
if (hugetlb_hstate_alloc_pages_specific_nodes(h))
return;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 319/371] mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 318/371] mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0 Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 320/371] mm/damon/lru_sort: use param_ctx for damon_attrs staging Greg Kroah-Hartman
` (64 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Xinyu Zheng,
Hugh Dickins, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit b93af2cc8e036754c0d9970d9ddc47f43cc94b9f upstream.
DAMON's virtual address space operation set implementation (vaddr) calls
pte_offset_map_lock() inside the page table walk callback function. This
is for reading and writing page table accessed bits. If
pte_offset_map_lock() fails, it retries by returning the page table walk
callback function with ACTION_AGAIN.
pte_offset_map_lock() can continuously fail if the target is a pmd
migration entry, though. Hence it could cause an infinite page table walk
if the migration cannot be done until the page table walk is finished.
This indeed caused a soft lockup when CPU hotplugging and DAMON were
running in parallel.
Avoid the infinite loop by simply not retrying the page table walk. DAMON
is promising only a best-effort accuracy, so missing access to such pages
is no problem.
Link: https://lkml.kernel.org/r/20250930004410.55228-1-sj@kernel.org
Fixes: 7780d04046a2 ("mm/pagewalkers: ACTION_AGAIN if pte_offset_map_lock() fails")
Signed-off-by: SeongJae Park <sj@kernel.org>
Reported-by: Xinyu Zheng <zhengxinyu6@huawei.com>
Closes: https://lore.kernel.org/20250918030029.2652607-1-zhengxinyu6@huawei.com
Acked-by: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org> [6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/mm/damon/vaddr.c
+++ b/mm/damon/vaddr.c
@@ -328,10 +328,8 @@ static int damon_mkold_pmd_entry(pmd_t *
}
pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
- if (!pte) {
- walk->action = ACTION_AGAIN;
+ if (!pte)
return 0;
- }
if (!pte_present(ptep_get(pte)))
goto out;
damon_ptep_mkold(pte, walk->vma, addr);
@@ -481,10 +479,8 @@ regular_page:
#endif /* CONFIG_TRANSPARENT_HUGEPAGE */
pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
- if (!pte) {
- walk->action = ACTION_AGAIN;
+ if (!pte)
return 0;
- }
ptent = ptep_get(pte);
if (!pte_present(ptent))
goto out;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 320/371] mm/damon/lru_sort: use param_ctx for damon_attrs staging
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 319/371] mm/damon/vaddr: do not repeat pte_offset_map_lock() until success Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 321/371] nfsd: decouple the xprtsec policy check from check_nfsd_access() Greg Kroah-Hartman
` (63 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Joshua Hahn,
Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit e18190b7e97e9db6546390e6e0ceddae606892b2 upstream.
damon_lru_sort_apply_parameters() allocates a new DAMON context, stages
user-specified DAMON parameters on it, and commits to running DAMON
context at once, using damon_commit_ctx(). The code is, however, directly
updating the monitoring attributes of the running context. And the
attributes are over-written by later damon_commit_ctx() call. This means
that the monitoring attributes parameters are not really working. Fix the
wrong use of the parameter context.
Link: https://lkml.kernel.org/r/20250916031549.115326-1-sj@kernel.org
Fixes: a30969436428 ("mm/damon/lru_sort: use damon_commit_ctx()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: <stable@vger.kernel.org> [6.11+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/lru_sort.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/damon/lru_sort.c
+++ b/mm/damon/lru_sort.c
@@ -203,7 +203,7 @@ static int damon_lru_sort_apply_paramete
goto out;
}
- err = damon_set_attrs(ctx, &damon_lru_sort_mon_attrs);
+ err = damon_set_attrs(param_ctx, &damon_lru_sort_mon_attrs);
if (err)
goto out;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 321/371] nfsd: decouple the xprtsec policy check from check_nfsd_access()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 320/371] mm/damon/lru_sort: use param_ctx for damon_attrs staging Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 322/371] NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() Greg Kroah-Hartman
` (62 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Scott Mayhew, Chuck Lever
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
commit e4f574ca9c6dfa66695bb054ff5df43ecea873ec upstream.
A while back I had reported that an NFSv3 client could successfully
mount using '-o xprtsec=none' an export that had been exported with
'xprtsec=tls:mtls'. By "successfully" I mean that the mount command
would succeed and the mount would show up in /proc/mount. Attempting
to do anything futher with the mount would be met with NFS3ERR_ACCES.
This was fixed (albeit accidentally) by commit bb4f07f2409c ("nfsd:
Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT") and was
subsequently re-broken by commit 0813c5f01249 ("nfsd: fix access
checking for NLM under XPRTSEC policies").
Transport Layer Security isn't an RPC security flavor or pseudo-flavor,
so we shouldn't be conflating them when determining whether the access
checks can be bypassed. Split check_nfsd_access() into two helpers, and
have __fh_verify() call the helpers directly since __fh_verify() has
logic that allows one or both of the checks to be skipped. All other
sites will continue to call check_nfsd_access().
Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/
Fixes: 9280c5774314 ("NFSD: Handle new xprtsec= export option")
Cc: stable@vger.kernel.org
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/export.c | 82 ++++++++++++++++++++++++++++++++++++++-----------------
fs/nfsd/export.h | 3 ++
fs/nfsd/nfsfh.c | 24 +++++++++++++++-
3 files changed, 83 insertions(+), 26 deletions(-)
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1082,50 +1082,62 @@ static struct svc_export *exp_find(struc
}
/**
- * check_nfsd_access - check if access to export is allowed.
+ * check_xprtsec_policy - check if access to export is allowed by the
+ * xprtsec policy
* @exp: svc_export that is being accessed.
- * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO).
- * @may_bypass_gss: reduce strictness of authorization check
+ * @rqstp: svc_rqst attempting to access @exp.
+ *
+ * Helper function for check_nfsd_access(). Note that callers should be
+ * using check_nfsd_access() instead of calling this function directly. The
+ * one exception is __fh_verify() since it has logic that may result in one
+ * or both of the helpers being skipped.
*
* Return values:
* %nfs_ok if access is granted, or
* %nfserr_wrongsec if access is denied
*/
-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
- bool may_bypass_gss)
+__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp)
{
- struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
- struct svc_xprt *xprt;
-
- /*
- * If rqstp is NULL, this is a LOCALIO request which will only
- * ever use a filehandle/credential pair for which access has
- * been affirmed (by ACCESS or OPEN NFS requests) over the
- * wire. So there is no need for further checks here.
- */
- if (!rqstp)
- return nfs_ok;
-
- xprt = rqstp->rq_xprt;
+ struct svc_xprt *xprt = rqstp->rq_xprt;
if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) {
if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags))
- goto ok;
+ return nfs_ok;
}
if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) {
if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
!test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
- goto ok;
+ return nfs_ok;
}
if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) {
if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
- goto ok;
+ return nfs_ok;
}
- if (!may_bypass_gss)
- goto denied;
+ return nfserr_wrongsec;
+}
+
+/**
+ * check_security_flavor - check if access to export is allowed by the
+ * security flavor
+ * @exp: svc_export that is being accessed.
+ * @rqstp: svc_rqst attempting to access @exp.
+ * @may_bypass_gss: reduce strictness of authorization check
+ *
+ * Helper function for check_nfsd_access(). Note that callers should be
+ * using check_nfsd_access() instead of calling this function directly. The
+ * one exception is __fh_verify() since it has logic that may result in one
+ * or both of the helpers being skipped.
+ *
+ * Return values:
+ * %nfs_ok if access is granted, or
+ * %nfserr_wrongsec if access is denied
+ */
+__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp,
+ bool may_bypass_gss)
+{
+ struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
-ok:
/* legacy gss-only clients are always OK: */
if (exp->ex_client == rqstp->rq_gssclient)
return nfs_ok;
@@ -1167,10 +1179,30 @@ ok:
}
}
-denied:
return nfserr_wrongsec;
}
+/**
+ * check_nfsd_access - check if access to export is allowed.
+ * @exp: svc_export that is being accessed.
+ * @rqstp: svc_rqst attempting to access @exp.
+ * @may_bypass_gss: reduce strictness of authorization check
+ *
+ * Return values:
+ * %nfs_ok if access is granted, or
+ * %nfserr_wrongsec if access is denied
+ */
+__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
+ bool may_bypass_gss)
+{
+ __be32 status;
+
+ status = check_xprtsec_policy(exp, rqstp);
+ if (status != nfs_ok)
+ return status;
+ return check_security_flavor(exp, rqstp, may_bypass_gss);
+}
+
/*
* Uses rq_client and rq_gssclient to find an export; uses rq_client (an
* auth_unix client) if it's available and has secinfo information;
--- a/fs/nfsd/export.h
+++ b/fs/nfsd/export.h
@@ -101,6 +101,9 @@ struct svc_expkey {
struct svc_cred;
int nfsexp_flags(struct svc_cred *cred, struct svc_export *exp);
+__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp);
+__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp,
+ bool may_bypass_gss);
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
bool may_bypass_gss);
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -364,10 +364,30 @@ __fh_verify(struct svc_rqst *rqstp,
if (error)
goto out;
+ /*
+ * If rqstp is NULL, this is a LOCALIO request which will only
+ * ever use a filehandle/credential pair for which access has
+ * been affirmed (by ACCESS or OPEN NFS requests) over the
+ * wire. Skip both the xprtsec policy and the security flavor
+ * checks.
+ */
+ if (!rqstp)
+ goto check_permissions;
+
if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM))
/* NLM is allowed to fully bypass authentication */
goto out;
+ /*
+ * NLM is allowed to bypass the xprtsec policy check because lockd
+ * doesn't support xprtsec.
+ */
+ if (!(access & NFSD_MAY_NLM)) {
+ error = check_xprtsec_policy(exp, rqstp);
+ if (error)
+ goto out;
+ }
+
if (access & NFSD_MAY_BYPASS_GSS)
may_bypass_gss = true;
/*
@@ -379,13 +399,15 @@ __fh_verify(struct svc_rqst *rqstp,
&& exp->ex_path.dentry == dentry)
may_bypass_gss = true;
- error = check_nfsd_access(exp, rqstp, may_bypass_gss);
+ error = check_security_flavor(exp, rqstp, may_bypass_gss);
if (error)
goto out;
+
/* During LOCALIO call to fh_verify will be called with a NULL rqstp */
if (rqstp)
svc_xprt_set_valid(rqstp->rq_xprt);
+check_permissions:
/* Finally, check access permissions. */
error = nfsd_permission(cred, exp, dentry, access);
out:
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 322/371] NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 321/371] nfsd: decouple the xprtsec policy check from check_nfsd_access() Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 323/371] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry Greg Kroah-Hartman
` (61 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Chuck Lever
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit ab1c282c010c4f327bd7addc3c0035fd8e3c1721 upstream.
Commit 5304877936c0 ("NFSD: Fix strncpy() fortify warning") replaced
strncpy(,, sizeof(..)) with strlcpy(,, sizeof(..) - 1), but strlcpy()
already guaranteed NUL-termination of the destination buffer and
subtracting one byte potentially truncated the source string.
The incorrect size was then carried over in commit 72f78ae00a8e ("NFSD:
move from strlcpy with unused retval to strscpy") when switching from
strlcpy() to strscpy().
Fix this off-by-one error by using the full size of the destination
buffer again.
Cc: stable@vger.kernel.org
Fixes: 5304877936c0 ("NFSD: Fix strncpy() fortify warning")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1498,7 +1498,7 @@ try_again:
return 0;
}
if (work) {
- strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1);
+ strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr));
refcount_set(&work->nsui_refcnt, 2);
work->nsui_busy = true;
list_add_tail(&work->nsui_list, &nn->nfsd_ssc_mount_list);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 323/371] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 322/371] NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 324/371] media: iris: Call correct power off callback in cleanup path Greg Kroah-Hartman
` (60 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Chuck Lever
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <okorniev@redhat.com>
commit a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 upstream.
When v3 NLM request finds a conflicting delegation, it triggers
a delegation recall and nfsd_open fails with EAGAIN. nfsd_open
then translates EAGAIN into nfserr_jukebox. In nlm_fopen, instead
of returning nlm_failed for when there is a conflicting delegation,
drop this NLM request so that the client retries. Once delegation
is recalled and if a local lock is claimed, a retry would lead to
nfsd returning a nlm_lck_blocked error or a successful nlm lock.
Fixes: d343fce148a4 ("[PATCH] knfsd: Allow lockd to drop replies as appropriate")
Cc: stable@vger.kernel.org # v6.6
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/lockd.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/fs/nfsd/lockd.c
+++ b/fs/nfsd/lockd.c
@@ -57,6 +57,21 @@ nlm_fopen(struct svc_rqst *rqstp, struct
switch (nfserr) {
case nfs_ok:
return 0;
+ case nfserr_jukebox:
+ /* this error can indicate a presence of a conflicting
+ * delegation to an NLM lock request. Options are:
+ * (1) For now, drop this request and make the client
+ * retry. When delegation is returned, client's lock retry
+ * will complete.
+ * (2) NLM4_DENIED as per "spec" signals to the client
+ * that the lock is unavailable now but client can retry.
+ * Linux client implementation does not. It treats
+ * NLM4_DENIED same as NLM4_FAILED and errors the request.
+ * (3) For the future, treat this as blocked lock and try
+ * to callback when the delegation is returned but might
+ * not have a proper lock request to block on.
+ */
+ fallthrough;
case nfserr_dropit:
return nlm_drop_reply;
case nfserr_stale:
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 324/371] media: iris: Call correct power off callback in cleanup path
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 323/371] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry Greg Kroah-Hartman
@ 2025-10-17 14:54 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 325/371] media: iris: Fix firmware reference leak and unmap memory after load Greg Kroah-Hartman
` (59 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Vikash Garodia,
Bryan ODonoghue, Bryan ODonoghue, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2fbb823a0744665fe6015bd03d435bd334ccecf7 upstream.
Driver implements different callbacks for the power off controller
(.power_off_controller):
- iris_vpu_power_off_controller,
- iris_vpu33_power_off_controller,
The generic wrapper for handling power off - iris_vpu_power_off() -
calls them via 'iris_platform_data->vpu_ops', so shall the cleanup code
in iris_vpu_power_on().
This makes also sense if looking at caller of iris_vpu_power_on(), which
unwinds also with the wrapper calling respective platfortm code (unwinds
with iris_vpu_power_off()).
Otherwise power off sequence on the newer VPU3.3 in error path is not
complete.
Fixes: c69df5de4ac3 ("media: platform: qcom/iris: add power_off_controller to vpu_ops")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_vpu_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/iris/iris_vpu_common.c b/drivers/media/platform/qcom/iris/iris_vpu_common.c
index 268e45acaa7c..42a7c53ce48e 100644
--- a/drivers/media/platform/qcom/iris/iris_vpu_common.c
+++ b/drivers/media/platform/qcom/iris/iris_vpu_common.c
@@ -359,7 +359,7 @@ int iris_vpu_power_on(struct iris_core *core)
return 0;
err_power_off_ctrl:
- iris_vpu_power_off_controller(core);
+ core->iris_platform_data->vpu_ops->power_off_controller(core);
err_unvote_icc:
iris_unset_icc_bw(core);
err:
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 325/371] media: iris: Fix firmware reference leak and unmap memory after load
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2025-10-17 14:54 ` [PATCH 6.17 324/371] media: iris: Call correct power off callback in cleanup path Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 326/371] media: iris: fix module removal if firmware download failed Greg Kroah-Hartman
` (58 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit 57429b0fddfe3cea21a56326576451a4a4c2019b upstream.
When we succeed loading the firmware, we don't want to hold on to the
firmware pointer anymore, since it won't be freed anywhere else. The same
applies for the mapped memory. Unmapping the memory is particularly
important since the memory will be protected after the Iris firmware is
started, so we need to make sure there will be no accidental access to this
region (even if just a speculative one from the CPU).
Almost the same firmware loading code also exists in venus/firmware.c,
there it is implemented correctly.
Fix this by dropping the early "return ret" and move the call of
qcom_scm_pas_auth_and_reset() out of iris_load_fw_to_memory(). We should
unmap the memory before bringing the firmware out of reset.
Cc: stable@vger.kernel.org
Fixes: d19b163356b8 ("media: iris: implement video firmware load/unload")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_firmware.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c
index f1b5cd56db32..9ab499fad946 100644
--- a/drivers/media/platform/qcom/iris/iris_firmware.c
+++ b/drivers/media/platform/qcom/iris/iris_firmware.c
@@ -60,16 +60,7 @@ static int iris_load_fw_to_memory(struct iris_core *core, const char *fw_name)
ret = qcom_mdt_load(dev, firmware, fw_name,
pas_id, mem_virt, mem_phys, res_size, NULL);
- if (ret)
- goto err_mem_unmap;
- ret = qcom_scm_pas_auth_and_reset(pas_id);
- if (ret)
- goto err_mem_unmap;
-
- return ret;
-
-err_mem_unmap:
memunmap(mem_virt);
err_release_fw:
release_firmware(firmware);
@@ -94,6 +85,12 @@ int iris_fw_load(struct iris_core *core)
return -ENOMEM;
}
+ ret = qcom_scm_pas_auth_and_reset(core->iris_platform_data->pas_id);
+ if (ret) {
+ dev_err(core->dev, "auth and reset failed: %d\n", ret);
+ return ret;
+ }
+
ret = qcom_scm_mem_protect_video_var(cp_config->cp_start,
cp_config->cp_size,
cp_config->cp_nonpixel_start,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 326/371] media: iris: fix module removal if firmware download failed
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 325/371] media: iris: Fix firmware reference leak and unmap memory after load Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 327/371] media: iris: vpu3x: Add MNoC low power handshake during hardware power-off Greg Kroah-Hartman
` (57 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dikshita Agarwal, Bryan ODonoghue,
Neil Armstrong, Bryan ODonoghue, Hans Verkuil
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
commit fde38008fc4f43db8c17869491870df24b501543 upstream.
Fix remove if firmware failed to load:
qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2
qcom-iris aa00000.video-codec: firmware download failed
qcom-iris aa00000.video-codec: core init failed
then:
$ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind
Triggers:
genpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow!
------------[ cut here ]------------
video_cc_mvs0_clk already disabled
WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542
<snip>
pc : clk_core_disable+0xa4/0xac
lr : clk_core_disable+0xa4/0xac
<snip>
Call trace:
clk_core_disable+0xa4/0xac (P)
clk_disable+0x30/0x4c
iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]
iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]
iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]
iris_vpu_power_off+0x34/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
video_cc_mvs0_clk already unprepared
WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542
<snip>
pc : clk_core_unprepare+0xf0/0x110
lr : clk_core_unprepare+0xf0/0x110
<snip>
Call trace:
clk_core_unprepare+0xf0/0x110 (P)
clk_unprepare+0x2c/0x44
iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]
iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]
iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]
iris_vpu_power_off+0x34/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
---[ end trace 0000000000000000 ]---
genpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow!
------------[ cut here ]------------
gcc_video_axi0_clk already disabled
WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542
<snip>
pc : clk_core_disable+0xa4/0xac
lr : clk_core_disable+0xa4/0xac
<snip>
Call trace:
clk_core_disable+0xa4/0xac (P)
clk_disable+0x30/0x4c
iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]
iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]
iris_vpu_power_off+0x48/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
------------[ cut here ]------------
gcc_video_axi0_clk already unprepared
WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542
<snip>
pc : clk_core_unprepare+0xf0/0x110
lr : clk_core_unprepare+0xf0/0x110
<snip>
Call trace:
clk_core_unprepare+0xf0/0x110 (P)
clk_unprepare+0x2c/0x44
iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]
iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]
iris_vpu_power_off+0x48/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
---[ end trace 0000000000000000 ]---
Skip deinit if initialization never succeeded.
Fixes: d7378f84e94e ("media: iris: introduce iris core state management with shared queues")
Fixes: d19b163356b8 ("media: iris: implement video firmware load/unload")
Fixes: bb8a95aa038e ("media: iris: implement power management")
Cc: stable@vger.kernel.org
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_core.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_core.c b/drivers/media/platform/qcom/iris/iris_core.c
index 0fa0a3b549a2..8406c48d635b 100644
--- a/drivers/media/platform/qcom/iris/iris_core.c
+++ b/drivers/media/platform/qcom/iris/iris_core.c
@@ -15,10 +15,12 @@ void iris_core_deinit(struct iris_core *core)
pm_runtime_resume_and_get(core->dev);
mutex_lock(&core->lock);
- iris_fw_unload(core);
- iris_vpu_power_off(core);
- iris_hfi_queues_deinit(core);
- core->state = IRIS_CORE_DEINIT;
+ if (core->state != IRIS_CORE_DEINIT) {
+ iris_fw_unload(core);
+ iris_vpu_power_off(core);
+ iris_hfi_queues_deinit(core);
+ core->state = IRIS_CORE_DEINIT;
+ }
mutex_unlock(&core->lock);
pm_runtime_put_sync(core->dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 327/371] media: iris: vpu3x: Add MNoC low power handshake during hardware power-off
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 326/371] media: iris: fix module removal if firmware download failed Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 328/371] media: iris: Fix port streaming handling Greg Kroah-Hartman
` (56 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Dikshita Agarwal,
Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 93fad55aa996eef17a837ed95b1d621ef05d967b upstream.
Add the missing write to AON_WRAPPER_MVP_NOC_LPI_CONTROL before
reading the LPI status register. Introduce a handshake loop to ensure
MNoC enters low power mode reliably during VPU3 hardware power-off with
timeout handling.
Fixes: 02083a1e00ae ("media: platform: qcom/iris: add support for vpu33")
Cc: stable@vger.kernel.org
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-QRD
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_vpu3x.c | 32 +++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_vpu3x.c b/drivers/media/platform/qcom/iris/iris_vpu3x.c
index 9b7c9a1495ee..bfc52eb04ed0 100644
--- a/drivers/media/platform/qcom/iris/iris_vpu3x.c
+++ b/drivers/media/platform/qcom/iris/iris_vpu3x.c
@@ -19,6 +19,9 @@
#define WRAPPER_IRIS_CPU_NOC_LPI_CONTROL (WRAPPER_BASE_OFFS + 0x5C)
#define REQ_POWER_DOWN_PREP BIT(0)
#define WRAPPER_IRIS_CPU_NOC_LPI_STATUS (WRAPPER_BASE_OFFS + 0x60)
+#define NOC_LPI_STATUS_DONE BIT(0) /* Indicates the NOC handshake is complete */
+#define NOC_LPI_STATUS_DENY BIT(1) /* Indicates the NOC handshake is denied */
+#define NOC_LPI_STATUS_ACTIVE BIT(2) /* Indicates the NOC is active */
#define WRAPPER_CORE_CLOCK_CONFIG (WRAPPER_BASE_OFFS + 0x88)
#define CORE_CLK_RUN 0x0
@@ -109,7 +112,9 @@ static void iris_vpu3_power_off_hardware(struct iris_core *core)
static void iris_vpu33_power_off_hardware(struct iris_core *core)
{
+ bool handshake_done = false, handshake_busy = false;
u32 reg_val = 0, value, i;
+ u32 count = 0;
int ret;
if (iris_vpu3x_hw_power_collapsed(core))
@@ -128,13 +133,36 @@ static void iris_vpu33_power_off_hardware(struct iris_core *core)
goto disable_power;
}
+ /* Retry up to 1000 times as recommended by hardware documentation */
+ do {
+ /* set MNoC to low power */
+ writel(REQ_POWER_DOWN_PREP, core->reg_base + AON_WRAPPER_MVP_NOC_LPI_CONTROL);
+
+ udelay(15);
+
+ value = readl(core->reg_base + AON_WRAPPER_MVP_NOC_LPI_STATUS);
+
+ handshake_done = value & NOC_LPI_STATUS_DONE;
+ handshake_busy = value & (NOC_LPI_STATUS_DENY | NOC_LPI_STATUS_ACTIVE);
+
+ if (handshake_done || !handshake_busy)
+ break;
+
+ writel(0, core->reg_base + AON_WRAPPER_MVP_NOC_LPI_CONTROL);
+
+ udelay(15);
+
+ } while (++count < 1000);
+
+ if (!handshake_done && handshake_busy)
+ dev_err(core->dev, "LPI handshake timeout\n");
+
ret = readl_poll_timeout(core->reg_base + AON_WRAPPER_MVP_NOC_LPI_STATUS,
reg_val, reg_val & BIT(0), 200, 2000);
if (ret)
goto disable_power;
- /* set MNoC to low power, set PD_NOC_QREQ (bit 0) */
- writel(BIT(0), core->reg_base + AON_WRAPPER_MVP_NOC_LPI_CONTROL);
+ writel(0, core->reg_base + AON_WRAPPER_MVP_NOC_LPI_CONTROL);
writel(CORE_BRIDGE_SW_RESET | CORE_BRIDGE_HW_RESET_DISABLE,
core->reg_base + CPU_CS_AHB_BRIDGE_SYNC_RESET);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 328/371] media: iris: Fix port streaming handling
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 327/371] media: iris: vpu3x: Add MNoC low power handshake during hardware power-off Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 329/371] media: iris: Fix buffer count reporting in internal buffer check Greg Kroah-Hartman
` (55 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 4b67ef9b333ed645879b4b1a11e35e019ff4cfea upstream.
The previous check to block capture port streaming before output port
was incorrect and caused some valid usecase to fail. While removing that
check allows capture port to enter streaming independently, it also
introduced firmware errors due to premature queuing of DPB buffers
before the firmware session was fully started which happens only when
streamon is called on output port.
Fix this by deferring DPB buffer queuing to the firmware until both
capture and output are streaming and state is 'STREAMING'.
Fixes: 11712ce70f8e ("media: iris: implement vb2 streaming ops")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
.../media/platform/qcom/iris/iris_buffer.c | 27 +++++++++++++++++++
.../media/platform/qcom/iris/iris_buffer.h | 1 +
drivers/media/platform/qcom/iris/iris_vb2.c | 8 +++---
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_buffer.c b/drivers/media/platform/qcom/iris/iris_buffer.c
index 9f664c241149..23cac5d13129 100644
--- a/drivers/media/platform/qcom/iris/iris_buffer.c
+++ b/drivers/media/platform/qcom/iris/iris_buffer.c
@@ -334,6 +334,29 @@ int iris_queue_buffer(struct iris_inst *inst, struct iris_buffer *buf)
return 0;
}
+int iris_queue_internal_deferred_buffers(struct iris_inst *inst, enum iris_buffer_type buffer_type)
+{
+ struct iris_buffer *buffer, *next;
+ struct iris_buffers *buffers;
+ int ret = 0;
+
+ buffers = &inst->buffers[buffer_type];
+ list_for_each_entry_safe(buffer, next, &buffers->list, list) {
+ if (buffer->attr & BUF_ATTR_PENDING_RELEASE)
+ continue;
+ if (buffer->attr & BUF_ATTR_QUEUED)
+ continue;
+
+ if (buffer->attr & BUF_ATTR_DEFERRED) {
+ ret = iris_queue_buffer(inst, buffer);
+ if (ret)
+ return ret;
+ }
+ }
+
+ return ret;
+}
+
int iris_queue_internal_buffers(struct iris_inst *inst, u32 plane)
{
const struct iris_platform_data *platform_data = inst->core->iris_platform_data;
@@ -358,6 +381,10 @@ int iris_queue_internal_buffers(struct iris_inst *inst, u32 plane)
continue;
if (buffer->attr & BUF_ATTR_QUEUED)
continue;
+ if (buffer->type == BUF_DPB && inst->state != IRIS_INST_STREAMING) {
+ buffer->attr |= BUF_ATTR_DEFERRED;
+ continue;
+ }
ret = iris_queue_buffer(inst, buffer);
if (ret)
return ret;
diff --git a/drivers/media/platform/qcom/iris/iris_buffer.h b/drivers/media/platform/qcom/iris/iris_buffer.h
index 00825ad2dc3a..b9b011faa13a 100644
--- a/drivers/media/platform/qcom/iris/iris_buffer.h
+++ b/drivers/media/platform/qcom/iris/iris_buffer.h
@@ -105,6 +105,7 @@ int iris_get_buffer_size(struct iris_inst *inst, enum iris_buffer_type buffer_ty
void iris_get_internal_buffers(struct iris_inst *inst, u32 plane);
int iris_create_internal_buffers(struct iris_inst *inst, u32 plane);
int iris_queue_internal_buffers(struct iris_inst *inst, u32 plane);
+int iris_queue_internal_deferred_buffers(struct iris_inst *inst, enum iris_buffer_type buffer_type);
int iris_destroy_internal_buffer(struct iris_inst *inst, struct iris_buffer *buffer);
int iris_destroy_all_internal_buffers(struct iris_inst *inst, u32 plane);
int iris_destroy_dequeued_internal_buffers(struct iris_inst *inst, u32 plane);
diff --git a/drivers/media/platform/qcom/iris/iris_vb2.c b/drivers/media/platform/qcom/iris/iris_vb2.c
index 8b17c7c39487..e62ed7a57df2 100644
--- a/drivers/media/platform/qcom/iris/iris_vb2.c
+++ b/drivers/media/platform/qcom/iris/iris_vb2.c
@@ -173,9 +173,6 @@ int iris_vb2_start_streaming(struct vb2_queue *q, unsigned int count)
inst = vb2_get_drv_priv(q);
- if (V4L2_TYPE_IS_CAPTURE(q->type) && inst->state == IRIS_INST_INIT)
- return 0;
-
mutex_lock(&inst->lock);
if (inst->state == IRIS_INST_ERROR) {
ret = -EBUSY;
@@ -203,7 +200,10 @@ int iris_vb2_start_streaming(struct vb2_queue *q, unsigned int count)
buf_type = iris_v4l2_type_to_driver(q->type);
- ret = iris_queue_deferred_buffers(inst, buf_type);
+ if (inst->state == IRIS_INST_STREAMING)
+ ret = iris_queue_internal_deferred_buffers(inst, BUF_DPB);
+ if (!ret)
+ ret = iris_queue_deferred_buffers(inst, buf_type);
if (ret)
goto error;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 329/371] media: iris: Fix buffer count reporting in internal buffer check
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 328/371] media: iris: Fix port streaming handling Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 330/371] media: iris: Allow substate transition to load resources during output streaming Greg Kroah-Hartman
` (54 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit cba6aed4223e83ae0f2ed1c0f68d974fd62847bc upstream.
Initialize the count variable to zero before counting unreleased
internal buffers in iris_check_num_queued_internal_buffers().
This prevents stale values from previous iterations and ensures accurate
error reporting for each buffer type. Without this initialization, the
count could accumulate across types, leading to incorrect log messages.
Fixes: d2abb1ff5a3c ("media: iris: Verify internal buffer release on close")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_vidc.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/qcom/iris/iris_vidc.c
+++ b/drivers/media/platform/qcom/iris/iris_vidc.c
@@ -240,6 +240,7 @@ static void iris_check_num_queued_intern
for (i = 0; i < internal_buffer_count; i++) {
buffers = &inst->buffers[internal_buf_type[i]];
+ count = 0;
list_for_each_entry_safe(buf, next, &buffers->list, list)
count++;
if (count)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 330/371] media: iris: Allow substate transition to load resources during output streaming
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 329/371] media: iris: Fix buffer count reporting in internal buffer check Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 331/371] media: iris: Always destroy internal buffers on firmware release response Greg Kroah-Hartman
` (53 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Dikshita Agarwal,
Bryan ODonoghue, Hans Verkuil, Neil Armstrong,
Bryan O'Donoghue
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 65f72c6a8d97c0cbdc785cb9a35dc358dee67959 upstream.
A client (e.g., GST for encoder) can initiate streaming on the capture
port before the output port, causing the instance state to transition to
OUTPUT_STREAMING. When streaming is subsequently started on the output
port, the instance state advances to STREAMING, and the substate should
transition to LOAD_RESOURCES.
Previously, the code blocked the substate transition to LOAD_RESOURCES
if the instance state was OUTPUT_STREAMING. This update modifies the
logic to permit the substate transition to LOAD_RESOURCES when the
instance state is OUTPUT_STREAMING, thereby supporting this client
streaming sequence.
Fixes: 547f7b8c5090 ("media: iris: add check to allow sub states transitions")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_state.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/iris/iris_state.c b/drivers/media/platform/qcom/iris/iris_state.c
index 104e1687ad39..a21238d2818f 100644
--- a/drivers/media/platform/qcom/iris/iris_state.c
+++ b/drivers/media/platform/qcom/iris/iris_state.c
@@ -122,7 +122,8 @@ static bool iris_inst_allow_sub_state(struct iris_inst *inst, enum iris_inst_sub
return false;
case IRIS_INST_OUTPUT_STREAMING:
if (sub_state & (IRIS_INST_SUB_DRC_LAST |
- IRIS_INST_SUB_DRAIN_LAST | IRIS_INST_SUB_OUTPUT_PAUSE))
+ IRIS_INST_SUB_DRAIN_LAST | IRIS_INST_SUB_OUTPUT_PAUSE |
+ IRIS_INST_SUB_LOAD_RESOURCES))
return true;
return false;
case IRIS_INST_STREAMING:
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 331/371] media: iris: Always destroy internal buffers on firmware release response
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 330/371] media: iris: Allow substate transition to load resources during output streaming Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 332/371] media: iris: Simplify session stop logic by relying on vb2 checks Greg Kroah-Hartman
` (52 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 9cae3619e465dd1cdaa5a5ffbbaf4f41338b0022 upstream.
Currently, internal buffers are destroyed only if 'PENDING_RELEASE' flag
is set when a release response is received from the firmware, which is
incorrect. Internal buffers should always be destroyed when the firmware
explicitly releases it, regardless of whether the 'PENDING_RELEASE' flag
was set by the driver. This is specially important during force-stop
scenarios, where the firmware may release buffers without driver marking
them for release.
Fix this by removing the incorrect check and ensuring all buffers are
properly cleaned up.
Fixes: 73702f45db81 ("media: iris: allocate, initialize and queue internal buffers")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_hfi_gen2_response.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_hfi_gen2_response.c b/drivers/media/platform/qcom/iris/iris_hfi_gen2_response.c
index a8c30fc5c0d0..dda775d463e9 100644
--- a/drivers/media/platform/qcom/iris/iris_hfi_gen2_response.c
+++ b/drivers/media/platform/qcom/iris/iris_hfi_gen2_response.c
@@ -424,7 +424,6 @@ static int iris_hfi_gen2_handle_release_internal_buffer(struct iris_inst *inst,
struct iris_buffers *buffers = &inst->buffers[buf_type];
struct iris_buffer *buf, *iter;
bool found = false;
- int ret = 0;
list_for_each_entry(iter, &buffers->list, list) {
if (iter->device_addr == buffer->base_address) {
@@ -437,10 +436,8 @@ static int iris_hfi_gen2_handle_release_internal_buffer(struct iris_inst *inst,
return -EINVAL;
buf->attr &= ~BUF_ATTR_QUEUED;
- if (buf->attr & BUF_ATTR_PENDING_RELEASE)
- ret = iris_destroy_internal_buffer(inst, buf);
- return ret;
+ return iris_destroy_internal_buffer(inst, buf);
}
static int iris_hfi_gen2_handle_session_stop(struct iris_inst *inst,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 332/371] media: iris: Simplify session stop logic by relying on vb2 checks
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 331/371] media: iris: Always destroy internal buffers on firmware release response Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 333/371] media: iris: Update vbuf flags before v4l2_m2m_buf_done Greg Kroah-Hartman
` (51 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Dikshita Agarwal,
Bryan ODonoghue, Hans Verkuil, Neil Armstrong,
Bryan O'Donoghue
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 0fe10666d3b4d0757b7f4671892523855ee68cc8 upstream.
Remove earlier complex conditional checks in the non-streaming path that
attempted to verify if stop was called on a plane that was previously
started. These explicit checks are redundant, as vb2 already ensures
that stop is only called on ports that have been started, maintaining
correct buffer state management.
Fixes: 11712ce70f8e ("media: iris: implement vb2 streaming ops")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
.../qcom/iris/iris_hfi_gen1_command.c | 42 +++++++++----------
1 file changed, 19 insertions(+), 23 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
index 5fc30d54af4d..3e41c8cb620e 100644
--- a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
+++ b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
@@ -184,11 +184,25 @@ static int iris_hfi_gen1_session_stop(struct iris_inst *inst, u32 plane)
u32 flush_type = 0;
int ret = 0;
- if ((V4L2_TYPE_IS_OUTPUT(plane) &&
- inst->state == IRIS_INST_INPUT_STREAMING) ||
- (V4L2_TYPE_IS_CAPTURE(plane) &&
- inst->state == IRIS_INST_OUTPUT_STREAMING) ||
- inst->state == IRIS_INST_ERROR) {
+ if (inst->state == IRIS_INST_STREAMING) {
+ if (V4L2_TYPE_IS_OUTPUT(plane))
+ flush_type = HFI_FLUSH_ALL;
+ else if (V4L2_TYPE_IS_CAPTURE(plane))
+ flush_type = HFI_FLUSH_OUTPUT;
+
+ reinit_completion(&inst->flush_completion);
+
+ flush_pkt.shdr.hdr.size = sizeof(struct hfi_session_flush_pkt);
+ flush_pkt.shdr.hdr.pkt_type = HFI_CMD_SESSION_FLUSH;
+ flush_pkt.shdr.session_id = inst->session_id;
+ flush_pkt.flush_type = flush_type;
+
+ ret = iris_hfi_queue_cmd_write(core, &flush_pkt, flush_pkt.shdr.hdr.size);
+ if (!ret) {
+ inst->flush_responses_pending++;
+ ret = iris_wait_for_session_response(inst, true);
+ }
+ } else {
reinit_completion(&inst->completion);
iris_hfi_gen1_packet_session_cmd(inst, &pkt, HFI_CMD_SESSION_STOP);
ret = iris_hfi_queue_cmd_write(core, &pkt, pkt.shdr.hdr.size);
@@ -207,24 +221,6 @@ static int iris_hfi_gen1_session_stop(struct iris_inst *inst, u32 plane)
VB2_BUF_STATE_ERROR);
iris_helper_buffers_done(inst, V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE,
VB2_BUF_STATE_ERROR);
- } else if (inst->state == IRIS_INST_STREAMING) {
- if (V4L2_TYPE_IS_OUTPUT(plane))
- flush_type = HFI_FLUSH_ALL;
- else if (V4L2_TYPE_IS_CAPTURE(plane))
- flush_type = HFI_FLUSH_OUTPUT;
-
- reinit_completion(&inst->flush_completion);
-
- flush_pkt.shdr.hdr.size = sizeof(struct hfi_session_flush_pkt);
- flush_pkt.shdr.hdr.pkt_type = HFI_CMD_SESSION_FLUSH;
- flush_pkt.shdr.session_id = inst->session_id;
- flush_pkt.flush_type = flush_type;
-
- ret = iris_hfi_queue_cmd_write(core, &flush_pkt, flush_pkt.shdr.hdr.size);
- if (!ret) {
- inst->flush_responses_pending++;
- ret = iris_wait_for_session_response(inst, true);
- }
}
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 333/371] media: iris: Update vbuf flags before v4l2_m2m_buf_done
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 332/371] media: iris: Simplify session stop logic by relying on vb2 checks Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 334/371] media: iris: Send dummy buffer address for all codecs during drain Greg Kroah-Hartman
` (50 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 8a432174ac263fb9dd93d232b99c84e430e6d6b5 upstream.
Update the vbuf flags appropriately in error cases before calling
v4l2_m2m_buf_done(). Previously, the flag update was skippied in error
scenario, which could result in incorrect state reporting for buffers.
Fixes: 17f2a485ca67 ("media: iris: implement vb2 ops for buf_queue and firmware response")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_buffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_buffer.c b/drivers/media/platform/qcom/iris/iris_buffer.c
index 23cac5d13129..38548ee4749e 100644
--- a/drivers/media/platform/qcom/iris/iris_buffer.c
+++ b/drivers/media/platform/qcom/iris/iris_buffer.c
@@ -651,6 +651,8 @@ int iris_vb2_buffer_done(struct iris_inst *inst, struct iris_buffer *buf)
vb2 = &vbuf->vb2_buf;
+ vbuf->flags |= buf->flags;
+
if (buf->flags & V4L2_BUF_FLAG_ERROR) {
state = VB2_BUF_STATE_ERROR;
vb2_set_plane_payload(vb2, 0, 0);
@@ -659,8 +661,6 @@ int iris_vb2_buffer_done(struct iris_inst *inst, struct iris_buffer *buf)
return 0;
}
- vbuf->flags |= buf->flags;
-
if (V4L2_TYPE_IS_CAPTURE(type)) {
vb2_set_plane_payload(vb2, 0, buf->data_size);
vbuf->sequence = inst->sequence_cap++;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 334/371] media: iris: Send dummy buffer address for all codecs during drain
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 333/371] media: iris: Update vbuf flags before v4l2_m2m_buf_done Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 335/371] media: iris: Fix missing LAST flag handling " Greg Kroah-Hartman
` (49 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit dec073dd8452e174a69db8444e0932e6b4f31c99 upstream.
Firmware can handle a dummy address for buffers with the EOS flag. To
ensure consistent behavior across all codecs, update the drain
command to always send a dummy buffer address.
This makes the drain handling uniform and avoids any codec specific
assumptions.
Fixes: 478c4478610d ("media: iris: Add codec specific check for VP9 decoder drain handling")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
+++ b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
@@ -397,8 +397,7 @@ static int iris_hfi_gen1_session_drain(s
ip_pkt.shdr.hdr.pkt_type = HFI_CMD_SESSION_EMPTY_BUFFER;
ip_pkt.shdr.session_id = inst->session_id;
ip_pkt.flags = HFI_BUFFERFLAG_EOS;
- if (inst->codec == V4L2_PIX_FMT_VP9)
- ip_pkt.packet_buffer = 0xdeadb000;
+ ip_pkt.packet_buffer = 0xdeadb000;
return iris_hfi_queue_cmd_write(inst->core, &ip_pkt, ip_pkt.shdr.hdr.size);
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 335/371] media: iris: Fix missing LAST flag handling during drain
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 334/371] media: iris: Send dummy buffer address for all codecs during drain Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 336/371] media: iris: Fix format check for CAPTURE plane in try_fmt Greg Kroah-Hartman
` (48 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil, Neil Armstrong
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 8172f57746d68e5c3c743f725435d75c5a4db1ac upstream.
Improve drain handling by ensuring the LAST flag is attached to final
capture buffer when drain response is received from the firmware.
Previously, the driver failed to attach the V4L2_BUF_FLAG_LAST flag when
a drain response was received from the firmware, relying on userspace to
mark the next queued buffer as LAST. This update fixes the issue by
checking the pending drain status, attaching the LAST flag to the
capture buffer received from the firmware (with EOS attached), and
returning it to the V4L2 layer correctly.
Fixes: d09100763bed ("media: iris: add support for drain sequence")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c | 4 +---
drivers/media/platform/qcom/iris/iris_state.c | 2 +-
drivers/media/platform/qcom/iris/iris_state.h | 1 +
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c b/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c
index 8d1ce8a19a45..2a9645883383 100644
--- a/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c
+++ b/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c
@@ -416,8 +416,6 @@ static void iris_hfi_gen1_session_ftb_done(struct iris_inst *inst, void *packet)
inst->flush_responses_pending++;
iris_inst_sub_state_change_drain_last(inst);
-
- return;
}
if (iris_split_mode_enabled(inst) && pkt->stream_id == 0) {
@@ -462,7 +460,7 @@ static void iris_hfi_gen1_session_ftb_done(struct iris_inst *inst, void *packet)
timestamp_us = (timestamp_us << 32) | timestamp_lo;
} else {
if (pkt->stream_id == 1 && !inst->last_buffer_dequeued) {
- if (iris_drc_pending(inst)) {
+ if (iris_drc_pending(inst) || iris_drain_pending(inst)) {
flags |= V4L2_BUF_FLAG_LAST;
inst->last_buffer_dequeued = true;
}
diff --git a/drivers/media/platform/qcom/iris/iris_state.c b/drivers/media/platform/qcom/iris/iris_state.c
index a21238d2818f..d1dc1a863da0 100644
--- a/drivers/media/platform/qcom/iris/iris_state.c
+++ b/drivers/media/platform/qcom/iris/iris_state.c
@@ -252,7 +252,7 @@ bool iris_drc_pending(struct iris_inst *inst)
inst->sub_state & IRIS_INST_SUB_DRC_LAST;
}
-static inline bool iris_drain_pending(struct iris_inst *inst)
+bool iris_drain_pending(struct iris_inst *inst)
{
return inst->sub_state & IRIS_INST_SUB_DRAIN &&
inst->sub_state & IRIS_INST_SUB_DRAIN_LAST;
diff --git a/drivers/media/platform/qcom/iris/iris_state.h b/drivers/media/platform/qcom/iris/iris_state.h
index e718386dbe04..b09fa54cf17e 100644
--- a/drivers/media/platform/qcom/iris/iris_state.h
+++ b/drivers/media/platform/qcom/iris/iris_state.h
@@ -141,5 +141,6 @@ int iris_inst_sub_state_change_drc_last(struct iris_inst *inst);
int iris_inst_sub_state_change_pause(struct iris_inst *inst, u32 plane);
bool iris_allow_cmd(struct iris_inst *inst, u32 cmd);
bool iris_drc_pending(struct iris_inst *inst);
+bool iris_drain_pending(struct iris_inst *inst);
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 336/371] media: iris: Fix format check for CAPTURE plane in try_fmt
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 335/371] media: iris: Fix missing LAST flag handling " Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 337/371] media: iris: Allow stop on firmware only if start was issued Greg Kroah-Hartman
` (47 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Dikshita Agarwal,
Bryan ODonoghue, Hans Verkuil, Neil Armstrong,
Bryan O'Donoghue
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 2dbd2645c07df8de04ee37b24f2395800513391e upstream.
Previously, the format validation relied on an array of supported
formats, which only listed formats for the OUTPUT plane. This caused
failures when validating formats for the CAPTURE plane.
Update the check to validate against the only supported format on the
CAPTURE plane, which is NV12.
Fixes: fde6161d91bb ("media: iris: Add HEVC and VP9 formats for decoder")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_vdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/iris/iris_vdec.c b/drivers/media/platform/qcom/iris/iris_vdec.c
index d670b51c5839..0f5adaac829f 100644
--- a/drivers/media/platform/qcom/iris/iris_vdec.c
+++ b/drivers/media/platform/qcom/iris/iris_vdec.c
@@ -158,7 +158,7 @@ int iris_vdec_try_fmt(struct iris_inst *inst, struct v4l2_format *f)
}
break;
case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
- if (!fmt) {
+ if (f->fmt.pix_mp.pixelformat != V4L2_PIX_FMT_NV12) {
f_inst = inst->fmt_dst;
f->fmt.pix_mp.pixelformat = f_inst->fmt.pix_mp.pixelformat;
f->fmt.pix_mp.width = f_inst->fmt.pix_mp.width;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 337/371] media: iris: Allow stop on firmware only if start was issued.
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 336/371] media: iris: Fix format check for CAPTURE plane in try_fmt Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 338/371] ext4: add ext4_sb_bread_nofail() helper function for ext4_free_branches() Greg Kroah-Hartman
` (46 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Dikshita Agarwal,
Bryan ODonoghue, Hans Verkuil, Neil Armstrong,
Bryan O'Donoghue
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
commit 56a2d85ee8f9b994e5cd17039133218c57c5902b upstream.
For HFI Gen1, the instances substate is changed to LOAD_RESOURCES only
when a START command is issues to the firmware. If STOP is called
without a prior START, the firmware may reject the command and throw
some erros.
Handle this by adding a substate check before issuing STOP command to
the firmware.
Fixes: 11712ce70f8e ("media: iris: implement vb2 streaming ops")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Tested-by: Vikash Garodia <quic_vgarodia@quicinc.com> # X1E80100
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-HDK
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # x1e80100-crd
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
index 3e41c8cb620e..a3461ccf170a 100644
--- a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
+++ b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c
@@ -202,7 +202,7 @@ static int iris_hfi_gen1_session_stop(struct iris_inst *inst, u32 plane)
inst->flush_responses_pending++;
ret = iris_wait_for_session_response(inst, true);
}
- } else {
+ } else if (inst->sub_state & IRIS_INST_SUB_LOAD_RESOURCES) {
reinit_completion(&inst->completion);
iris_hfi_gen1_packet_session_cmd(inst, &pkt, HFI_CMD_SESSION_STOP);
ret = iris_hfi_queue_cmd_write(core, &pkt, pkt.shdr.hdr.size);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 338/371] ext4: add ext4_sb_bread_nofail() helper function for ext4_free_branches()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 337/371] media: iris: Allow stop on firmware only if start was issued Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 339/371] ext4: fail unaligned direct IO write with EINVAL Greg Kroah-Hartman
` (45 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit d8b90e6387a74bcb1714c8d1e6a782ff709de9a9 upstream.
The implicit __GFP_NOFAIL flag in ext4_sb_bread() was removed in commit
8a83ac54940d ("ext4: call bdev_getblk() from sb_getblk_gfp()"), meaning
the function can now fail under memory pressure.
Most callers of ext4_sb_bread() propagate the error to userspace and do not
remount the filesystem read-only. However, ext4_free_branches() handles
ext4_sb_bread() failure by remounting the filesystem read-only.
This implies that an ext3 filesystem (mounted via the ext4 driver) could be
forcibly remounted read-only due to a transient page allocation failure,
which is unacceptable.
To mitigate this, introduce a new helper function, ext4_sb_bread_nofail(),
which explicitly uses __GFP_NOFAIL, and use it in ext4_free_branches().
Fixes: 8a83ac54940d ("ext4: call bdev_getblk() from sb_getblk_gfp()")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 2 ++
fs/ext4/indirect.c | 2 +-
fs/ext4/super.c | 9 +++++++++
3 files changed, 12 insertions(+), 1 deletion(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3144,6 +3144,8 @@ extern struct buffer_head *ext4_sb_bread
sector_t block, blk_opf_t op_flags);
extern struct buffer_head *ext4_sb_bread_unmovable(struct super_block *sb,
sector_t block);
+extern struct buffer_head *ext4_sb_bread_nofail(struct super_block *sb,
+ sector_t block);
extern void ext4_read_bh_nowait(struct buffer_head *bh, blk_opf_t op_flags,
bh_end_io_t *end_io, bool simu_fail);
extern int ext4_read_bh(struct buffer_head *bh, blk_opf_t op_flags,
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -1025,7 +1025,7 @@ static void ext4_free_branches(handle_t
}
/* Go read the buffer for the next level down */
- bh = ext4_sb_bread(inode->i_sb, nr, 0);
+ bh = ext4_sb_bread_nofail(inode->i_sb, nr);
/*
* A read failure? Report error and clear slot
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -265,6 +265,15 @@ struct buffer_head *ext4_sb_bread_unmova
return __ext4_sb_bread_gfp(sb, block, 0, gfp);
}
+struct buffer_head *ext4_sb_bread_nofail(struct super_block *sb,
+ sector_t block)
+{
+ gfp_t gfp = mapping_gfp_constraint(sb->s_bdev->bd_mapping,
+ ~__GFP_FS) | __GFP_MOVABLE | __GFP_NOFAIL;
+
+ return __ext4_sb_bread_gfp(sb, block, 0, gfp);
+}
+
void ext4_sb_breadahead_unmovable(struct super_block *sb, sector_t block)
{
struct buffer_head *bh = bdev_getblk(sb->s_bdev, block,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 339/371] ext4: fail unaligned direct IO write with EINVAL
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 338/371] ext4: add ext4_sb_bread_nofail() helper function for ext4_free_branches() Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 340/371] ext4: verify orphan file size is not too big Greg Kroah-Hartman
` (44 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jan Kara,
Ritesh Harjani (IBM), Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 963845748fe67125006859229487b45485564db7 upstream.
Commit bc264fea0f6f ("iomap: support incremental iomap_iter advances")
changed the error handling logic in iomap_iter(). Previously any error
from iomap_dio_bio_iter() got propagated to userspace, after this commit
if ->iomap_end returns error, it gets propagated to userspace instead of
an error from iomap_dio_bio_iter(). This results in unaligned writes to
ext4 to silently fallback to buffered IO instead of erroring out.
Now returning ENOTBLK for DIO writes from ext4_iomap_end() seems
unnecessary these days. It is enough to return ENOTBLK from
ext4_iomap_begin() when we don't support DIO write for that particular
file offset (due to hole).
Fixes: bc264fea0f6f ("iomap: support incremental iomap_iter advances")
Cc: stable@kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Message-ID: <20250901112739.32484-2-jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 35 -----------------------------------
1 file changed, 35 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..c3b23c90fd11 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3872,47 +3872,12 @@ static int ext4_iomap_overwrite_begin(struct inode *inode, loff_t offset,
return ret;
}
-static inline bool ext4_want_directio_fallback(unsigned flags, ssize_t written)
-{
- /* must be a directio to fall back to buffered */
- if ((flags & (IOMAP_WRITE | IOMAP_DIRECT)) !=
- (IOMAP_WRITE | IOMAP_DIRECT))
- return false;
-
- /* atomic writes are all-or-nothing */
- if (flags & IOMAP_ATOMIC)
- return false;
-
- /* can only try again if we wrote nothing */
- return written == 0;
-}
-
-static int ext4_iomap_end(struct inode *inode, loff_t offset, loff_t length,
- ssize_t written, unsigned flags, struct iomap *iomap)
-{
- /*
- * Check to see whether an error occurred while writing out the data to
- * the allocated blocks. If so, return the magic error code for
- * non-atomic write so that we fallback to buffered I/O and attempt to
- * complete the remainder of the I/O.
- * For non-atomic writes, any blocks that may have been
- * allocated in preparation for the direct I/O will be reused during
- * buffered I/O. For atomic write, we never fallback to buffered-io.
- */
- if (ext4_want_directio_fallback(flags, written))
- return -ENOTBLK;
-
- return 0;
-}
-
const struct iomap_ops ext4_iomap_ops = {
.iomap_begin = ext4_iomap_begin,
- .iomap_end = ext4_iomap_end,
};
const struct iomap_ops ext4_iomap_overwrite_ops = {
.iomap_begin = ext4_iomap_overwrite_begin,
- .iomap_end = ext4_iomap_end,
};
static int ext4_iomap_begin_report(struct inode *inode, loff_t offset,
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 340/371] ext4: verify orphan file size is not too big
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 339/371] ext4: fail unaligned direct IO write with EINVAL Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 341/371] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() Greg Kroah-Hartman
` (43 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0b92850d68d9b12934f5, stable,
Jan Kara, Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 0a6ce20c156442a4ce2a404747bb0fb05d54eeb3 upstream.
In principle orphan file can be arbitrarily large. However orphan replay
needs to traverse it all and we also pin all its buffers in memory. Thus
filesystems with absurdly large orphan files can lead to big amounts of
memory consumed. Limit orphan file size to a sane value and also use
kvmalloc() for allocating array of block descriptor structures to avoid
large order allocations for sane but large orphan files.
Reported-by: syzbot+0b92850d68d9b12934f5@syzkaller.appspotmail.com
Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling")
Cc: stable@kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Message-ID: <20250909112206.10459-2-jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -583,9 +583,20 @@ int ext4_init_orphan_info(struct super_b
ext4_msg(sb, KERN_ERR, "get orphan inode failed");
return PTR_ERR(inode);
}
+ /*
+ * This is just an artificial limit to prevent corrupted fs from
+ * consuming absurd amounts of memory when pinning blocks of orphan
+ * file in memory.
+ */
+ if (inode->i_size > 8 << 20) {
+ ext4_msg(sb, KERN_ERR, "orphan file too big: %llu",
+ (unsigned long long)inode->i_size);
+ ret = -EFSCORRUPTED;
+ goto out_put;
+ }
oi->of_blocks = inode->i_size >> sb->s_blocksize_bits;
oi->of_csum_seed = EXT4_I(inode)->i_csum_seed;
- oi->of_binfo = kmalloc_array(oi->of_blocks,
+ oi->of_binfo = kvmalloc_array(oi->of_blocks,
sizeof(struct ext4_orphan_block),
GFP_KERNEL);
if (!oi->of_binfo) {
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 341/371] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 340/371] ext4: verify orphan file size is not too big Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 342/371] ext4: correctly handle queries for metadata mappings Greg Kroah-Hartman
` (42 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yongjian Sun, Zhang Yi,
Jan Kara, Baokun Li, Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
commit 9d80eaa1a1d37539224982b76c9ceeee736510b9 upstream.
After running a stress test combined with fault injection,
we performed fsck -a followed by fsck -fn on the filesystem
image. During the second pass, fsck -fn reported:
Inode 131512, end of extent exceeds allowed value
(logical block 405, physical block 1180540, len 2)
This inode was not in the orphan list. Analysis revealed the
following call chain that leads to the inconsistency:
ext4_da_write_end()
//does not update i_disksize
ext4_punch_hole()
//truncate folio, keep size
ext4_page_mkwrite()
ext4_block_page_mkwrite()
ext4_block_write_begin()
ext4_get_block()
//insert written extent without update i_disksize
journal commit
echo 1 > /sys/block/xxx/device/delete
da-write path updates i_size but does not update i_disksize. Then
ext4_punch_hole truncates the da-folio yet still leaves i_disksize
unchanged(in the ext4_update_disksize_before_punch function, the
condition offset + len < size is met). Then ext4_page_mkwrite sees
ext4_nonda_switch return 1 and takes the nodioread_nolock path, the
folio about to be written has just been punched out, and it’s offset
sits beyond the current i_disksize. This may result in a written
extent being inserted, but again does not update i_disksize. If the
journal gets committed and then the block device is yanked, we might
run into this. It should be noted that replacing ext4_punch_hole with
ext4_zero_range in the call sequence may also trigger this issue, as
neither will update i_disksize under these circumstances.
To fix this, we can modify ext4_update_disksize_before_punch to
increase i_disksize to min(i_size, offset + len) when both i_size and
(offset + len) are greater than i_disksize.
Cc: stable@kernel.org
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Message-ID: <20250911133024.1841027-1-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4252,7 +4252,11 @@ int ext4_can_truncate(struct inode *inod
* We have to make sure i_disksize gets properly updated before we truncate
* page cache due to hole punching or zero range. Otherwise i_disksize update
* can get lost as it may have been postponed to submission of writeback but
- * that will never happen after we truncate page cache.
+ * that will never happen if we remove the folio containing i_size from the
+ * page cache. Also if we punch hole within i_size but above i_disksize,
+ * following ext4_page_mkwrite() may mistakenly allocate written blocks over
+ * the hole and thus introduce allocated blocks beyond i_disksize which is
+ * not allowed (e2fsck would complain in case of crash).
*/
int ext4_update_disksize_before_punch(struct inode *inode, loff_t offset,
loff_t len)
@@ -4263,9 +4267,11 @@ int ext4_update_disksize_before_punch(st
loff_t size = i_size_read(inode);
WARN_ON(!inode_is_locked(inode));
- if (offset > size || offset + len < size)
+ if (offset > size)
return 0;
+ if (offset + len < size)
+ size = offset + len;
if (EXT4_I(inode)->i_disksize >= size)
return 0;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 342/371] ext4: correctly handle queries for metadata mappings
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 341/371] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 343/371] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
` (41 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM), stable,
Ojaswin Mujoo, Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
commit 46c22a8bb4cb03211da1100d7ee4a2005bf77c70 upstream.
Currently, our handling of metadata is _ambiguous_ in some scenarios,
that is, we end up returning unknown if the range only covers the
mapping partially.
For example, in the following case:
$ xfs_io -c fsmap -d
0: 254:16 [0..7]: static fs metadata 8
1: 254:16 [8..15]: special 102:1 8
2: 254:16 [16..5127]: special 102:2 5112
3: 254:16 [5128..5255]: special 102:3 128
4: 254:16 [5256..5383]: special 102:4 128
5: 254:16 [5384..70919]: inodes 65536
6: 254:16 [70920..70967]: unknown 48
...
$ xfs_io -c fsmap -d 24 33
0: 254:16 [24..39]: unknown 16 <--- incomplete reporting
$ xfs_io -c fsmap -d 24 33 (With patch)
0: 254:16 [16..5127]: special 102:2 5112
This is because earlier in ext4_getfsmap_meta_helper, we end up ignoring
any extent that starts before our queried range, but overlaps it. While
the man page [1] is a bit ambiguous on this, this fix makes the output
make more sense since we are anyways returning an "unknown" extent. This
is also consistent to how XFS does it:
$ xfs_io -c fsmap -d
...
6: 254:16 [104..127]: free space 24
7: 254:16 [128..191]: inodes 64
...
$ xfs_io -c fsmap -d 137 150
0: 254:16 [128..191]: inodes 64 <-- full extent returned
[1] https://man7.org/linux/man-pages/man2/ioctl_getfsmap.2.html
Reported-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Message-ID: <023f37e35ee280cd9baac0296cbadcbe10995cab.1757058211.git.ojaswin@linux.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fsmap.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/ext4/fsmap.c
+++ b/fs/ext4/fsmap.c
@@ -74,7 +74,8 @@ static int ext4_getfsmap_dev_compare(con
static bool ext4_getfsmap_rec_before_low_key(struct ext4_getfsmap_info *info,
struct ext4_fsmap *rec)
{
- return rec->fmr_physical < info->gfi_low.fmr_physical;
+ return rec->fmr_physical + rec->fmr_length <=
+ info->gfi_low.fmr_physical;
}
/*
@@ -200,15 +201,18 @@ static int ext4_getfsmap_meta_helper(str
ext4_group_first_block_no(sb, agno));
fs_end = fs_start + EXT4_C2B(sbi, len);
- /* Return relevant extents from the meta_list */
+ /*
+ * Return relevant extents from the meta_list. We emit all extents that
+ * partially/fully overlap with the query range
+ */
list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
- if (p->fmr_physical < info->gfi_next_fsblk) {
+ if (p->fmr_physical + p->fmr_length <= info->gfi_next_fsblk) {
list_del(&p->fmr_list);
kfree(p);
continue;
}
- if (p->fmr_physical <= fs_start ||
- p->fmr_physical + p->fmr_length <= fs_end) {
+ if (p->fmr_physical <= fs_end &&
+ p->fmr_physical + p->fmr_length > fs_start) {
/* Emit the retained free extent record if present */
if (info->gfi_lastfree.fmr_owner) {
error = ext4_getfsmap_helper(sb, info,
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 343/371] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 342/371] ext4: correctly handle queries for metadata mappings Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 344/371] ext4: fix an off-by-one issue during moving extents Greg Kroah-Hartman
` (40 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Darrick J. Wong,
Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 upstream.
Unlike other strings in the ext4 superblock, we rely on tune2fs to
make sure s_mount_opts is NUL terminated. Harden
parse_apply_sb_mount_options() by treating s_mount_opts as a potential
__nonstring.
Cc: stable@vger.kernel.org
Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock")
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0@mit.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2469,7 +2469,7 @@ static int parse_apply_sb_mount_options(
struct ext4_fs_context *m_ctx)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- char *s_mount_opts = NULL;
+ char s_mount_opts[65];
struct ext4_fs_context *s_ctx = NULL;
struct fs_context *fc = NULL;
int ret = -ENOMEM;
@@ -2477,15 +2477,11 @@ static int parse_apply_sb_mount_options(
if (!sbi->s_es->s_mount_opts[0])
return 0;
- s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
- sizeof(sbi->s_es->s_mount_opts),
- GFP_KERNEL);
- if (!s_mount_opts)
- return ret;
+ strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts);
fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL);
if (!fc)
- goto out_free;
+ return -ENOMEM;
s_ctx = kzalloc(sizeof(struct ext4_fs_context), GFP_KERNEL);
if (!s_ctx)
@@ -2517,11 +2513,8 @@ parse_failed:
ret = 0;
out_free:
- if (fc) {
- ext4_fc_free(fc);
- kfree(fc);
- }
- kfree(s_mount_opts);
+ ext4_fc_free(fc);
+ kfree(fc);
return ret;
}
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 344/371] ext4: fix an off-by-one issue during moving extents
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 343/371] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 345/371] ext4: guard against EA inode refcount underflow in xattr update Greg Kroah-Hartman
` (39 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Zhang Yi, Jan Kara,
Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
commit 12e803c8827d049ae8f2c743ef66ab87ae898375 upstream.
During the movement of a written extent, mext_page_mkuptodate() is
called to read data in the range [from, to) into the page cache and to
update the corresponding buffers. Therefore, we should not wait on any
buffer whose start offset is >= 'to'. Otherwise, it will return -EIO and
fail the extents movement.
$ for i in `seq 3 -1 0`; \
do xfs_io -fs -c "pwrite -b 1024 $((i * 1024)) 1024" /mnt/foo; \
done
$ umount /mnt && mount /dev/pmem1s /mnt # drop cache
$ e4defrag /mnt/foo
e4defrag 1.47.0 (5-Feb-2023)
ext4 defragmentation for /mnt/foo
[1/1]/mnt/foo: 0% [ NG ]
Success: [0/1]
Cc: stable@kernel.org
Fixes: a40759fb16ae ("ext4: remove array of buffer_heads from mext_page_mkuptodate()")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20250912105841.1886799-1-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/move_extent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -225,7 +225,7 @@ static int mext_page_mkuptodate(struct f
do {
if (bh_offset(bh) + blocksize <= from)
continue;
- if (bh_offset(bh) > to)
+ if (bh_offset(bh) >= to)
break;
wait_on_buffer(bh);
if (buffer_uptodate(bh))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 345/371] ext4: guard against EA inode refcount underflow in xattr update
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 344/371] ext4: fix an off-by-one issue during moving extents Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 346/371] ext4: validate ea_ino and size in check_xattrs Greg Kroah-Hartman
` (38 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0be4f339a8218d2a5bb1, stable,
Albin Babu Varghese, Ahmet Eray Karadag, Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmet Eray Karadag <eraykrdg1@gmail.com>
commit 57295e835408d8d425bef58da5253465db3d6888 upstream.
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:
EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
EXT4-fs warning: ea_inode dec ref err=-117
Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().
This prevents the underflow and the follow-on orphan/cleanup churn.
Reported-by: syzbot+0be4f339a8218d2a5bb1@syzkaller.appspotmail.com
Fixes: https://syzbot.org/bug?extid=0be4f339a8218d2a5bb1
Cc: stable@kernel.org
Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
Message-ID: <20250920021342.45575-1-eraykrdg1@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1019,7 +1019,7 @@ static int ext4_xattr_inode_update_ref(h
int ref_change)
{
struct ext4_iloc iloc;
- s64 ref_count;
+ u64 ref_count;
int ret;
inode_lock_nested(ea_inode, I_MUTEX_XATTR);
@@ -1029,13 +1029,17 @@ static int ext4_xattr_inode_update_ref(h
goto out;
ref_count = ext4_xattr_inode_get_ref(ea_inode);
+ if ((ref_count == 0 && ref_change < 0) || (ref_count == U64_MAX && ref_change > 0)) {
+ ext4_error_inode(ea_inode, __func__, __LINE__, 0,
+ "EA inode %lu ref wraparound: ref_count=%lld ref_change=%d",
+ ea_inode->i_ino, ref_count, ref_change);
+ ret = -EFSCORRUPTED;
+ goto out;
+ }
ref_count += ref_change;
ext4_xattr_inode_set_ref(ea_inode, ref_count);
if (ref_change > 0) {
- WARN_ONCE(ref_count <= 0, "EA inode %lu ref_count=%lld",
- ea_inode->i_ino, ref_count);
-
if (ref_count == 1) {
WARN_ONCE(ea_inode->i_nlink, "EA inode %lu i_nlink=%u",
ea_inode->i_ino, ea_inode->i_nlink);
@@ -1044,9 +1048,6 @@ static int ext4_xattr_inode_update_ref(h
ext4_orphan_del(handle, ea_inode);
}
} else {
- WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld",
- ea_inode->i_ino, ref_count);
-
if (ref_count == 0) {
WARN_ONCE(ea_inode->i_nlink != 1,
"EA inode %lu i_nlink=%u",
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 346/371] ext4: validate ea_ino and size in check_xattrs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 345/371] ext4: guard against EA inode refcount underflow in xattr update Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 347/371] ACPICA: Allow to skip Global Lock initialization Greg Kroah-Hartman
` (37 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Theodore Tso,
syzbot+4c9d23743a2409b80293, Deepanshu Kartikey
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 44d2a72f4d64655f906ba47a5e108733f59e6f28 upstream.
During xattr block validation, check_xattrs() processes xattr entries
without validating that entries claiming to use EA inodes have non-zero
sizes. Corrupted filesystems may contain xattr entries where e_value_size
is zero but e_value_inum is non-zero, indicating invalid xattr data.
Add validation in check_xattrs() to detect this corruption pattern early
and return -EFSCORRUPTED, preventing invalid xattr entries from causing
issues throughout the ext4 codebase.
Cc: stable@kernel.org
Suggested-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: syzbot+4c9d23743a2409b80293@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=4c9d23743a2409b80293
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Message-ID: <20250923133245.1091761-1-kartikey406@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,6 +251,10 @@ check_xattrs(struct inode *inode, struct
err_str = "invalid ea_ino";
goto errout;
}
+ if (ea_ino && !size) {
+ err_str = "invalid size in ea xattr";
+ goto errout;
+ }
if (size > EXT4_XATTR_SIZE_MAX) {
err_str = "e_value size too large";
goto errout;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 347/371] ACPICA: Allow to skip Global Lock initialization
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 346/371] ext4: validate ea_ino and size in check_xattrs Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 348/371] ext4: free orphan info with kvfree Greg Kroah-Hartman
` (36 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huacai Chen, Rafael J. Wysocki,
Huacai Chen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit feb8ae81b2378b75a99c81d315602ac8918ed382 upstream.
Introduce acpi_gbl_use_global_lock, which allows to skip the Global Lock
initialization. This is useful for systems without Global Lock (such as
loong_arch), so as to avoid error messages during boot phase:
ACPI Error: Could not enable global_lock event (20240827/evxfevnt-182)
ACPI Error: No response from Global Lock hardware, disabling lock (20240827/evglock-59)
Link: https://github.com/acpica/acpica/commit/463cb0fe
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Huacai Chen <chenhuacai@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpica/evglock.c | 4 ++++
include/acpi/acpixf.h | 6 ++++++
2 files changed, 10 insertions(+)
--- a/drivers/acpi/acpica/evglock.c
+++ b/drivers/acpi/acpica/evglock.c
@@ -42,6 +42,10 @@ acpi_status acpi_ev_init_global_lock_han
return_ACPI_STATUS(AE_OK);
}
+ if (!acpi_gbl_use_global_lock) {
+ return_ACPI_STATUS(AE_OK);
+ }
+
/* Attempt installation of the global lock handler */
status = acpi_install_fixed_event_handler(ACPI_EVENT_GLOBAL,
--- a/include/acpi/acpixf.h
+++ b/include/acpi/acpixf.h
@@ -214,6 +214,12 @@ ACPI_INIT_GLOBAL(u8, acpi_gbl_osi_data,
ACPI_INIT_GLOBAL(u8, acpi_gbl_reduced_hardware, FALSE);
/*
+ * ACPI Global Lock is mainly used for systems with SMM, so no-SMM systems
+ * (such as loong_arch) may not have and not use Global Lock.
+ */
+ACPI_INIT_GLOBAL(u8, acpi_gbl_use_global_lock, TRUE);
+
+/*
* Maximum timeout for While() loop iterations before forced method abort.
* This mechanism is intended to prevent infinite loops during interpreter
* execution within a host kernel.
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 348/371] ext4: free orphan info with kvfree
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 347/371] ACPICA: Allow to skip Global Lock initialization Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 349/371] ipmi: Fix handling of messages with provided receive message pointer Greg Kroah-Hartman
` (35 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jan Kara, Theodore Tso
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 971843c511c3c2f6eda96c6b03442913bfee6148 upstream.
Orphan info is now getting allocated with kvmalloc_array(). Free it with
kvfree() instead of kfree() to avoid complaints from mm.
Reported-by: Chris Mason <clm@meta.com>
Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
Cc: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Message-ID: <20251007134936.7291-2-jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -513,7 +513,7 @@ void ext4_release_orphan_info(struct sup
return;
for (i = 0; i < oi->of_blocks; i++)
brelse(oi->of_binfo[i].ob_bh);
- kfree(oi->of_binfo);
+ kvfree(oi->of_binfo);
}
static struct ext4_orphan_block_tail *ext4_orphan_block_tail(
@@ -637,7 +637,7 @@ int ext4_init_orphan_info(struct super_b
out_free:
for (i--; i >= 0; i--)
brelse(oi->of_binfo[i].ob_bh);
- kfree(oi->of_binfo);
+ kvfree(oi->of_binfo);
out_put:
iput(inode);
return ret;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 349/371] ipmi: Fix handling of messages with provided receive message pointer
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 348/371] ext4: free orphan info with kvfree Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 350/371] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
` (34 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Greg Thelen,
Guenter Roeck, Corey Minyard
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit e2c69490dda5d4c9f1bfbb2898989c8f3530e354 upstream.
Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"),
i_ipmi_request() used to increase the user reference counter if the receive
message is provided by the caller of IPMI API functions. This is no longer
the case. However, ipmi_free_recv_msg() is still called and decreases the
reference counter. This results in the reference counter reaching zero,
the user data pointer is released, and all kinds of interesting crashes are
seen.
Fix the problem by increasing user reference counter if the receive message
has been provided by the caller.
Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling")
Reported-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Thelen <gthelen@google.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20251006201857.3433837-1-linux@roeck-us.net>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -2280,8 +2280,11 @@ static int i_ipmi_request(struct ipmi_us
if (supplied_recv) {
recv_msg = supplied_recv;
recv_msg->user = user;
- if (user)
+ if (user) {
atomic_inc(&user->nr_msgs);
+ /* The put happens when the message is freed. */
+ kref_get(&user->refcount);
+ }
} else {
recv_msg = ipmi_alloc_recv_msg(user);
if (IS_ERR(recv_msg))
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 350/371] Squashfs: add additional inode sanity checking
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 349/371] ipmi: Fix handling of messages with provided receive message pointer Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 351/371] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
` (33 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phillip Lougher, Andrew Morton,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
[ Upstream commit 9ee94bfbe930a1b39df53fa2d7b31141b780eb5a ]
Patch series "Squashfs: performance improvement and a sanity check".
This patchset adds an additional sanity check when reading regular file
inodes, and adds support for SEEK_DATA/SEEK_HOLE lseek() whence values.
This patch (of 2):
Add an additional sanity check when reading regular file inodes.
A regular file if the file size is an exact multiple of the filesystem
block size cannot have a fragment. This is because by definition a
fragment block stores tailends which are not a whole block in size.
Link: https://lkml.kernel.org/r/20250923220652.568416-1-phillip@squashfs.org.uk
Link: https://lkml.kernel.org/r/20250923220652.568416-2-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 9f1c14c1de1b ("Squashfs: reject negative file sizes in squashfs_read_inode()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/squashfs/inode.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -140,8 +140,17 @@ int squashfs_read_inode(struct inode *in
if (err < 0)
goto failed_read;
+ inode->i_size = le32_to_cpu(sqsh_ino->file_size);
frag = le32_to_cpu(sqsh_ino->fragment);
if (frag != SQUASHFS_INVALID_FRAG) {
+ /*
+ * the file cannot have a fragment (tailend) and have a
+ * file size a multiple of the block size
+ */
+ if ((inode->i_size & (msblk->block_size - 1)) == 0) {
+ err = -EINVAL;
+ goto failed_read;
+ }
frag_offset = le32_to_cpu(sqsh_ino->offset);
frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
if (frag_size < 0) {
@@ -155,7 +164,6 @@ int squashfs_read_inode(struct inode *in
}
set_nlink(inode, 1);
- inode->i_size = le32_to_cpu(sqsh_ino->file_size);
inode->i_fop = &generic_ro_fops;
inode->i_mode |= S_IFREG;
inode->i_blocks = ((inode->i_size - 1) >> 9) + 1;
@@ -184,8 +192,17 @@ int squashfs_read_inode(struct inode *in
if (err < 0)
goto failed_read;
+ inode->i_size = le64_to_cpu(sqsh_ino->file_size);
frag = le32_to_cpu(sqsh_ino->fragment);
if (frag != SQUASHFS_INVALID_FRAG) {
+ /*
+ * the file cannot have a fragment (tailend) and have a
+ * file size a multiple of the block size
+ */
+ if ((inode->i_size & (msblk->block_size - 1)) == 0) {
+ err = -EINVAL;
+ goto failed_read;
+ }
frag_offset = le32_to_cpu(sqsh_ino->offset);
frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
if (frag_size < 0) {
@@ -200,7 +217,6 @@ int squashfs_read_inode(struct inode *in
xattr_id = le32_to_cpu(sqsh_ino->xattr);
set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
- inode->i_size = le64_to_cpu(sqsh_ino->file_size);
inode->i_op = &squashfs_inode_ops;
inode->i_fop = &generic_ro_fops;
inode->i_mode |= S_IFREG;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 351/371] Squashfs: reject negative file sizes in squashfs_read_inode()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 350/371] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 352/371] mm/ksm: fix incorrect KSM counter handling in mm_struct during fork Greg Kroah-Hartman
` (32 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phillip Lougher,
syzbot+f754e01116421e9754b9, Amir Goldstein, Andrew Morton,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
[ Upstream commit 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b ]
Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk
Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk
Fixes: 6545b246a2c8 ("Squashfs: inode operations")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/squashfs/inode.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -193,6 +193,10 @@ int squashfs_read_inode(struct inode *in
goto failed_read;
inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+ if (inode->i_size < 0) {
+ err = -EINVAL;
+ goto failed_read;
+ }
frag = le32_to_cpu(sqsh_ino->fragment);
if (frag != SQUASHFS_INVALID_FRAG) {
/*
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 352/371] mm/ksm: fix incorrect KSM counter handling in mm_struct during fork
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 351/371] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 353/371] media: mc: Clear minor number before put device Greg Kroah-Hartman
` (31 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Donet Tom, Chengming Zhou,
David Hildenbrand, Aboorva Devarajan, Ritesh Harjani (IBM),
Wei Yang, xu xin, Andrew Morton, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Donet Tom <donettom@linux.ibm.com>
[ Upstream commit 4d6fc29f36341d7795db1d1819b4c15fe9be7b23 ]
Patch series "mm/ksm: Fix incorrect accounting of KSM counters during
fork", v3.
The first patch in this series fixes the incorrect accounting of KSM
counters such as ksm_merging_pages, ksm_rmap_items, and the global
ksm_zero_pages during fork.
The following patch add a selftest to verify the ksm_merging_pages counter
was updated correctly during fork.
Test Results
============
Without the first patch
-----------------------
# [RUN] test_fork_ksm_merging_page_count
not ok 10 ksm_merging_page in child: 32
With the first patch
--------------------
# [RUN] test_fork_ksm_merging_page_count
ok 10 ksm_merging_pages is not inherited after fork
This patch (of 2):
Currently, the KSM-related counters in `mm_struct`, such as
`ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited
by the child process during fork. This results in inconsistent
accounting.
When a process uses KSM, identical pages are merged and an rmap item is
created for each merged page. The `ksm_merging_pages` and
`ksm_rmap_items` counters are updated accordingly. However, after a fork,
these counters are copied to the child while the corresponding rmap items
are not. As a result, when the child later triggers an unmerge, there are
no rmap items present in the child, so the counters remain stale, leading
to incorrect accounting.
A similar issue exists with `ksm_zero_pages`, which maintains both a
global counter and a per-process counter. During fork, the per-process
counter is inherited by the child, but the global counter is not
incremented. Since the child also references zero pages, the global
counter should be updated as well. Otherwise, during zero-page unmerge,
both the global and per-process counters are decremented, causing the
global counter to become inconsistent.
To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during
fork, and the global ksm_zero_pages counter is updated with the
per-process ksm_zero_pages value inherited by the child. This ensures
that KSM statistics remain accurate and reflect the activity of each
process correctly.
Link: https://lkml.kernel.org/r/cover.1758648700.git.donettom@linux.ibm.com
Link: https://lkml.kernel.org/r/7b9870eb67ccc0d79593940d9dbd4a0b39b5d396.1758648700.git.donettom@linux.ibm.com
Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process")
Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process")
Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM")
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Aboorva Devarajan <aboorvad@linux.ibm.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Donet Tom <donettom@linux.ibm.com>
Cc: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
Cc: Wei Yang <richard.weiyang@gmail.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: <stable@vger.kernel.org> [6.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ replaced mm_flags_test() calls with test_bit() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/ksm.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/include/linux/ksm.h
+++ b/include/linux/ksm.h
@@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(str
static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm)
{
/* Adding mm to ksm is best effort on fork. */
- if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags))
+ if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags)) {
+ long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages);
+
+ mm->ksm_merging_pages = 0;
+ mm->ksm_rmap_items = 0;
+ atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages);
__ksm_enter(mm);
+ }
}
static inline int ksm_execve(struct mm_struct *mm)
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 353/371] media: mc: Clear minor number before put device
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 352/371] mm/ksm: fix incorrect KSM counter handling in mm_struct during fork Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 354/371] arm64: dts: qcom: qcs615: add missing dt property in QUP SEs Greg Kroah-Hartman
` (30 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+031d0cfd7c362817963f,
Edward Adam Davis, Sakari Ailus, Hans Verkuil, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 8cfc8cec1b4da88a47c243a11f384baefd092a50 ]
The device minor should not be cleared after the device is released.
Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
Cc: stable@vger.kernel.org
Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ moved clear_bit from media_devnode_release callback to media_devnode_unregister before put_device ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/mc/mc-devnode.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/drivers/media/mc/mc-devnode.c
+++ b/drivers/media/mc/mc-devnode.c
@@ -50,11 +50,6 @@ static void media_devnode_release(struct
{
struct media_devnode *devnode = to_media_devnode(cd);
- mutex_lock(&media_devnode_lock);
- /* Mark device node number as free */
- clear_bit(devnode->minor, media_devnode_nums);
- mutex_unlock(&media_devnode_lock);
-
/* Release media_devnode and perform other cleanups as needed. */
if (devnode->release)
devnode->release(devnode);
@@ -281,6 +276,7 @@ void media_devnode_unregister(struct med
/* Delete the cdev on this minor as well */
cdev_device_del(&devnode->cdev, &devnode->dev);
devnode->media_dev = NULL;
+ clear_bit(devnode->minor, media_devnode_nums);
mutex_unlock(&media_devnode_lock);
put_device(&devnode->dev);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 354/371] arm64: dts: qcom: qcs615: add missing dt property in QUP SEs
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 353/371] media: mc: Clear minor number before put device Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 355/371] ACPI: property: Disregard references in data-only subnode lists Greg Kroah-Hartman
` (29 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viken Dadhaniya, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
[ Upstream commit 6a5e9b9738a32229e2673d4eccfcbfe2ef3a1ab4 ]
Add the missing required-opps and operating-points-v2 properties to
several I2C, SPI, and UART nodes in the QUP SEs.
Fixes: f6746dc9e379 ("arm64: dts: qcom: qcs615: Add QUPv3 configuration")
Cc: stable@vger.kernel.org
Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250630064338.2487409-1-viken.dadhaniya@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/qcs615.dtsi | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi
+++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi
@@ -631,6 +631,7 @@
interconnect-names = "qup-core",
"qup-config";
power-domains = <&rpmhpd RPMHPD_CX>;
+ operating-points-v2 = <&qup_opp_table>;
status = "disabled";
};
@@ -654,6 +655,7 @@
"qup-config",
"qup-memory";
power-domains = <&rpmhpd RPMHPD_CX>;
+ required-opps = <&rpmhpd_opp_low_svs>;
dmas = <&gpi_dma0 0 1 QCOM_GPI_I2C>,
<&gpi_dma0 1 1 QCOM_GPI_I2C>;
dma-names = "tx",
@@ -681,6 +683,7 @@
"qup-config",
"qup-memory";
power-domains = <&rpmhpd RPMHPD_CX>;
+ required-opps = <&rpmhpd_opp_low_svs>;
dmas = <&gpi_dma0 0 2 QCOM_GPI_I2C>,
<&gpi_dma0 1 2 QCOM_GPI_I2C>;
dma-names = "tx",
@@ -703,6 +706,7 @@
interconnect-names = "qup-core",
"qup-config";
power-domains = <&rpmhpd RPMHPD_CX>;
+ operating-points-v2 = <&qup_opp_table>;
dmas = <&gpi_dma0 0 2 QCOM_GPI_SPI>,
<&gpi_dma0 1 2 QCOM_GPI_SPI>;
dma-names = "tx",
@@ -728,6 +732,7 @@
interconnect-names = "qup-core",
"qup-config";
power-domains = <&rpmhpd RPMHPD_CX>;
+ operating-points-v2 = <&qup_opp_table>;
status = "disabled";
};
@@ -751,6 +756,7 @@
"qup-config",
"qup-memory";
power-domains = <&rpmhpd RPMHPD_CX>;
+ required-opps = <&rpmhpd_opp_low_svs>;
dmas = <&gpi_dma0 0 3 QCOM_GPI_I2C>,
<&gpi_dma0 1 3 QCOM_GPI_I2C>;
dma-names = "tx",
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 355/371] ACPI: property: Disregard references in data-only subnode lists
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 354/371] arm64: dts: qcom: qcs615: add missing dt property in QUP SEs Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 356/371] ACPI: property: Add code comments explaining what is going on Greg Kroah-Hartman
` (28 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sakari Ailus,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
[ Upstream commit d06118fe9b03426484980ed4c189a8c7b99fa631 ]
Data-only subnode links following the ACPI data subnode GUID in a _DSD
package are expected to point to named objects returning _DSD-equivalent
packages. If a reference to such an object is used in the target field
of any of those links, that object will be evaluated in place (as a
named object) and its return data will be embedded in the outer _DSD
package.
For this reason, it is not expected to see a subnode link with the
target field containing a local reference (that would mean pointing
to a device or another object that cannot be evaluated in place and
therefore cannot return a _DSD-equivalent package).
Accordingly, simplify the code parsing data-only subnode links to
simply print a message when it encounters a local reference in the
target field of one of those links.
Moreover, since acpi_nondev_subnode_data_ok() would only have one
caller after the change above, fold it into that caller.
Link: https://lore.kernel.org/linux-acpi/CAJZ5v0jVeSrDO6hrZhKgRZrH=FpGD4vNUjFD8hV9WwN9TLHjzQ@mail.gmail.com/
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Stable-dep-of: baf60d5cb8bc ("ACPI: property: Do not pass NULL handles to acpi_attach_data()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/property.c | 51 ++++++++++++++++++++----------------------------
1 file changed, 22 insertions(+), 29 deletions(-)
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -124,32 +124,12 @@ static bool acpi_nondev_subnode_extract(
return false;
}
-static bool acpi_nondev_subnode_data_ok(acpi_handle handle,
- const union acpi_object *link,
- struct list_head *list,
- struct fwnode_handle *parent)
-{
- struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER };
- acpi_status status;
-
- status = acpi_evaluate_object_typed(handle, NULL, NULL, &buf,
- ACPI_TYPE_PACKAGE);
- if (ACPI_FAILURE(status))
- return false;
-
- if (acpi_nondev_subnode_extract(buf.pointer, handle, link, list,
- parent))
- return true;
-
- ACPI_FREE(buf.pointer);
- return false;
-}
-
static bool acpi_nondev_subnode_ok(acpi_handle scope,
const union acpi_object *link,
struct list_head *list,
struct fwnode_handle *parent)
{
+ struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER };
acpi_handle handle;
acpi_status status;
@@ -161,7 +141,17 @@ static bool acpi_nondev_subnode_ok(acpi_
if (ACPI_FAILURE(status))
return false;
- return acpi_nondev_subnode_data_ok(handle, link, list, parent);
+ status = acpi_evaluate_object_typed(handle, NULL, NULL, &buf,
+ ACPI_TYPE_PACKAGE);
+ if (ACPI_FAILURE(status))
+ return false;
+
+ if (acpi_nondev_subnode_extract(buf.pointer, handle, link, list,
+ parent))
+ return true;
+
+ ACPI_FREE(buf.pointer);
+ return false;
}
static bool acpi_add_nondev_subnodes(acpi_handle scope,
@@ -174,7 +164,6 @@ static bool acpi_add_nondev_subnodes(acp
for (i = 0; i < links->package.count; i++) {
union acpi_object *link, *desc;
- acpi_handle handle;
bool result;
link = &links->package.elements[i];
@@ -186,22 +175,26 @@ static bool acpi_add_nondev_subnodes(acp
if (link->package.elements[0].type != ACPI_TYPE_STRING)
continue;
- /* The second one may be a string, a reference or a package. */
+ /* The second one may be a string or a package. */
switch (link->package.elements[1].type) {
case ACPI_TYPE_STRING:
result = acpi_nondev_subnode_ok(scope, link, list,
parent);
break;
- case ACPI_TYPE_LOCAL_REFERENCE:
- handle = link->package.elements[1].reference.handle;
- result = acpi_nondev_subnode_data_ok(handle, link, list,
- parent);
- break;
case ACPI_TYPE_PACKAGE:
desc = &link->package.elements[1];
result = acpi_nondev_subnode_extract(desc, NULL, link,
list, parent);
break;
+ case ACPI_TYPE_LOCAL_REFERENCE:
+ /*
+ * It is not expected to see any local references in
+ * the links package because referencing a named object
+ * should cause it to be evaluated in place.
+ */
+ acpi_handle_info(scope, "subnode %s: Unexpected reference\n",
+ link->package.elements[0].string.pointer);
+ fallthrough;
default:
result = false;
break;
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 356/371] ACPI: property: Add code comments explaining what is going on
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 355/371] ACPI: property: Disregard references in data-only subnode lists Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 357/371] ACPI: property: Do not pass NULL handles to acpi_attach_data() Greg Kroah-Hartman
` (27 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sakari Ailus,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
[ Upstream commit 737c3a09dcf69ba2814f3674947ccaec1861c985 ]
In some places in the ACPI device properties handling code, it is
unclear why the code is what it is. Some assumptions are not documented
and some pieces of code are based on knowledge that is not mentioned
anywhere.
Add code comments explaining these things.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Stable-dep-of: baf60d5cb8bc ("ACPI: property: Do not pass NULL handles to acpi_attach_data()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/property.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 44 insertions(+), 2 deletions(-)
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -108,7 +108,18 @@ static bool acpi_nondev_subnode_extract(
if (handle)
acpi_get_parent(handle, &scope);
+ /*
+ * Extract properties from the _DSD-equivalent package pointed to by
+ * desc and use scope (if not NULL) for the completion of relative
+ * pathname segments.
+ *
+ * The extracted properties will be held in the new data node dn.
+ */
result = acpi_extract_properties(scope, desc, &dn->data);
+ /*
+ * Look for subnodes in the _DSD-equivalent package pointed to by desc
+ * and create child nodes of dn if there are any.
+ */
if (acpi_enumerate_nondev_subnodes(scope, desc, &dn->data, &dn->fwnode))
result = true;
@@ -133,6 +144,12 @@ static bool acpi_nondev_subnode_ok(acpi_
acpi_handle handle;
acpi_status status;
+ /*
+ * If the scope is unknown, the _DSD-equivalent package being parsed
+ * was embedded in an outer _DSD-equivalent package as a result of
+ * direct evaluation of an object pointed to by a reference. In that
+ * case, using a pathname as the target object pointer is invalid.
+ */
if (!scope)
return false;
@@ -162,6 +179,10 @@ static bool acpi_add_nondev_subnodes(acp
bool ret = false;
int i;
+ /*
+ * Every element in the links package is expected to represent a link
+ * to a non-device node in a tree containing device-specific data.
+ */
for (i = 0; i < links->package.count; i++) {
union acpi_object *link, *desc;
bool result;
@@ -171,17 +192,38 @@ static bool acpi_add_nondev_subnodes(acp
if (link->package.count != 2)
continue;
- /* The first one must be a string. */
+ /* The first one (the key) must be a string. */
if (link->package.elements[0].type != ACPI_TYPE_STRING)
continue;
- /* The second one may be a string or a package. */
+ /* The second one (the target) may be a string or a package. */
switch (link->package.elements[1].type) {
case ACPI_TYPE_STRING:
+ /*
+ * The string is expected to be a full pathname or a
+ * pathname segment relative to the given scope. That
+ * pathname is expected to point to an object returning
+ * a package that contains _DSD-equivalent information.
+ */
result = acpi_nondev_subnode_ok(scope, link, list,
parent);
break;
case ACPI_TYPE_PACKAGE:
+ /*
+ * This happens when a reference is used in AML to
+ * point to the target. Since the target is expected
+ * to be a named object, a reference to it will cause it
+ * to be avaluated in place and its return package will
+ * be embedded in the links package at the location of
+ * the reference.
+ *
+ * The target package is expected to contain _DSD-
+ * equivalent information, but the scope in which it
+ * is located in the original AML is unknown. Thus
+ * it cannot contain pathname segments represented as
+ * strings because there is no way to build full
+ * pathnames out of them.
+ */
desc = &link->package.elements[1];
result = acpi_nondev_subnode_extract(desc, NULL, link,
list, parent);
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 357/371] ACPI: property: Do not pass NULL handles to acpi_attach_data()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 356/371] ACPI: property: Add code comments explaining what is going on Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 358/371] irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume Greg Kroah-Hartman
` (26 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sakari Ailus,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
[ Upstream commit baf60d5cb8bc6b85511c5df5f0ad7620bb66d23c ]
In certain circumstances, the ACPI handle of a data-only node may be
NULL, in which case it does not make sense to attempt to attach that
node to an ACPI namespace object, so update the code to avoid attempts
to do so.
This prevents confusing and unuseful error messages from being printed.
Also document the fact that the ACPI handle of a data-only node may be
NULL and when that happens in a code comment. In addition, make
acpi_add_nondev_subnodes() print a diagnostic message for each data-only
node with an unknown ACPI namespace scope.
Fixes: 1d52f10917a7 ("ACPI: property: Tie data nodes to acpi handles")
Cc: 6.0+ <stable@vger.kernel.org> # 6.0+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/property.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -124,6 +124,10 @@ static bool acpi_nondev_subnode_extract(
result = true;
if (result) {
+ /*
+ * This will be NULL if the desc package is embedded in an outer
+ * _DSD-equivalent package and its scope cannot be determined.
+ */
dn->handle = handle;
dn->data.pointer = desc;
list_add_tail(&dn->sibling, list);
@@ -224,6 +228,8 @@ static bool acpi_add_nondev_subnodes(acp
* strings because there is no way to build full
* pathnames out of them.
*/
+ acpi_handle_debug(scope, "subnode %s: Unknown scope\n",
+ link->package.elements[0].string.pointer);
desc = &link->package.elements[1];
result = acpi_nondev_subnode_extract(desc, NULL, link,
list, parent);
@@ -396,6 +402,9 @@ static void acpi_untie_nondev_subnodes(s
struct acpi_data_node *dn;
list_for_each_entry(dn, &data->subnodes, sibling) {
+ if (!dn->handle)
+ continue;
+
acpi_detach_data(dn->handle, acpi_nondev_subnode_tag);
acpi_untie_nondev_subnodes(&dn->data);
@@ -410,6 +419,9 @@ static bool acpi_tie_nondev_subnodes(str
acpi_status status;
bool ret;
+ if (!dn->handle)
+ continue;
+
status = acpi_attach_data(dn->handle, acpi_nondev_subnode_tag, dn);
if (ACPI_FAILURE(status) && status != AE_ALREADY_EXISTS) {
acpi_handle_err(dn->handle, "Can't tag data node\n");
^ permalink raw reply [flat|nested] 389+ messages in thread
* [PATCH 6.17 358/371] irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 357/371] ACPI: property: Do not pass NULL handles to acpi_attach_data() Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 359/371] copy_file_range: limit size if in compat mode Greg Kroah-Hartman
` (25 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jia Wang, Charles Mirabile,
Lucas Zampieri, Thomas Gleixner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucas Zampieri <lzampier@redhat.com>
[ Upstream commit f75e07bf5226da640fa99a0594687c780d9bace4 ]
According to the PLIC specification[1], global interrupt sources are
assigned small unsigned integer identifiers beginning at the value 1.
An interrupt ID of 0 is reserved to mean "no interrupt".
The current plic_irq_resume() and plic_irq_suspend() functions incorrectly
start the loop from index 0, which accesses the register space for the
reserved interrupt ID 0.
Change the loop to start from index 1, skipping the reserved
interrupt ID 0 as per the PLIC specification.
This prevents potential undefined behavior when accessing the reserved
register space during suspend/resume cycles.
Fixes: e80f0b6a2cf3 ("irqchip/irq-sifive-plic: Add syscore callbacks for hibernation")
Co-developed-by: Jia Wang <wangjia@ultrarisc.com>
Signed-off-by: Jia Wang <wangjia@ultrarisc.com>
Co-developed-by: Charles Mirabile <cmirabil@redhat.com>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
Signed-off-by: Lucas Zampieri <lzampier@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://github.com/riscv/riscv-plic-spec/releases/tag/1.0.0
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-sifive-plic.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c
index bf69a4802b71e..9c4af7d588463 100644
--- a/drivers/irqchip/irq-sifive-plic.c
+++ b/drivers/irqchip/irq-sifive-plic.c
@@ -252,7 +252,8 @@ static int plic_irq_suspend(void)
priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv;
- for (i = 0; i < priv->nr_irqs; i++) {
+ /* irq ID 0 is reserved */
+ for (i = 1; i < priv->nr_irqs; i++) {
__assign_bit(i, priv->prio_save,
readl(priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID));
}
@@ -283,7 +284,8 @@ static void plic_irq_resume(void)
priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv;
- for (i = 0; i < priv->nr_irqs; i++) {
+ /* irq ID 0 is reserved */
+ for (i = 1; i < priv->nr_irqs; i++) {
index = BIT_WORD(i);
writel((priv->prio_save[index] & BIT_MASK(i)) ? 1 : 0,
priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 359/371] copy_file_range: limit size if in compat mode
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 358/371] irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 360/371] minixfs: Verify inode mode when loading from disk Greg Kroah-Hartman
` (24 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Weimer, Miklos Szeredi,
Amir Goldstein, Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit f8f59a2c05dc16d19432e3154a9ac7bc385f4b92 ]
If the process runs in 32-bit compat mode, copy_file_range results can be
in the in-band error range. In this case limit copy length to MAX_RW_COUNT
to prevent a signed overflow.
Reported-by: Florian Weimer <fweimer@redhat.com>
Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://lore.kernel.org/20250813151107.99856-1-mszeredi@redhat.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/read_write.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/read_write.c b/fs/read_write.c
index c5b6265d984ba..833bae068770a 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1576,6 +1576,13 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
if (len == 0)
return 0;
+ /*
+ * Make sure return value doesn't overflow in 32bit compat mode. Also
+ * limit the size for all cases except when calling ->copy_file_range().
+ */
+ if (splice || !file_out->f_op->copy_file_range || in_compat_syscall())
+ len = min_t(size_t, MAX_RW_COUNT, len);
+
file_start_write(file_out);
/*
@@ -1589,9 +1596,7 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
len, flags);
} else if (!splice && file_in->f_op->remap_file_range && samesb) {
ret = file_in->f_op->remap_file_range(file_in, pos_in,
- file_out, pos_out,
- min_t(loff_t, MAX_RW_COUNT, len),
- REMAP_FILE_CAN_SHORTEN);
+ file_out, pos_out, len, REMAP_FILE_CAN_SHORTEN);
/* fallback to splice */
if (ret <= 0)
splice = true;
@@ -1624,8 +1629,7 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
* to splicing from input file, while file_start_write() is held on
* the output file on a different sb.
*/
- ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out,
- min_t(size_t, len, MAX_RW_COUNT), 0);
+ ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out, len, 0);
done:
if (ret > 0) {
fsnotify_access(file_in);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 360/371] minixfs: Verify inode mode when loading from disk
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 359/371] copy_file_range: limit size if in compat mode Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 361/371] pid: Add a judgment for ns null in pid_nr_ns Greg Kroah-Hartman
` (23 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 73861970938ad1323eb02bbbc87f6fbd1e5bacca ]
The inode mode loaded from corrupted disk can be invalid. Do like what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/ec982681-84b8-4624-94fa-8af15b77cbd2@I-love.SAKURA.ne.jp
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/minix/inode.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index df9d11479caf1..32db676127a9e 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -492,8 +492,14 @@ void minix_set_inode(struct inode *inode, dev_t rdev)
inode->i_op = &minix_symlink_inode_operations;
inode_nohighmem(inode);
inode->i_mapping->a_ops = &minix_aops;
- } else
+ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
init_special_inode(inode, inode->i_mode, rdev);
+ } else {
+ printk(KERN_DEBUG "MINIX-fs: Invalid file type 0%04o for inode %lu.\n",
+ inode->i_mode, inode->i_ino);
+ make_bad_inode(inode);
+ }
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 361/371] pid: Add a judgment for ns null in pid_nr_ns
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 360/371] minixfs: Verify inode mode when loading from disk Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 362/371] pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers Greg Kroah-Hartman
` (22 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, gaoxiang17, Baoquan He,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: gaoxiang17 <gaoxiang17@xiaomi.com>
[ Upstream commit 006568ab4c5ca2309ceb36fa553e390b4aa9c0c7 ]
__task_pid_nr_ns
ns = task_active_pid_ns(current);
pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
if (pid && ns->level <= pid->level) {
Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.
For example:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __task_pid_nr_ns+0x74/0xd0
lr : __task_pid_nr_ns+0x24/0xd0
sp : ffffffc08001bd10
x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001
x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31
x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0
x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000
x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc
x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800
x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001
x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449
x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0
Call trace:
__task_pid_nr_ns+0x74/0xd0
...
__handle_irq_event_percpu+0xd4/0x284
handle_irq_event+0x48/0xb0
handle_fasteoi_irq+0x160/0x2d8
generic_handle_domain_irq+0x44/0x60
gic_handle_irq+0x4c/0x114
call_on_irq_stack+0x3c/0x74
do_interrupt_handler+0x4c/0x84
el1_interrupt+0x34/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
account_kernel_stack+0x60/0x144
exit_task_stack_account+0x1c/0x80
do_exit+0x7e4/0xaf8
...
get_signal+0x7bc/0x8d8
do_notify_resume+0x128/0x828
el0_svc+0x6c/0x70
el0t_64_sync_handler+0x68/0xbc
el0t_64_sync+0x1a8/0x1ac
Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Signed-off-by: gaoxiang17 <gaoxiang17@xiaomi.com>
Link: https://lore.kernel.org/20250802022123.3536934-1-gxxa03070307@gmail.com
Reviewed-by: Baoquan He <bhe@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/pid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/pid.c b/kernel/pid.c
index d94ce02505012..296cd04c24bae 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -491,7 +491,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
struct upid *upid;
pid_t nr = 0;
- if (pid && ns->level <= pid->level) {
+ if (pid && ns && ns->level <= pid->level) {
upid = &pid->numbers[ns->level];
if (upid->ns == ns)
nr = upid->nr;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 362/371] pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 361/371] pid: Add a judgment for ns null in pid_nr_ns Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 363/371] fs: Add initramfs_options to set initramfs mount options Greg Kroah-Hartman
` (21 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleg Nesterov, Christian Brauner,
Sasha Levin, 高翔
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit abdfd4948e45c51b19162cf8b3f5003f8f53c9b9 ]
task_pid_vnr(another_task) will crash if the caller was already reaped.
The pid_alive(current) check can't really help, the parent/debugger can
call release_task() right after this check.
This also means that even task_ppid_nr_ns(current, NULL) is not safe,
pid_alive() only ensures that it is safe to dereference ->real_parent.
Change __task_pid_nr_ns() to ensure ns != NULL.
Originally-by: 高翔 <gaoxiang17@xiaomi.com>
Link: https://lore.kernel.org/all/20250802022123.3536934-1-gxxa03070307@gmail.com/
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Link: https://lore.kernel.org/20250810173604.GA19991@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/pid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/pid.c b/kernel/pid.c
index 296cd04c24bae..2dbcc4dd90cc0 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -514,7 +514,8 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
rcu_read_lock();
if (!ns)
ns = task_active_pid_ns(current);
- nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
+ if (ns)
+ nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
rcu_read_unlock();
return nr;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 363/371] fs: Add initramfs_options to set initramfs mount options
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 362/371] pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 364/371] cramfs: Verify inode mode when loading from disk Greg Kroah-Hartman
` (20 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lichen Liu, Rob Landley,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lichen Liu <lichliu@redhat.com>
[ Upstream commit 278033a225e13ec21900f0a92b8351658f5377f2 ]
When CONFIG_TMPFS is enabled, the initial root filesystem is a tmpfs.
By default, a tmpfs mount is limited to using 50% of the available RAM
for its content. This can be problematic in memory-constrained
environments, particularly during a kdump capture.
In a kdump scenario, the capture kernel boots with a limited amount of
memory specified by the 'crashkernel' parameter. If the initramfs is
large, it may fail to unpack into the tmpfs rootfs due to insufficient
space. This is because to get X MB of usable space in tmpfs, 2*X MB of
memory must be available for the mount. This leads to an OOM failure
during the early boot process, preventing a successful crash dump.
This patch introduces a new kernel command-line parameter,
initramfs_options, which allows passing specific mount options directly
to the rootfs when it is first mounted. This gives users control over
the rootfs behavior.
For example, a user can now specify initramfs_options=size=75% to allow
the tmpfs to use up to 75% of the available memory. This can
significantly reduce the memory pressure for kdump.
Consider a practical example:
To unpack a 48MB initramfs, the tmpfs needs 48MB of usable space. With
the default 50% limit, this requires a memory pool of 96MB to be
available for the tmpfs mount. The total memory requirement is therefore
approximately: 16MB (vmlinuz) + 48MB (loaded initramfs) + 48MB (unpacked
kernel) + 96MB (for tmpfs) + 12MB (runtime overhead) ≈ 220MB.
By using initramfs_options=size=75%, the memory pool required for the
48MB tmpfs is reduced to 48MB / 0.75 = 64MB. This reduces the total
memory requirement by 32MB (96MB - 64MB), allowing the kdump to succeed
with a smaller crashkernel size, such as 192MB.
An alternative approach of reusing the existing rootflags parameter was
considered. However, a new, dedicated initramfs_options parameter was
chosen to avoid altering the current behavior of rootflags (which
applies to the final root filesystem) and to prevent any potential
regressions.
Also add documentation for the new kernel parameter "initramfs_options"
This approach is inspired by prior discussions and patches on the topic.
Ref: https://www.lightofdawn.org/blog/?viewDetailed=00128
Ref: https://landley.net/notes-2015.html#01-01-2015
Ref: https://lkml.org/lkml/2021/6/29/783
Ref: https://www.kernel.org/doc/html/latest/filesystems/ramfs-rootfs-initramfs.html#what-is-rootfs
Signed-off-by: Lichen Liu <lichliu@redhat.com>
Link: https://lore.kernel.org/20250815121459.3391223-1-lichliu@redhat.com
Tested-by: Rob Landley <rob@landley.net>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/admin-guide/kernel-parameters.txt | 3 +++
fs/namespace.c | 11 ++++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 5a7a83c411e9c..e92c0056e4e0a 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -6429,6 +6429,9 @@
rootflags= [KNL] Set root filesystem mount option string
+ initramfs_options= [KNL]
+ Specify mount options for for the initramfs mount.
+
rootfstype= [KNL] Set root filesystem type
rootwait [KNL] Wait (indefinitely) for root device to show up.
diff --git a/fs/namespace.c b/fs/namespace.c
index 46e654247274f..38609066cf330 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -65,6 +65,15 @@ static int __init set_mphash_entries(char *str)
}
__setup("mphash_entries=", set_mphash_entries);
+static char * __initdata initramfs_options;
+static int __init initramfs_options_setup(char *str)
+{
+ initramfs_options = str;
+ return 1;
+}
+
+__setup("initramfs_options=", initramfs_options_setup);
+
static u64 event;
static DEFINE_XARRAY_FLAGS(mnt_id_xa, XA_FLAGS_ALLOC);
static DEFINE_IDA(mnt_group_ida);
@@ -6127,7 +6136,7 @@ static void __init init_mount_tree(void)
struct mnt_namespace *ns;
struct path root;
- mnt = vfs_kern_mount(&rootfs_fs_type, 0, "rootfs", NULL);
+ mnt = vfs_kern_mount(&rootfs_fs_type, 0, "rootfs", initramfs_options);
if (IS_ERR(mnt))
panic("Can't create rootfs");
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 364/371] cramfs: Verify inode mode when loading from disk
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 363/371] fs: Add initramfs_options to set initramfs mount options Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 365/371] nsfs: validate extensible ioctls Greg Kroah-Hartman
` (19 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Nicolas Pitre,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 7f9d34b0a7cb93d678ee7207f0634dbf79e47fe5 ]
The inode mode loaded from corrupted disk can be invalid. Do like what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/429b3ef1-13de-4310-9a8e-c2dc9a36234a@I-love.SAKURA.ne.jp
Acked-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cramfs/inode.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
index 56c8005b24a34..ca54bf24b719f 100644
--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -116,9 +116,18 @@ static struct inode *get_cramfs_inode(struct super_block *sb,
inode_nohighmem(inode);
inode->i_data.a_ops = &cramfs_aops;
break;
- default:
+ case S_IFCHR:
+ case S_IFBLK:
+ case S_IFIFO:
+ case S_IFSOCK:
init_special_inode(inode, cramfs_inode->mode,
old_decode_dev(cramfs_inode->size));
+ break;
+ default:
+ printk(KERN_DEBUG "CRAMFS: Invalid file type 0%04o for inode %lu.\n",
+ inode->i_mode, inode->i_ino);
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
}
inode->i_mode = cramfs_inode->mode;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 365/371] nsfs: validate extensible ioctls
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 364/371] cramfs: Verify inode mode when loading from disk Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 366/371] mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list Greg Kroah-Hartman
` (18 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Christian Brauner,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit f8527a29f4619f74bc30a9845ea87abb9a6faa1e ]
Validate extensible ioctls stricter than we do now.
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nsfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nsfs.c b/fs/nsfs.c
index 59aa801347a7d..34f0b35d3ead7 100644
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -169,9 +169,11 @@ static bool nsfs_ioctl_valid(unsigned int cmd)
/* Extensible ioctls require some extra handling. */
switch (_IOC_NR(cmd)) {
case _IOC_NR(NS_MNT_GET_INFO):
+ return extensible_ioctl_valid(cmd, NS_MNT_GET_INFO, MNT_NS_INFO_SIZE_VER0);
case _IOC_NR(NS_MNT_GET_NEXT):
+ return extensible_ioctl_valid(cmd, NS_MNT_GET_NEXT, MNT_NS_INFO_SIZE_VER0);
case _IOC_NR(NS_MNT_GET_PREV):
- return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd));
+ return extensible_ioctl_valid(cmd, NS_MNT_GET_PREV, MNT_NS_INFO_SIZE_VER0);
}
return false;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 366/371] mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 365/371] nsfs: validate extensible ioctls Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 367/371] writeback: Avoid softlockup when switching many inodes Greg Kroah-Hartman
` (17 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 38f4885088fc5ad41b8b0a2a2cfc73d01e709e5c ]
Actual removal is done under the lock, but for checking if need to bother
the lockless RB_EMPTY_NODE() is safe - either that namespace had never
been added to mnt_ns_tree, in which case the the node will stay empty, or
whoever had allocated it has called mnt_ns_tree_add() and it has already
run to completion. After that point RB_EMPTY_NODE() will become false and
will remain false, no matter what we do with other nodes in the tree.
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 38609066cf330..fc4cbbefa70e2 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -196,7 +196,7 @@ static void mnt_ns_release_rcu(struct rcu_head *rcu)
static void mnt_ns_tree_remove(struct mnt_namespace *ns)
{
/* remove from global mount namespace list */
- if (!is_anon_ns(ns)) {
+ if (!RB_EMPTY_NODE(&ns->mnt_ns_tree_node)) {
mnt_ns_tree_write_lock();
rb_erase(&ns->mnt_ns_tree_node, &mnt_ns_tree);
list_bidir_del_rcu(&ns->mnt_ns_list);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 367/371] writeback: Avoid softlockup when switching many inodes
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 366/371] mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 368/371] writeback: Avoid excessively long inode switching times Greg Kroah-Hartman
` (16 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tejun Heo, Jan Kara,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 66c14dccd810d42ec5c73bb8a9177489dfd62278 ]
process_inode_switch_wbs_work() can be switching over 100 inodes to a
different cgroup. Since switching an inode requires counting all dirty &
under-writeback pages in the address space of each inode, this can take
a significant amount of time. Add a possibility to reschedule after
processing each inode to avoid softlockups.
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fs-writeback.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index a07b8cf73ae27..b4aa78da7d94e 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -502,6 +502,7 @@ static void inode_switch_wbs_work_fn(struct work_struct *work)
*/
down_read(&bdi->wb_switch_rwsem);
+ inodep = isw->inodes;
/*
* By the time control reaches here, RCU grace period has passed
* since I_WB_SWITCH assertion and all wb stat update transactions
@@ -512,6 +513,7 @@ static void inode_switch_wbs_work_fn(struct work_struct *work)
* gives us exclusion against all wb related operations on @inode
* including IO list manipulations and stat updates.
*/
+relock:
if (old_wb < new_wb) {
spin_lock(&old_wb->list_lock);
spin_lock_nested(&new_wb->list_lock, SINGLE_DEPTH_NESTING);
@@ -520,10 +522,17 @@ static void inode_switch_wbs_work_fn(struct work_struct *work)
spin_lock_nested(&old_wb->list_lock, SINGLE_DEPTH_NESTING);
}
- for (inodep = isw->inodes; *inodep; inodep++) {
+ while (*inodep) {
WARN_ON_ONCE((*inodep)->i_wb != old_wb);
if (inode_do_switch_wbs(*inodep, old_wb, new_wb))
nr_switched++;
+ inodep++;
+ if (*inodep && need_resched()) {
+ spin_unlock(&new_wb->list_lock);
+ spin_unlock(&old_wb->list_lock);
+ cond_resched();
+ goto relock;
+ }
}
spin_unlock(&new_wb->list_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 368/371] writeback: Avoid excessively long inode switching times
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 367/371] writeback: Avoid softlockup when switching many inodes Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 369/371] iomap: error out on file IO when there is no inline_data buffer Greg Kroah-Hartman
` (15 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tejun Heo, Jan Kara,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 9a6ebbdbd41235ea3bc0c4f39e2076599b8113cc ]
With lazytime mount option enabled we can be switching many dirty inodes
on cgroup exit to the parent cgroup. The numbers observed in practice
when systemd slice of a large cron job exits can easily reach hundreds
of thousands or millions. The logic in inode_do_switch_wbs() which sorts
the inode into appropriate place in b_dirty list of the target wb
however has linear complexity in the number of dirty inodes thus overall
time complexity of switching all the inodes is quadratic leading to
workers being pegged for hours consuming 100% of the CPU and switching
inodes to the parent wb.
Simple reproducer of the issue:
FILES=10000
# Filesystem mounted with lazytime mount option
MNT=/mnt/
echo "Creating files and switching timestamps"
for (( j = 0; j < 50; j ++ )); do
mkdir $MNT/dir$j
for (( i = 0; i < $FILES; i++ )); do
echo "foo" >$MNT/dir$j/file$i
done
touch -a -t 202501010000 $MNT/dir$j/file*
done
wait
echo "Syncing and flushing"
sync
echo 3 >/proc/sys/vm/drop_caches
echo "Reading all files from a cgroup"
mkdir /sys/fs/cgroup/unified/mycg1 || exit
echo $$ >/sys/fs/cgroup/unified/mycg1/cgroup.procs || exit
for (( j = 0; j < 50; j ++ )); do
cat /mnt/dir$j/file* >/dev/null &
done
wait
echo "Switching wbs"
# Now rmdir the cgroup after the script exits
We need to maintain b_dirty list ordering to keep writeback happy so
instead of sorting inode into appropriate place just append it at the
end of the list and clobber dirtied_time_when. This may result in inode
writeback starting later after cgroup switch however cgroup switches are
rare so it shouldn't matter much. Since the cgroup had write access to
the inode, there are no practical concerns of the possible DoS issues.
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fs-writeback.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index b4aa78da7d94e..3bfc430ef74dc 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -445,22 +445,23 @@ static bool inode_do_switch_wbs(struct inode *inode,
* Transfer to @new_wb's IO list if necessary. If the @inode is dirty,
* the specific list @inode was on is ignored and the @inode is put on
* ->b_dirty which is always correct including from ->b_dirty_time.
- * The transfer preserves @inode->dirtied_when ordering. If the @inode
- * was clean, it means it was on the b_attached list, so move it onto
- * the b_attached list of @new_wb.
+ * If the @inode was clean, it means it was on the b_attached list, so
+ * move it onto the b_attached list of @new_wb.
*/
if (!list_empty(&inode->i_io_list)) {
inode->i_wb = new_wb;
if (inode->i_state & I_DIRTY_ALL) {
- struct inode *pos;
-
- list_for_each_entry(pos, &new_wb->b_dirty, i_io_list)
- if (time_after_eq(inode->dirtied_when,
- pos->dirtied_when))
- break;
+ /*
+ * We need to keep b_dirty list sorted by
+ * dirtied_time_when. However properly sorting the
+ * inode in the list gets too expensive when switching
+ * many inodes. So just attach inode at the end of the
+ * dirty list and clobber the dirtied_time_when.
+ */
+ inode->dirtied_time_when = jiffies;
inode_io_list_move_locked(inode, new_wb,
- pos->i_io_list.prev);
+ &new_wb->b_dirty);
} else {
inode_cgwb_move_to_attached(inode, new_wb);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 369/371] iomap: error out on file IO when there is no inline_data buffer
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 368/371] writeback: Avoid excessively long inode switching times Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 370/371] pidfs: validate extensible ioctls Greg Kroah-Hartman
` (14 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 6a96fb653b6481ec73e9627ade216b299e4de9ea ]
Return IO errors if an ->iomap_begin implementation returns an
IOMAP_INLINE buffer but forgets to set the inline_data pointer.
Filesystems should never do this, but we could help fs developers (me)
fix their bugs by handling this more gracefully than crashing the
kernel.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Link: https://lore.kernel.org/175803480324.966383.7414345025943296442.stgit@frogsfrogsfrogs
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/buffered-io.c | 15 ++++++++++-----
fs/iomap/direct-io.c | 3 +++
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index fd827398afd2f..6fa653d83f703 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -304,6 +304,9 @@ static int iomap_read_inline_data(const struct iomap_iter *iter,
size_t size = i_size_read(iter->inode) - iomap->offset;
size_t offset = offset_in_folio(folio, iomap->offset);
+ if (WARN_ON_ONCE(!iomap->inline_data))
+ return -EIO;
+
if (folio_test_uptodate(folio))
return 0;
@@ -894,7 +897,7 @@ static bool __iomap_write_end(struct inode *inode, loff_t pos, size_t len,
return true;
}
-static void iomap_write_end_inline(const struct iomap_iter *iter,
+static bool iomap_write_end_inline(const struct iomap_iter *iter,
struct folio *folio, loff_t pos, size_t copied)
{
const struct iomap *iomap = &iter->iomap;
@@ -903,12 +906,16 @@ static void iomap_write_end_inline(const struct iomap_iter *iter,
WARN_ON_ONCE(!folio_test_uptodate(folio));
BUG_ON(!iomap_inline_data_valid(iomap));
+ if (WARN_ON_ONCE(!iomap->inline_data))
+ return false;
+
flush_dcache_folio(folio);
addr = kmap_local_folio(folio, pos);
memcpy(iomap_inline_data(iomap, pos), addr, copied);
kunmap_local(addr);
mark_inode_dirty(iter->inode);
+ return true;
}
/*
@@ -921,10 +928,8 @@ static bool iomap_write_end(struct iomap_iter *iter, size_t len, size_t copied,
const struct iomap *srcmap = iomap_iter_srcmap(iter);
loff_t pos = iter->pos;
- if (srcmap->type == IOMAP_INLINE) {
- iomap_write_end_inline(iter, folio, pos, copied);
- return true;
- }
+ if (srcmap->type == IOMAP_INLINE)
+ return iomap_write_end_inline(iter, folio, pos, copied);
if (srcmap->flags & IOMAP_F_BUFFER_HEAD) {
size_t bh_written;
diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
index b84f6af2eb4c8..46aa85af13dc5 100644
--- a/fs/iomap/direct-io.c
+++ b/fs/iomap/direct-io.c
@@ -519,6 +519,9 @@ static int iomap_dio_inline_iter(struct iomap_iter *iomi, struct iomap_dio *dio)
loff_t pos = iomi->pos;
u64 copied;
+ if (WARN_ON_ONCE(!inline_data))
+ return -EIO;
+
if (WARN_ON_ONCE(!iomap_inline_data_valid(iomap)))
return -EIO;
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 370/371] pidfs: validate extensible ioctls
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 369/371] iomap: error out on file IO when there is no inline_data buffer Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 371/371] mount: handle NULL values in mnt_ns_release() Greg Kroah-Hartman
` (13 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksa Sarai, Jan Kara,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 3c17001b21b9f168c957ced9384abe969019b609 ]
Validate extensible ioctls stricter than we do now.
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pidfs.c | 2 +-
include/linux/fs.h | 14 ++++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/fs/pidfs.c b/fs/pidfs.c
index 108e7527f837f..2c9c7636253af 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -440,7 +440,7 @@ static bool pidfs_ioctl_valid(unsigned int cmd)
* erronously mistook the file descriptor for a pidfd.
* This is not perfect but will catch most cases.
*/
- return (_IOC_TYPE(cmd) == _IOC_TYPE(PIDFD_GET_INFO));
+ return extensible_ioctl_valid(cmd, PIDFD_GET_INFO, PIDFD_INFO_SIZE_VER0);
}
return false;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 74f2bfc519263..ed02715261036 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -4025,4 +4025,18 @@ static inline bool vfs_empty_path(int dfd, const char __user *path)
int generic_atomic_write_valid(struct kiocb *iocb, struct iov_iter *iter);
+static inline bool extensible_ioctl_valid(unsigned int cmd_a,
+ unsigned int cmd_b, size_t min_size)
+{
+ if (_IOC_DIR(cmd_a) != _IOC_DIR(cmd_b))
+ return false;
+ if (_IOC_TYPE(cmd_a) != _IOC_TYPE(cmd_b))
+ return false;
+ if (_IOC_NR(cmd_a) != _IOC_NR(cmd_b))
+ return false;
+ if (_IOC_SIZE(cmd_a) < min_size)
+ return false;
+ return true;
+}
+
#endif /* _LINUX_FS_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* [PATCH 6.17 371/371] mount: handle NULL values in mnt_ns_release()
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 370/371] pidfs: validate extensible ioctls Greg Kroah-Hartman
@ 2025-10-17 14:55 ` Greg Kroah-Hartman
2025-10-17 18:18 ` [PATCH 6.17 000/371] 6.17.4-rc1 review Ronald Warsow
` (12 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-17 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Linus Torvalds,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 6c7ca6a02f8f9549a438a08a23c6327580ecf3d6 ]
When calling in listmount() mnt_ns_release() may be passed a NULL
pointer. Handle that case gracefully.
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index fc4cbbefa70e2..c8c2376bb2424 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -180,7 +180,7 @@ static void mnt_ns_tree_add(struct mnt_namespace *ns)
static void mnt_ns_release(struct mnt_namespace *ns)
{
/* keep alive for {list,stat}mount() */
- if (refcount_dec_and_test(&ns->passive)) {
+ if (ns && refcount_dec_and_test(&ns->passive)) {
fsnotify_mntns_delete(ns);
put_user_ns(ns->user_ns);
kfree(ns);
--
2.51.0
^ permalink raw reply related [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 003/371] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()
2025-10-17 14:49 ` [PATCH 6.17 003/371] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() Greg Kroah-Hartman
@ 2025-10-17 15:42 ` David Sterba
0 siblings, 0 replies; 389+ messages in thread
From: David Sterba @ 2025-10-17 15:42 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Qu Wenruo, David Sterba
On Fri, Oct 17, 2025 at 04:49:38PM +0200, Greg Kroah-Hartman wrote:
> 6.17-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Qu Wenruo <wqu@suse.com>
>
> commit 7b26da407420e5054e3f06c5d13271697add9423 upstream.
>
> [BUG]
> With my local branch to enable bs > ps support for btrfs, sometimes I
> hit the following ASSERT() inside submit_one_sector():
>
> ASSERT(block_start != EXTENT_MAP_HOLE);
>
> Please note that it's not yet possible to hit this ASSERT() in the wild
> yet, as it requires btrfs bs > ps support, which is not even in the
> development branch.
>
> But on the other hand, there is also a very low chance to hit above
> ASSERT() with bs < ps cases, so this is an existing bug affect not only
> the incoming bs > ps support but also the existing bs < ps support.
>
> [CAUSE]
> Firstly that ASSERT() means we're trying to submit a dirty block but
> without a real extent map nor ordered extent map backing it.
>
> Furthermore with extra debugging, the folio triggering such ASSERT() is
> always larger than the fs block size in my bs > ps case.
> (8K block size, 4K page size)
>
> After some more debugging, the ASSERT() is trigger by the following
> sequence:
>
> extent_writepage()
> | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block
> | size is 8K, page size is 4K.
> | And there is another 8K folio at file offset 32K, which is also
> | dirty.
> | So the filemap layout looks like the following:
> |
> | "||" is the filio boundary in the filemap.
> | "//| is the dirty range.
> |
> | 0 8K 16K 24K 32K 40K
> | |////////| |//////////////////////||////////|
> |
> |- writepage_delalloc()
> | |- find_lock_delalloc_range() for [0, 8K)
> | | Now range [0, 8K) is properly locked.
> | |
> | |- find_lock_delalloc_range() for [16K, 40K)
> | | |- btrfs_find_delalloc_range() returned range [16K, 40K)
> | | |- lock_delalloc_folios() locked folio 0 successfully
> | | |
> | | | The filemap range [32K, 40K) got dropped from filemap.
> | | |
> | | |- lock_delalloc_folios() failed with -EAGAIN on folio 32K
> | | | As the folio at 32K is dropped.
> | | |
> | | |- loops = 1;
> | | |- max_bytes = PAGE_SIZE;
> | | |- goto again;
> | | | This will re-do the lookup for dirty delalloc ranges.
> | | |
> | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K
> | | | This is smaller than block size, so
> | | | btrfs_find_delalloc_range() is unable to return any range.
> | | \- return false;
> | |
> | \- Now only range [0, 8K) has an OE for it, but for dirty range
> | [16K, 32K) it's dirty without an OE.
> | This breaks the assumption that writepage_delalloc() will find
> | and lock all dirty ranges inside the folio.
> |
> |- extent_writepage_io()
> |- submit_one_sector() for [0, 8K)
> | Succeeded
> |
> |- submit_one_sector() for [16K, 24K)
> Triggering the ASSERT(), as there is no OE, and the original
> extent map is a hole.
>
> Please note that, this also exposed the same problem for bs < ps
> support. E.g. with 64K page size and 4K block size.
>
> If we failed to lock a folio, and falls back into the "loops = 1;"
> branch, we will re-do the search using 64K as max_bytes.
> Which may fail again to lock the next folio, and exit early without
> handling all dirty blocks inside the folio.
>
> [FIX]
> Instead of using the fixed size PAGE_SIZE as @max_bytes, use
> @sectorsize, so that we are ensured to find and lock any remaining
> blocks inside the folio.
>
> And since we're here, add an extra ASSERT() to
> before calling btrfs_find_delalloc_range() to make sure the @max_bytes is
> at least no smaller than a block to avoid false negative.
>
> Cc: stable@vger.kernel.org # 5.15+
> Signed-off-by: Qu Wenruo <wqu@suse.com>
> Signed-off-by: David Sterba <dsterba@suse.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Please drop this patch from all stable branch, this is for an unfinished
feature and not available in any release.
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear()
2025-10-17 14:53 ` [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear() Greg Kroah-Hartman
@ 2025-10-17 18:13 ` Jiri Slaby
2025-10-19 12:01 ` Greg Kroah-Hartman
0 siblings, 1 reply; 389+ messages in thread
From: Jiri Slaby @ 2025-10-17 18:13 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Alexandre Ghiti, Andrew Donnellan, Andrew Morton
On 17. 10. 25, 16:53, Greg Kroah-Hartman wrote:
> 6.17-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Alexandre Ghiti <alexghiti@rivosinc.com>
>
> commit 668208b161a0b679427e7d0f34c0a65fd7d23979 upstream.
>
> Make sure we return the right pud value and not a value that could have
> been overwritten in between by a different core.
>
> Link: https://lkml.kernel.org/r/20250814-dev-alex-thp_pud_xchg-v1-1-b4704dfae206@rivosinc.com
> Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP")
> Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
> Cc: Andrew Donnellan <ajd@linux.ibm.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> arch/riscv/include/asm/pgtable.h | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> --- a/arch/riscv/include/asm/pgtable.h
> +++ b/arch/riscv/include/asm/pgtable.h
> @@ -959,6 +959,17 @@ static inline pud_t pudp_huge_get_and_cl
> return pud;
> }
>
> +#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR
> +static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
> + unsigned long address, pud_t *pudp)
> +{
> + pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0));
> +
> + page_table_check_pud_clear(mm, pud);
> +
> + return pud;
> +}
With the above, I see:
[ 321s] In file included from ../include/linux/pgtable.h:6,
[ 321s] from ../include/linux/mm.h:31,
[ 321s] from ../arch/riscv/kernel/asm-offsets.c:8:
[ 321s] ../arch/riscv/include/asm/pgtable.h:963:21: error: redefinition
of ‘pudp_huge_get_and_clear’
[ 321s] 963 | static inline pud_t pudp_huge_get_and_clear(struct
mm_struct *mm,
[ 321s] | ^~~~~~~~~~~~~~~~~~~~~~~
[ 321s] ../arch/riscv/include/asm/pgtable.h:946:21: note: previous
definition of ‘pudp_huge_get_and_clear’ with type ‘pud_t(struct
mm_struct *, long unsigned int, pud_t *)’
[ 321s] 946 | static inline pud_t pudp_huge_get_and_clear(struct
mm_struct *mm,
[ 321s] | ^~~~~~~~~~~~~~~~~~~~~~~
thanks,
--
js
suse labs
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2025-10-17 14:55 ` [PATCH 6.17 371/371] mount: handle NULL values in mnt_ns_release() Greg Kroah-Hartman
@ 2025-10-17 18:18 ` Ronald Warsow
2025-10-17 18:21 ` Jon Hunter
` (11 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Ronald Warsow @ 2025-10-17 18:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill
Hi
no regressions here on x86_64 (RKL, Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2025-10-17 18:18 ` [PATCH 6.17 000/371] 6.17.4-rc1 review Ronald Warsow
@ 2025-10-17 18:21 ` Jon Hunter
2025-10-17 21:47 ` Hardik Garg
` (10 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Jon Hunter @ 2025-10-17 18:21 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill,
linux-tegra, stable
On Fri, 17 Oct 2025 16:49:35 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.17:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
120 tests: 120 pass, 0 fail
Linux version: 6.17.4-rc1-g396c6daa5f57
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2025-10-17 18:21 ` Jon Hunter
@ 2025-10-17 21:47 ` Hardik Garg
2025-10-17 23:04 ` Ron Economos
` (9 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Hardik Garg @ 2025-10-17 21:47 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, stable, sudipm.mukherjee, torvalds
The kernel, bpf tool, perf tool, and kselftest builds fine for v6.17.4-rc1 on x86 and arm64 Azure VM.
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Thanks,
Hardik
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2025-10-17 21:47 ` Hardik Garg
@ 2025-10-17 23:04 ` Ron Economos
2025-10-19 12:02 ` Greg Kroah-Hartman
2025-10-18 0:24 ` Shuah Khan
` (8 subsequent siblings)
383 siblings, 1 reply; 389+ messages in thread
From: Ron Economos @ 2025-10-17 23:04 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill
On 10/17/25 07:49, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Build fails for RISC-V with:
In file included from ./include/linux/pgtable.h:6,
from ./include/linux/mm.h:31,
from arch/riscv/kernel/asm-offsets.c:8:
./arch/riscv/include/asm/pgtable.h:963:21: error: redefinition of
'pudp_huge_get_and_clear'
963 | static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
| ^~~~~~~~~~~~~~~~~~~~~~~
./arch/riscv/include/asm/pgtable.h:946:21: note: previous definition of
'pudp_huge_get_and_clear' with type 'pud_t(struct mm_struct *, long
unsigned int, pud_t *)'
946 | static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
| ^~~~~~~~~~~~~~~~~~~~~~~
Reverting 06536c4857271eeb19d76dbb4af989e2654a94e0 riscv: use an atomic
xchg in pudp_huge_get_and_clear() fixes the build.
The problem is that this patch was already applied to 6.17 just before
release, so the function pudp_huge_get_and_clear() ends up being
duplicated in the file.
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2025-10-17 23:04 ` Ron Economos
@ 2025-10-18 0:24 ` Shuah Khan
2025-10-18 3:45 ` Florian Fainelli
` (7 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Shuah Khan @ 2025-10-18 0:24 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, Shuah Khan
On 10/17/25 08:49, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2025-10-18 0:24 ` Shuah Khan
@ 2025-10-18 3:45 ` Florian Fainelli
2025-10-18 3:53 ` Peter Schneider
` (6 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Florian Fainelli @ 2025-10-18 3:45 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill
On 10/17/25 07:49, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2025-10-18 3:45 ` Florian Fainelli
@ 2025-10-18 3:53 ` Peter Schneider
2025-10-18 7:52 ` Brett A C Sheffield
` (5 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Peter Schneider @ 2025-10-18 3:53 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill
Am 17.10.2025 um 16:49 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2025-10-18 3:53 ` Peter Schneider
@ 2025-10-18 7:52 ` Brett A C Sheffield
2025-10-18 9:18 ` Dileep malepu
` (4 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Brett A C Sheffield @ 2025-10-18 7:52 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.17.4-rc1-g396c6daa5f57 #110 SMP PREEMPT_DYNAMIC Fri Oct 17 19:51:58 -00 2025 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2025-10-18 7:52 ` Brett A C Sheffield
@ 2025-10-18 9:18 ` Dileep malepu
2025-10-18 10:17 ` Markus Reichelt
` (3 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Dileep malepu @ 2025-10-18 9:18 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
Hey Greg
On Fri, Oct 17, 2025 at 9:10 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
Build and boot tested 6.17.4-rc1 using qemu-x86_64. The kernel was
successfully built and booted in a virtualized environment without any
issues.
Build
kernel: 6.17.4-rc1
git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git commit: 396c6daa5f57fff4f0c5ab890c6bfe6ca31b3bba
Tested-by: Dileep Malepu <dileep.debian@gmail.com>
Best regards
Dileep Malepu.
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2025-10-18 9:18 ` Dileep malepu
@ 2025-10-18 10:17 ` Markus Reichelt
2025-10-18 16:19 ` Miguel Ojeda
` (2 subsequent siblings)
383 siblings, 0 replies; 389+ messages in thread
From: Markus Reichelt @ 2025-10-18 10:17 UTC (permalink / raw)
To: stable, linux-kernel
* Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
Hi Greg
6.17.4-rc1 compiles on x86_64 (Xeon E5-1620 v2, Slackware64-15.0),
and boots & runs on x86_64 (AMD Ryzen 5 7520U, Slackware64-current).
No regressions observed.
Tested-by: Markus Reichelt <lkt+2023@mareichelt.com>
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2025-10-18 10:17 ` Markus Reichelt
@ 2025-10-18 16:19 ` Miguel Ojeda
2025-10-19 10:36 ` Pascal Ernster
2025-10-20 8:35 ` Naresh Kamboju
383 siblings, 0 replies; 389+ messages in thread
From: Miguel Ojeda @ 2025-10-18 16:19 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, stable, sudipm.mukherjee, torvalds, Miguel Ojeda
On Fri, 17 Oct 2025 16:49:35 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for arm and loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2025-10-18 16:19 ` Miguel Ojeda
@ 2025-10-19 10:36 ` Pascal Ernster
2025-10-20 8:35 ` Naresh Kamboju
383 siblings, 0 replies; 389+ messages in thread
From: Pascal Ernster @ 2025-10-19 10:36 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill
[2025-10-17 16:49] Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
I've applied all patches from the current version of stable-queue/queue-6.17 (commit id 11094dba5f8d0df69938f47f5edc5472ba790eca) applied on top of kernel 6.17.3, and compiled the result for x86_64 using GCC 15.2.1+r22+gc4e96a094636 and binutils 2.45+r29+g2b2e51a31ec7. The resulting kernel boots and runs without any discernible issues on various physical machines of mine (Ivy Bridge, Haswell, Kaby Lake, Coffee Lake) and in a Zen 2 VM and a bunch of Kaby Lake VMs.
Tested-by: Pascal Ernster <git@hardfalcon.net>
Regards
Pascal
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear()
2025-10-17 18:13 ` Jiri Slaby
@ 2025-10-19 12:01 ` Greg Kroah-Hartman
0 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-19 12:01 UTC (permalink / raw)
To: Jiri Slaby
Cc: stable, patches, Alexandre Ghiti, Andrew Donnellan, Andrew Morton
On Fri, Oct 17, 2025 at 08:13:27PM +0200, Jiri Slaby wrote:
> On 17. 10. 25, 16:53, Greg Kroah-Hartman wrote:
> > 6.17-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Alexandre Ghiti <alexghiti@rivosinc.com>
> >
> > commit 668208b161a0b679427e7d0f34c0a65fd7d23979 upstream.
> >
> > Make sure we return the right pud value and not a value that could have
> > been overwritten in between by a different core.
> >
> > Link: https://lkml.kernel.org/r/20250814-dev-alex-thp_pud_xchg-v1-1-b4704dfae206@rivosinc.com
> > Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP")
> > Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
> > Cc: Andrew Donnellan <ajd@linux.ibm.com>
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > arch/riscv/include/asm/pgtable.h | 11 +++++++++++
> > 1 file changed, 11 insertions(+)
> >
> > --- a/arch/riscv/include/asm/pgtable.h
> > +++ b/arch/riscv/include/asm/pgtable.h
> > @@ -959,6 +959,17 @@ static inline pud_t pudp_huge_get_and_cl
> > return pud;
> > }
> > +#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR
> > +static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
> > + unsigned long address, pud_t *pudp)
> > +{
> > + pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0));
> > +
> > + page_table_check_pud_clear(mm, pud);
> > +
> > + return pud;
> > +}
>
> With the above, I see:
> [ 321s] In file included from ../include/linux/pgtable.h:6,
> [ 321s] from ../include/linux/mm.h:31,
> [ 321s] from ../arch/riscv/kernel/asm-offsets.c:8:
> [ 321s] ../arch/riscv/include/asm/pgtable.h:963:21: error: redefinition of
> ‘pudp_huge_get_and_clear’
> [ 321s] 963 | static inline pud_t pudp_huge_get_and_clear(struct
> mm_struct *mm,
> [ 321s] | ^~~~~~~~~~~~~~~~~~~~~~~
> [ 321s] ../arch/riscv/include/asm/pgtable.h:946:21: note: previous
> definition of ‘pudp_huge_get_and_clear’ with type ‘pud_t(struct mm_struct *,
> long unsigned int, pud_t *)’
> [ 321s] 946 | static inline pud_t pudp_huge_get_and_clear(struct
> mm_struct *mm,
> [ 321s] | ^~~~~~~~~~~~~~~~~~~~~~~
>
Ick, not good, I'll go drop this patch from the queue now, thanks!
greg k-h
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 23:04 ` Ron Economos
@ 2025-10-19 12:02 ` Greg Kroah-Hartman
0 siblings, 0 replies; 389+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-19 12:02 UTC (permalink / raw)
To: Ron Economos
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Fri, Oct 17, 2025 at 04:04:23PM -0700, Ron Economos wrote:
> On 10/17/25 07:49, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.17.4 release.
> > There are 371 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Build fails for RISC-V with:
>
> In file included from ./include/linux/pgtable.h:6,
> from ./include/linux/mm.h:31,
> from arch/riscv/kernel/asm-offsets.c:8:
> ./arch/riscv/include/asm/pgtable.h:963:21: error: redefinition of
> 'pudp_huge_get_and_clear'
> 963 | static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
> | ^~~~~~~~~~~~~~~~~~~~~~~
> ./arch/riscv/include/asm/pgtable.h:946:21: note: previous definition of
> 'pudp_huge_get_and_clear' with type 'pud_t(struct mm_struct *, long unsigned
> int, pud_t *)'
> 946 | static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
> | ^~~~~~~~~~~~~~~~~~~~~~~
>
> Reverting 06536c4857271eeb19d76dbb4af989e2654a94e0 riscv: use an atomic xchg
> in pudp_huge_get_and_clear() fixes the build.
>
> The problem is that this patch was already applied to 6.17 just before
> release, so the function pudp_huge_get_and_clear() ends up being duplicated
> in the file.
Thanks, I'll go drop this patch now, thanks.
greg k-h
^ permalink raw reply [flat|nested] 389+ messages in thread
* Re: [PATCH 6.17 000/371] 6.17.4-rc1 review
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2025-10-19 10:36 ` Pascal Ernster
@ 2025-10-20 8:35 ` Naresh Kamboju
383 siblings, 0 replies; 389+ messages in thread
From: Naresh Kamboju @ 2025-10-20 8:35 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Fri, 17 Oct 2025 at 20:58, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.4 release.
> There are 371 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 19 Oct 2025 14:50:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
[ Apologies for the slight delay in sending the reports, due to the
long weekend here in India.]
As other reported,
The riscv builds failed with clang-21 and gcc-14 on the stable rc 6.17.4-rc1
Build regressions: 6.17.4-rc1 riscv pgtable.h:963:21: error:
redefinition of 'pudp_huge_get_and_clear'
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build errors
In file included from include/linux/pgtable.h:6,
from include/linux/mm.h:31,
from arch/riscv/kernel/asm-offsets.c:8:
arch/riscv/include/asm/pgtable.h:963:21: error: redefinition of
'pudp_huge_get_and_clear'
963 | static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
| ^~~~~~~~~~~~~~~~~~~~~~~
arch/riscv/include/asm/pgtable.h:946:21: note: previous definition of
'pudp_huge_get_and_clear' with type 'pud_t(struct mm_struct *, long
unsigned int, pud_t *)'
946 | static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
| ^~~~~~~~~~~~~~~~~~~~~~~
make[3]: *** [scripts/Makefile.build:182:
arch/riscv/kernel/asm-offsets.s] Error 1
## Build
* kernel: 6.17.4-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 396c6daa5f57fff4f0c5ab890c6bfe6ca31b3bba
* git describe: v6.17.3-372-g396c6daa5f57
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.17.y/build/v6.17.3-372-g396c6daa5f57
## Test Regressions (compared to v6.17.2-564-g99cf54e7bd2f)
* riscv, build
- clang-21-lkftconfig
- gcc-14-allmodconfig
- gcc-14-allyesconfig
- gcc-14-lkftconfig
- gcc-14-lkftconfig-libgpiod
## Metric Regressions (compared to v6.17.2-564-g99cf54e7bd2f)
## Test Fixes (compared to v6.17.2-564-g99cf54e7bd2f)
## Metric Fixes (compared to v6.17.2-564-g99cf54e7bd2f)
## Test result summary
total: 123725, pass: 104164, fail: 4205, skip: 15356, xfail: 0
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 139 total, 139 passed, 0 failed
* arm64: 57 total, 54 passed, 3 failed
* i386: 18 total, 18 passed, 0 failed
* mips: 34 total, 33 passed, 1 failed
* parisc: 4 total, 4 passed, 0 failed
* powerpc: 40 total, 39 passed, 1 failed
* riscv: 25 total, 19 passed, 6 failed
* s390: 22 total, 22 passed, 0 failed
* sh: 5 total, 5 passed, 0 failed
* sparc: 4 total, 3 passed, 1 failed
* x86_64: 49 total, 48 passed, 1 failed
## Test suites summary
* boot
* commands
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-kvm
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mm
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-rust
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* lava
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
* rt-tests-cyclicdeadline
* rt-tests-pi-stress
* rt-tests-pmqtest
* rt-tests-rt-migrate-test
* rt-tests-signaltest
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 389+ messages in thread
end of thread, other threads:[~2025-10-20 8:35 UTC | newest]
Thread overview: 389+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-17 14:49 [PATCH 6.17 000/371] 6.17.4-rc1 review Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 001/371] fs: always return zero on success from replace_fd() Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 002/371] fscontext: do not consume log entries when returning -EMSGSIZE Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 003/371] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() Greg Kroah-Hartman
2025-10-17 15:42 ` David Sterba
2025-10-17 14:49 ` [PATCH 6.17 004/371] arm64: map [_text, _stext) virtual address range non-executable+read-only Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 005/371] rseq: Protect event mask against membarrier IPI Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 006/371] statmount: dont call path_put() under namespace semaphore Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 007/371] listmount: " Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 008/371] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 009/371] memcg: skip cgroup_file_notify if spinning is not allowed Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 010/371] page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 011/371] PM: runtime: Update kerneldoc return codes Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 012/371] dma-mapping: fix direction in dma_alloc direction traces Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 013/371] cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 014/371] nfsd: unregister with rpcbind when deleting a transport Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 015/371] KVM: x86: Add helper to retrieve current value of user return MSR Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 016/371] KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2 Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 017/371] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 018/371] media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 019/371] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 020/371] clk: npcm: select CONFIG_AUXILIARY_BUS Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 021/371] clk: thead: th1520-ap: describe gate clocks with clk_gate Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 022/371] clk: thead: th1520-ap: fix parent of padctrl0 clock Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 023/371] clk: thead: Correct parent for DPU pixel clocks Greg Kroah-Hartman
2025-10-17 14:49 ` [PATCH 6.17 024/371] clk: renesas: r9a08g045: Add MSTOP for GPIO Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 025/371] perf disasm: Avoid undefined behavior in incrementing NULL Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 026/371] perf test trace_btf_enum: Skip if permissions are insufficient Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 027/371] perf evsel: Avoid container_of on a NULL leader Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 028/371] libperf event: Ensure tracing data is multiple of 8 sized Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 029/371] clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 030/371] clk: qcom: Select the intended config in QCS_DISPCC_615 Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 031/371] perf parse-events: Handle fake PMUs in CPU terms Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 032/371] clk: at91: peripheral: fix return value Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 033/371] clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 034/371] perf: Completely remove possibility to override MAX_NR_CPUS Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 035/371] perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 036/371] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 037/371] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 038/371] rtc: optee: fix memory leak on driver removal Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 039/371] perf arm_spe: Correct setting remote access Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 040/371] perf arm_spe: Correct memory level for " Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 041/371] perf vendor events arm64 AmpereOneX: Fix typo - should be l1d_cache_access_prefetches Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 042/371] perf test: AMD IBS swfilt skip kernel tests if paranoia is >1 Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 043/371] perf test shell lbr: Avoid failures with perf event paranoia Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 044/371] perf trace: Fix IS_ERR() vs NULL check bug Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 045/371] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 046/371] perf test: Dont leak workload gopipe in PERF_RECORD_* Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 047/371] perf evsel: Fix uniquification when PMU given without suffix Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 048/371] perf test: Avoid uncore_imc/clockticks in uniquification test Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 049/371] perf evsel: Ensure the fallback message is always written to Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 050/371] perf build-id: Ensure snprintf string is empty when size is 0 Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 051/371] clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 052/371] clk: mediatek: clk-mux: Do not pass flags to clk_mux_determine_rate_flags() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 053/371] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 054/371] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 055/371] clk: tegra: do not overallocate memory for bpmp clocks Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 056/371] nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 057/371] nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 058/371] vfs: add ATTR_CTIME_SET flag Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 059/371] nfsd: use ATTR_CTIME_SET for delegated ctime updates Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 060/371] nfsd: track original timestamps in nfs4_delegation Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 061/371] nfsd: fix SETATTR updates for delegated timestamps Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 062/371] nfsd: fix timestamp updates in CB_GETATTR Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 063/371] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 064/371] PM: core: Annotate loops walking device links as _srcu Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 065/371] PM: core: Add two macros for walking device links Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 066/371] PM: sleep: Do not wait on SYNC_STATE_ONLY " Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 067/371] cpufreq: tegra186: Set target frequency for all cpus in policy Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 068/371] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 069/371] perf bpf-filter: Fix opts declaration on older libbpfs Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 070/371] scsi: ufs: sysfs: Make HID attributes visible Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 071/371] mshv: Handle NEED_RESCHED_LAZY before transferring to guest Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 072/371] perf bpf_counter: Fix handling of cpumap fixing hybrid Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 073/371] ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 074/371] ASoC: SOF: ipc4-topology: Account for different ChainDMA host " Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 075/371] ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 076/371] LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 077/371] LoongArch: Fix build error for LTO with LLVM-18 Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 078/371] LoongArch: Init acpi_gbl_use_global_lock to false Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 079/371] ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 080/371] net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 081/371] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 082/371] drm/xe/hw_engine_group: Fix double write lock release in error path Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 083/371] drm/xe/i2c: Dont rely on d3cold.allowed flag in system PM path Greg Kroah-Hartman
2025-10-17 14:50 ` [PATCH 6.17 084/371] s390/cio: Update purge function to unregister the unused subchannels Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 085/371] drm/vmwgfx: Fix a null-ptr access in the cursor snooper Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 086/371] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 087/371] drm/vmwgfx: Fix copy-paste typo " Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 088/371] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 089/371] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 090/371] net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 091/371] selftest: net: ovpn: Fix uninit return values Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 092/371] ice: ice_adapter: release xa entry on adapter allocation failure Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 093/371] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 094/371] tools build: Align warning options with perf Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 095/371] perf python: split Clang options when invoking Popen Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 096/371] tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat() Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 097/371] perf tools: Fix arm64 libjvmti build by generating unistd_64.h Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 098/371] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 099/371] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 100/371] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 101/371] mailbox: zynqmp-ipi: Fix SGI cleanup on unbind Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 102/371] bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 103/371] net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 104/371] net: sparx5/lan969x: fix flooding configuration on bridge join/leave Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 105/371] net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 106/371] net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 107/371] mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data() Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 108/371] drm/amdgpu: Add additional DCE6 SCL registers Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 109/371] drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 110/371] drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 111/371] drm/amd/display: Properly disable scaling " Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 112/371] drm/amd/display: Disable scaling on DCE6 for now Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 113/371] drm/amdkfd: Fix kfd process ref leaking when userptr unmapping Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 114/371] net: pse-pd: tps23881: Fix current measurement scaling Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 115/371] crypto: skcipher - Fix reqsize handling Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 116/371] netfilter: nft_objref: validate objref and objrefmap expressions Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 117/371] bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu() Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 118/371] selftests: netfilter: nft_fib.sh: fix spurious test failures Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 119/371] selftests: netfilter: query conntrack state to check for port clash resolution Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 120/371] io_uring/zcrx: increment fallback loop src offset Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 121/371] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 122/371] net: airoha: Fix loopback mode configuration for GDM2 port Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 123/371] cifs: Fix copy_to_iter return value check Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 124/371] smb: client: fix missing timestamp updates after utime(2) Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 125/371] rtc: isl12022: Fix initial enable_irq/disable_irq balance Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 126/371] cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 127/371] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 128/371] gpio: wcd934x: mark the GPIO controller as sleeping Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 129/371] bpf: Avoid RCU context warning when unpinning htab with internal structs Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 130/371] kbuild: always create intermediate vmlinux.unstripped Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 131/371] kbuild: keep .modinfo section in vmlinux.unstripped Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 132/371] kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 133/371] kbuild: Add .rel.* strip pattern for vmlinux Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 134/371] s390: vmlinux.lds.S: Reorder sections Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 135/371] s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 136/371] ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 137/371] ACPI: property: Fix buffer properties extraction for subnodes Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 138/371] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 139/371] ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 140/371] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 141/371] ACPI: battery: Add synchronization between interface updates Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 142/371] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 143/371] arm64: dts: qcom: msm8939: " Greg Kroah-Hartman
2025-10-17 14:51 ` [PATCH 6.17 144/371] arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 145/371] arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 146/371] arm64: dts: ti: k3-am62a-main: Fix main padcfg length Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 147/371] arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 148/371] arm64: kprobes: call set_memory_rox() for kprobe page Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 149/371] arm64: mte: Do not flag the zero page as PG_mte_tagged Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 150/371] ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on reset) Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 151/371] ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 152/371] firmware: arm_scmi: quirk: Prevent writes to string constants Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 153/371] perf/arm-cmn: Fix CMN S3 DTM offset Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 154/371] KVM: s390: Fix to clear PTE when discarding a swapped page Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 155/371] KVM: arm64: Fix debug checking for np-guests using huge mappings Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 156/371] KVM: arm64: Fix page leak in user_mem_abort() Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 157/371] x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 158/371] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 159/371] KVM: TDX: Fix uninitialized error code for __tdx_bringup() Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 160/371] dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 161/371] xen: take system_transition_mutex on suspend Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 162/371] xen/events: Cleanup find_virq() return codes Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 163/371] xen/manage: Fix suspend error path Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 164/371] xen/events: Return -EEXIST for bound VIRQs Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 165/371] xen/events: Update virq_to_irq on migration Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 166/371] firmware: exynos-acpm: fix PMIC returned errno Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 167/371] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 168/371] media: cec: extron-da-hd-4k-plus: drop external-module make commands Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 169/371] media: cx18: Add missing check after DMA map Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 170/371] media: i2c: mt9p031: fix mbus code initialization Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 171/371] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 172/371] media: mc: Fix MUST_CONNECT handling for pads with no links Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 173/371] media: pci: ivtv: Add missing check after DMA map Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 174/371] media: pci: mg4b: fix uninitialized iio scan data Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 175/371] media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 176/371] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 177/371] media: staging/ipu7: fix isys device runtime PM usage in firmware closing Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 178/371] media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 179/371] media: venus: firmware: Use correct reset sequence for IRIS2 Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 180/371] media: venus: pm_helpers: add fallback for the opp-table Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 181/371] media: vivid: fix disappearing <Vendor Command With ID> messages Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 182/371] media: vsp1: Export missing vsp1_isp_free_buffer symbol Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 183/371] media: ti: j721e-csi2rx: Use devm_of_platform_populate Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 184/371] media: ti: j721e-csi2rx: Fix source subdev link creation Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 185/371] media: lirc: Fix error handling in lirc_register() Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 186/371] drm/exynos: exynos7_drm_decon: remove ctx->suspended Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 187/371] drm/panthor: Fix memory leak in panthor_ioctl_group_create() Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 188/371] drm/msm/a6xx: Fix PDC sleep sequence Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 189/371] drm/rcar-du: dsi: Fix 1/2/3 lane support Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 190/371] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 191/371] drm/xe/uapi: loosen used tracking restriction Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 192/371] drm/amd/display: Incorrect Mirror Cositing Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 193/371] drm/amd/display: Enable Dynamic DTBCLK Switch Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 194/371] drm/amd/display: Fix unsafe uses of kernel mode FPU Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 195/371] blk-crypto: fix missing blktrace bio split events Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 196/371] btrfs: avoid potential out-of-bounds in btrfs_encode_fh() Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 197/371] bus: mhi: ep: Fix chained transfer handling in read path Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 198/371] bus: mhi: host: Do not use uninitialized dev pointer in mhi_init_irq_setup() Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 199/371] cdx: Fix device node reference leak in cdx_msi_domain_init Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 200/371] clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 201/371] clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 202/371] clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 203/371] clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks Greg Kroah-Hartman
2025-10-17 14:52 ` [PATCH 6.17 204/371] copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64) Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 205/371] cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 206/371] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 207/371] crypto: aspeed - Fix dma_unmap_sg() direction Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 208/371] crypto: atmel " Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 209/371] crypto: rockchip - Fix dma_unmap_sg() nents value Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 210/371] eventpoll: Replace rwlock with spinlock Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 211/371] fbdev: Fix logic error in "offb" name match Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 212/371] fs/ntfs3: Fix a resource leak bug in wnd_extend() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 213/371] fs: quota: create dedicated workqueue for quota_release_work Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 214/371] fsnotify: pass correct offset to fsnotify_mmap_perm() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 215/371] fuse: fix possibly missing fuse_copy_finish() call in fuse_notify() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 216/371] fuse: fix livelock in synchronous file put from fuseblk workers Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 217/371] gpio: mpfs: fix setting gpio direction to output Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 218/371] i3c: Fix default I2C adapter timeout value Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 219/371] iio/adc/pac1934: fix channel disable configuration Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 220/371] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 221/371] iio: dac: ad5421: " Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 222/371] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 223/371] iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 224/371] iio: xilinx-ams: Unmask interrupts after updating alarms Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 225/371] init: handle bootloader identifier in kernel parameters Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 226/371] iio: imu: inv_icm42600: Simplify pm_runtime setup Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 227/371] iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 228/371] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 229/371] iommu/vt-d: PRS isnt usable if PDS isnt supported Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 230/371] ipmi: Rework user message limit handling Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 231/371] ipmi:msghandler:Change seq_lock to a mutex Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 232/371] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 233/371] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 234/371] kho: only fill kimage if KHO is finalized Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 235/371] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 236/371] loop: fix backing file reference leak on validation error Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 237/371] md: fix mssing blktrace bio split events Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 238/371] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 239/371] openat2: dont trigger automounts with RESOLVE_NO_XDEV Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 240/371] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 241/371] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 242/371] parisc: Remove spurious if statement from raw_copy_from_user() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 243/371] nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 244/371] pinctrl: samsung: Drop unused S3C24xx driver data Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 245/371] PM: EM: Fix late boot with holes in CPU topology Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 246/371] PM: hibernate: Fix hybrid-sleep Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 247/371] PM: hibernate: Restrict GFP mask in power_down() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 248/371] power: supply: max77976_charger: fix constant current reporting Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 249/371] powerpc/powernv/pci: Fix underflow and leak issue Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 250/371] powerpc/pseries/msi: Fix potential " Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 251/371] pwm: berlin: Fix wrong register in suspend/resume Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 252/371] pwm: Fix incorrect variable used in error message Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 253/371] Revert "ipmi: fix msg stack when IPMI is disconnected" Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 254/371] riscv: use an atomic xchg in pudp_huge_get_and_clear() Greg Kroah-Hartman
2025-10-17 18:13 ` Jiri Slaby
2025-10-19 12:01 ` Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 255/371] sched/deadline: Fix race in push_dl_task() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 256/371] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 257/371] scsi: sd: Fix build warning in sd_revalidate_disk() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 258/371] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 259/371] smb client: fix bug with newly created file in cached dir Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 260/371] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 261/371] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 262/371] xtensa: simdisk: add input size check in proc_write_simdisk Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 263/371] xsk: Harden userspace-supplied xdp_desc validation Greg Kroah-Hartman
2025-10-17 14:53 ` [PATCH 6.17 264/371] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 265/371] mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 266/371] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 267/371] mmc: mmc_spi: multiple block read remove read crc ack Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 268/371] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 269/371] memory: stm32_omm: Fix req2ack update test Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 270/371] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 271/371] rtc: interface: Fix long-standing race when setting alarm Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 272/371] rseq/selftests: Use weak symbol reference, not definition, to link with glibc Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 273/371] PCI: xilinx-nwl: Fix ECAM programming Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 274/371] PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 275/371] PCI/sysfs: Ensure devices are powered for config reads Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 276/371] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 277/371] PCI/ERR: Fix uevent on failure to recover Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 278/371] PCI/AER: Fix missing uevent on recovery when a reset is requested Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 279/371] PCI/AER: Support errors introduced by PCIe r6.0 Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 280/371] PCI: Ensure relaxed tail alignment does not increase min_align Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 281/371] PCI: Fix failure detection during resource resize Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 282/371] PCI: j721e: Fix module autoloading Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 283/371] PCI: j721e: Fix programming sequence of "strap" settings Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 284/371] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 285/371] PCI: rcar-gen4: Fix PHY initialization Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 286/371] PCI: rcar-host: Drop PMSR spinlock Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 287/371] PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 288/371] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 289/371] PCI: tegra194: Handle errors in BPMP response Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 290/371] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 291/371] PCI/pwrctrl: Fix device leak at registration Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 292/371] PCI/pwrctrl: Fix device and OF node leak at bus scan Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 293/371] PCI/pwrctrl: Fix device leak at device stop Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 294/371] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 295/371] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 296/371] spi: cadence-quadspi: Fix cqspi_setup_flash() Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 297/371] xfs: use deferred intent items for reaping crosslinked blocks Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 298/371] x86/fred: Remove ENDBR64 from FRED entry points Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 299/371] x86/umip: Check that the instruction opcode is at least two bytes Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 300/371] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 301/371] mptcp: pm: in-kernel: usable client side with C-flag Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 302/371] mptcp: reset blackhole on success with non-loopback ifaces Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 303/371] selftests: mptcp: join: validate C-flag + def limit Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 304/371] s390/cio/ioasm: Fix __xsch() condition code handling Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 305/371] s390/dasd: enforce dma_alignment to ensure proper buffer validation Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 306/371] s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 307/371] s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 308/371] slab: prevent warnings when slab obj_exts vector allocation fails Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 309/371] slab: mark slab->obj_exts allocation failures unconditionally Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 310/371] wifi: ath11k: HAL SRNG: dont deinitialize and re-initialize again Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 311/371] wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 312/371] wifi: rtw89: avoid possible TX wait initialization race Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 313/371] wifi: mt76: mt7925u: Add VID/PID for Netgear A9000 Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 314/371] wifi: mt76: mt7921u: Add VID/PID for Netgear A7500 Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 315/371] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 316/371] mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 317/371] mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 318/371] mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0 Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 319/371] mm/damon/vaddr: do not repeat pte_offset_map_lock() until success Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 320/371] mm/damon/lru_sort: use param_ctx for damon_attrs staging Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 321/371] nfsd: decouple the xprtsec policy check from check_nfsd_access() Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 322/371] NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 323/371] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry Greg Kroah-Hartman
2025-10-17 14:54 ` [PATCH 6.17 324/371] media: iris: Call correct power off callback in cleanup path Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 325/371] media: iris: Fix firmware reference leak and unmap memory after load Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 326/371] media: iris: fix module removal if firmware download failed Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 327/371] media: iris: vpu3x: Add MNoC low power handshake during hardware power-off Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 328/371] media: iris: Fix port streaming handling Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 329/371] media: iris: Fix buffer count reporting in internal buffer check Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 330/371] media: iris: Allow substate transition to load resources during output streaming Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 331/371] media: iris: Always destroy internal buffers on firmware release response Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 332/371] media: iris: Simplify session stop logic by relying on vb2 checks Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 333/371] media: iris: Update vbuf flags before v4l2_m2m_buf_done Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 334/371] media: iris: Send dummy buffer address for all codecs during drain Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 335/371] media: iris: Fix missing LAST flag handling " Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 336/371] media: iris: Fix format check for CAPTURE plane in try_fmt Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 337/371] media: iris: Allow stop on firmware only if start was issued Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 338/371] ext4: add ext4_sb_bread_nofail() helper function for ext4_free_branches() Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 339/371] ext4: fail unaligned direct IO write with EINVAL Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 340/371] ext4: verify orphan file size is not too big Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 341/371] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 342/371] ext4: correctly handle queries for metadata mappings Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 343/371] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 344/371] ext4: fix an off-by-one issue during moving extents Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 345/371] ext4: guard against EA inode refcount underflow in xattr update Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 346/371] ext4: validate ea_ino and size in check_xattrs Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 347/371] ACPICA: Allow to skip Global Lock initialization Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 348/371] ext4: free orphan info with kvfree Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 349/371] ipmi: Fix handling of messages with provided receive message pointer Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 350/371] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 351/371] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 352/371] mm/ksm: fix incorrect KSM counter handling in mm_struct during fork Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 353/371] media: mc: Clear minor number before put device Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 354/371] arm64: dts: qcom: qcs615: add missing dt property in QUP SEs Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 355/371] ACPI: property: Disregard references in data-only subnode lists Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 356/371] ACPI: property: Add code comments explaining what is going on Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 357/371] ACPI: property: Do not pass NULL handles to acpi_attach_data() Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 358/371] irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 359/371] copy_file_range: limit size if in compat mode Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 360/371] minixfs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 361/371] pid: Add a judgment for ns null in pid_nr_ns Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 362/371] pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 363/371] fs: Add initramfs_options to set initramfs mount options Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 364/371] cramfs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 365/371] nsfs: validate extensible ioctls Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 366/371] mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 367/371] writeback: Avoid softlockup when switching many inodes Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 368/371] writeback: Avoid excessively long inode switching times Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 369/371] iomap: error out on file IO when there is no inline_data buffer Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 370/371] pidfs: validate extensible ioctls Greg Kroah-Hartman
2025-10-17 14:55 ` [PATCH 6.17 371/371] mount: handle NULL values in mnt_ns_release() Greg Kroah-Hartman
2025-10-17 18:18 ` [PATCH 6.17 000/371] 6.17.4-rc1 review Ronald Warsow
2025-10-17 18:21 ` Jon Hunter
2025-10-17 21:47 ` Hardik Garg
2025-10-17 23:04 ` Ron Economos
2025-10-19 12:02 ` Greg Kroah-Hartman
2025-10-18 0:24 ` Shuah Khan
2025-10-18 3:45 ` Florian Fainelli
2025-10-18 3:53 ` Peter Schneider
2025-10-18 7:52 ` Brett A C Sheffield
2025-10-18 9:18 ` Dileep malepu
2025-10-18 10:17 ` Markus Reichelt
2025-10-18 16:19 ` Miguel Ojeda
2025-10-19 10:36 ` Pascal Ernster
2025-10-20 8:35 ` Naresh Kamboju
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox